# SMB

> Source: Courseiva IT Certification Glossary — https://courseiva.com/glossary/smb

## Quick definition

SMB is a way for computers to talk to each other on a network so they can share files and printers. It lets one computer access files on another computer as if they were on its own hard drive. Many businesses use it so employees can share documents without emailing them. Windows computers use SMB as their main method for file sharing.

## Simple meaning

Imagine you are working in an office with several coworkers, and each of you has a filing cabinet at your desk. If you need a document from a coworker's cabinet, you have to get up, walk over, and ask them to open it. SMB is like a magic system that lets you reach over and open their filing cabinet from your desk. You can see the folders, pick a document, and even save changes back to their cabinet without ever leaving your chair. In computer terms, SMB is a protocol, a set of rules that computers follow to share files and printers over a network. When you use Windows File Explorer to browse “Network” and see other computers, SMB is what makes that possible. It works by sending messages back and forth between the computer that has the resource (the server) and the computer that wants to use it (the client). These messages include requests like “please send me this file” or “please save this data to that folder.” SMB also handles security, so only users with permission can access certain files. It is a client-server protocol, meaning one machine acts as the server that hosts the shared folders, and other machines connect as clients. SMB is built into Windows, but it also works with Linux and macOS using software like Samba. This is why you can often access a Windows shared folder from a Mac on the same network. SMB has gone through many versions over the years. The most common today are SMB1 (old and insecure), SMB2 (introduced with Windows Vista), and SMB3 (Windows 8 and later). SMB3 added features like encryption and better performance. Network administrators use SMB to set up shared drives where employees can store common files, making collaboration easier. It is a foundational technology in most business networks.

One important thing about SMB is that it does not just move files. It also allows for “locking” so that if one person is editing a file, others cannot overwrite those changes. This is critical for shared databases or documents. SMB also supports named pipes and other inter-process communication mechanisms, but for most IT professionals, the file and printer sharing features are the most important. Understanding SMB is essential for anyone working with Windows networking, because it is the default method for most resource sharing in that environment.

## Technical definition

The Server Message Block (SMB) protocol is a network file sharing protocol that operates at the application layer (Layer 7) of the OSI model. It enables client-server communication for accessing files, printers, and serial ports on a network. SMB was originally developed by IBM in the 1980s and later heavily refined by Microsoft, which integrated it into Windows operating systems. The protocol uses a request-response model, where the client sends SMB commands encapsulated within a transport protocol, typically NetBIOS over TCP/IP (NBT) or directly over TCP port 445. In modern implementations, SMB runs directly over TCP on port 445, bypassing the older NetBIOS layer.

SMB operates through a series of dialects or versions. SMB1 (also known as CIFS) is the oldest and most feature-rich but lacks modern security measures, making it a target for malware like WannaCry. Microsoft has deprecated SMB1 and strongly recommends disabling it. SMB2, introduced with Windows Vista and Server 2008, reduced the number of commands from over 100 to 19, improving efficiency and reducing chatter. SMB3, introduced with Windows 8 and Server 2012, added features such as SMB Direct (RDMA support), SMB Multichannel (multiple network paths for increased throughput and failover), SMB Encryption (end-to-end encryption of data), and SMB over QUIC (for remote access). SMB3.1.1, included with Windows 10 and Server 2016, added pre-authentication integrity and secure negotiation.

At its core, SMB works by establishing a session between client and server. The process begins with a TCP three-way handshake to port 445. The client then sends a Negotiate Protocol Request, listing the SMB dialects it supports. The server responds with the highest mutually supported version. Next, the client authenticates using NTLM or Kerberos, establishing a session. Once authenticated, the client can mount shares (tree connect) and then perform file operations like open, read, write, close, and delete. SMB also supports oplocks (opportunistic locks) that allow clients to cache data locally, reducing network traffic while maintaining consistency.

