An SMB file share is a folder on a server that has been shared over the network using the SMB protocol. Clients connect to the share using a UNC path (\\server\sharename) and can read, write, and manage files based on their assigned permissions. SMB is the default file sharing protocol in Windows environments.
- How SMB works
- SMB versions
- Security risks
- Native limitations
- Monitoring
- FAQ
SMB (Server Message Block) is a client-server network protocol used to share access to files, folders, printers, and serial ports across a network. An SMB file share is a directory on a server that has been made available to network clients through the SMB protocol, so users can read, write, and manage files remotely as if they were stored locally.
SMB is the default file sharing protocol in Windows environments. macOS and Linux support it through the Samba implementation.
If you have ever mapped a network drive, accessed a shared folder through a UNC path (\\server\share), or connected to a DFS namespace, you were using SMB. For IT administrators, understanding how SMB works, which versions are secure, and how to audit file share access matters for data security and compliance.
How SMB file sharing works
SMB runs on a client-server model. The client sends a request to the server, the server processes it, and sends back a response. Every file open, read, write, or close operation on a shared folder travels over this request-response cycle.
A typical SMB session has four stages:
- The client and server negotiate a dialect, agreeing on the highest SMB version both support.
- The client authenticates using either NTLM or Kerberos credentials.
- The client connects to a specific share by name.
- The client performs file operations on that share.
SMB communicates over TCP port 445 for direct hosting. Older environments may use TCP port 139, which routes SMB traffic over NetBIOS. Port 139 is a legacy configuration; most modern networks rely exclusively on port 445.
SMB uses opportunistic locks (oplocks) to improve performance by letting clients cache file data locally and reduce network round trips. SMB signing is another mechanism worth understanding: when enabled, it attaches a cryptographic signature to each packet, preventing attackers from tampering with SMB traffic in transit.
SMB versions compared
Not all SMB versions are equal. Each major version introduced security and performance improvements, and the version your environment runs determines your exposure to specific threats.
| SMB version | Introduced with | Key features and security notes |
|---|---|---|
| SMB 1.0 / CIFS | Windows 2000 | Deprecated. No encryption. Vulnerable to EternalBlue (MS17-010). Should be disabled on all systems. |
| SMB 2.0 | Windows Vista / Server 2008 | Reduced protocol chattiness. Larger read/write buffers. Improved message signing. |
| SMB 2.1 | Windows 7 / Server 2008 R2 | Large MTU support. Improved oplock leasing for better caching. |
| SMB 3.0 | Windows 8 / Server 2012 | End-to-end encryption. SMB Multichannel (multiple network connections). SMB Direct (RDMA support). |
| SMB 3.0.2 | Windows 8.1 / Server 2012 R2 | Added the ability to disable SMB 1.0 completely. |
| SMB 3.1.1 | Windows 10 / Server 2016 | Pre-authentication integrity checks (SHA-512). Secure dialect negotiation prevents downgrade attacks. Mandatory encryption negotiation. |
SMB 1.0 is the single largest SMB-related risk in any environment. Microsoft deprecated it because it lacks encryption, uses weak authentication, and is the protocol version exploited by EternalBlue. You can check whether SMB 1.0 is still enabled on a Windows server by running this PowerShell command:
Get-SmbServerConfiguration | Select EnableSMB1Protocol
On Windows 10 and later, you can also check through Windows Features:
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
If either command returns True or Enabled, disable SMB 1.0 immediately.
SMB vs. NFS
SMB and NFS (Network File System) are both network file sharing protocols, but they serve different ecosystems and handle authentication differently.
| Criteria | SMB | NFS |
|---|---|---|
| Primary OS compatibility | Windows (native); Linux and macOS via Samba | Linux and UNIX (native); Windows via third-party clients |
| Authentication model | User-level authentication via Kerberos or NTLM; integrates with Active Directory | Host-based trust by default (NFSv3); Kerberos support added in NFSv4 |
| Encryption support | End-to-end encryption available in SMB 3.0 and later | Kerberos encryption in NFSv4; no native encryption in NFSv3 |
| Performance characteristics | Higher protocol overhead due to richer metadata; Multichannel and RDMA offset this in SMB 3.0+ | Lower protocol overhead; generally faster for small-file workloads on Linux |
| Typical use case | Windows file shares, Active Directory environments, mixed OS environments | Linux-to-Linux file sharing, NFS exports for VMware datastores, HPC storage |
In mixed Windows and Linux environments, SMB is typically the better choice because of its native Active Directory integration and user-level access control. NFS is more common in Linux-only or UNIX-only environments where host-based trust models are acceptable.
