Contents
Heya folks, Ned here again. Starting with Windows 11 Insider preview Build 25992 (Canary), the SMB client now supports connecting to an SMB server over TCP, QUIC, or RDMA using alternative network ports. Today I'll explain how to configure this and talk about the near future of this in Windows and Windows Server Insiders a bit.
Previous port behaviors
SMB server in Windows has required inbound connections using the IANA-registered port TCP/445 for decades, and the SMB TCP client has only supported connecting outbound to that TCP port. The newer SMB over QUIC protocol requires the QUIC-mandated UDP/443, both for server and client. Until now these were hard-coded and unalterable.
Configuring alternative ports
You can now connect to alternative TCP, QUIC, and RDMA ports with the SMB client as long as the SMB server supports listening on that port and has been configured to do so. You can do this through mapped drive commands NET USE or New-SmbMapping now, and in a coming release, specify ports to connect to on specific servers using Group Policy or PowerShell or through DNS SRV records. An administrator can also block the use of SMB client alterative ports completely using Group Policy.
Map an alternative port with NET USE
To map an alternative TCP port using NET USE, use the following syntax:
NET USE servershare /TCPPORT: NET USE servershare /QUICPORT: NET USE servershare /RDMAPORT:
For example, to map the G: drive port to TCP/847, use:
NET USE G: waukeganfs1.contoso.comshare /TCPPORT:847
Map an alternative port with New-SmbMapping
To map an alternative TCP port using New-SmbMapping PowerShell, use the following syntax:
New-SmbMapping -RemotePath servershare -TcpPort New-SmbMapping -RemotePath servershare -QuicPort New-SmbMapping -RemotePath servershare -RdmaPort
For example, to map the G: drive port to TCP/847, use:
New-SmbMapping -LocalPath G -RemotePath waukeganfs1.contoso.comshare -TcpPort 847
Control use of SMB client alternative ports
To control SMB client alternative port usage, configure the group policy under:
Computer Configuration Administrative Templates Network Lanman Workstation Enable Alternative Ports
gpedit
Coming soon to Insiders
Windows Server Insider does not support changing the SMB server TCP listening port to something besides the default 445. However, a coming update will allow changing the SMB over QUIC listening ports to numbers besides UDP/443. We will continue to evaluate customer feedback for the ability to configure TCP server behavior.
Final notes
Windows Server does not support configuring alternative SMB server TCP ports, but third parties such as Samba do. For more information on configuring non-standard SMB server ports in third parties, consult their product documentation.
This is part of a campaign to improve the security of Windows and Windows Server for the modern landscape. You've read my posts on SMB security changes over the past year:
- SMB alternative ports (November 2023)
- SMB Firewall changes in Windows insider (November 2023)
- SMB client encryption mandate now supported in Windows Insider (October 2023)
- SMB over QUIC client access control now supported in Windows Insider (October 2023, updated Nov 2023)
- SMB NTLM blocking (September 2023, updated Nov 2023)
- SMB dialect management (September 2023)
- SMB signing required by default in Windows Insider (June 2023)
- The beginning of the end of Remote Mailslots (March 2023)
- SMB insecure guest auth now off by default in Windows Insider Pro editions (January 2023)
- SMB authentication rate limiter now on by default in Windows Insider (September 2022)
- SMB1 now disabled by default for Windows 11 Home Insiders builds (April 2022)
For more information on securing SMB on Windows in-market, check out:
- SMB security enhancements | Microsoft Learn
- Secure SMB Traffic in Windows Server | Microsoft Learn
- Protect SMB traffic from interception | Microsoft Learn
Until next time,
Ned Pyle