WHY is it discouraged to expose SMB via Port Forward?

coolaj86 · August 12, 2025, 9:50pm

I want to sift the 1990s SMB1 and 2000s SMB2 dogma from the 2020s SMB3 practical applications.

As far as I’ve been able to research, there is no reason that a VPN or SSH tunnel should be necessary for access to SMB3 provided that:

it’s a recent version of TrueNAS
SMB1 is disabled
encryption is required (i.e. SMB2 is disabled)
passwords are admin managed (i.e. the admin sets a key which is saved in Windows or macOS keychain manager, and the user doesn’t typically view or use the key)
you believe that, since Microsoft exposes SMB3 publicly for Azure, Microsoft is confident in the security model of SMB3

Is the “never expose smb to the Internet” still relevant in 2025? Is there a credible threat to security? Is the fear simply that the Linux SMB suite isn’t as secure as the Microsoft/Azure SMB suite?

neofusion · August 12, 2025, 10:25pm

Yes.

Not really, Microsoft/Azure SMB isn’t meant to be used directly over the Internet either. (QUIC is a sort of VPN, which is different from straight up SMB)

awalkerix · August 13, 2025, 1:00am

QUIC support is on the roadmap for samba soon-ish. SMB over WAN would make more sense then.

coolaj86 · August 13, 2025, 2:14am

Let’s say I don’t believe you on the basis of the single word “yes”. Do you have any technical consideration, reasoning, or evidence?

According to the Azure documentation, it is intended to connect directly over the internet on port 445. See “Learn / Azure / Storage / Files / Mount SMB Azure file share on Windows” (I can’t provide the link due to my account being new). Note how the public internet URL is shown in the connect documentation, and VPN is listed as a workaround for ISPs that block 445, but that 445 is the primary mode of access.

As far as I can tell, QUIC is only similar to a VPN in the way that TLS and SMB3 are also similar to a VPN - it provides session state and encryption. As far as I’m aware it’s just a workaround for certain network loads that can behave under UDP than TCP, but still need most of the advantages of TCP+TLS (including session state, SNI+ALPN routing, etc).

Why? What characteristics of QUIC do you believe provides better protection than SMB3?

squirrel627 · August 13, 2025, 12:24pm

You asked why it’s discouraged to expose SMB to the Internet, and then asked to differentiate replies based on versioning. Given that Azure will happily expose SMB to the public Internet, I suppose that’s a fair question.

Microsoft used to recommend not exposing SMB to the Internet. Then they went silent on the matter (please correct me if I’m wrong).

It’s important to keep in mind that Microsoft has made many poor security choices for self-interest and does so with some regularity. They also have an organizational culture of “yes but we can do it”.

Speaking as a professional sysadmin, I don’t expose any service to the Internet that is not designed for and intended (by use case) to be exposed to the Internet. While I might not ever expose SMB, I might expose SSH on a bastion host so I can access it.

SSH, internal tools, CIFS/SMB, KBs, etc, are all behind some kind of SASE, VPN, or bastion and IP allowlist.

The reasons are varied, but the themes are broad. The fewer the protocols exposed to the open Internet, the lower your attack surface. Exposed SMB has historically been something of (either) a honey pot or a signal that a network has subpar security management, and so you may see a commensurate increase in malicious traffic. This holds true today.

That also means if you decide to expose SMB to the Internet, your credential policies and management should be excellent. Every endpoint accessing the same share with the same credentials means everyone has the same identity from the server’s perspective.

Do you need to use SMB exposed to the Internet to achieve your goals? If so, setup a host specifically for that and put it in your DMZ. Make sure SMB is the only thing exposed. In the alternative, go with something that was architected with the assumption of Internet exposure being the default, like SFTP. You can manage some SFTP applications just like you can manage GPO/MDM and drive mapping.

Another way of thinking about this is trust levels. If you need to maintain some kind of highly trustworthy environment in one area of your network, you’d do well not to expose potentially sensitive services like file sharing to the Internet. At least not services in the same network segments. You cannot assume that all malicious activity will be obvious or detectable (or detected!), and you also can’t assume there won’t be another SMB zero day like WannaCry.

TrueNAS is designed with the assumption and accompanying admonition that it’s not designed to be exposed to the Internet, so there’s also that. If you still want to do that, you should personally review the generated Samba configuration to make sure it meets with your security assumptions.

Another thing worth thinking about is MFA. It’s trivial to protect a VPN with MFA. It’s far less trivial to protect SMB with MFA, but if you’re in a scenario where you have to have users sharing identities, you’re already up against some challenging requirements to keep secure.

coolaj86 · August 14, 2025, 4:04am

This makes sense. I do wish that all enterprise network software were written with the understanding that all networks are hostile environments rather than assuming that, just because you wish that there weren’t rogue devices on a network attacking everything possible thing, that somehow there aren’t.

Yes… in this case everything is tightly controlled, so the users either won’t ever even see the unique passphrase - because it will be put into their keychain for them - or they’ll only see it once. Unless they’re technically savvy enough (which they aren’t), they won’t be extracting from their keychain to share a passphrase with other users.

I appreciate the objective answer, rationale, etc. Thank you.

squirrel627 · August 15, 2025, 6:22am

Agreed. Or for that matter, all software altogether. It’s too frequently the case that the software deployed in smaller environments is explicitly hostile to privacy and security. IoT vendors come to mind.

I caution against this unless you have really fantastic auditing. Although users will always find new and exciting ways to prove IT wrong in general, this kind of setup opens a door to social engineering vulnerabilities. If a threat actor discovers this during reconnaissance then they’re just a phone call, screen share, or spoofed KB article and email away from having a user walk them right to the credentials and Internet-accessible hostname. Alternatively, with local access, they can just grab a credential themselves. In that scenario, with a shared account, the only differentiating piece of data is the IP address. If your office uses IPv4 behind NAT and the traffic has to leave the LAN to route to the server, all you’ll ever know is that the call came from inside the building. This could be a problem if that is the difference between knowing you have to rotate credentials for shares and users and potentially wipe/reimage any system that had the old credentials.

But then again we don’t always get to choose the orders we have to follow. Sometimes we can only object.

Always happy to help and game out security scenarios. It’s a lot of fun!

dan · August 15, 2025, 10:56am

Remember, the S in IoT is for security.

squirrel627 · August 15, 2025, 2:15pm

And the L is for longevity

Topic		Replies	Views
A rant: "Don't put TrueNAS on the internet" - "Backup your NAS" TrueNAS General SCALE	28	1773	April 5, 2025
Fail2ban? What else? TrueNAS General	8	87	January 16, 2026
Windows 10 End-of-Life and SMB TrueNAS General SCALE , SMB	14	250	July 29, 2025
SMB vs. NFS with macOS clients... FIGHT! TrueNAS General Performance , SMB , NFS , 24_04-Dragonfish , macOS-Client	26	3055	November 12, 2024
HexOS: Powered by TrueNAS Announcements SCALE	111	5357	August 13, 2024

WHY is it discouraged to expose SMB via Port Forward?

Related topics