From a security standpoint, SMB supports several mechanisms. SMB signing ensures that messages are authentic and have not been tampered with. SMB encryption provides confidentiality. Access control is enforced via Windows NTFS permissions and share-level permissions. In domain environments, Kerberos provides stronger authentication than NTLM. Older SMB versions are vulnerable to relay attacks and should be avoided. IT professionals must know how to configure SMB settings, disable SMB1, enable SMB signing, and manage shares through tools like Server Manager, PowerShell, and Group Policy.

Common troubleshooting scenarios include slow file transfer speeds (often due to SMB signing overhead or lack of multichannel), access denied errors (permissions issues), and discovery problems (firewall blocking port 445). Understanding SMB is critical for network administrators, security professionals, and anyone working with Windows-based file servers.

## Real-life example

Think of SMB like the intercom system and pneumatic tubes used in a large retail store. Imagine you work at a department store where every employee needs access to a central inventory book. Instead of walking to the manager’s office every time you need to check if a size is in stock, the store installs an intercom system. You pick up a phone, say what you need, and an assistant in the office looks it up and shouts the answer back. That is similar to how SMB lets your computer ask the server for a specific file. But SMB goes further, it is more like having a direct pneumatic tube connecting your desk to every filing cabinet in the store. You put a request for a document into the tube, and a few seconds later the actual document comes back to you. You can read it, make notes on it, and send it back to be filed. This is essentially what SMB does: it transports data between the client and the server quickly and reliably.

Now imagine that the store has a special rule: only employees with a certain badge can access the premium inventory list. The intercom system checks your badge number before it allows the connection. This mirrors how SMB handles authentication. The server does not allow access until the client provides valid credentials. Also, if two employees try to edit the same inventory page at the same time, the system locks it for the first person and tells the second to wait. That is how SMB uses file locks to prevent data corruption. Finally, imagine that the store installs a faster intercom system that can send messages over multiple cables at once, so even if one cable is cut, the inventory requests still get through. That is SMB Multichannel, using multiple network paths for better reliability and speed. This analogy makes it clear why SMB is so valuable: it provides a familiar, efficient, and secure way for computers to share resources just as people share physical items in a well-organized workplace.

## Why it matters

SMB is critically important because it is the backbone of file sharing in most Windows-based business networks. Without SMB, employees would have to rely on third-party tools, email attachments, or cloud storage for every file transfer, which is inefficient and insecure. SMB allows organizations to centralize data on file servers, making backup, permission management, and disaster recovery much easier. For example, an IT administrator can set up a shared drive called “Marketing” that all marketing staff can access, while the HR department has its own restricted share. This centralization reduces data duplication and ensures that everyone is working from the same source of truth.

From a security standpoint, SMB is a double-edged sword. Older versions (SMB1) are notoriously insecure and have been exploited by ransomware. Disabling SMB1 is a standard security best practice. Modern SMB3 with encryption and signing is much safer, but misconfigurations can still open doors to attackers. Network security professionals must understand how to harden SMB: disabling unnecessary dialects, requiring signing, encrypting traffic, and restricting access with firewalls. For penetration testers, SMB is a common vector for privilege escalation and lateral movement. Tools like PsExec, SMBExec, and Impacket rely on SMB for remote command execution.

For IT support staff, SMB is often the source of user complaints: “I can’t access the shared folder,” “The network drive is slow,” or “I get an access denied error.” Troubleshooting these issues requires knowledge of SMB permissions, firewall rules, group policy, and authentication. The protocol also impacts disaster recovery planning: if the file server goes down, SMB-based shares become unavailable, so redundancy through DFS (Distributed File System) or failover clustering is important. In short, SMB is not just a protocol; it is a critical service that affects daily operations, security posture, and user productivity.

