SMB alternative ports now supported in Windows Insiders
Zitat von mpachmann am 29. Januar 2024, 9:16 Uhrhttps://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-alternative-ports-now-supported-in-windows-insiders/ba-p/3974509
Heya folks, Ned here again. Starting with Windows 11 Insider preview Build 25992 (Canary), the SMB client now supports connecting to an SMB server over TCP, QUIC, or RDMA using alternative network ports. Today I'll explain how to configure this and talk about the near future of this in Windows and Windows Server Insiders a bit.
Update: Windows Server Insider build 26040 now allows configuring alternative ports for SMB over QUIC. See below for details.
Previous port behaviors
SMB server in Windows has required inbound connections using the IANA-registered port TCP/445 for decades, and the SMB TCP client has only supported connecting outbound to that TCP port. The newer SMB over QUIC protocol requires the QUIC-mandated UDP/443, both for server and client. Until now these were hard-coded and unalterable.
Configuring alternative ports
You can now connect to alternative TCP, QUIC, and RDMA ports with the SMB client as long as the SMB server supports listening on that port and has been configured to do so. You can do this through mapped drive commands NET USE or New-SmbMapping now, and in a coming release, specify ports to connect to on specific servers using Group Policy or PowerShell or through DNS SRV records. An administrator can also block the use of SMB client alterative ports completely using Group Policy.
Map an alternative port with NET USE
To map an alternative TCP port using NET USE, use the following syntax:
NET USE \\server\share /TCPPORT:<some port between 0 and 65536> NET USE \\server\share /QUICPORT:<some port between 0 and 65536> NET USE \\server\share /RDMAPORT:<some port between 0 and 65536>For example, to map the G: drive port to TCP/847, use:
NET USE G: \\waukeganfs1.contoso.com\share /TCPPORT:847
Map an alternative port with New-SmbMapping
To map an alternative TCP port using New-SmbMapping PowerShell, use the following syntax:
New-SmbMapping -RemotePath \\server\share -TcpPort <some port between 0 and 65536> New-SmbMapping -RemotePath \\server\share -QuicPort <some port between 0 and 65536> New-SmbMapping -RemotePath \\server\share -RdmaPort <some port between 0 and 65536>For example, to map the G: drive port to TCP/847, use:
New-SmbMapping -LocalPath G -RemotePath \\waukeganfs1.contoso.com\share -TcpPort 847Control use of SMB client alternative ports
To control SMB client alternative port usage, configure the group policy under:
Computer Configuration \ Administrative Templates \ Network \ Lanman Workstation \ Enable Alternative Ports
Configuring SMB over QUIC alternative listening port
Windows Server Insider does not support changing the SMB server TCP listening port to something besides the default 445. However, you can configure the SMB over QUIC server to use an alternative port, via the following powershell cmdlets:
Get-SmbServerAlternativePort New-SmbServerAlternativePort Remove-SmbServerAlternativePort Set-SmbServerAlternativePortThe configure the SMB over QUIC listener to use a port other than its default UDP/443, use the New-SMBServerAlternativePort cmdlet. For example, to configure the port to UDP/1775, run the following on the Windows Server Insider SMB over QUIC machine:
New-SmbServerAlternativePort -TransportType QUIC -port 1775 -EnableInstances DefaultIf you then run NETSTAT you'll see the server listening on that UDP port
NETSTAT -anob ... UDP 0.0.0.0:1775 *:* 2848 LanmanServerFinal notes
Windows Server does not support configuring alternative SMB server TCP ports, but third parties such as Samba do. For more information on configuring non-standard SMB server ports in third parties, consult their product documentation.
This is part of a campaign to improve the security of Windows and Windows Server for the modern landscape. You've read my posts on SMB security changes over the past year:
- SMB alternative ports (November 2023)
- SMB Firewall changes in Windows insider (November 2023)
- SMB client encryption mandate now supported in Windows Insider (October 2023)
- SMB over QUIC client access control now supported in Windows Insider (October 2023, updated Nov 2023)
- SMB NTLM blocking (September 2023, updated Nov 2023)
- SMB dialect management (September 2023)
- SMB signing required by default in Windows Insider (June 2023)
- The beginning of the end of Remote Mailslots (March 2023)
- SMB insecure guest auth now off by default in Windows Insider Pro editions (January 2023)
- SMB authentication rate limiter now on by default in Windows Insider (September 2022)
- SMB1 now disabled by default for Windows 11 Home Insiders builds (April 2022)
For more information on securing SMB on Windows in-market, check out:
- SMB security enhancements | Microsoft Learn
- Secure SMB Traffic in Windows Server | Microsoft Learn
- Protect SMB traffic from interception | Microsoft Learn
Until next time,
Ned Pyle
Heya folks, Ned here again. Starting with Windows 11 Insider preview Build 25992 (Canary), the SMB client now supports connecting to an SMB server over TCP, QUIC, or RDMA using alternative network ports. Today I'll explain how to configure this and talk about the near future of this in Windows and Windows Server Insiders a bit.
