- Windows 11 Insider Preview build changes default SMB share behavior to improve network security, automatically enabling a restrictive firewall rule group without the old SMB1 ports.
- Microsoft aims to make SMB connectivity even more secure by opening only mandatory ports and closing down ICMP, LLMNR, and Spooler Service inbound ports in the future.
- SMB clients can now connect to servers through alternative ports over TCP, QUIC, and RDMA, providing greater flexibility for configuration and customization by IT admins.
Microsoft has been making several enhancements to Server Message Block (SMB) over the past couple of years. Windows 11 Home no longer ships with SMB1 for security reasons, and the Redmond tech giant has also recently begun testing support for Network-designated Resolvers (DNR) and client encryption mandates in SMB3.x. Today, it announced further changes to the client-server file-sharing protocol with the rollout of the latest Windows 11 Insider build.
Windows 11 Insider Preview Canary build 25992, which began rolling out just a few hours ago, changes the default behavior of Windows Defender Firewall when an SMB share is created. Since the release of Windows XP Service Pack 2, creating an SMB share has automatically enabled the “File and Printer Sharing” rule group for the selected firewall profiles. This was implemented with SMB1 in mind and was designed to improve deployment flexibility and connectivity with SMB devices and services.
However, when you create an SMB share in the latest Windows 11 Insider Preview build, the operating system instead enables a “File and Printer Sharing (Restrictive)” group, which does not open the inbound NetBIOS ports 137, 138, and 139. These ports are used by SMB1 and are not needed by SMB2 or later. This also means that if you enable SMB1 for some legacy reason, you will need to reopen these ports in the firewall yourself.
Microsoft says that this configuration change will provide a higher level of network security, as only the required ports are opened by default. That said, it is important to note that this is just the default configuration; IT admins can still modify any firewall group as they see fit. However, do keep in mind that the Redmond firm is looking to make SMB connectivity even more secure by opening only mandatory ports and closing down Internet Control Message Protocol (ICMP), Link-Local Multicast Name Resolution (LLMNR), and Spooler Service inbound ports in the future.
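To see what the new default actually leaves closed on a given machine, an admin can compare the two rule groups directly. The following PowerShell is an added example, not Microsoft's code or anything from the blog posts: it lists the inbound rules in the legacy “File and Printer Sharing” group, flags those that open NetBIOS ports 137-139, and checks whether the “File and Printer Sharing (Restrictive)” group exists yet. It assumes the English display-group names quoted in the article and the built-in NetSecurity cmdlets; the cmdlets and parameters used are standard ones, but the “(Restrictive)” group will only be found on a build that has this change.

```powershell
# Added example (not from the article or Microsoft): audit which inbound rules in
# the legacy "File and Printer Sharing" group open the NetBIOS ports that SMB1
# needs, and check whether the newer "File and Printer Sharing (Restrictive)"
# group is present on this build. Uses the built-in NetSecurity module.

$NetBiosPorts = @('137', '138', '139')

function Get-InboundPortRules {
    param([Parameter(Mandatory)][string]$DisplayGroup)

    # Display-group names are localized; these are the English names from the
    # article. A group that does not exist simply yields no rules.
    Get-NetFirewallRule -DisplayGroup $DisplayGroup -Direction Inbound -ErrorAction SilentlyContinue |
        ForEach-Object {
            $rule   = $_
            $filter = $rule | Get-NetFirewallPortFilter
            # LocalPort may be a string or string[]; normalise to one flat array.
            $ports = (@($filter.LocalPort) -join ',') -split ','
            [pscustomobject]@{
                Group        = $DisplayGroup
                Rule         = $rule.DisplayName
                Enabled      = [bool]($rule.Enabled -eq 'True')
                Profile      = $rule.Profile
                Protocol     = $filter.Protocol
                LocalPort    = ($ports -join ',')
                OpensNetBios = [bool]($ports | Where-Object { $NetBiosPorts -contains $_ })
            }
        }
}

$legacy      = @(Get-InboundPortRules -DisplayGroup 'File and Printer Sharing')
$restrictive = @(Get-InboundPortRules -DisplayGroup 'File and Printer Sharing (Restrictive)')

'Legacy group: {0} inbound rules, {1} of them on NetBIOS ports 137-139' -f `
    $legacy.Count, @($legacy | Where-Object OpensNetBios).Count

if ($restrictive.Count -eq 0) {
    'Restrictive group not present on this build.'
} else {
    'Restrictive group: {0} inbound rules, {1} of them on NetBIOS ports 137-139' -f `
        $restrictive.Count, @($restrictive | Where-Object OpensNetBios).Count
}

# The rules below are what the new default no longer enables. If SMB1 is still
# required for a legacy device, these are the ones that have to stay on.
$legacy | Where-Object { $_.Enabled -and $_.OpensNetBios } |
    Format-Table Rule, Profile, Protocol, LocalPort -AutoSize
```

Run it from an elevated PowerShell session. On a build before this change the second summary line reports that the restrictive group is absent; after it, the restrictive group should report zero rules on 137-139, which is exactly the difference the article describes.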
Talking about ports, Microsoft has also published another blog post to describe alternative port changes in SMB connectivity. SMB clients can now connect to SMB servers through alternative ports over TCP, QUIC, and RDMA. Previously, SMB servers had mandated the use of TCP port 445 for inbound connections, with SMB TCP clients connecting outbound to the same port; this configuration could not be changed. However, with SMB over QUIC, UDP port 443 can be used by both client and server services.
SMB clients can also connect to SMB servers through various other ports as long as the latter supports a particular port and listens on it. IT admins can configure specific ports for specific servers, and even block alternative ports fully through Group Policy. Microsoft has provided detailed instructions on how you can map alternative ports with NET USE and New-SmbMapping, or control the use of ports through Group Policy.
It is important to note that Windows Server Insiders cannot currently change TCP port 445 to something else. However, Microsoft will enable IT admins to configure SMB over QUIC to use other ports besides the default UDP port 443.
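Once clients can reach SMB servers on ports other than TCP 445, an administrator auditing a machine will want to know which port each live session is actually using. The PowerShell below is an added example, not from the article or from Microsoft: it pairs each entry from Get-SmbConnection with the established TCP socket owned by the System process (PID 4), which is where the SMB redirector's connections appear, and reports the remote port. It assumes that pairing and that the server name recorded by Get-SmbConnection resolves to the address the socket uses; both hold for ordinary single-channel connections but are stated here as assumptions, and SMB over QUIC (UDP) would not appear in the TCP table at all.

```powershell
# Added example (not from the article or Microsoft): report the remote TCP port
# behind each active SMB client connection, so alternative-port sessions stand
# out from the default TCP 445.
# Assumptions: the SMB redirector's sockets are owned by the System process
# (PID 4), and the ServerName from Get-SmbConnection resolves to the address the
# socket connects to. QUIC (UDP) sessions are not covered by this TCP view.

function Get-SmbConnectionPort {
    $systemSockets = @(Get-NetTCPConnection -OwningProcess 4 -State Established -ErrorAction SilentlyContinue)

    foreach ($conn in Get-SmbConnection) {
        # ServerName may be an IP literal or a host name; resolve only the latter
        # and never let a failed lookup abort the rest of the report.
        $addresses = @()
        if ([System.Net.IPAddress]::TryParse($conn.ServerName, [ref]$null)) {
            $addresses = @($conn.ServerName)
        } else {
            try {
                $addresses = @((Resolve-DnsName -Name $conn.ServerName -Type A -ErrorAction Stop).IPAddress)
            } catch { }
        }

        $matching = $systemSockets | Where-Object { $addresses -contains $_.RemoteAddress }
        $ports = @($matching | Select-Object -ExpandProperty RemotePort -Unique)
        if ($ports.Count -eq 0) { $ports = @('unknown') }

        # One row per distinct port, so multichannel sessions are visible too.
        foreach ($port in $ports) {
            [pscustomobject]@{
                ServerName  = $conn.ServerName
                ShareName   = $conn.ShareName
                Dialect     = $conn.Dialect
                RemotePort  = $port
                DefaultPort = ($port -eq 445)
            }
        }
    }
}

Get-SmbConnectionPort | Format-Table -AutoSize
```

A row with DefaultPort set to False is a session that was mapped through an alternative port, which is the case an admin who has restricted ports via Group Policy would expect never to see; a RemotePort of “unknown” means no TCP socket matched, most often because the name resolved to a different address than the one in use.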