Storage at Microsoft

SMB over QUIC client access control now supported in Windows Insider

NedPyle (Microsoft)
Oct 18, 2023

Heya folks, Ned here again. Beginning in Windows 11 Insider Preview Build 25977 (Canary Channel) and Windows Server Preview Build 25997, SMB over QUIC now supports access control for clients. Today I’ll explain how this works, what the advantages are, and how to set it up.


SMB over QUIC

SMB over QUIC introduced an alternative to TCP and RDMA, supplying secure connectivity to edge file servers over untrusted networks like the Internet. QUIC has significant advantages, the largest being mandatory certificate-based encryption instead of relying on passwords.


SMB over QUIC offers an "SMB VPN" for telecommuters, mobile device users, and high security organizations. The server certificate creates a TLS 1.3-encrypted tunnel over the internet-friendly UDP port 443* instead of the legacy TCP port 445. No SMB traffic - including authentication and authorization - is exposed to the underlying network. SMB behaves normally within the QUIC tunnel, meaning the user experience doesn't change and capabilities like multichannel and compression work.  

A file server administrator must opt in to enabling SMB over QUIC; it isn't on by default, and a client can't force a file server to enable it. It's available in Windows 11 and Windows Server 2022 as an SMB client and in Windows Server 2022 Azure Edition* as an SMB server.


* Update Nov 15, 2023. We just announced that SMB over QUIC is now part of Windows Server Datacenter and Standard editions for the next release of Windows Server and that you can now control the QUIC network port. You can try it out in Insiders Preview. For more info, review https://aka.ms/SMBoverQUICServer


SMB over QUIC Client Access Control

SMB over QUIC client access control (CAC) improves the existing SMB over QUIC feature. Previously, servers trusted all clients if they were issued the same certificate root chain as the server’s SMB over QUIC server certificate. With this new option, administrators can restrict which clients can access SMB over QUIC servers – an allowlist for devices trusted to connect to the file server. This gives organizations more protection but does not change the Windows authentication used to make the SMB connection nor does it alter the end user experience.


This feature works by a client trusting the SMB over QUIC server via a valid shared root authority key. An admin also gives the client a certificate from the same issuer, and that certificate’s hash (or issuer) is added to a trust list maintained by the server. When the client connects, it sends the certificate info to the server for comparison against the allow list, granting or denying access to QUIC. Then SMB authentication occurs inside the QUIC TLS tunnel, and the user connects to their share. An admin can also explicitly deny access or just revoke certificates. CAC is optional and – for now – not on by default.


Update November 8, 2023:

Starting with Build 25992, the SMB over QUIC client access control feature now supports using certificates with subject alternative names and not just a single subject. This means the client access control feature now supports using a Microsoft AD Certificate Authority and multiple endpoint names, just like the currently released version of SMB over QUIC. You can now evaluate the feature using the recommended options and not require self-signed test certificates. 


Configuring SMB over QUIC client access control

The steps to configure SMB over QUIC CAC are nearly identical to the existing SMB over QUIC setup on the server side. The steps for clients are quite different. This is the typical trade-off between security and ease of management.

Prerequisites

To evaluate CAC, you’ll need:

Configure SMB over QUIC CAC

To configure SMB over QUIC CAC, we’re going to use a self-signed certificate and PowerShell.


These steps are strictly for Insider Preview evaluation purposes; the released CAC feature will fully support a Certificate Authority and Windows Admin Center, and you should never use a self-signed certificate with SMB over QUIC in a production environment.


  1. Open an administrator-elevated PowerShell console on the SMB over QUIC server.
  2. Create the server's self-signed certificate (where "Server DNS name" is the fully-qualified name of the SMB over QUIC server):

$serverCert = New-SelfSignedCertificate -DnsName "<Server DNS name>" -CertStoreLocation "Cert:\LocalMachine\My" -NotAfter (Get-Date).AddMonths(6) -KeyAlgorithm "RSA" -KeyLength "2048"


  3. Configure the server certificate mapping, requiring client authentication:

New-SmbServerCertificateMapping -Name "<Server DNS name>" -Thumbprint $serverCert.Thumbprint -Store My -RequireClientAuthentication $true


  4. Export the certificate:

Export-Certificate -Cert $serverCert -FilePath path\serverCert.cer


  5. Copy the serverCert.cer file to the client machine and, on the client, open an administrator-elevated PowerShell console.
  6. Install the certificate into the trusted root store on the client:

Import-Certificate -FilePath path\serverCert.cer -CertStoreLocation Cert:\LocalMachine\Root

  7. Create the client’s certificate for use with the server allow list:

$clientCert = New-SelfSignedCertificate -DnsName "<Server DNS name>" -CertStoreLocation "Cert:\LocalMachine\My" -NotAfter (Get-Date).AddMonths(6) -KeyAlgorithm "RSA" -KeyLength "2048"


  8. Configure the client certificate mapping on the client machine:

New-SmbClientCertificateMapping -Namespace "<Server DNS name>" -Thumbprint $clientCert.Thumbprint -Store My


  9. Export the client certificate and obtain its SHA256 hash by running certutil and examining the Cert Hash(sha256) field:

Export-Certificate -Cert $clientCert -FilePath path\clientCert.cer

certutil.exe path\clientCert.cer | findstr /i /c:"Cert Hash(sha256)"


An example of the certutil command running     

  10. Return to the server.
  11. Install the client certificate into the trusted root store on the server:

Import-Certificate -FilePath path\clientCert.cer -CertStoreLocation Cert:\LocalMachine\Root

  12. Grant access to the client by its SHA256 entry (where "Cert Hash(sha256)" is the value obtained from certutil in step 9):

Grant-SmbClientAccessToServer -Name "<Server DNS name>" -IdentifierType SHA256 -Identifier "<Cert Hash(sha256)>"


Note: you can also grant access by Issuer, meaning instead of adding a certificate SHA256 hash from every single client, you can instead add the Issuer DN by using -IdentifierType ISSUER. While not as granular or secure, this is useful for large client fleets when using a trusted certificate authority and not self-signed evaluation certs.

  13. You have now configured SMB over QUIC CAC. Connect to the server using either:

NET USE \\<Server DNS name>\share /TRANSPORT:QUIC
New-SmbMapping -RemotePath \\<Server DNS name>\share -TransportType QUIC
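As an added example (not from the original post), the following PowerShell computes the client certificate's SHA256 hash directly from the exported .cer file instead of reading it from certutil output, grants the per-device allow-list entry, and then lists the server's allow list to confirm the entry. It assumes the .cer is DER-encoded (the Export-Certificate default), that $ServerName and $ClientCerPath are placeholders you supply, and that Get-SmbClientAccessToServer exists alongside Grant-SmbClientAccessToServer in the SmbShare module with an Identifier property on its output.

```powershell
# Added example; run in an administrator-elevated PowerShell console on the
# SMB over QUIC server after the client certificate (.cer) has been copied over.
param(
    [Parameter(Mandatory)] [string] $ServerName,    # placeholder, e.g. the server's FQDN
    [Parameter(Mandatory)] [string] $ClientCerPath  # placeholder, e.g. C:\temp\clientCert.cer
)

# Load the exported client certificate.
$clientCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ClientCerPath)

# certutil's "Cert Hash(sha256)" is the SHA256 digest of the DER-encoded
# certificate, which is exactly the RawData of the loaded object, so the value
# computed here matches the certutil output (minus the spaces certutil inserts).
$sha256  = [System.Security.Cryptography.SHA256]::Create()
$hashHex = ($sha256.ComputeHash($clientCert.RawData) | ForEach-Object { $_.ToString('x2') }) -join ''
$sha256.Dispose()

Write-Host "Client subject : $($clientCert.Subject)"
Write-Host "Issuer DN      : $($clientCert.Issuer)"   # what an -IdentifierType ISSUER entry would trust
Write-Host "SHA256         : $hashHex"

# Per-device SHA256 entries are the most granular option; an ISSUER entry would
# admit every certificate chained to that issuer, which is coarser but scales.
Grant-SmbClientAccessToServer -Name $ServerName -IdentifierType SHA256 -Identifier $hashHex

# Verify the allow list now contains this device (assumed cmdlet and property).
$entries = Get-SmbClientAccessToServer -Name $ServerName
if ($entries | Where-Object { $_.Identifier -ieq $hashHex }) {
    Write-Host "Allow-list entry present for $($clientCert.Subject)"
} else {
    Write-Warning "Entry not found; inspect the output of Get-SmbClientAccessToServer -Name $ServerName"
}
```

Hashing the DER bytes also gives you a way to spot-check, before granting, that the file you received is the certificate you expected rather than whatever happened to be in the folder.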


Final Notes

SMB over QUIC isn’t just for mobile users and edge servers in Internet DMZs; it’s a practical defensive layer that prevents leakage of NTLM credentials and makes attacking internal file servers harder without first subverting a trusted client. TCP had its time; QUIC is the future of user and application transport.

We also just announced that a replacement for KDC Proxy - IAKerb - is coming to Windows Insider Previews along with a local KDC. These combined options mean the beginning of the end for NTLM, which will make SMB over QUIC Kerberos usage much easier. Read about it at The evolution of Windows authentication.

This is part of a campaign to improve the security of Windows and Windows Server for the modern landscape. You've read my posts on SMB security changes over the past year:


For more information on securing SMB on Windows in-market, check out:


Until next time,

Ned Pyle

Updated Jul 02, 2024
Version 10.0
  • Thank you NedPyle for sharing this awesome blog post with the community :stareyes:

    Shared with the Windows Insider Community
    Cheers, James

  • DetVidunderliga
    Copper Contributor

    Thank you Mr Pyle for great content as per usual. I have a question with regards to the statement:

    It’s available in Windows 11 and Windows Server 2022 as an SMB client and in Windows Server 2022 Azure Edition* as an SMB server.

    and this cloud only strategy that seems to move forward at a break neck pace right now;

    Is there going to be a fully functional Windows Server in the future / next release for organizations preferring on prem footprints?

    It seems to me like that part of the customer base is unwanted these days, and for me personally it is hard to find the correct architectural bridge to the future given my organization’s traditional reliance on Microsoft Active Directory, SQL Server, IIS and in-house .NET development. It is not a lack of understanding of Azure, its license structure and endless layers of services on my part - it is that I reject the notion of monthly subscriptions, learning cloud-provider-specific tooling with no generic area of application outside the cloud provider, combined with the sense of customer lock-in, that makes public cloud a very hard sell for me. As a customer I would like to have the choice where I am to run my workloads and create my services - that choice might be influenced by regulatory frameworks, cost-driven issues or just the common fact that we have the know-how to build it ourselves on top of the traditional Microsoft-provided stack hosted on prem.

    Best regards

    Anders

  • DetVidunderliga
    Copper Contributor

    Thank you sir for taking the time to reply and I shall look in the coming blog post for the answer to my question.

  • ohault
    Brass Contributor

    On the one hand, file sharing over the Internet should be somehow deeply integrated with at least both Microsoft OneDrive and Google Drive.

    On the other hand, for private traffic (in the data center), relying on MPTCP will provide a seamless and simpler approach, especially for COTS hardware.

  • Wes808
    Brass Contributor

    The asterisk is exciting pre-news, Ned! Could we expect something further in October, in CY 2023, or beyond?