## Why it matters in exams

SMB appears frequently in general IT certification exams such as CompTIA A+, Network+, Security+, and Microsoft’s Azure and Windows Server certifications. In CompTIA A+ (220-1101), you need to know that SMB is used for file and printer sharing in Windows networks and that it uses TCP port 445. Questions may ask you to identify the protocol that enables network file sharing or to troubleshoot why a user cannot see shared folders. For CompTIA Network+, SMB is covered under network services and application layer protocols. You might be asked to differentiate SMB from FTP or HTTP when it comes to file sharing. Security+ focuses on the security risks of SMB1 and the importance of disabling it, as well as enabling SMB signing and encryption. You could see questions about securing a legacy SMB implementation or recognizing the symptoms of an SMB relay attack.

In Microsoft certifications like MS-900 (Microsoft 365 Fundamentals) or AZ-800 (Administering Windows Server Hybrid Core Infrastructure), SMB is a core concept. You may need to configure SMB shares, enable SMB encryption, or troubleshoot access issues in hybrid environments. For Azure-related exams, understanding SMB over QUIC is relevant for remote file access. The exam objectives often list “Configure file and printer sharing” or “Manage SMB protocols.” Questions can be scenario-based: “A user reports that file transfers to the server are slow. What should you check?” or “An attacker exploited an SMB vulnerability. Which version should you disable?” Performance-based questions (PBQs) may ask you to set up SMB shares with specific permissions.

Cisco CCNA does not focus heavily on SMB, but it is relevant when discussing network services and application layer protocols. The exam may mention SMB in the context of Windows networking or as a supported protocol for network attached storage (NAS). For Linux+ or LPIC, SMB is important because Samba is the Linux implementation of SMB/CIFS. You might be asked how to configure a Samba share or troubleshoot connectivity between Linux and Windows systems. Overall, SMB is a protocol that crosses multiple certification paths, and understanding its versions, ports, security features, and practical configuration is essential for exam success. Exam questions tend to be straightforward but require attention to detail, especially regarding security settings and version differences.

## How it appears in exam questions

Exam questions about SMB typically fall into three categories: identification, security, and troubleshooting. Identification questions are the most common in entry-level exams. They might ask: “Which protocol is used for file and printer sharing on Windows networks?” with options like FTP, HTTP, SMB, and SSH. The answer is SMB. They may also ask: “Which port does SMB use?” The correct answer is TCP 445 (or sometimes 139 for older NetBIOS sessions). Another form: “Which SMB dialect should be disabled for security reasons?”, SMB1.

Security-related questions appear in Security+ and Microsoft security exams. A typical scenario: “A company experienced a ransomware outbreak that spread through a file server. Which configuration change should be made to prevent this from happening again?” The answer: disable SMB1. Another: “An IT administrator wants to ensure that SMB traffic cannot be intercepted and read. Which feature should be enabled?”, SMB encryption. Or: “A user receives an ‘access denied’ error when trying to open a file on a network share. What is the most likely cause?”, Incorrect share permissions or NTFS permissions.

Troubleshooting questions often present a user complaint: “A user cannot see the shared folder from their Windows 10 workstation. The server is running Windows Server 2022. Other users can access the share. What should the technician check first?” Possible answers: firewall rules on the client, SMB version compatibility, or user permissions. Another: “File transfers to a network share are very slow. The network is gigabit Ethernet. What could be the cause?”, SMB signing is enabled but causing CPU overhead, or SMB Multichannel is not configured correctly. Performance-based questions in Microsoft exams may ask you to create a new SMB share with specific permissions, enable SMB encryption, or configure SMB Multichannel using PowerShell cmdlets like New-SmbShare and Set-SmbServerConfiguration.

In Azure-related exams, you might see: “Which protocol can be used to access Azure Files without opening port 445?”, SMB over QUIC. Or: “A user needs to map a drive from a Windows client to an Azure file share. Which configuration is required?” Understanding the difference between SMB access (requires port 445) and SMB over QUIC (uses UDP port 443) is important. Overall, exam questions test factual knowledge of ports, versions, and security features, as well as the ability to apply that knowledge to real-world scenarios.

