
I'm an admin at a hosting company and I deal primarily with Linux machines though we have plenty of customer with Windows servers.

In my capacity I have only ever used SMB for a file / print server on my local LAN.

Is there any reason to leave SMB open? I have not heard of any actual reason to have it exposed to the internet, is there some Windows thing I am unaware of that requires it?

yagmoth555
MadRush

  • Did you hear about the recent (May 2017) worldwide cyberattack called `wannacry`, which mainly exploited a vulnerability in the SMB protocol? https://en.wikipedia.org/wiki/WannaCry_ransomware_attack. Think carefully! – krisFR Sep 22 '17 at 15:38
  • 5
    `Is there any reason to allow SMB over the internet?` - That's kind of an open ended question. Is there **any** reason? Possibly. For practical purposes though, no there isn't any reason. – joeqwerty Sep 22 '17 at 15:46
  • I am acutely aware of the massive attacks that have been happening lately, that is why I am wondering why not just disable it by default. It just seems to me that most likely there is no reason to have it open, but I am curious if there is something that a lot of Windows guys would be doing that requires it. – MadRush Sep 22 '17 at 15:56
  • 4
    Your question and then your comment above don't quite line up. You state "is there any reason to leave SMB open?" Your question is unclear. Are you asking about inbound SMB (SMB server) or outbound from workstations connection to SMB over outbound internet access? If inbound, why do you say "it's open by default"? Firewalls by default shouldn't allow inbound SMB traffic. The server/VM running the SMB server service might, but the edge firewall wouldn't just allow this traffic inbound unless the firewall was configured to do so. – TheCleaner Sep 22 '17 at 21:07
  • 3
    In 1998 or so, when Internet access was dial-up, I was surprised to notice one day that my ISP's printers were visible in Windows when I dialled up to the Internet. I never tried printing to them — I didn't know where to pick up my finished print job! – Craig McQueen Sep 24 '17 at 04:58
  • What The Cleaner said, and also no. – Katherine Villyard Sep 26 '17 at 19:57

4 Answers


SMB is a file sharing protocol and, as such, it is sometimes left open to the internet for, well, sharing files.

However, this is a very bad idea. Compared to simpler protocols such as FTP or WebDAV, which basically have very small GET/PUT interfaces and are entirely implemented in isolated userspace processes, SMB is a much more complex protocol, deeply integrated into core Windows services.

The more complex nature of SMB (and its very low security/integrity until at least version 2) means that many critical flaws were exploited, and its tight integration with Windows means these exploits were very dangerous.

So, no, do not open SMB to the internet.

shodanshok
    Would you say the same thing about SMBv2? – user541686 Sep 24 '17 at 10:48
  • 1
    SMBv2 with signing enabled is quite secure, but you **must** disable previous SMB versions to prevent protocol-downgrade attacks. Anyway, I would **not** publish anything SMB-based on the internet: the attack surface is simply too big and, due to tight integration with core Windows services, eventual exploits are simply devastating. – shodanshok Sep 24 '17 at 12:02
  • Even if it runs on Samba? – user1686 Sep 24 '17 at 15:17
  • 1
    Samba is surely somewhat more secure than its Windows counterpart. However, [critical bugs happen even in Samba](https://securelist.com/sambacry-is-coming/78674/). So, I maintain that exposing SMB to the internet is a big security mistake. At the very least you should filter the source IP, whitelisting only very few IPs. – shodanshok Sep 24 '17 at 19:08
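Added example (editor's addition, not code from shodanshok or any other poster): the two points the comments above turn on, whether a listener still accepts SMB1 and whether the SMB2 dialect it negotiates has signing required, can both be read off the unauthenticated NEGOTIATE exchange. The script builds a raw SMB1 `SMB_COM_NEGOTIATE` that offers only `NT LM 0.12`, and a raw SMB2 NEGOTIATE, then classifies the reply from the header magic, the negotiated dialect and the `SecurityMode` bits defined in MS-SMB2 and MS-CIFS. A server with SMBv1 disabled closes the connection on the first probe or answers with dialect index 0xFFFF; both are reported as refused. The sample replies at the bottom are constructed in code, not captured from a real server, and the `192.0.2.10` target in the main block is a placeholder you replace with a host you are authorised to test.

```python
"""Probe what a TCP/445 listener negotiates: SMB1 still accepted? SMB2 dialect? Signing required?"""
import socket
import struct
import uuid

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB1_COM_NEGOTIATE = 0x72
SMB2_NEGOTIATE = 0x0000
SMB2_SIGNING_ENABLED, SMB2_SIGNING_REQUIRED = 0x0001, 0x0002   # MS-SMB2 2.2.4 SecurityMode bits
SMB1_SIGNING_ENABLED, SMB1_SIGNING_REQUIRED = 0x04, 0x08       # MS-CIFS 2.2.4.52.2 SecurityMode bits
SMB2_DIALECTS = (0x0202, 0x0210, 0x0300, 0x0302, 0x0311)       # offered oldest to newest
DIALECT_NAMES = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}


def netbios_frame(payload: bytes) -> bytes:
    """Direct-TCP framing: 0x00 message type + 24-bit big-endian length."""
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


def smb2_header(command: int, flags: int = 0) -> bytes:
    """64-byte SMB2 header, unsigned, message id 0 (MS-SMB2 2.2.1.2)."""
    return struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, 0, command, 1, flags,
                       0, 0, 0, 0, 0, b"\x00" * 16)


def smb1_header(command: int, flags: int = 0x18) -> bytes:
    """32-byte SMB1 header; Flags2 asks for Unicode, NT status codes and extended security."""
    return struct.pack("<4sBIBHH8sHHHHH", SMB1_MAGIC, command, 0, flags, 0xC843, 0,
                       b"\x00" * 8, 0, 0, 0, 0, 0)


def build_smb2_negotiate(dialects=SMB2_DIALECTS, client_guid=None) -> bytes:
    """SMB2 NEGOTIATE request advertising that the client supports signing (MS-SMB2 2.2.3)."""
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), SMB2_SIGNING_ENABLED, 0, 0,
                       client_guid or uuid.uuid4().bytes, 0)
    body += struct.pack("<%dH" % len(dialects), *dialects)
    return netbios_frame(smb2_header(SMB2_NEGOTIATE) + body)


def build_smb1_negotiate(dialects=(b"NT LM 0.12",)) -> bytes:
    """SMB_COM_NEGOTIATE offering only SMB1 dialects, so only an SMB1-enabled server can accept."""
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)      # dialect strings, 0x02-prefixed
    return netbios_frame(smb1_header(SMB1_COM_NEGOTIATE) + struct.pack("<BH", 0, len(data)) + data)


def parse_negotiate_response(frame: bytes) -> dict:
    """Classify a raw reply to either probe: protocol, dialect and the signing bits."""
    if not frame:
        return {"protocol": None, "error": "connection closed without a reply (dialect refused)"}
    if len(frame) < 4 or frame[0] != 0:
        return {"protocol": None, "error": "not a NetBIOS session message"}
    msg = frame[4:4 + int.from_bytes(frame[1:4], "big")]
    if msg[:4] == SMB2_MAGIC and len(msg) >= 14:
        status, command = struct.unpack_from("<IH", msg, 8)       # header Status, Command
        if command != SMB2_NEGOTIATE or status != 0 or len(msg) < 64 + 65:
            return {"protocol": "SMB2", "error": "status 0x%08x, command 0x%04x" % (status, command)}
        _, sec_mode, dialect = struct.unpack_from("<HHH", msg, 64)  # StructureSize, SecurityMode, Dialect
        return {"protocol": "SMB2", "dialect": DIALECT_NAMES.get(dialect, "0x%04x" % dialect),
                "signing_enabled": bool(sec_mode & SMB2_SIGNING_ENABLED),
                "signing_required": bool(sec_mode & SMB2_SIGNING_REQUIRED)}
    if msg[:4] == SMB1_MAGIC and len(msg) >= 36:
        if msg[4] != SMB1_COM_NEGOTIATE:
            return {"protocol": "SMB1", "error": "unexpected command 0x%02x" % msg[4]}
        dialect_index, sec_mode = struct.unpack_from("<HB", msg, 33)  # after the WordCount byte
        accepted = dialect_index != 0xFFFF                            # 0xFFFF = no dialect acceptable
        return {"protocol": "SMB1", "smb1_accepted": accepted,
                "signing_enabled": accepted and bool(sec_mode & SMB1_SIGNING_ENABLED),
                "signing_required": accepted and bool(sec_mode & SMB1_SIGNING_REQUIRED)}
    return {"protocol": None, "error": "unrecognised reply %r" % msg[:4]}


def probe(host: str, port: int = 445, timeout: float = 5.0) -> dict:
    """Two separate connections: an SMB1-only negotiate, then an SMB2 negotiate."""
    results = {}
    for name, request in (("smb1", build_smb1_negotiate()), ("smb2", build_smb2_negotiate())):
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(request)
                results[name] = parse_negotiate_response(sock.recv(4096))
        except OSError as exc:
            results[name] = {"protocol": None, "error": str(exc)}
    return results


def verdict(results: dict) -> str:
    """One-line summary of what a listener with these answers exposes."""
    smb1, smb2 = results.get("smb1", {}), results.get("smb2", {})
    if smb1.get("protocol") is None and smb2.get("protocol") is None:
        return "no SMB negotiated"
    problems = []
    if smb1.get("smb1_accepted"):
        problems.append("SMB1 still accepted (downgrade target)")
    if smb2.get("protocol") == "SMB2" and not smb2.get("signing_required"):
        problems.append("SMB2 %s negotiated without required signing" % smb2.get("dialect"))
    return "; ".join(problems) or "SMB1 refused, SMB2 signing required (still do not expose it)"


# Constructed sample replies for offline testing; not captured from any real server.
def sample_smb2_reply(security_mode=SMB2_SIGNING_ENABLED | SMB2_SIGNING_REQUIRED, dialect=0x0311) -> bytes:
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0, b"\x11" * 16, 0,
                       0x800000, 0x800000, 0x800000, 0, 0, 0x80, 0, 0) + b"\x00"
    return netbios_frame(smb2_header(SMB2_NEGOTIATE, flags=0x1) + body)   # 0x1 = SERVER_TO_REDIR


def sample_smb1_reply(dialect_index=0, security_mode=SMB1_SIGNING_ENABLED | 0x03) -> bytes:
    words = struct.pack("<HBHHIIIIQhB", dialect_index, security_mode, 50, 1, 16644, 65536, 0, 0, 0, 0, 8)
    body = bytes([17]) + words + struct.pack("<H", 8) + b"\x00" * 8   # WordCount 17, 8-byte challenge
    return netbios_frame(smb1_header(SMB1_COM_NEGOTIATE, flags=0x98) + body)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"   # placeholder TEST-NET address
    results = probe(target)
    for name, result in results.items():
        print(name, result)
    print(verdict(results))
```

Run it as `python3 smbprobe.py <host>` against a host you own. Note that this only tells you what the listener will negotiate, not whether it is patched; a listener that answers "SMB1 refused, SMB2 signing required" is still the full SMB server attack surface the answer warns about, which is why the verdict string keeps the "do not expose it" reminder even on the best outcome.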

Just don't do it. If anyone asks you to do it, I would strongly recommend telling them no and running away fast.

You could technically provide this kind of service over a VPN, but if it's over any significant distance over WAN it's almost certainly going to perform like total garbage.

There are far superior services to accomplish remote and local file sharing that you could provide. Consider Amazon Storage Gateway, or Google Storage. These solutions allow cloud storage accounts to be attached to fileservers in-house, enabling a hybrid storage cloud that syncs wherever anyone needs it. It's fast and secure, and remote users don't need to hit your fileserver in order to get remote files while in-house users don't need to hit your WAN pipe to get at those same files. These solutions take a large burden from you, the administrator, and put it into a cloud that can handle the load no matter what.

Spooler

Is there any reason? I will leave that up to you.

  1. It can be done. Open port 445 and configure SMB, and you can access your shared folders over the internet similarly to how you would do it over your local network.

  2. It's going to be very slow because the protocol was not designed to work over such an environment.

  3. There are known security risks. IP restriction could help.

jarvis

No. Leave the minimum number of ports exposed to the Internet. If you need to use SMB for something (transferring files with a trusted other party, with authentication and timestamps on every action taken), then set up a VPN for them to connect to before making an SMB connection.

  • The thought of **not** using a VPN just boggles the mind. – RonJohn Sep 22 '17 at 23:11
  • @RonJohn: It's a pretty reasonable thought if you don't know about the security holes. It does require password authentication after all. – user541686 Sep 23 '17 at 09:50
  • While it requires authentication, this does not imply encryption. Those are two separate mechanisms. In most cases, encryption is handled via keys rather than passwords, while passwords are typically used to authenticate with user accounts once an encrypted tunnel is established. While what I describe above is a common model, it's not required to be designed this way, of course. – Spooler Sep 26 '17 at 18:32