Published: Nov 17, 2023
Key Takeaways:
- Microsoft is planning to integrate SMB over QUIC into all editions of Windows Server 2025.
- SMB over QUIC creates a secure “SMB VPN,” offering encrypted communication and enhanced performance for users.
- The feature is currently being tested in Windows Server Insider Datacenter and Standard editions.
Microsoft is planning to add the Server Message Block (SMB) over QUIC technology to all editions of Windows Server 2025. The company is currently testing the feature with select users in Windows Server Insider Datacenter and Standard editions.
SMB (Server Message Block) is a network file-sharing protocol that lets computers share files, printers, and other resources. QUIC (originally "Quick UDP Internet Connections") is a transport protocol that runs over User Datagram Protocol (UDP) rather than Transmission Control Protocol (TCP). TLS 1.3 is built into the QUIC handshake, so every connection is authenticated and encrypted by design, and connection setup takes fewer round trips than TCP plus TLS, which lowers latency for users on remote or lossy networks.
Microsoft introduced SMB over QUIC in Windows Server 2022 Azure Edition as an alternative to TCP/IP and RDMA (Remote Direct Memory Access). SMB over QUIC can serve as a file transfer-specific virtual private network (VPN) between on-premises servers and Azure. The protocol is designed to prevent spoofing and man-in-the-middle attacks.
Currently, the server side of SMB over QUIC is limited to Windows Server 2022 Datacenter: Azure Edition. Microsoft says the upcoming release will allow customers to configure SMB over QUIC on all editions of Windows Server 2025, including Datacenter and Standard.
“SMB over QUIC offers an 'SMB VPN' for telecommuters, mobile device users, and on highest security internal networks. The server certificate creates a TLS 1.3-encrypted tunnel over a UDP port instead of the legacy TCP/445. No SMB traffic – including authentication and authorization – is exposed to the underlying network. SMB behaves normally within the QUIC tunnel, meaning the user experience doesn’t change and capabilities like multichannel and compression continue to work,” Microsoft explained.
Microsoft notes that the feature is disabled by default, so file server administrators must enable SMB over QUIC manually. The server needs a certificate with the Server Authentication purpose whose name matches the FQDN clients will connect to, and that certificate must be mapped to the SMB server. Because the current version of Windows Admin Center (WAC) does not yet support configuring this on these editions, administrators need to create the mapping with PowerShell:
New-SmbServerCertificateMapping -Name <server FQDN> -Thumbprint <certificate thumbprint> -StoreName My
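The following is an added worked example, not a script from Microsoft or from the original article, showing the full server-side setup around that certificate mapping plus a client-side connection that is pinned to QUIC. The server name fs1.contoso.local, the share name, the drive letter, and the use of a self-signed certificate for an isolated lab are assumptions; the EnableSMBQUIC settings are assumed to be present on the Insider build in use. Run the server section elevated on the file server and the client section elevated on a Windows 11 client.

```powershell
# Added example (not Microsoft's code). Assumed names: fs1.contoso.local, share "share", drive Z:.

#region Server side (Windows Server 2025 Insider, run elevated)
$ServerFqdn = 'fs1.contoso.local'   # assumed FQDN; must match the name clients use to connect

# 1. Find an existing certificate with a private key, the Server Authentication EKU
#    (1.3.6.1.5.5.7.3.1), a SAN covering the FQDN, and that is still valid.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' -and
        $_.DnsNameList.Unicode -contains $ServerFqdn -and
        $_.NotAfter -gt (Get-Date)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

# 2. Lab fallback only: issue a self-signed certificate. In production use an enterprise or public CA,
#    otherwise every client must be taught to trust this specific certificate.
if (-not $cert) {
    Write-Warning 'No CA-issued server certificate found; creating a self-signed one for lab use only.'
    $cert = New-SelfSignedCertificate -DnsName $ServerFqdn -CertStoreLocation Cert:\LocalMachine\My `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 -KeyExportPolicy Exportable
    # Public part to import into Trusted Root Certification Authorities on each client.
    Export-Certificate -Cert $cert -FilePath "$env:TEMP\$ServerFqdn.cer" | Out-Null
}

# 3. Bind the certificate to the SMB server; this is what terminates the TLS 1.3 tunnel for that name.
New-SmbServerCertificateMapping -Name $ServerFqdn -Thumbprint $cert.Thumbprint -StoreName My

# 4. Turn on the QUIC transport (disabled by default on non-Azure editions; assumed parameter name).
Set-SmbServerConfiguration -EnableSMBQUIC $true -Force

# 5. Allow the QUIC listener on UDP/443. TCP/445 is intentionally left closed on this host.
New-NetFirewallRule -DisplayName 'SMB over QUIC (UDP 443 inbound)' -Direction Inbound `
    -Protocol UDP -LocalPort 443 -Action Allow | Out-Null

# 6. Check the mapping: the thumbprint shown here is what clients will see in the TLS handshake.
Get-SmbServerCertificateMapping | Format-Table Name, Thumbprint, StoreName, Subject
#endregion

#region Client side (Windows 11, run elevated)
# For the self-signed lab case, trust the exported certificate first (path assumed):
#   Import-Certificate -FilePath .\fs1.contoso.local.cer -CertStoreLocation Cert:\LocalMachine\Root

Set-SmbClientConfiguration -EnableSMBQUIC $true -Force

# -TransportType QUIC pins the mapping to QUIC, so the client will not silently fall back to TCP/445.
New-SmbMapping -LocalPath 'Z:' -RemotePath "\\$ServerFqdn\share" -TransportType QUIC

# Confirm the live SMB connection to the server (dialect and encryption state).
Get-SmbConnection -ServerName $ServerFqdn | Format-Table ServerName, ShareName, Dialect, Encrypted
#endregion
```

Two points are worth checking before exposing the listener to the internet: the certificate must be one the clients already trust, because the TLS 1.3 handshake is the only thing authenticating the server before any SMB authentication happens, and the firewall rule should open only UDP/443, so that a misconfiguration cannot reintroduce unencrypted TCP/445 exposure alongside it.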
Over the past year, Microsoft has announced several SMB security changes to protect Windows Server users against emerging threats. Last month, the company started testing a new Client Access Control (CAC) feature that lets IT admins block select client devices from accessing file servers. Microsoft highlighted that these changes are part of its efforts to boost the security of Windows Server machines.