Security risks and attacks targeting SMB
SMB has been a high-value target for attackers because it handles authentication credentials and provides direct access to file data. Several major attacks have exploited weaknesses in the protocol or in how organizations configure it.
EternalBlue and WannaCry
The most damaging SMB exploit in recent history is EternalBlue (MS17-010), a vulnerability in SMB 1.0 that allows remote code execution. EternalBlue was the exploit behind the WannaCry ransomware outbreak in May 2017 and the NotPetya attack that followed weeks later.
Both attacks spread laterally across networks by exploiting unpatched SMB 1.0 services. The damage from NotPetya alone exceeded $10 billion globally, according to a 2018 Wired report on the attack.
SMB relay attacks
In an SMB relay attack (a form of manipulator-in-the-middle attack), the attacker intercepts NTLM authentication traffic between a client and a server, then relays those credentials to a different server to gain unauthorized access. This works when SMB signing is not enforced, because the attacker can forward authentication messages without the server detecting the tampering.
Lateral movement over SMB
Once an attacker gains a foothold in a network, SMB shares are a primary channel for lateral movement. Techniques like pass-the-hash and pass-the-ticket attacks let attackers authenticate to SMB shares using stolen credential material without knowing the actual password. From there, they can access sensitive files, deploy malware, or move deeper into the environment.
Credential harvesting and brute-force attacks
Attackers can set up rogue SMB shares that prompt connecting clients to submit their credentials, capturing NTLM hashes for offline cracking. Brute-force attacks against SMB authentication are also common, particularly against internet-exposed SMB services where TCP 445 is not blocked at the perimeter.
Data exfiltration
SMB shares that store sensitive data without proper access controls become exfiltration targets. An attacker with valid credentials (or stolen hashes) can copy large volumes of data from file shares without triggering alerts if the environment lacks file access monitoring.
ADAudit Plus detects pass-the-hash attacks through its Attack Surface Analyzer and monitors file share access anomalies using user behavior analytics, sending real-time alerts when unusual file activity occurs on SMB shares.
How to secure SMB file shares
Securing SMB requires protocol hardening, network controls, and access auditing. Here is what that looks like in practice.
Disable SMB 1.0 on all systems. There is no legitimate reason to run SMB 1.0 in a modern environment. Disable it on every server, workstation, and domain controller. On Windows Server, use Set-SmbServerConfiguration -EnableSMB1Protocol $false.
On Windows 10 and later, remove the SMB 1.0 feature through Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol.
Enforce SMB signing. SMB signing prevents relay attacks by cryptographically verifying that packets have not been tampered with in transit. Set RequireSecuritySignature to True on both the SMB server and client via Group Policy or PowerShell. Without enforced signing, your environment is open to credential relay.
Enable SMB encryption. SMB 3.0 and later support end-to-end encryption. You can enable encryption per share (Set-SmbShare -Name "ShareName" -EncryptData $true) or globally (Set-SmbServerConfiguration -EncryptData $true). Encryption protects data in transit without requiring a VPN or IPsec.
Use Kerberos authentication instead of NTLM wherever possible, since Kerberos provides stronger mutual authentication and is resistant to relay attacks.
Restrict SMB traffic to internal networks. Block TCP 445 at the perimeter firewall. SMB was designed for LAN communication, and exposing it to the internet invites brute-force attacks and exploit attempts. If remote users need file share access, route them through a VPN rather than opening SMB ports externally.
Apply least-privilege share permissions so that users can only access the shares and folders they need for their role.
Audit SMB share access. Enable object access auditing in Group Policy and configure SACLs on critical shares. Monitor Event IDs 4656 (handle requested), 4663 (object access attempted), and 5140 (network share accessed) in the Security event log. This audit trail is your foundation for detecting unauthorized access and investigating incidents.
Limitations of native SMB auditing tools
Windows gives you the building blocks for SMB file share auditing through Group Policy, SACLs, and Event Viewer, but these native tools fall short at scale.
Event Viewer logs are local to each file server. If you have five file servers hosting SMB shares, you need to check the Security log on each one individually. There is no centralized view of file share access activity across your environment without writing scripts or deploying a third-party tool.
Security log size limits make this worse. When the log reaches its maximum size, older events get overwritten, and you lose audit data for SMB access events that occurred before the rollover.