## Example scenario

You are an IT support technician at a mid-sized company. One morning, you receive a ticket from a user named Sarah in the accounting department. She says: “I can’t open the budget spreadsheet on the shared drive. It says ‘Access Denied.’ I could open it yesterday.” You remotely connect to Sarah’s Windows 10 PC and check the mapped network drive. It shows drive Z: mapped to \\FileServer\Accounting. You try to open the shared drive from your own administrative account and it works fine. So the issue is specific to Sarah’s account.

You check the permissions of the shared folder on the server. The Accounting share has the “Accounting Team” group listed with Modify permissions. You open Active Directory Users and Computers and confirm that Sarah is a member of the “Accounting Team” group. The group membership is correct. Next, you check the NTFS permissions on the folder itself. You find that the folder has an explicit Deny permission for the “Accounting Team” group, but an Allow for another group. This is a common misconfiguration: a Deny entry overrides any Allow. You remove the Deny entry, and ask Sarah to reconnect. The file opens successfully.

This scenario tests your understanding of SMB share permissions versus NTFS permissions, and how they interact. The effective permission is the most restrictive combination. You also see the importance of group membership and the fact that Deny entries always take precedence. In an exam, you might be asked: “A user can see a share but cannot access a specific file. Where should you check permissions first?” The answer is NTFS permissions on the folder. This scenario also highlights that SMB itself is working correctly, the share was visible and connectable. The problem was at the file system level. Understanding these layers is key to passing IT certification exams that cover SMB.

## Common mistakes

- **Mistake:** Confusing SMB with FTP.
  - Why it is wrong: FTP is a separate protocol for file transfer, often uses ports 20 and 21, and does not support locking or printer sharing like SMB does. They serve different purposes.
  - Fix: Remember that SMB is for local network file sharing with native Windows integration, while FTP is for transferring files over the internet, often requiring separate client software.
- **Mistake:** Thinking SMB only works on Windows.
  - Why it is wrong: SMB is a protocol, not a Microsoft proprietary product. Linux and macOS can connect to SMB shares using Samba or built-in clients. The protocol is platform-independent.
  - Fix: Know that SMB is supported across operating systems. On Linux, use the cifs-utils package. On macOS, use Finder ‘Connect to Server’ with smb://.
- **Mistake:** Disabling SMB signing globally to improve performance.
  - Why it is wrong: SMB signing does add CPU overhead, but disabling it removes integrity checks, making the connection vulnerable to man-in-the-middle attacks. The performance gain is often minimal on modern hardware.
  - Fix: Keep SMB signing enabled for security. If performance is a concern, consider using SMB Multichannel or upgrading network hardware instead of disabling security features.
- **Mistake:** Assuming SMB1 is safe if the network is internal.
  - Why it is wrong: SMB1 has known vulnerabilities that can be exploited even within a local network. Ransomware like WannaCry spread via SMB1. Internal networks are not immune to attacks.
  - Fix: Always disable SMB1 on all systems. Use PowerShell: Set-SmbServerConfiguration -EnableSMB1Protocol $false. Apply via Group Policy across the domain.
- **Mistake:** Setting share permissions to “Everyone: Full Control” and relying only on NTFS permissions.
  - Why it is wrong: Share permissions are a separate security layer. If share permissions allow Everyone Full Control, but NTFS denies a user, the user is denied. However, if share permissions deny, the user is denied regardless of NTFS. The most restrictive permission wins.
  - Fix: Use share permissions to grant full control to the relevant group, then use NTFS permissions to fine-tune user access. This simplifies management and avoids accidental lockouts.

