SMB origin
Server Message Block (SMB), also known as the Common Internet File System (CIFS), is an application-layer network protocol developed by Microsoft. Its main function is to let machines on a network share files, printers, serial ports and other communication resources. It also provides an authenticated inter-process communication mechanism. It is used primarily on machines running Microsoft Windows, where it is called Microsoft Windows Network.
SMB version
OS | Windows 10 / WS 2016 | Windows 8.1 / WS 2012 R2 | Windows 8 / WS 2012 | Windows 7 / WS 2008 R2 | Windows Vista / WS 2008 | Previous Versions
Windows 10 / WS 2016 | SMB 3.1.1 | SMB 3.0.2 | SMB 3.0 | SMB 2.1 | SMB 2.0 | SMB 1.0
Windows 8.1 / WS 2012 R2 | SMB 3.0.2 | SMB 3.0.2 | SMB 3.0 | SMB 2.1 | SMB 2.0 | SMB 1.0
Windows 8 / WS 2012 | SMB 3.0 | SMB 3.0 | SMB 3.0 | SMB 2.1 | SMB 2.0 | SMB 1.0
Windows 7 / WS 2008 R2 | SMB 2.1 | SMB 2.1 | SMB 2.1 | SMB 2.1 | SMB 2.0 | SMB 1.0
Windows Vista / WS 2008 | SMB 2.0 | SMB 2.0 | SMB 2.0 | SMB 2.0 | SMB 2.0 | SMB 1.0
Previous Versions | SMB 1.0 | SMB 1.0 | SMB 1.0 | SMB 1.0 | SMB 1.0 | SMB 1.0
Note: Earlier builds of Windows 10 and WS TP report the SMB version as 3.1.
How to view SMB versions
On Windows 8 or WS 2012 and later, run the following in PowerShell as administrator:
Get-SmbConnection
For details on each version of SMB, see: https://en.wikipedia.org/wiki/Server_Message_Block#SMB_3.1.1
For the new features in SMB 3.1.1, see: https://blogs.technet.microsoft.com/josebda/2015/05/05/whats-new-in-smb-3-1-1-in-the-windows-server-2016-technical-preview-2/
One point worth noting is that SMB 3.1.1 defaults to AES-128-GCM for encryption, whereas SMB 3.0 used AES-128-CCM.
About upgrading SMB on the client
The information found so far indicates that the SMB protocol on a client cannot be upgraded to a higher SMB version. When planning an enterprise file server, you therefore need to take into account the SMB versions of the enterprise clients and match the SMB server to them, using the SMB version table above.
Disabling support for older SMB versions on the SMB server
In Windows 7 and WS 2008 R2, disabling SMBv2 disables the following features:
Request compounding - allows multiple SMB 2 requests to be sent as a single network request
Larger reads and writes - better use of faster networks
Caching of folder and file properties - clients keep local copies of folders and files
Durable handles - allow a connection to transparently reconnect to the server after a temporary disconnect
Improved message signing - HMAC SHA-256 replaces MD5 as the hash algorithm
Improved scalability for file sharing - the number of users, shares and open files per server is greatly increased
Support for symbolic links
Client oplock leasing model - limits the data transferred between client and server, improves performance on high-latency networks, and increases SMB server scalability
Large MTU support - full use of 10-gigabit (Gb) Ethernet
Improved energy efficiency - clients that have files open on a server can sleep
In Windows 8 and WS 2012, disabling SMBv3 disables the following features:
Transparent failover - clients reconnect to cluster nodes without interruption during maintenance or failover
Scale out - concurrent access to shared data on all file cluster nodes
Multichannel - aggregation of network bandwidth and fault tolerance when multiple paths exist between the client and the server
SMB Direct - adds RDMA network support for very high performance, low latency and low CPU utilization
Encryption - provides end-to-end encryption to prevent eavesdropping on untrusted networks
Directory leasing - improves application response times in branch offices through caching
Performance optimization - optimizations for small random read/write I/O
On Windows 8 or WS 2012, enter the following in PowerShell:
Disable SMBv2 and SMBv3
Set-SmbServerConfiguration -EnableSMB2Protocol $false
Disable SMBv1
Set-SmbServerConfiguration -EnableSMB1Protocol $false
PS: To re-enable a protocol, use the value $true.
On Windows Vista or WS 2008, enter the following in PowerShell:
Disable SMBv2 and SMBv3
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 0 -Force
Disable SMBv1
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
PS: For -Value, 0 means disabled and 1 means enabled.
Disabling the SMB protocol on the client
Disable SMBv1
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
Enable SMBv1
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb10 start= auto
Disable SMBv2 and SMBv3
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi
sc.exe config mrxsmb20 start= disabled
Enable SMBv2 and SMBv3
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb20 start= auto
A small case study
Environment: Windows Server R2 file server
Clients: Windows 7 and Windows 10
Problem description: A shared folder was set up on the server and first tested with a Win10 client, which worked normally. Access from Win7 was not tested before the share was opened to users. Win7 users then found that no matter how they entered the account and password, access was always denied, even though the permissions were correct.
Root cause: "Encrypt data access" was enabled on the shared folder.
In WS 2012, "Encrypt data access" encrypts data in transit to protect it against tampering and eavesdropping; the encryption algorithm used is AES-128-CCM. Older SMB2 clients, which use HMAC-SHA256, do not support it at all.
Workaround:
Method 1: Turn off "Encrypt data access" on the share. (If encryption is not a concern, the option can simply be cleared.)
Method 2: If encryption matters and SMBv2 clients must still be able to access the share, enter the following in PowerShell on the server:
Get-SmbServerConfiguration
The RejectUnencryptedAccess parameter controls whether clients that do not support encryption are denied access when they try to connect to an encrypted shared folder. The default value is True.
We can set its value to False.
In PowerShell, enter:
Set-SmbServerConfiguration -RejectUnencryptedAccess $false
That is all that is needed.
PS: The Method 2 command applies to the entire SMB server, and while the value is False, clients that cannot encrypt reach encrypted shares without encryption. This method is generally used as a transitional measure; if the client version is SMB 3.1, it is recommended to set RejectUnencryptedAccess to True.
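An added example (not from the original post) that applies the case above to a server's SMB sessions: it reports what each client would get when opening an encrypted share under a given RejectUnencryptedAccess value. The function name Get-SmbEncryptionImpact and the sample sessions are assumptions made for illustration.

```powershell
# Added example: classify SMB sessions against the server's encryption policy.
# Get-SmbEncryptionImpact is a hypothetical helper name, not a built-in cmdlet.
function Get-SmbEncryptionImpact {
    param(
        # Objects with ClientComputerName, ClientUserName and Dialect (as returned by Get-SmbSession)
        [Parameter(Mandatory)] [object[]] $Sessions,
        [Parameter(Mandatory)] [bool] $RejectUnencryptedAccess
    )
    foreach ($s in $Sessions) {
        # SMB encryption requires dialect 3.0 or later, so the major number decides.
        $major = [int](([string]$s.Dialect) -split '\.')[0]
        if ($major -ge 3) {
            $outcome = 'Encrypted'        # client can encrypt
        }
        elseif ($RejectUnencryptedAccess) {
            $outcome = 'AccessDenied'     # the Win7 symptom from the case above
        }
        else {
            $outcome = 'Unencrypted'      # access works, but without encryption
        }
        [pscustomobject]@{
            Client  = $s.ClientComputerName
            User    = $s.ClientUserName
            Dialect = $s.Dialect
            Outcome = $outcome
        }
    }
}

# Constructed sample sessions (not real hosts) so the function can be tried offline.
$sample = @(
    [pscustomobject]@{ ClientComputerName = '192.0.2.10'; ClientUserName = 'EXAMPLE\win10user'; Dialect = '3.1.1' }
    [pscustomobject]@{ ClientComputerName = '192.0.2.20'; ClientUserName = 'EXAMPLE\win7user';  Dialect = '2.1' }
)
Get-SmbEncryptionImpact -Sessions $sample -RejectUnencryptedAccess $true | Format-Table -AutoSize

# On the file server, in an elevated session, use live data instead:
# $cfg = Get-SmbServerConfiguration
# Get-SmbShare | Where-Object EncryptData | Select-Object Name, Path   # shares with encryption on
# Get-SmbEncryptionImpact -Sessions (Get-SmbSession) -RejectUnencryptedAccess $cfg.RejectUnencryptedAccess
```

Running it before turning on encryption for a share shows which connected clients would be locked out, and running it with the value False shows which ones would be transferring data without encryption.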
If you are interested in SMB, refer to: https://blogs.technet.microsoft.com/josebda/2015/04/30/smb3-networking-links-for-windows-server-2012-r2/
This article is from the "Gs_hao" blog; reprinting is declined.
Talking about SMB and SMB small case sharing in Windows server