Native tools do not offer real-time alerting on suspicious file share activity. If an attacker copies thousands of files from an SMB share at two a.m., you will not know until someone manually reviews the logs. There is no scheduled report delivery either; pulling a weekly summary of SMB access events requires manual filtering and export on every server.
Correlating related events (linking Event ID 5140 with Event IDs 4656 and 4663 to build a complete picture of a file access session) requires PowerShell scripting or third-party tools. Native Windows auditing also provides no user behavior analytics or anomaly detection, so you cannot automatically flag patterns like a sudden spike in file deletions or access from an unusual time of day.
Monitoring SMB file share access with ADAudit Plus
What ADAudit Plus monitors on SMB file shares
ADAudit Plus audits all file and folder changes on Windows file servers and 13 NAS device types, including creates, modifications, deletions, moves, renames, and copies. Every event captures who performed the action, when it occurred, from which client machine, and the full file path.
Beyond change tracking, ADAudit Plus monitors file read access (both successful and failed attempts) and tracks folder permission changes with old and new ACL values, so you can see exactly what changed in a folder's access control list. Network share access events (share added, modified, deleted, and read) are captured through dedicated reports under the Server Audit tab.
ADAudit Plus applies machine learning through its UBA engine to detect anomalous file activity patterns. It flags unusual volume of file access, file access at unusual times, and spikes in file deletions or modifications, which are strong indicators of ransomware activity.
When the system detects a potential ransomware pattern, it triggers the "Possible Ransomware activity detected" alert. You can configure real-time alerts for any file share event and schedule reports for automatic delivery to compliance teams on a daily, weekly, or monthly basis.
Native Windows auditing vs. ADAudit Plus
| Capability | Native Windows tools | ADAudit Plus |
|---|---|---|
| Centralized file share audit view across servers | No. Logs are local to each file server. | Yes. Single console for all file servers and NAS devices. |
| Real-time alerts on file share events | No. Manual log review only. | Yes. Email and SMS alerts with configurable alert profiles. |
| Scheduled report delivery | No. Manual export required per server. | Yes. Automated hourly, daily, weekly, or monthly delivery. |
| Before-and-after permission values | Limited. Event Viewer shows that a change occurred but not the old and new values. | Yes. Old and new ACL values displayed side by side (Professional edition). |
| UBA anomaly detection for file activity | No. | Yes. Machine learning baselines per user for file access volume, time, and deletion patterns. |
| Ransomware activity detection | No. | Yes. Dedicated alert for unusual file modification and deletion spikes. |
| Export formats | Event Viewer exports to .evtx or .csv only. | CSV, PDF, HTML, CSVDE, and XLSX. |
A one-stop solution for all your IT auditing, compliance, and security needs
Try ADAudit Plus free for 30 days. No credit card required.
Frequently asked questions
Create a folder on the server, right-click it, select Properties, go to the Sharing tab, and click Advanced Sharing. Enable Share this folder and set share permissions. From a client machine, connect to the share using File Explorer by entering the UNC path (\\servername\sharename) or by mapping a network drive.
SMB 1.0 is vulnerable and should be disabled on all systems. SMB 3.1.1 with signing and encryption enabled is secure for LAN use. The protocol itself is not inherently insecure, but running outdated versions or skipping signing and encryption creates exploitable gaps.
SMB supports user-level authentication through Active Directory (Kerberos or NTLM), end-to-end encryption in version 3.0 and later, and granular file and folder permissions. FTP transmits credentials in cleartext by default and lacks native integration with directory services. SFTP and FTPS address the encryption gap, but neither provides the same level of access control integration that SMB offers in a Windows domain.
Run Get-SmbServerConfiguration in PowerShell to see which SMB versions are enabled on a server. To check specifically for SMB 1.0 on Windows 10 or later, run Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol. If the output shows Enabled or True for SMB 1.0, disable it immediately.
SMB 3.1.1 with encryption and signing is secure for local area network file sharing. For file transfers across the internet or wide area networks, use a VPN tunnel with SMB, or use HTTPS-based file transfer protocols. No single protocol replaces SMB for all use cases; the right choice depends on whether you need LAN file sharing, WAN file transfer, or cloud storage access.
Experience
ADAudit Plus for free
With ADAudit Plus, you can:
- Get full visibility into logons
- Monitor employee attendance
- Detect attacks like Kerberoasting
- Generate logon audit trails
- And much more
