SMB over QUIC client access control now supported in Windows Insider

Heya folks, Ned here again. Beginning in Windows 11 Insider Preview Build 25977 (Canary Channel) and Windows Server Preview Build 25997, SMB over QUIC now supports access control for clients. Today I'll explain how this works, what the advantages are, and set it up.

SMB over QUIC

SMB over QUIC introduced an alternative to TCP and RDMA, supplying secure connectivity to edge file servers over untrusted networks like the Internet. QUIC has significant advantages, the largest being mandatory certificate-based encryption instead of relying on passwords.

SMB over QUIC offers an "SMB VPN" for telecommuters, mobile device users, and high security organizations. The server creates a TLS 1.3-encrypted tunnel over the internet-friendly UDP port 443* instead of the legacy TCP port 445. No SMB traffic – including authentication and authorization – is exposed to the underlying network. SMB behaves normally within the QUIC tunnel, meaning the user experience doesn't change and capabilities like multichannel and compression work.

A file server administrator must opt in to enabling SMB over QUIC; it isn't on by default, and a client can't force a file server to enable SMB over QUIC. It's available in Windows 11 and Windows Server 2022 as an SMB client, and in Windows Server 2022 Azure Edition* as an SMB server.

* Update Nov 15, 2023. We just announced that SMB over QUIC is now part of Windows Server Datacenter and Standard editions for the next release of Windows Server and that you can now control the QUIC network port. You can try it out in Insiders Preview. For more info, review https://aka.ms/SMBoverQUICServer

SMB over QUIC Client Access Control

SMB over QUIC client access control (CAC) improves the existing SMB over QUIC feature. Previously, servers trusted all clients that shared the root chain of the server's SMB over QUIC server certificate. With this new option, administrators can restrict which clients can reach SMB over QUIC servers: an allowlist of devices trusted to connect to the file server. This gives organizations more protection but does not change the Windows authentication used to make the SMB connection, nor does it alter the end user experience.

This feature works by the client trusting the SMB over QUIC server's certificate through a shared root authority, as before. The admin also issues the client a certificate from that same issuer, and adds that certificate's SHA256 hash (or its issuer) to an allow list maintained by the server. When the client connects, it presents its certificate to the server, which compares it against the allow list and grants or denies the QUIC connection. Only then does SMB run inside the QUIC TLS tunnel, and the user connects to their share. An admin can also explicitly deny a client access, or simply revoke its certificate. CAC is optional and – for now – not on by default.

Update November 8, 2023:

Starting with Build 25992, the SMB over QUIC client access control feature supports certificates with subject alternative names, not just a single subject. This means CAC now works with a Microsoft Active Directory Certificate Services CA and multiple endpoint names, just like the currently released version of SMB over QUIC. You can now evaluate the feature using the recommended options without needing self-signed test certificates.

Configuring SMB over QUIC client access control

The server-side steps for SMB over QUIC CAC are nearly identical to those for SMB over QUIC without CAC. The client-side steps are quite different, because each client must now be issued a certificate and mapped to it. This is the typical trade-off between security and ease of management.

Prerequisites

To evaluate CAC, you'll need:

Configure SMB over QUIC CAC

To configure SMB over QUIC CAC, we're going to use a self-signed certificate and PowerShell.

These steps are strictly for Insider Preview evaluation purposes; the released CAC feature will fully support a Certificate Authority and Windows Admin Center, and you should never use a self-signed certificate with SMB over QUIC in a production environment.

  1. Open an administrator-elevated PowerShell console on the SMB over QUIC server.
  2. Create the server's self-signed certificate (where <Server DNS name> is the fully-qualified name of the SMB over QUIC server):

$serverCert = New-SelfSignedCertificate -DnsName "<Server DNS name>" -CertStoreLocation "Cert:\LocalMachine\My" -NotAfter (Get-Date).AddMonths(6) -KeyAlgorithm "RSA" -KeyLength "2048"

  3. Configure the server certificate mapping, requiring client authentication:

New-SmbServerCertificateMapping -Name "<Server DNS name>" -Thumbprint $serverCert.Thumbprint -Store My -RequireClientAuthentication $true

  4. Export the server certificate:

Export-Certificate -Cert $serverCert -FilePath "<path>\serverCert.cer"

  5. Copy serverCert.cer to the client machine and, on the client, open an administrator-elevated PowerShell console.
  6. Install the server certificate into the trusted root store on the client:

Import-Certificate -FilePath "<path>\serverCert.cer" -CertStoreLocation Cert:\LocalMachine\Root

  7. Create the client's certificate for use with the server allow list:

$clientCert = New-SelfSignedCertificate -DnsName "<Server DNS name>" -CertStoreLocation "Cert:\LocalMachine\My" -NotAfter (Get-Date).AddMonths(6) -KeyAlgorithm "RSA" -KeyLength "2048"

  8. Configure the client certificate mapping on the client machine:

New-SmbClientCertificateMapping -Namespace "<Server DNS name>" -Thumbprint $clientCert.Thumbprint -Store My

  9. Export the client certificate and obtain its SHA256 hash by running certutil and reading the Cert Hash(sha256) field:

Export-Certificate -Cert $clientCert -FilePath "<path>\clientCert.cer"

certutil.exe "<path>\clientCert.cer" | findstr /i /c:"Cert Hash(sha256)"

(Screenshot: an example of the certutil command running)

  10. Return to the server.
  11. Install the client certificate into the trusted root store on the server:

Import-Certificate -FilePath "<path>\clientCert.cer" -CertStoreLocation Cert:\LocalMachine\Root

  12. Grant access to the client by its SHA256 hash (the Cert Hash(sha256) value from step 9, as a single hex string):

Grant-SmbClientAccessToServer -Name "<Server DNS name>" -IdentifierType SHA256 -Identifier "<Cert Hash(sha256)>"

Note: you can also grant access by issuer. Instead of adding a certificate SHA256 hash from every single client, you can add the issuer DN once by using -IdentifierType ISSUER. While not as granular or secure, this is useful for large client fleets when using a trusted certificate authority rather than self-signed evaluation certs.

  13. You have now configured SMB over QUIC CAC. Connect to the server using either:

NET USE \\<Server DNS name>\<share> /TRANSPORT:QUIC
New-SmbMapping -RemotePath "\\<Server DNS name>\<share>" -TransportType QUIC
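The whole evaluation procedure above as one script, run in three passes (server, client, server again), is an added example and is not code from the original post or from Microsoft. It uses the cmdlets the steps use; the Get-SmbClientAccessToServer, Revoke-SmbClientAccessToServer and Block-SmbClientAccessToServer cmdlets, the server name fs01.corp.contoso.com, the share name, the export directory and the script file name are assumptions. It also replaces the certutil step with a SHA-256 computed in PowerShell over the certificate's DER bytes, which is the same value certutil labels Cert Hash(sha256), and recomputes that hash on the server from the imported file instead of trusting a pasted string.

```powershell
<#
Added example, not from the post. Run as an elevated PowerShell script:
   .\Set-SmbQuicCac.ps1 -Step Server        # on the SMB over QUIC server
   .\Set-SmbQuicCac.ps1 -Step Client        # on the client (after copying serverCert.cer)
   .\Set-SmbQuicCac.ps1 -Step ServerGrant   # back on the server (after copying clientCert.cer)
#>
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('Server', 'Client', 'ServerGrant')][string]$Step,
    [string]$ServerFqdn = 'fs01.corp.contoso.com',   # assumption: your SMB over QUIC server FQDN
    [string]$ShareName  = 'data',                    # assumption: a share on that server
    [string]$ExportDir  = 'C:\Temp\cac'              # assumption: where .cer files are exchanged
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

function Get-CertSha256 {
    # certutil's "Cert Hash(sha256)" is SHA-256 over the DER-encoded certificate
    # (X509Certificate2.RawData), so it can be computed and cross-checked without certutil.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { ([System.BitConverter]::ToString($sha.ComputeHash($Cert.RawData))) -replace '-', '' }
    finally { $sha.Dispose() }
}

function New-EvalCert {
    # Six-month RSA-2048 self-signed certificate, as in the post's steps.
    # Evaluation only: never use self-signed certificates with SMB over QUIC in production.
    param([Parameter(Mandatory)][string]$DnsName)
    New-SelfSignedCertificate -DnsName $DnsName -CertStoreLocation 'Cert:\LocalMachine\My' `
        -NotAfter (Get-Date).AddMonths(6) -KeyAlgorithm 'RSA' -KeyLength 2048
}

switch ($Step) {
    'Server' {
        $serverCert = New-EvalCert -DnsName $ServerFqdn
        # Bind the certificate to the QUIC listener; RequireClientAuthentication is what turns CAC on.
        New-SmbServerCertificateMapping -Name $ServerFqdn -Thumbprint $serverCert.Thumbprint `
            -Store My -RequireClientAuthentication $true
        Export-Certificate -Cert $serverCert -FilePath "$ExportDir\serverCert.cer" | Out-Null
        "Copy $ExportDir\serverCert.cer to the client, then run -Step Client there."
    }
    'Client' {
        # Trust the server's self-signed certificate as a root (stands in for a shared CA root).
        Import-Certificate -FilePath "$ExportDir\serverCert.cer" -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
        $clientCert = New-EvalCert -DnsName $ServerFqdn
        # Tell the SMB client which certificate to present when connecting to this namespace.
        New-SmbClientCertificateMapping -Namespace $ServerFqdn -Thumbprint $clientCert.Thumbprint -Store My
        Export-Certificate -Cert $clientCert -FilePath "$ExportDir\clientCert.cer" | Out-Null
        # Same value certutil prints as "Cert Hash(sha256)", and as Get-FileHash -Algorithm SHA256 on the DER file.
        "Client certificate SHA256: $(Get-CertSha256 -Cert $clientCert)"
        "Copy $ExportDir\clientCert.cer to the server, then run -Step ServerGrant there."
    }
    'ServerGrant' {
        $clientCert = Import-Certificate -FilePath "$ExportDir\clientCert.cer" -CertStoreLocation 'Cert:\LocalMachine\Root'
        # Recompute the hash from the imported bytes rather than trusting a hash pasted from the client.
        $sha256 = Get-CertSha256 -Cert $clientCert
        Grant-SmbClientAccessToServer -Name $ServerFqdn -IdentifierType SHA256 -Identifier $sha256
        # Fleet alternative from the post's note: one entry per issuing CA instead of one per device.
        # Only meaningful with a real CA; a self-signed certificate is its own issuer.
        #   Grant-SmbClientAccessToServer -Name $ServerFqdn -IdentifierType ISSUER -Identifier $clientCert.Issuer
        # Lifecycle (assumed cmdlet names): list the entries, pull a lost device, or block one explicitly.
        if (Get-Command Get-SmbClientAccessToServer -ErrorAction SilentlyContinue) {
            Get-SmbClientAccessToServer -Name $ServerFqdn
        }
        #   Revoke-SmbClientAccessToServer -Name $ServerFqdn -IdentifierType SHA256 -Identifier $sha256
        #   Block-SmbClientAccessToServer  -Name $ServerFqdn -IdentifierType SHA256 -Identifier $sha256
        "Now connect from the client: New-SmbMapping -RemotePath \\$ServerFqdn\$ShareName -TransportType QUIC"
    }
}
```

The script keeps the post's ordering but makes the trust decisions explicit: the client cert goes into the server's Root store so the server can validate it, and the allow-list entry is derived from the bytes the server actually imported. With an enterprise CA you would skip New-EvalCert on both sides, enroll real certificates, and choose between per-device SHA256 entries and a single ISSUER entry depending on how much granularity you want.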

Final Notes

SMB over QUIC isn't just for mobile users and edge servers in Internet DMZs; it's a practical defensive layer that prevents leakage of NTLM credentials and makes attacking internal file servers harder without first subverting a trusted client. TCP had its time; QUIC is the future of user and application transport.

We also just announced that a replacement for KDC Proxy –  IAKerb – is coming to Windows Insider Previews along with a local KDC. These combined options mean the beginning of the end for NTLM, which will make SMB over QUIC Kerberos usage much easier. Read about it at The evolution of Windows authentication.     

This is part of a campaign to improve the security of Windows and Windows Server for the modern landscape. You've read my posts on SMB security changes over the past year:

For more information on securing SMB on Windows in-market, check out:

Until next time,

Ned Pyle


This article was originally published by Storage at Microsoft. You can find the original article here.