## Exam trap

{"trap":"The exam question says: “Which protocol is used to share a printer over a network?” and gives options including SMB and IPP (Internet Printing Protocol). The learner might choose IPP because it sounds print-specific, but in Windows networks, printer sharing is often done via SMB, not IPP.","why_learners_choose_it":"IPP is a well-known protocol for printing, especially over the internet. Learners assume that any network printing must involve IPP, forgetting that SMB also provides printer sharing as a resource.","how_to_avoid_it":"Remember that SMB is the standard for sharing resources (files, printers, serial ports) on Windows networks. IPP is for network printers that support it, but a printer shared from a Windows computer uses SMB. In exam contexts, when the scenario is about a Windows shared printer, SMB is likely the answer."}

## Commonly confused with

- **SMB vs NFS (Network File System):** NFS is another file sharing protocol, but it is primarily used in Unix/Linux environments. SMB is native to Windows. While both allow file sharing, they use different protocols, ports, and authentication methods. NFS is stateless and simpler, while SMB supports more features like file locking and printer sharing. (Example: If you need to share files between two Windows computers, you use SMB. If you need to share files between two Linux servers, you might use NFS.)
- **SMB vs FTP (File Transfer Protocol):** FTP is designed for transferring files between a client and server, often over the internet. It does not support the concept of “sharing” a folder; you upload or download files. SMB allows you to mount a folder as if it were local, edit files in place, and supports locking. FTP also does not natively support printer sharing. (Example: FTP is like a mailbox: you send and receive files. SMB is like having a key to a shared filing cabinet.)
- **SMB vs HTTP/WebDAV:** WebDAV is an extension of HTTP that allows file management over the web. It works over port 80 or 443 and is cross-platform, but it is slower and less feature-rich than SMB. SMB is optimized for local network performance and supports advanced features like opportunistic locking and direct memory access (RDMA). (Example: WebDAV is useful for accessing files on a web server from anywhere. SMB is better for high-performance file sharing on a local office network.)

## Step-by-step breakdown

1. **Client Initiates Connection** — The client computer (e.g., Windows 10) sends a TCP SYN packet to the server’s IP address on port 445. This starts a three-way handshake to establish a reliable connection.
2. **Negotiate Protocol Version** — The client sends a Negotiate Protocol Request that lists all SMB dialects it supports (e.g., SMB2.0.2, SMB3.0.0, SMB3.1.1). The server responds with the highest common version. This ensures both sides use the most secure and efficient version available.
3. **Session Setup (Authentication)** — The client authenticates with the server using Kerberos (in domain environments) or NTLM. This involves sending security tokens. If authentication fails, the server refuses the session. This step establishes a secure session context.
4. **Tree Connect (Mounting a Share)** — After authentication, the client sends a Tree Connect request specifying the share name (e.g., \\FileServer\Marketing). The server checks share-level permissions and, if allowed, returns a tree ID. The client now has access to the root of that share.
5. **File Operations** — With the share mounted, the client can send SMB commands to open, read, write, close, delete, or rename files and directories. Each command includes a file handle. The server processes the request, applying NTFS permissions and file locks, then returns data or status.
6. **Session Teardown** — When the client is done, it sends a Tree Disconnect to unmount the share, followed by a Logoff request to end the session. The TCP connection may be closed, or kept alive for future requests if the client caches credentials.

## Practical mini-lesson

In a real-world IT environment, managing SMB effectively means understanding both configuration and security. As an administrator, you will most often interact with SMB through Server Manager or PowerShell. To create a new SMB share on Windows Server, you can use the New-SmbShare cmdlet: New-SmbShare -Name “Reports” -Path “D:\Data\Reports” -FullAccess “DOMAIN\ReportingTeam” -ChangeAccess “DOMAIN\Managers”. This sets share-level permissions. But you must also set NTFS permissions on the D:\Data\Reports folder itself because share permissions and NTFS permissions act together.

A common task is to enable SMB encryption. You can do this per share: Set-SmbShare -Name “Reports” -EncryptData $true. This ensures that all data transferred over the network is encrypted, protecting against eavesdropping. You can also require encryption for all shares on a server: Set-SmbServerConfiguration -EncryptData $true. Be careful: older clients may not support encryption and will fail to connect.