Update: Windows Server Insider build 26040 now allows configuring alternative ports for SMB over QUIC. See below for details.
Previous port behaviors
SMB server in Windows has required inbound connections using the IANA-registered port TCP/445 for decades, and the SMB TCP client has only supported connecting outbound to that TCP port. The newer SMB over QUIC protocol requires the QUIC-mandated UDP/443, both for server and client. Until now these were hard-coded and unalterable.
Configuring alternative ports
You can now connect to alternative TCP, QUIC, and RDMA ports with the SMB client as long as the SMB server supports listening on that port and has been configured to do so. You can do this through mapped drive commands NET USE or New-SmbMapping now, and in a coming release, specify ports to connect to on specific servers using Group Policy or PowerShell or through DNS SRV records. An administrator can also block the use of SMB client alterative ports completely using Group Policy.
Map an alternative port with NET USE
To map an alternative TCP port using NET USE, use the following syntax:
NET USE \\server\share /TCPPORT:<some port between 0 and 65536> NET USE \\server\share /QUICPORT:<some port between 0 and 65536> NET USE \\server\share /RDMAPORT:<some port between 0 and 65536>
For example, to map the G: drive port to TCP/847, use:
NET USE G: \\waukeganfs1.contoso.com\share /TCPPORT:847
Map an alternative port with New-SmbMapping
To map an alternative TCP port using New-SmbMapping PowerShell, use the following syntax:
New-SmbMapping -RemotePath \\server\share -TcpPort <some port between 0 and 65536> New-SmbMapping -RemotePath \\server\share -QuicPort <some port between 0 and 65536> New-SmbMapping -RemotePath \\server\share -RdmaPort <some port between 0 and 65536>
For example, to map the G: drive port to TCP/847, use:
New-SmbMapping -LocalPath G -RemotePath \\waukeganfs1.contoso.com\share -TcpPort 847
Control use of SMB client alternative ports
To control SMB client alternative port usage, configure the group policy under:
Computer Configuration \ Administrative Templates \ Network \ Lanman Workstation \ Enable Alternative Ports
Configuring SMB over QUIC alternative listening port
Windows Server Insider does not support changing the SMB server TCP listening port to something besides the default 445. However, you can configure the SMB over QUIC server to use an alternative port, via the following powershell cmdlets:
Get-SmbServerAlternativePort New-SmbServerAlternativePort Remove-SmbServerAlternativePort Set-SmbServerAlternativePort
The configure the SMB over QUIC listener to use a port other than its default UDP/443, use the New-SMBServerAlternativePort cmdlet. For example, to configure the port to UDP/1775, run the following on the Windows Server Insider SMB over QUIC machine:
New-SmbServerAlternativePort -TransportType QUIC -port 1775 -EnableInstances Default
If you then run NETSTAT you'll see the server listening on that UDP port
NETSTAT -anob ... UDP 0.0.0.0:1775 *:* 2848 LanmanServer
Final notes
Windows Server does not support configuring alternative SMB server TCP ports, but third parties such as Samba do. For more information on configuring non-standard SMB server ports in third parties, consult their product documentation.
This is part of a campaign to improve the security of Windows and Windows Server for the modern landscape. You've read my posts on SMB security changes over the past year:
- SMB alternative ports (November 2023)
- SMB Firewall changes in Windows insider (November 2023)
- SMB client encryption mandate now supported in Windows Insider (October 2023)
- SMB over QUIC client access control now supported in Windows Insider (October 2023, updated Nov 2023)
- SMB NTLM blocking (September 2023, updated Nov 2023)
- SMB dialect management (September 2023)
- SMB signing required by default in Windows Insider (June 2023)
- The beginning of the end of Remote Mailslots (March 2023)
- SMB insecure guest auth now off by default in Windows Insider Pro editions (January 2023)
- SMB authentication rate limiter now on by default in Windows Insider (September 2022)
- SMB1 now disabled by default for Windows 11 Home Insiders builds (April 2022)
For more information on securing SMB on Windows in-market, check out:
- SMB security enhancements | Microsoft Learn
- Secure SMB Traffic in Windows Server | Microsoft Learn
- Protect SMB traffic from interception | Microsoft Learn
Until next time,
Ned Pyle