SMB is a client-server protocol for sharing files, printers and other network resources. It can also be used for inter-process communication (IPC). It was originally developed for Windows, but more and more operating systems support it; Linux, for example, uses Samba.
Any computer that supports file sharing has both an SMB server for providing access to its files and an SMB client for accessing a remote computer's files. In Windows, the services `LanmanServer` and `LanmanWorkstation` are responsible for the server and client side respectively; SMB uses ports 445 and 139.[^1]
There are a handful of default file shares, such as ADMIN$, C$ and IPC$, meant for administrative purposes.[^2] They should not be deactivated because complications may arise when accessing network shares.[^3] Instead, they should be protected with proper firewall rules on the local client. `Get-SmbShare` lists all SMB shares.
Overview of the default shares and their purpose:

| File share name | Description |
|---|---|
| Admin$ | Remote admin (refers to the %SystemRoot% directory), used for remote computer management |
| IPC$ | Remote IPC, used to communicate with programs via named pipes |
| C$ | Default share: the shared system drive. If there are other drives on the computer that have letters assigned to them, these are also automatically published as administrative shares (D$, E$, etc.). |
| Print$ | Published when you share your printer (opens access to the printer driver directory C:\Windows\system32\spool\drivers) |
| FAX$ | For shared fax server access |
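As an added example (not part of the original note), the following PowerShell inventories the local SMB shares, separates the built-in administrative shares from user-created ones using the `Special` property, and attaches each share's share-level ACL from `Get-SmbShareAccess`. It assumes the SmbShare module (Windows 8 / Server 2012 and later) and an elevated session.

```powershell
# Added example, not from the original note: list SMB shares with their kind and share ACL.
# Assumes the SmbShare module and an elevated PowerShell session.

function Get-SmbShareInventory {
    [CmdletBinding()]
    param()

    foreach ($share in Get-SmbShare) {
        # 'Special' is set on the built-in administrative shares (ADMIN$, C$, IPC$, ...).
        # A share whose name ends in '$' but is not Special is a hidden, user-created share.
        $kind = 'Regular'
        if ($share.Name.EndsWith('$')) { $kind = 'Hidden (user-created)' }
        if ($share.Special)            { $kind = 'Administrative (default)' }

        # Share-level permissions: one entry per account with allow/deny and the access right.
        $acl = Get-SmbShareAccess -Name $share.Name -ErrorAction SilentlyContinue |
               ForEach-Object { '{0}:{1}/{2}' -f $_.AccountName, $_.AccessControlType, $_.AccessRight }

        [pscustomobject]@{
            Name        = $share.Name
            Path        = $share.Path
            Kind        = $kind
            EncryptData = $share.EncryptData
            Access      = ($acl -join '; ')
        }
    }
}

# The default administrative shares stay in place (see the note above) and are protected by
# firewall rules; the shares worth reviewing are the ones an administrator created.
Get-SmbShareInventory |
    Where-Object { $_.Kind -ne 'Administrative (default)' } |
    Format-Table Name, Path, Kind, EncryptData, Access -AutoSize
```

Run it without the `Where-Object` filter to see the complete list, including the administrative shares and the drive shares (D$, E$, ...) that Windows publishes automatically.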
Registry settings for the two services are available under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer` and `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation` respectively.
SMB 1.x is insecure because it does not support encryption and should be deactivated. Keep in mind, however, that some legacy systems such as printers may only support this protocol version.
If `Get-SmbServerConfiguration | Select EnableSMB1Protocol` shows `True`, the SMB server still supports SMB version 1.
`Get-SmbSession | Select ClientComputerName, ClientUserName, NumOpens, Dialect` displays the open SMB sessions on the server and the protocol version (dialect) used by each of them. Likewise, `Get-SmbConnection` shows the connections initiated by the client.
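The following script is an added example (not from the original note) that ties the two checks above together: it reports whether SMB 1 is enabled on the server and installed on the client, lists the open sessions that negotiated a dialect below 2.0 (the peers that would break), and only then disables SMB 1 on the server, with `-WhatIf` support so the audit can run first. It assumes the SmbShare module and an elevated session; `Get-WindowsOptionalFeature` is available on Windows client editions (on servers `Get-WindowsFeature FS-SMB1` is the equivalent).

```powershell
# Added example, not part of the original note: audit SMB 1 before switching it off.
# Assumes the SmbShare module (Windows 8 / Server 2012+) and an elevated session.

function Get-Smb1Status {
    [CmdletBinding()]
    param()

    # Server side: the same value as "Get-SmbServerConfiguration | Select EnableSMB1Protocol".
    $serverEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Client side: while the SMB 1 redirector (mrxsmb10) is installed, LanmanWorkstation
    # lists it as a service dependency in the registry.
    $deps = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation' -Name DependOnService).DependOnService
    $clientInstalled = [bool]($deps -contains 'mrxsmb10')

    # Optional-feature view of the same thing; SilentlyContinue keeps this working on servers.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $featureState = if ($feature) { "$($feature.State)" } else { 'not available' }

    # Who would break: every open session negotiated below dialect 2.0. Dialects are strings
    # such as "2.1" or "3.1.1"; anything that does not parse as a version is treated as SMB 1.
    $legacySessions = Get-SmbSession | Where-Object {
        $v = $null
        (-not [version]::TryParse($_.Dialect, [ref]$v)) -or ($v.Major -lt 2)
    } | Select-Object ClientComputerName, ClientUserName, Dialect

    [pscustomobject]@{
        ServerSmb1Enabled   = $serverEnabled
        ClientSmb1Installed = $clientInstalled
        Smb1FeatureState    = $featureState
        LegacySessions      = @($legacySessions)
    }
}

function Disable-Smb1Server {
    # Supports -WhatIf / -Confirm so the check can run before anything changes.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $status = Get-Smb1Status
    if ($status.LegacySessions.Count -gt 0) {
        Write-Warning ("{0} open session(s) still use SMB 1 and will be cut off:" -f $status.LegacySessions.Count)
        $status.LegacySessions | Format-Table -AutoSize | Out-String | Write-Warning
    }
    if ($PSCmdlet.ShouldProcess('local SMB server', 'disable the SMB 1 protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

Get-Smb1Status | Format-List
Disable-Smb1Server -WhatIf   # dry run; drop -WhatIf to apply
```

Because sessions are transient, run `Get-Smb1Status` several times over a working day (or log it from a scheduled task) before trusting an empty `LegacySessions` list; a printer that only prints occasionally shows up only while it holds a session.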
Activate file and printer sharing on the firewall only for the private profile. Never enable this for the public profile.
```powershell
Set-NetFirewallRule -DisplayGroup "File And Printer Sharing" -Enabled True -Profile Private
```
In the user interface, this can be done under Windows Defender Firewall > Allow an app or feature through Windows Defender Firewall. There, check the box for File and Printer Sharing under Private or Domain only; do not check the box under Public.
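As an added example (not from the original note), the script below audits the inbound "File and Printer Sharing" rules before applying the command above: it expands each rule's profile set (a rule scoped to `Any` applies to the Public profile as well) and flags the rules that are currently enabled on Public, then restricts the group to Private with `-WhatIf` support. It assumes the NetSecurity module (Windows 8 / Server 2012 and later) and an elevated session.

```powershell
# Added example, not part of the original note: find file-sharing rules exposed on the Public
# profile and restrict them to Private. Assumes the NetSecurity module and an elevated session.

function Get-FileSharingRuleExposure {
    [CmdletBinding()]
    param([string]$DisplayGroup = 'File and Printer Sharing')

    Get-NetFirewallRule -DisplayGroup $DisplayGroup -Direction Inbound |
        ForEach-Object {
            # 'Profile' is a flags value such as "Private, Public"; "Any" means every profile,
            # including Public, so it counts as exposed.
            $profiles = "$($_.Profile)"
            $onPublic = ($profiles -eq 'Any') -or ($profiles -match 'Public')
            $enabled  = ($_.Enabled -eq 'True')
            [pscustomobject]@{
                Name            = $_.DisplayName
                Enabled         = $enabled
                Profiles        = $profiles
                ExposedOnPublic = ($enabled -and $onPublic)
            }
        }
}

function Limit-FileSharingToPrivate {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$DisplayGroup = 'File and Printer Sharing')

    if ($PSCmdlet.ShouldProcess($DisplayGroup, 'enable the rules for the Private profile only')) {
        # Same command as in the note above: -Profile replaces the rule's whole profile set,
        # so Public (and Domain) are dropped from every rule in the group.
        Set-NetFirewallRule -DisplayGroup $DisplayGroup -Enabled True -Profile Private
    }
    Get-FileSharingRuleExposure -DisplayGroup $DisplayGroup
}

Get-FileSharingRuleExposure | Where-Object ExposedOnPublic | Format-Table -AutoSize
Limit-FileSharingToPrivate -WhatIf   # dry run; drop -WhatIf to apply
```

On a domain-joined machine that also needs sharing on the Domain profile, pass `-Profile Private, Domain` instead; the audit function will then still report those rules as not exposed on Public.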
Keep in mind that, once SMB encryption is required, clients that do not support encryption will no longer be able to communicate with the server. Furthermore, encrypted traffic may carry a noticeable performance cost compared to unencrypted traffic. Encryption for all shares on the server is required with:

```powershell
Set-SmbServerConfiguration -EncryptData $True -Force
```
If encryption should only be enabled for one specific share (e.g. Projects), use the following command:

```powershell
Set-SmbShare -Name Projects$ -EncryptData $True -Force
```
Note: Setting the property `RejectUnencryptedAccess` to `$False` allows unencrypted traffic from devices that do not support encryption even though encryption is required (see above). However, this workaround is not recommended; the devices should be updated instead.
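The following added example (not from the original note) puts the caveats above into a readiness check: SMB encryption needs dialect 3.0 or later, so every open session that negotiated a lower dialect belongs to a client that would be cut off. The script reports those sessions together with the server-wide `EncryptData` and `RejectUnencryptedAccess` settings and the shares already encrypted, then enables encryption for a single share and reads the setting back. It assumes the SmbShare module and an elevated session; the share name `Projects$` is taken from the note above and must exist on the server.

```powershell
# Added example, not part of the original note: check which clients would break under SMB
# encryption, then enable it per share. Assumes the SmbShare module and an elevated session.

function Get-SmbEncryptionReadiness {
    [CmdletBinding()]
    param()

    $cfg = Get-SmbServerConfiguration

    # Encryption is an SMB 3.x feature: a session at dialect 2.x (or SMB 1) cannot be encrypted.
    $sessions = Get-SmbSession | ForEach-Object {
        $v = $null
        $supports = [version]::TryParse($_.Dialect, [ref]$v) -and ($v.Major -ge 3)
        [pscustomobject]@{
            Client             = $_.ClientComputerName
            User               = $_.ClientUserName
            Dialect            = $_.Dialect
            SupportsEncryption = $supports
        }
    }

    [pscustomobject]@{
        ServerEncryptsAllShares = $cfg.EncryptData
        RejectUnencryptedAccess = $cfg.RejectUnencryptedAccess
        SharesAlreadyEncrypted  = @(Get-SmbShare | Where-Object EncryptData | Select-Object -ExpandProperty Name)
        ClientsThatWouldBreak   = @($sessions | Where-Object { -not $_.SupportsEncryption })
    }
}

function Enable-SmbShareEncryption {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)

    if ($PSCmdlet.ShouldProcess($Name, 'require SMB encryption for this share')) {
        # Same command as in the note above, for the share given as -Name.
        Set-SmbShare -Name $Name -EncryptData $true -Force
    }
    # Verify: the share object reports the effective setting.
    (Get-SmbShare -Name $Name).EncryptData
}

Get-SmbEncryptionReadiness | Format-List
Enable-SmbShareEncryption -Name 'Projects$' -WhatIf   # dry run; drop -WhatIf to apply
```

A non-empty `ClientsThatWouldBreak` list is the input for the update work the note recommends instead of lowering `RejectUnencryptedAccess`; re-run the check after those clients have been upgraded.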
SMB message signing allows the integrity of the exchanged data to be verified: each message carries a signature, a keyed hash computed with the session key, so tampering in transit can be detected.
If server-side SMB signing is required, a client will not be able to establish a session with that server unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers.
Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers.[^4]
```powershell
Set-SmbServerConfiguration -RequireSecuritySignature $True -Force
```
There is another property named `EnableSecuritySignature`, which is only used with SMB 1.0. With SMB 2.0 or higher, this setting is ignored and has no effect.
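As an added example (not from the original note), the script below shows the server-side and client-side signing settings discussed above side by side, lists the machine's own outbound connections that are not signed, and requires signing on both sides with `-WhatIf` support. It assumes the SmbShare module and an elevated session; the `Signed` column of `Get-SmbConnection` is assumed to exist (it does on current Windows builds), and `Select-Object` simply leaves it empty where it does not.

```powershell
# Added example, not part of the original note: audit and require SMB signing.
# Assumes the SmbShare module and an elevated session.

function Get-SmbSigningPosture {
    [CmdletBinding()]
    param()

    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration

    [pscustomobject]@{
        ServerRequiresSigning = $srv.RequireSecuritySignature
        ServerEnablesSigning  = $srv.EnableSecuritySignature   # SMB 1 only; ignored for SMB 2+
        ClientRequiresSigning = $cli.RequireSecuritySignature
        ClientEnablesSigning  = $cli.EnableSecuritySignature   # SMB 1 only; ignored for SMB 2+
    }
}

function Get-UnsignedSmbConnection {
    # Connections this machine has opened as a client whose 'Signed' flag is false.
    # 'Signed' is an assumed property (see lead-in); if it is absent, nothing is listed.
    [CmdletBinding()]
    param()

    Get-SmbConnection |
        Select-Object ServerName, ShareName, Dialect, Signed |
        Where-Object { $_.Signed -eq $false }
}

function Set-SmbSigningRequired {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess('local SMB server', 'require signing for incoming sessions')) {
        # Same command as in the note above.
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    }
    if ($PSCmdlet.ShouldProcess('local SMB client', 'require signing for outgoing sessions')) {
        # Client side: this machine will then refuse servers that cannot sign.
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    }
    Get-SmbSigningPosture
}

Get-SmbSigningPosture | Format-List
Get-UnsignedSmbConnection | Format-Table -AutoSize
Set-SmbSigningRequired -WhatIf   # dry run; drop -WhatIf to apply
```

Apply the server-side setting first and watch for failed sessions from SMB 1 clients that have `EnableSecuritySignature` turned off; the client-side requirement is the one that can lock this machine out of legacy servers, so enable it once the posture of those servers is known.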
There are several ways to connect a printer to a network.
One of the most common methods is connecting the printer directly to the network using an Ethernet cable. This involves:
- Connecting an Ethernet cable from the printer's Ethernet port to a router or network switch
- Configuring the printer with an IP address on the network
Ethernet provides a fast, reliable connection and is suitable for most office environments.
For printers without built-in networking capabilities:
- Connect the printer to a router's USB port using a USB cable
- The router shares the printer on the network
This method turns a USB printer into a network-accessible device.
Many modern printers have built-in Wi-Fi capabilities:
- The printer connects directly to the wireless network
- No cables are required
- Allows flexible printer placement
This is convenient for home and small office use.
Some printers support Wi-Fi Direct:
- Creates a direct wireless connection between the printer and devices
- Does not require a Wi-Fi network infrastructure
For older printers without networking features:
- Connect the printer to a dedicated print server device
- The print server connects to the network and shares the printer
This allows legacy printers to be used on modern networks.
Printers can also be connected to a network device such as a laptop, which then shares the printer with all other devices on the network:[^5]
- File and printer sharing must be enabled
- Print requests are first sent to the management device and then transformed into the format required by the printer
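The following added example (not from the original note) shows what sharing a printer from a Windows computer looks like on the SMB side: it lists the printers the machine already shares together with the `print$` driver share from the table above, and shares one more printer queue. It assumes the PrintManagement and SmbShare modules (Windows 8 / Server 2012 and later) and an elevated session; the printer name `Office-Laser` and share name `OfficeLaser` are placeholders.

```powershell
# Added example, not part of the original note: report shared printers and share a queue.
# Assumes the PrintManagement and SmbShare modules and an elevated session.

function Get-SharedPrinterReport {
    [CmdletBinding()]
    param()

    # The print$ share (printer drivers) appears once any printer is shared.
    $driverShare = Get-SmbShare -Name 'print$' -ErrorAction SilentlyContinue

    # Shared queues: other hosts spool to these and the local spooler forwards to the device.
    $printers = Get-Printer |
        Where-Object Shared |
        Select-Object Name, ShareName, DriverName, PortName

    [pscustomobject]@{
        DriverSharePresent = [bool]$driverShare
        DriverSharePath    = $driverShare.Path
        SharedPrinters     = @($printers)
    }
}

function Publish-PrinterShare {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$PrinterName,
        [Parameter(Mandatory)][string]$ShareName
    )

    # File and Printer Sharing must be enabled on the firewall (see above) for clients
    # to reach the queue; Set-Printer only publishes it.
    $unc = "\\$env:COMPUTERNAME\$ShareName"
    if ($PSCmdlet.ShouldProcess($PrinterName, "share as $unc")) {
        Set-Printer -Name $PrinterName -Shared $true -ShareName $ShareName
    }
    Get-SharedPrinterReport
}

Get-SharedPrinterReport | Format-List
Publish-PrinterShare -PrinterName 'Office-Laser' -ShareName 'OfficeLaser' -WhatIf   # dry run
```

Because the sharing computer spools every job, it must stay powered on and reachable for other devices to print; the report's `SharedPrinters` list is also the set of queues exposed through the firewall rules discussed earlier.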
- The SMB protocol: All you need to know
- SMB security enhancements
- How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows
- Stop using SMB1
- Printer Sharing
Footnotes

[^1]: PowerShell command: `Get-Service Lanman*`
[^2]: The dollar sign at the end signifies that these are administrative shares. See Managing Administrative Shares (Admin$, IPC$, C$) on Windows.
[^5]: See for example How to Share Printer on Network (Share Printer in-between Computers) Easy.