What can go wrong? One frequent issue is SMB version mismatch. If you disable SMB2 and SMB3 on a server for security reasons, Windows 7 clients (which use SMB2) will not connect. You need to ensure client and server support at least one common version. Another problem is slow file transfer. This can be caused by SMB signing overhead, especially on older CPUs. In that case, you can consider enabling SMB Multichannel if the server has multiple network interfaces. SMB Multichannel aggregates bandwidth and provides fault tolerance. It is configured automatically but requires matching interface speeds and RSS support.

Security hardening is critical. Always disable SMB1 using Group Policy or PowerShell. Enable SMB signing if not already required. For internet-facing file sharing, use SMB over QUIC (available in Windows Server 2022) instead of opening port 445 to the internet. Monitor SMB events in the Windows Event Log under “Microsoft-Windows-SMBServer” for audit and troubleshooting. You can also use the Get-SmbConnection cmdlet to see active SMB sessions. For Linux administrators, Samba is the equivalent. Configuration is in /etc/samba/smb.conf, where you define shares, set valid users, and configure SMB protocols with parameters like “server min protocol = SMB2_10”. Testing with smbclient is essential. Understanding these practical aspects will make you a more effective IT professional and help you ace exams that involve SMB configuration and troubleshooting.

## Memory tip

Think of SMB as “Shared Message Box”, it is the box that holds the messages (files and printer jobs) that computers share. The number to call is 445.

## FAQ

**What is the default port for SMB?**

The default port for SMB over TCP is 445. Older versions also used port 139 via NetBIOS, but modern Windows uses port 445 directly.

**Should I disable SMB1 on my network?**

Yes, absolutely. SMB1 is outdated and insecure. It was exploited by ransomware like WannaCry. Disable it to reduce your attack surface.

**Can I access SMB shares from Linux?**

Yes, Linux can access SMB shares using the cifs-utils package and the mount.cifs command. You can also use Samba to host SMB shares on Linux.

**What is the difference between SMB2 and SMB3?**

SMB2 reduced protocol chatter and improved performance over SMB1. SMB3 added encryption, multichannel, SMB Direct (RDMA), and higher security. SMB3 is recommended for modern networks.

**How do I enable SMB encryption?**

You can enable SMB encryption per share or for the entire server using PowerShell: Set-SmbShare -Name “ShareName” -EncryptData $true, or Set-SmbServerConfiguration -EncryptData $true.

**Can SMB work over the internet?**

SMB can work over the internet, but it is not recommended to expose port 445 directly. Use a VPN or SMB over QUIC (Server 2022) for secure remote access.

**What is SMB Multichannel?**

SMB Multichannel allows SMB traffic to use multiple network paths simultaneously, increasing throughput and providing failover if one path goes down. It is available in SMB3.

## Summary

SMB (Server Message Block) is a fundamental networking protocol that enables file, printer, and resource sharing across Windows-based networks. It operates over TCP port 445 and has evolved through versions SMB1, SMB2, SMB3, and SMB3.1.1, with each iteration improving performance, security, and features. For IT professionals, understanding SMB is critical because it is the default method for sharing resources in corporate environments. Misconfigurations can lead to security vulnerabilities, performance issues, or access problems, making SMB a common topic in troubleshooting scenarios.

Exams like CompTIA A+, Network+, Security+, and Microsoft certifications test your knowledge of SMB ports, versions, security settings, and troubleshooting. Common questions ask you to identify the correct protocol, disable insecure versions, or configure shares. To succeed, focus on memorizing port numbers, the differences between SMB versions, and the principle that share permissions and NTFS permissions combine to determine effective access. Security is paramount: always disable SMB1, use SMB signing and encryption, and restrict access via firewalls.

In practice, SMB management involves creating shares, setting permissions, enabling encryption, and troubleshooting connectivity. By mastering SMB, you will be better prepared for both exams and real-world IT roles.

---

Practice questions and the full interactive page: https://courseiva.com/glossary/smb
