 Welcome to the Windows Server Engineering Summit. Today I'm talking about Next Generation SMB, that's the remote file services SMB, not small, medium business SMB, in Windows Server 2025 and Windows vNext. My name is Ned Pyle, I'm a Principal Program Manager in Windows Server. You probably are here and know me from SMB, the protocol over the years. You might also know me from Active Directory and DFSR and Storage Replica and lots of other stuff. I've been around here a long time, you can tell from my extremely gray beard. So what's the agenda? Having a security mindset, Windows and Windows Server 2025 are the next generation of security, but they're also part of a change in mindset around secure by default, around the most secure posture we can have out of the box, get away with those things, and about shifting existing functionality to follow that mindset. So this session is about that, it's about what's coming next, a lot of those changes I'm talking about are security related. There's also a lot of real functionality changes coming as well, but a lot of these ones here in this particular release are security. I'm going to have a lot of demos, a lot of hands-on, everything you do here, everything you see here from me, you can do in Insider builds. So if you go to the Windows Insider program, the Windows Server Insider program, all this stuff that I do, you can do and if you go to the FileCab blog, that's the Windows Storage blog, you'll see specific hands-on steps to run PowerShell or do Group Policy or whatever and be able to do these as well yourself. So let's get to it. I've only got an hour to cover a ton of stuff. So what is this mindset I'm talking about? What is this security campaign I'm talking about? We are really radically shifting with SMB the protocol and its implementation in Windows, and to try to force the entire ecosystem of SMB, which is vast, billions of devices support SMB. 
Right now, if I was to look at telemetry, I would see hundreds of millions of Windows devices using SMB right now, hundreds of millions. So this mindset change happens right away is making security the highest priority, the first priority over performance, over compatibility. And that's a list which for the last 25, 30 years has been reversed, right? Windows lives by, it's the most compatible, especially backwards compatible. Then the performance is the most important thing. And security traditionally was the least of those things when you had to have a winning argument. Now the focus in SMB will be security first, performance you will have to consider secondary and compatibility tertiary. So there's a lot of capabilities, a lot. I got a lot to cover here, let's get to it. So this continuum here, this timeline is across the last three years of us doing development since we shipped Server 22, Windows 11. Starting with the year 2022, we started pushing out some significant SMB changes. We changed how compression worked. Compression was released in Windows 11. It gave you the ability to do much more efficient, faster copy of big files on really narrow or congested networks. And we made changes that we kept iterating and improving it. We also started creating new functionality in the Insiders builds. The first one was this thing called the rate limiter. And then moving on to the next year of 2023 in the first half, we added guest auth being off. We removed the SMB1 client being on by default in Home. We disabled mailslots and we started requiring signing. So you can see it through this year, progressively you'd see different things coming online either through Insiders or what were called moments that basically they were updates happening through Windows Update to Windows across the course of the years. Let's get into some of this in more detail now. We'll come back to this continuum later. So the first big thing is this SMB auth rate limiter. What is that? 
It throttles bad user names and password attempts, brute force attacks, trying to guess passwords. You can send a lot of those against SMB and because SMB is on and if it's been configured in the firewall it is listening, you can use SMB as a way to try and maybe guess an administrator password or guess some highly privileged user password. So what we do now is we throttle bad passwords from NTLM, PKU2U and this new thing which you might not have heard about yet called local KDC. It doesn't affect AD based Kerberos attempts. If you are familiar with Kerberos and you should be if you work in any enterprise, it sends along tickets and they are effectively in their own channel, right? I say I'm gonna go and do an AS-REQ, I'm gonna provide a password, I'm going to get a ticket. That ticket is granting me access to some remote thing to go do and I'm gonna send along that ticket to that remote thing and they'll say sure and then my actual protocol usage can begin. Well, NTLM, PKU2U, they don't work like that. I mean their SMB connection is part of the authentication process directly and local KDC, this new thing will be as well. Local KDC is what it sounds like. Windows, the next Windows Server 2025 will now have a tiny little Kerberos key distribution center on every device which means you won't have to use NTLM. Which means you can turn NTLM off and it'll still work in a workgroup. It'll still work in a DMZ where there's no Active Directory. A lot of possibilities are coming here as part of this security mindset change, okay? So let's get back on subject. What is this auth rate limiter buying me? It adds a two second delay between each failed attempt for my client. This is configurable. It could be anywhere from zero to 10 seconds and it's in milliseconds so you can really do it very particularly if you wish. And it is on by default. You can control it in PowerShell using the server configuration. 
This is a server-side setting through InvalidAuthenticationDelayTimeInMs. That's a real mouthful of a parameter name or you can use this group policy. And so what would this do practically? Right now if I could send 300 brute force attempts trying to guess a password a second and SMB will gladly handle that. SMB is a kernel driver. It can handle a lot of auth attempts. It's extremely good on resource handling. It's designed to be connected to a lot by a lot of machines. You know, those machines are designed to push a lot of data so auth is no problem. If I do that for five minutes I can send 90,000 attempted passwords, just try to guess 90,000 times in five minutes. That's a lot. With this auth rate limiter on that same guessing pattern would now take 50 hours. So we didn't stop brute forces. We didn't stop dictionary attacks. We didn't stop guessing attacks. But what we did stop was easily using that to get in. And so now an attacker is more likely to simply give up and move on to some other technique or better yet some other machine. And this is especially useful for an unmanaged device where there's no intrusion protection software and nobody's really keeping an eye on it but somebody could gain access to the device especially as a consumer or even as a gently managed end user and then use that for ransomware or lateral movement or all sorts of things that are gnarly and disgusting. We'll see this thing in a nice quick demo. So here I go. I've got this setting and right now it's like I said it's on by default. So let's just get SMB server configuration and look for this invalid long, long name. Right now it says 2,000. That's 2 seconds, 2,000 milliseconds. And I'm gonna set it for the purposes of demonstration back to zero, back to the behavior of like Windows Server, every other version, old Windows servers or clients. And I wrote this script, it's an awful script. You can have it, you can contact me if you want it but it's really gross. 
All it does is basically try to connect to some share and send along random passwords and not really trying to do it as fast as it possibly can. So I tell it, try once, connect to this share and try this user, blammo. That was immediate, right? This is the today behavior of say like Windows Server 22. Five seconds, wow, I'm doing 52 passwords a second. Let's try 50 passwords. I'm gonna do almost 60 passwords a second on this crap old script. Somebody writes something much faster than that. So now let's set this thing back to the 2,000 milliseconds, that default of two seconds. This is the out of box setting and try this again. One Mississippi, two seconds. Let's change it over to five attempts. One Mississippi, two Mississippi, three Mississippi, four Mississippi. You know what's gonna happen, right? It's gonna take 10 seconds for this thing to come back and finally say no, you didn't guess the password, chump. Now imagine trying to go against this machine. The attacker is gonna get bored of this real quick and that's the goal. Get bored of this, move on. Defense in depth, right? The onion layers. There's no single magic way to protect your machines. This is just one of those additional layers. On by default, in Windows Server 2025, Windows client vNext. So obviously you can control this through group policy. I was doing that all with PowerShell. Who wants to go around PowerShell on 10,000 machines? You can just enable the auth rate limiter here. We also have the ability, it's coming to Insiders very soon to be able to set the timer inside of group policy as well. There's still things being finished up here in the last few minutes of being ready to ship this OS. And also some things will show up after we ship. That's what we call DCRs. But you'll be able to control everything I talk about today, everything through both PowerShell and group policy when all is said and done. So the next thing here is guest auth off in Pro. What does that mean? 
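The following is an added example, not part of the talk and not Ned's script: a small PowerShell timing harness that does what his "awful script" does, repeated failed logons against a share, so you can measure the auth rate limiter from a client. The share name and the account are placeholders. Use an account that does not exist on the target so you cannot lock out a real account; a local-account logon to the target fails with NTLM on the target itself, which is exactly what the limiter throttles.

```powershell
# Added example (not from the talk): time repeated failed SMB logons from a client
# to confirm the server's auth rate limiter is adding its per-failure delay.
function Measure-SmbAuthDelay {
    param(
        [string]$Target   = '\\fileserver.contoso.local\share',  # assumed share
        [string]$User     = 'fileserver\nosuchuser',             # assumed non-existent local account
        [int]   $Attempts = 5
    )

    $perAttemptMs = foreach ($i in 1..$Attempts) {
        # A fresh random password each time, so every attempt is a distinct failed
        # session setup, the way a guessing tool behaves.
        $pw = [guid]::NewGuid().ToString('N').Substring(0, 16)
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        # net use fails here; how long it takes to fail is the measurement.
        net use $Target $pw /user:$User 2>&1 | Out-Null
        $sw.Stop()
        # Drop any half-open mapping so the next attempt opens a new session.
        net use $Target /delete /y 2>&1 | Out-Null
        $sw.Elapsed.TotalMilliseconds
    }

    [pscustomobject]@{
        Target       = $Target
        Attempts     = $Attempts
        AverageMs    = [math]::Round(($perAttemptMs | Measure-Object -Average).Average)
        TotalSeconds = [math]::Round(($perAttemptMs | Measure-Object -Sum).Sum / 1000, 1)
    }
}

# On the SERVER (or via Invoke-Command to it): read the effective setting from the
# cmdlet, not the registry. 2000 ms is the Windows Server 2025 default; 0 is the
# old behaviour and is only useful for a before/after comparison like this one.
#   (Get-SmbServerConfiguration).InvalidAuthenticationDelayTimeInMs
#   Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs 2000 -Force

# With the default delay expect roughly 2 s per attempt (about 10 s for five);
# with the delay set to 0 the same loop finishes in well under a second.
Measure-SmbAuthDelay -Attempts 5
```

Because the delay is applied per failed attempt and a guessing tool cannot skip it, the limiter only needs to hold a single connection's failures; the measured AverageMs should track the server's InvalidAuthenticationDelayTimeInMs plus network round trip.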
Guest auth is still fairly common in the consumer world. In a network appliance device, the kind you could buy like a big box store with a disk in it that you can map a drive to. It was very common for vendors there in these inexpensive devices to use guest authentication rather than actual security. So it was very easy for a user to connect because these folks didn't care about security, they cared about easiness, right? It's a $99 device. It's still fairly common in that space, although luckily it's been going away. And so we starting in Windows 10 started getting rid of guest authentication in SMB. It's a fallback behavior. It was a pretty easy method to attack a client by saying, hey, connect to this share. And you try to connect and you wouldn't have the password and the password wouldn't work. And then the client would say, well, I'll just try guest and it would connect. And then your attacker can get them to click on something or run something or they're pointing to a batch file and execute some payload. And suddenly you've got, you're covered in evil. So we turned this off in Enterprise and Education and Windows Server years ago. We're now turning it off in Pro. That's Windows Pro editions, Pro, Professional, which means that only Home is the last edition of Windows left that will do this fallback behavior. And then that's eventually gonna go away. This has been like the process of us removing SMB1. It takes some time, but we would get there eventually. And this one's gonna take a little bit longer because these consumer devices out there, they still exist. And it's very difficult to explain or manage a completely consumer end user who doesn't really know what's going on or why they can't connect anymore. Then, and this has actually already happened in Windows 11. We turned off the SMB1 client in Home edition. 
About eight years ago when I started the SMB1 removal campaign, one of my most notorious, infamous moments in Microsoft, about 45% of all SMB traffic was SMB1. I could tell from telemetry. That's in the Windows 10. Now it's down to about 0.25%, about a quarter of a percent. You're looking at an actual telemetry dashboard of SMB right here from Windows. So SMB1 is effectively gone. And I mean, just not just gone from Windows, it's gone from the ecosystem. And it is no more, that makes me extremely happy. The next thing we've done here at Insiders is we have disabled mailslots. You've got to be pretty darn old to remember seeing mailslots in the wild when it first came out in the 1980s. It's a very simple protocol with no security, not unsafe, no safety, anonymous. You could do things like send messages to a network anonymously saying you were somebody else about whatever you wanted. People had all sorts of hilarious pranksters and fun. Tricking people into thinking that they had been attacked by viruses or that it was time to go out and have a drink. Have a drink. That net send command is no more, but the actual protocol underneath it is still in existence. And so now in SMB and in Active Directory in the DC Locator protocol, mailslot is disabled by default and is no longer used anywhere. And no application can make use of it through those areas. You can control it with PowerShell and Group Policy. Again, it's a client configuration, it's off by default, so you'd have to go turn it back on to make some heinous application work. But it is officially deprecated. So if you find yourself turning this on to make mailslots work, understand that you are standing next to a ticking time bomb because we're gonna pull this protocol out. It's gonna be gone in a future release. By being officially deprecated, that means we now reserve the right to remove it in any operating system update after this release. Any one we feel like. So you've gotta get it out of there. 
And then here's a really big thing. So this is one of the major, major pieces of news and this is one of the last things we did in that first half of the calendar year and that is requiring signing by default. SMB signing is integrity protection of SMB traffic, right? It's not encryption. So it doesn't protect people from seeing the SMB payload but it does prevent them from manipulating it. So spoofing, pretending to be somebody else, tampering with the payload so that what you sent isn't what it gets received or what you asked for isn't what you actually get. All of those things are protected by a thing called SMB signing and signing has been around since NT. It's very, very old and it's been updated over and over again to have more secure cipher suites to go with it but it's been there for a long time but it's never been on by default unless you were talking to a domain controller either because the domain controller itself required it through the Default Domain Controllers Policy or your client required it because it was using UNC hardening and it was connecting to shares called SYSVOL or NETLOGON which any AD admin knows are the automatically created shares on domain controllers. Now Windows and Windows Server 25 have signing on by default to be required. It's not in all cases. So understand this very carefully. The SMB server requiring signing so inbound to me, I'm an SMB server. Windows clients require it but notice that servers don't require it. Now SMB client signing being required, the client part, outbound, Windows and Windows Server all of them are requiring signing now, all of them. So we can prevent these types of attacks, relay attacks, attacker in the middle, phishing attacks, all these things that you would commonly see being used to basically poison SMB to redirect you to somewhere else to tamper with it to do some evil. Signing stops that, it stops it dead. 
And so you're gonna have to decide to opt out of this because we're no longer gonna be a party to SMB being used for evil in this way. You control it in PowerShell, you control it in group policy. I'm gonna be like a real broken record here about PowerShell and group policy and something I wanna point out: stop querying the registry. Stop using the registry as what you believe to be the source of truth and start using PowerShell and group policy to see the effective results. So if I set this through group policy, if I set this through PowerShell, if I was to go write this in places, by using the PowerShell I can tell you what the effective result is. I can also look at group policy RSOP but if I just do Get-SmbClientConfiguration or Get-SmbServerConfiguration it'll tell me the truth on that machine of what it believes the setting is to be right now. Stop looking down at the storage areas which doesn't necessarily understand what the server and client drivers are telling you is the truth. Use PowerShell or RSOP as the truth. Okay. Now let's say I turn on signing or I've got signing turned on and I deploy Windows vNext or the server and it doesn't work. What would I see? If signing's prevented these are your errors. These are the things that will come back or show up from the client or from the server. If signing's being tampered with, if some WAN appliance in the middle, some optimizer, just doesn't support signing or isn't configured correctly for signing. If the device you're connecting to isn't Windows, all versions of Windows support and enable signing, all of them, all of them. Even the ancient unsupported ones. So it's not Windows' fault if signing doesn't work. It is always a third party's fault. Always a third party's fault if signing does not work. And so if you got some wacko Linux device from 1999 and it barely supports SMB and if you've got some other stuff it doesn't matter. 
These are the errors you will get and if the signing is not working it's not Windows, it's something else. Go look at something else. What are you connecting to? What are you connecting through? And then the other aspect of signing and one of the big arguments against turning it on for years was our mandate about compatibility that's up there and then performance that's here. Obviously turning on signing reduces performance. Core count, speed and utilization are the real factors here for your CPU. You should not see significant throughput reduction. If you got like a relatively modern machine, you've got a relatively normal number of cores and you're not super already overloaded from a bunch of other nonsense running on there, you should see around 15% reduction in throughput. So a one-minute copy now takes a minute and seven or eight seconds maybe. It's not gonna burn down the world and you're getting a huge amount of protection to get this. The reason why it's not turned on by default on server inbound for signing is because in that particular, you know in that arena those six, eight, seven seconds really do matter to some workloads. So we leave it to an administrator to make a decision over there. From the client side though we wanna make you opt into danger not opt out of danger. Don't forget that SMB compression which I mentioned at the very beginning of this will go a long way towards offsetting some of this performance hit. So you might lose 15% throughput with signing but you might gain 50, 60, 70, 90% throughput with compression and therefore, you know, make the whole thing a wash. So don't forget about using compression especially for larger and more inefficient files to get back some savings here in this space. But you must test, you must decide. 
All the stuff I just showed you are things that only you can tell because I don't know what kind of CPUs you have I don't know what your workloads are I don't know what your SLAs are you must test and decide. Okay, we also added auditing events this way you can tell that signing isn't supported this will help you learn about those third parties out there and the problems that they're causing. And there's group policy for this. And there is group policy for all this. I have not forgotten you group policy administrators and I've not forgotten you active directory administrators. Everything that you managed with today will work here in group policy. So, you know, this is the thing I want to get out there in the world you might have seen my SMB1 clearing house it says still needs SMB1 that was a place to sort of shame third parties and vendors into saying like your product sucks and people shouldn't buy it unless you give them an upgraded version that supports SMB2 or later we're gonna do the same thing for signing. So, this link, which I don't have turned on right now because I don't have a big enough list and I don't wanna show up with like one vendor on there looking like the world's worst vendor I wanna have five or six. Gets populated by you. You email me that won't sign SMB at Microsoft.com Give me some evidence of vendor link, network capture, whatever. Screenshots, I don't care. As long as we can prove to each other reasonably that signing is not possible and the vendor says like, whoops, we don't do signing we will put them up on the shame board and eventually people will learn not to use this product or to upgrade this product or to get a better version of this product or whatever because what I don't want you to do is turn off signing. Again, all Windows versions support signing it's always enabled. Anything which doesn't do signing is not from us. It's from a third party. And if it won't sign by default they might have a way to go turn it on. Go turn it on. 
Don't turn off signing in Windows. Go turn on signing in this other thing. And if you can't turn it on, you really look and they really just made a crappy device that doesn't support signing, upgrade that device, upgrade that application, yell at that vendor, replace them with a competitor, all those things work great. I mean it. Don't make me send Darby after you. Okay, so that was the last couple of years in the first half of 2023. Now, the rest. We added an NTLM blocking option. We added dialect control. We added SMB over QUIC client access control. We added global encryption from the client. We added SMB firewall rule tightening. We added SMB alternative ports and we added an extra special thing that we'll leave for a surprise at the end. So SMB NTLM disable option. This is our ability to stop sending along NTLM challenge responses. No more hashes. No more sending of password information in SMB for attack offline cracking, brute force, John the Ripper, all that stupid goofy stuff or pass-the-hash impersonation because you can now turn off NTLM specifically in SMB. So when you connect, it's gotta be Kerberos. It's gotta be PKU2U. It cannot be NTLM. We will not even send it out. It will never go on the wire at all. And this is part of a larger change happening in Windows LSA and the Windows security subsystem for this thing called SPNEGO, security package negotiation, that an application or a service or in our case a driver can subscribe to and say, look, I don't care that Windows supports NTLM. I don't support NTLM, me this app. And that's off by default because this one's gonna be tough, right? You've got a lot of devices out there that are using NTLM unwittingly. They could use Kerberos and they aren't or they are using NTLM because they must and this one's gonna be harder, a long-term effort but the actual Windows security team has worked out a solution here where they have built something called local KDC and IAKerb. 
And that's also part of Windows Server 2025 and vNext. That's not, it's a whole different discussion. That's really a whole topic to discuss on its own but it's the ability to have Kerberos in a workgroup. Kerberos with IP addresses. Kerberos with anything where you don't necessarily get Kerberos today where NTLM fallback happens or where NTLM was required, it's no longer gonna happen. So it's for remote NTLM usage in SMB but Windows is coming up with a way now to no longer need NTLM at all anywhere, ever. And working through the process of making sure now that all these vendors out there also follow that and don't require NTLM unnecessarily. So you can control the SMB part. Again, it's broken record time, client configuration, disable NTLM. There's also an exception list. So you can control, well, maybe I need to use a little NTLM. Maybe just to this one Linux server, this one Windows server, it's in a DMZ and it's got no Active Directory and we just manage it with local user accounts. And it's running Windows Server 2008. We can't do anything about IAKerb and local KDC. So you will have the ability to get out of jail on this but generally speaking, stop using NTLM. And in an Active Directory world of SMB, there's really not a whole lot of good reason to be needing NTLM and see if you just turn it off. So let's see this in action. All right, so I'm gonna take a look at my client settings real quick. And remember, this is not on by default. This blocking behavior is off by default because it's gonna be pretty disruptive, right? So right now, if I was to go and map a drive over to my server, see the old fashioned net use command, I'll just connect to some share and I'll use a local user account, right? So this one's needing NTLM because it's a local user. And I'll turn on Wireshark so I can actually see this happening under the covers because it's not very exciting in the demo. Type in some extremely good password. 
And if I take a look closer down at the negotiation phase where auth happens, here is the NTLM security package being used because I use a local user account. And we can even prove that even harder by digging down into this frame where you can see my admin user on the host is a local user. There's no domain, okay? So now we'll just clear this drive mapping so we don't have any cached creds. Make sure you always do that whenever you're doing demos of SMB stuff. And then I'm going to turn this on. So my client now is no longer going to allow NTLM. True. Yes. Notice how I'm not rebooting. Notice how during none of these demos will I be rebooting or doing any of that shenanigans. SMB always knows that something's got changed because we know what we're doing over in code writing land. Let's try and map this drive. Oh, a nice useful error, NTLM's disabled. And we look over here, you can see on the wire that I tried to negotiate and got back the error that it is disabled. Nice and clear cut and distinct. There's a good policy for this. Notice I have Block NTLM. When I say NTLM, just so we're clear, yes I mean LM, yes I mean NTLM, yes I mean NTLMv2. Everybody gets wound around the axle saying like, oh, do you mean this version of NTLM? Yes, NTLM means all of these things to us. We no longer want to care about v2 or v1 or LAN Manager, which is what the LM stands for, as distinct things. They all suck and they're all deprecated and we all want them to go away, all of it. And it's too cumbersome to say, NTLM, LM, NTLMv2 blocking. So, and notice I can also do this exception list. So here I've got some machines that have to use NTLM for some reason. And so I've turned off NTLM for the world except for connecting to these machines. I can do it by name, by FQDN, by IP address. And that way I can guarantee that my goofy app running on some critical server that can't be updated for who knows what reason can keep operating. But my general use of NTLM is now restricted just to that machine. 
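The following is an added example, not from the talk: a PowerShell pass that first finds the connections that would break, then applies the client-side changes discussed above (signing required outbound, guest fallback off, mailslots off, NTLM blocked with an exception list, plus the SMB 3.1.1 dialect floor covered in the next part of the talk), and finally reads the effective settings back with the Get-Smb*Configuration cmdlets rather than the registry, as Ned insists. The exception-list hosts are placeholders. Cmdlet and parameter names are those of the SmbShare module in Windows Server 2025 / Windows 11 as I know them; nothing here needs a reboot.

```powershell
# Added example (not from the talk): client-side SMB hardening with a pre-flight
# check and an effective-configuration verification. Run elevated.

# 1. Pre-flight: which current connections are unsigned or on an old dialect?
#    Those servers (or the middleboxes in front of them) will fail once signing
#    and the dialect floor are enforced; they are also the NTLM exception candidates.
function Get-SmbRiskyConnections {
    Get-SmbConnection |
        Where-Object { -not $_.Signed -or [version]$_.Dialect -lt [version]'3.1.1' } |
        Select-Object ServerName, ShareName, UserName, Dialect, Signed, Encrypted -Unique
}
Get-SmbRiskyConnections | Format-Table -AutoSize

# 2. Desired client state. The two hosts are assumed legacy boxes that still need NTLM.
$clientDesired = @{
    RequireSecuritySignature     = $true     # refuse servers that will not sign
    EnableInsecureGuestLogons    = $false    # no guest fallback
    EnableMailslots              = $false    # deprecated; leave it off
    BlockNTLM                    = $true     # Kerberos / PKU2U only on the wire
    BlockNTLMServerExceptionList = @('legacy-nas.contoso.local', '10.20.30.40')
    Smb2DialectMin               = 'SMB311'  # dialect control: 3.1.1 or refuse
}
Set-SmbClientConfiguration @clientDesired -Force

# 3. Server side is opt-in (inbound signing is left to the admin because of the
#    throughput cost); the rate limiter stays at its 2 s default.
Set-SmbServerConfiguration -RequireSecuritySignature $true `
                           -InvalidAuthenticationDelayTimeInMs 2000 -Force

# 4. Verify from the driver's point of view. One row per setting with Expected,
#    Actual and InSync, so drift from a GPO or a later script stands out.
function Test-SmbHardening {
    param([hashtable]$Desired = $clientDesired)
    $actual = Get-SmbClientConfiguration
    foreach ($name in $Desired.Keys) {
        $want = $Desired[$name]
        $have = $actual.$name
        $same = if ($want -is [array]) {
            # list-valued setting: order-insensitive comparison
            -not (Compare-Object $want ([string[]]@($have | Where-Object { $_ })))
        } else {
            "$have" -eq "$want"     # booleans and enums compared as strings
        }
        [pscustomobject]@{ Setting = $name; Expected = "$want"; Actual = "$have"; InSync = $same }
    }
}
Test-SmbHardening | Format-Table -AutoSize
```

Run step 1 for a while on a representative client before step 2; anything that shows Signed = False is a third party that will fail with signing required, and the fix is on that device, not turning signing back off here.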
Okay, so that was that. Let's talk about dialect control. What is a dialect? Dialects are just versions and versions that represent a series of capabilities, right? So you already know what a dialect is. SMB 3.1.1, that's a dialect. SMB 3.0, that's a dialect. Slightly different version has different abilities. Dialect control allows you to set a range of refusal or allow for SMB2 and 3 as an entire family. Previously you could get rid of SMB1, and you're like, okay, job done, no more SMB1. But if you found some reason to not want to have SMB 2.0.2 to show up, it's less secure. It implies that Vista is still running around in your network. You were out of luck. So what this gives you is better security control, very fine-grained security control over SMB in a modern environment. I can, it actually first came around on Windows 10 as sort of a semi-documented feature just for the client, just for, I'm not even sure if we had a good policy at first. But now we have a PowerShell for all of it, for both server and client. And you can set a minimum and a maximum, and there's group policy throughout. You don't need to set max. Setting max is just sort of being persnickety. Right now the max would be 3.1.1. You could set max to nothing and just have SMB, the minimum be 3.1.1, and that is implicitly the max of 3.1.1 because there is nothing higher than that. So let's see this one in action. And it's important to understand this. It's good to set this and run it from the perspective of wanting better security. You've also got to be careful, right? Because plenty of Windows versions over the years, many of them still out there, 2012, 2012 R2. They're still out there not supporting SMB 3.1.1. So you have to be cautious about blasting yourself with a setting which is too restrictive. And certainly if you've got a bunch of like ancient Linux running around and who knows what else, it's very unlikely that they support the full gamut of SMBs. So let's give this a whirl. 
I'm gonna set my client configuration with a min and a max just for the argument of showing off the feature. And these are a nice little enum list so I can just arrow my way through, not have to type anything, get it wrong. So 3.1.1 is my minimum. I'm gonna set my maximum just because I like to touch stuff and hit okay. I'm gonna set my maximum and go for it. And now if I do my network capture, if you're familiar with SMB, during some of that protocol negotiation phase, you would see a list of all the various versions of SMB that I support as a client. So if I go down and look at my negotiate request, that's not a list anymore. That's just, I just support SMB 3.1.1. They don't even go on the wire, that's it. And the server says, oh cool, I do too. I might support others, but we're just gonna do one. Now this is clearly not Windows 11. This is a 2012 R2 machine. I'm trying to connect to that same destination. I don't support 3.1.1, so I couldn't connect. I get STATUS_NOT_SUPPORTED. And if you saw that, as I breezed through it, you saw that my list of SMB dialects, I don't know what 3.1.1 is, I can't request it. And so I was refused. And that's the thing to watch out for. So you got good policy for this, you can mandate the minimum and the maximum. And then we move on to this. I wanna reintroduce SMB over QUIC. This came out a couple of years ago in Windows Server Azure Edition on 22 and QUIC is a replacement for TCP. And it's a consortium protocol, an IETF protocol out there in the world used for things like HTTP/3 and DNS and SMB as a way to work safely over unsafe networks. So it's UDP-based, it's very secure, very reliable. It always requires an implementation of encryption. It uses TLS 1.3. It does not require a VPN. That's the beauty of it. You're basically, you are a VPN. Your browser, Edge browser, will do HTTP/3 over QUIC. And the entire communication is happening encrypted the entire time over port 443 by default. 
And from an SMB perspective, it's useful for things like telecommuters and mobile devices and cloud connectivity and really super high security environments, right? That makes sense. It came out, like I said, in Azure Edition. And if you wanna see, if you know, if you'd ever play around with Azure Edition, it would look like this. So I've got my client and I'm gonna map a drive which I've opened up and I've got this, you know, document I'm working on. In this case, it's a book about dogs and I'm working here in my share. It's got these dogs in here. I'm gonna sell this thing on Barnes & Noble for a million billion dollars and be rich, like Stephen King, obviously for different reasons. And now I wanna go get some coffee. I'm gonna sign off, go over to the coffee shop across the street. I sit down, I've got my mocha latte and I try to go back to my share. Where's my share? Here's my share down here. And I try to open it and it just sits there. And it sits there for a minute. This is me shaving time off the demo so you're not staring at this for a minute and then you get some complete nonsense error from the shell, it takes a ton. So what can I do as an administrator? Let me go into Windows Admin Center, go to File Shares and configure SMB over QUIC. It's something I can do today. And now I get the right certificate. I put that under my server and I select that certificate and it's gonna have names in it that are allowed to be connected to. We call these endpoints for QUIC. Really they're just server names, right? And I can choose that certificate. I can choose to use Kerberos via KDC Proxy and I can enable all this. It turns on. My client, which was issued a root certificate out of that same issuer chain, can just start working right now. If I just open that file again, it will work. I didn't have to do anything. And kablamo, there's my document. And under the covers, SMB was trying TCP. It didn't work and it's like, let me try QUIC and it did work. And so there you go. 
So that's the feature today, right? Well, the thing about that is, you saw that I didn't have to, you know, there was nothing about the client in any of that process. That was just setting up a server and saying come and get it. Client access control is a new feature for SMB over QUIC that says we can do mutual authentication through a cert exchange. And that means that I can allow and block specific clients. Right now I'm relying on a client to know where it is to connect to it, to have a username and password that works for SMB, and has a trust chain and a valid set of certificates issued by me, so that that's the level of trust. This new thing says I don't trust anybody to connect, even to QUIC. Never, before they get to SMB. They can't even trust connecting to QUIC unless they provide me with a certificate that I issued to them, and that certificate is listed on a chain of issuers and is put into an access control list for mutual auth. So this is, you start to identify by the SHA-256 hash. You can also optionally choose an issuer name, and access is only granted if there's no deny and if there's an allow. So that's extremely granular control, and with extremely granular control comes great operational overhead. Right. So you're exchanging ease of use now for, now I've got to manage all these clients connecting and getting them certificates. That might be a little too much burden for some folks. That's why this is not on by default. There's a way to split the difference, which is to use that based on issuer, where you say these clients that were issued certificates out of my issuer chain that I trust, if they've got a cert from me, that's enough to let them in. Not specifically anything more than a QUIC cert, but it's the right QUIC cert that I don't need to go and, like, plumb in. I'll see you in the demo right in here. Okay.
This mutual auth process is basically, and effectively, it's a client hello where a server sends a certificate back to the client and requests that client to send them a cert, and it gets validated on the client, it gets validated on the server, and other steps happen to make sure that the certificates themselves are valid, and that lets you in. Let's just see this in action. Shall we? So here I am. Notice that I'm not using WAC, because WAC's not ready for this demo right now, but I'm requiring client authentication on my server. So this is a new setting, and on my client I will now need to have a cert. Before, I didn't need to have anything but the root cert, the public key. Now I need my own actual cert issued to me, Johnny Client, and so I've got the certificate. Here it is. I've got a little hash that we're going to use here in a second, and I'm going to map for myself this certificate to my QUIC server. So, new client certificate mapping: here's my QUIC server name, and the name of my QUIC server, and here's a thumbprint from the certificate that I've got issued to me. You can automate all of this with PowerShell and not have to go through and be clicking around like a monkey like I am right now, but it's got to be somewhat interesting in a demo. So I've mapped the certificate with a thumbprint, and so now my client trusts the server. My server needs to trust the client. So I'm going to take that SHA-256 hash from my certificate and I'm going to give it to the server into an access control list using this grant command. So I'm going to grant client access to me using SHA-256 for this particular client. Blambo. Yes. And if I go back to my client right now and try to connect, bada bing. Now I'm using client access control. I'm QUIC protected. The server feels safer. The client feels safer. The admin feels safer. It's a lot more work, but it's a lot safer. So this here is not really a security feature. This is more operational. Azure Files has this problem.
ISPs block SMB on the internet. They block TCP 445. They block a lot of stuff. This is one of those things they block, and the VPN options to set up for Azure Files? Not ideal. It's a lot of work if you've ever read the documentation there. It's many, many pages and much clicking and typing and allow-listing and such. Also, SMB over QUIC, which runs by default on 443 as you know by now, is somewhat irritating to some administrators, where, like, you know, not everything can run over 443. I've got web traffic here. I've got DNS traffic here. I've got SMB traffic here. Let me split this out and just sort of see what's happening where, at a glance. So what we did is create, finally, for the first time, the ability for the SMB client and server to specify alternative ports. On the server side, right now, that is QUIC only. So I can specify QUIC on port 12345 and that will work, and no longer have to use 443. On the client side, I can specify whatever. So my client side says I'm going to connect, and that can be a QUIC port, that can be a TCP port, that can be an RDMA port, whatever floats your boat. And then Azure Files, as an example, is allowing TCP alternate ports. They will implement that, it's coming. And so if a client said I want to do TCP port 679, and Azure Files says oh, I will allow TCP 679 for SMB from this tenant, that will work. And you can specify all these settings on the server and on the client on the fly, even as you map drives, where you can say, like, I want to connect to this particular machine on this particular port. Or I can also specify I want to save this setting, so that when I connect to this machine and I don't know about ports and stuff, I just am mapping a drive, I will happen to use that port. We're also, don't tell anybody, working on this as a DNS option, so we would make it so that SRV records, which provide port information on DNS requests, could know about SMB and could know about alternative ports. So instead of doing all these settings
through Group Policy and PowerShell and all kinds of stuff, you can specify, like, look, I created a special kind of DNS record; when somebody connects to this server for SMB purposes, use this port or these ports, because you can do lots of these, you don't have to have just one. And that's all in Group Policy as well. Notice how here I can even specify alternative port mappings, so that I don't need to go and remember that this server is on port 555. I can just have it stashed here in my GP settings for that set of machines. Nice. Okay, we're getting close to being done here, but there's still more. Global encryption from the client: always encrypt all SMB outbound from your client. This will mean that encryption is just like signing now. You'll have the ability to say, like, I've got to encrypt, I don't care who I'm talking to, encryption better work or I'm not connecting. That's really for the highest security posture environments. Obviously encryption comes with a lot of penalties around compatibility to older devices that don't support at least SMB3, because there is no encryption in SMB before SMB3, or it's a third party that never implemented encryption. And they are out there, they definitely exist. Even though they say they support SMB3, they don't support encryption, or it's not turned on, or it doesn't work, or whatever. So it's for the highest security posture environments. It costs more on performance, but it's because you value security more than anything else that you would use this. It's not on by default, but you can go and do it now and say this client is going to encrypt. And we also added audit options so you can see where encryption is not working, and that way you can see if clients are not able to do encryption, or servers aren't able to do encryption, and make decisions about turning this setting on more broadly or not. You can also do all of this mandating through Group Policy, you don't need to use PowerShell, and all this auditing you can do through Group Policy, because I'm just that amazing
and helpful. Okay, firewall rules. We want to end some legacy firewall rules that have been around literally since XP. They were invented in XP as part of the Trustworthy Computing initiative where the firewall was added, XP SP2 I think. So if you install the File Server role on a Windows Server class machine right now, it opens up SMB 445 over TCP, and WMI and DCOM for management, and that's it. But if you were to go create a share, like right-click in Explorer and, you know, do Properties and create a share, or one of those goofball, you know, kind of user-y things, it opens up all these ports. All the shenanigans that's opened up because that's something that XP thought was important to do back in 2003 or whatever. So now creating a share that way doesn't open up the NetBIOS ports, and we're going to keep tightening this and tightening this and tightening this, so that things like Ping and LL and spooler RPC and all these other doofuses coming along for a ride don't get ports open even though they're not being used, and they can all go implement their own firewall rules, because they're not my problem. The way we do this is we created a new rule group. So you're probably familiar with the File and Printer Sharing group. There's another one now called Restrictive, and it includes just these things, but notice how NetBIOS is not there anymore. 137, 138, 139 are no longer there, and they weren't being used. SMB2 and later don't use those protocols, so they were just pointlessly open, and now they're closed. Okay, so here's my big surprise. SMB over QUIC is coming to all editions of Windows Server 2025. That means that you get to have the server in Standard, in Datacenter and in Azure Edition. It's no longer limited like it was in Server 2022 Azure Edition. So you can have SMB over QUIC at your edge, in your DMZ, in your highest security posture environments, in specialty cases where you wanted to have, like, the tightest security level even beyond SMB encryption, where the entire SMB payload, all of it,
including the authentication and everything, happens inside of this tunnel at all times, and you don't have to be using Azure or Azure Stack or Azure Edition. It's SMB over QUIC for the world. It's entirely free, no extra cost, no subscription, no Arc, none of those things. We want to make sure that SMB is always providing value to Windows Server in the most broad way possible when we can, and make it so that the best things for the future of your operations and the best things for the future of the protocol itself go wide. We don't try to squeeze every last nickel and dime out of it. So it comes with the server. It's already in the client; Windows 11 implemented the SMB over QUIC client years and years ago, and so you don't need to do anything there, it'll just work. This is all about the server piece that was limited on the server side, and there's nothing up my sleeve: SMB over QUIC for everybody. So that is a lot of stuff. I have been talking so long that my throat's getting a little bit raw. All coming towards this, the next major release, the next major Long-Term Servicing Channel release. I can't give you that date, I don't actually know that date. If I did know it and I told you, Saudi would come and punch me in the face. But it's coming soon, and you can tell: we start having server summits and we start talking about all this stuff in detail, and things stop showing up in Insiders for a few months, and you're like, where's all the new features? I'm like, well, we've obviously stabilized and we're now getting ready to cut a build. This stuff's coming pretty soon. It's definitely coming soon enough that you should be caring about it right now, and in the Insiders give things a try, because that's a long list of stuff you need to be aware of. I've been talking nonstop here for almost an hour about: guest auth being off in Pro by default, global encryption from the client being available, server dialect control from server and client being available, signing being required by default, on by default, the
auth rate limiter being there on by default, the NTLM disable option being there, ready to be used and should get turned on, start being evaluated, the SMB over QUIC client access control available now, the SMB alternative ports now available, the firewall rule tightening happening, mailslots being annihilated, and SMB over QUIC being available for all of you to use for everything. That is a lot of stuff we've done in the last couple of years. You're probably going to want to find the on-demand version of this and go back and watch it again a few more times. You're probably going to have a lot of questions and feedback to give me. I welcome it. It's happening during this summit; you can go and find me. If you go into these Q&A areas and ask, you'll see me answering questions, but also you can find me over at the FileCab blog, the Windows Storage blog. You can send me a DM, you can go into the comments. You'll find everything I talked about there. Everything has a blog article on it, and all those things are being converted into Learn articles, so there will be official documentation should we ship this stuff. I really want to thank you for your time. I know it's really precious. It's hard to find a couple of days to see what's new, but really, that's kind of the fun part of our jobs. You've got plenty of what's old to deal with. I think it's more interesting sometimes to take a break and sort of look to the future, making your life easier in some cases, here making your life harder but more safe, and how that can bring a lot of value to your organization and make you a valuable member of it. So thanks again and enjoy the rest of this conference. Bye.
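A posture check for the client and server settings the session lists (signing, guest auth, SMB1, encryption, dialect floor), added here as an example and not part of the talk or any Microsoft material. It uses the in-box SmbShare cmdlets; the RequireEncryption and Smb2DialectMin client properties only exist on builds that carry the new features, so they are read as optional, and the dialect enum value 'SMB311' is assumed.

```powershell
# Added example (not from the session): read back the SMB hardening knobs the talk covers
# on a Windows 11 / Windows Server 2025 box and report which are still in the legacy state.
# Run in an elevated PowerShell; nothing here changes configuration.
$client = Get-SmbClientConfiguration
$server = Get-SmbServerConfiguration

$checks = @(
    @{ Name = 'Client SMB signing required';     Ok = ($client.RequireSecuritySignature -eq $true) }
    @{ Name = 'Server SMB signing required';     Ok = ($server.RequireSecuritySignature -eq $true) }
    @{ Name = 'Insecure guest logons disabled';  Ok = ($client.EnableInsecureGuestLogons -eq $false) }
    @{ Name = 'SMB1 server protocol disabled';   Ok = ($server.EnableSMB1Protocol -eq $false) }
    @{ Name = 'Server encrypts share traffic';   Ok = ($server.EncryptData -eq $true) }
    @{ Name = 'Server rejects unencrypted access'; Ok = ($server.RejectUnencryptedAccess -eq $true) }
)

# Properties that only exist on builds with the newer client features; skip them elsewhere.
if ($client.PSObject.Properties['RequireEncryption']) {
    $checks += @{ Name = 'Client global encryption mandate'; Ok = ($client.RequireEncryption -eq $true) }
}
if ($client.PSObject.Properties['Smb2DialectMin']) {
    # Assumed enum spelling for the 3.1.1 dialect; adjust if your build names it differently.
    $checks += @{ Name = 'Client minimum dialect is 3.1.1'; Ok = ("$($client.Smb2DialectMin)" -eq 'SMB311') }
}

foreach ($c in $checks) {
    $state = if ($c.Ok) { 'OK  ' } else { 'WARN' }
    Write-Output ("[{0}] {1}" -f $state, $c.Name)
}

# Remediation for the WARN lines, left commented so the script stays read-only:
# Set-SmbClientConfiguration -RequireSecuritySignature $true -EnableInsecureGuestLogons $false -Force
# Set-SmbServerConfiguration -RequireSecuritySignature $true -EncryptData $true -Force
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

Treat a WARN on the encryption rows as a compatibility question first, as the talk says: turn on the audit options and confirm every peer negotiates SMB 3 encryption before mandating it.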