Hi Alban,
Thanks for your response. I understand your point regarding legacy devices. However, I'd like to address those here:
- outdated non-Microsoft servers (Unix, Linux, NAS, appliances, etc.) - If it is outdated so badly that it can't upgrade to SMB2+, it is very old and a big security risk and should be replaced. If they choose to stay with SMB1, they do so at their own risk. These devices are probably all end of life or almost there anyway.
- equipment (like industrial or medical computers, with the provider out of existence years ago) - Again, if it is this far outdated that it can't even support SMB2+ it is a big security risk and should be replaced... especially if the provider went out of existence years ago. I don't think I would want anything medical related to me to be done on a "medical computer" that is that ridiculously old and outdated.
- Printers - Again, same thing. If a printer is so old that it can only support SMB1, it's time to get a new printer. These devices are probably all end of life or almost there.
I understand that you have to allow time for old equipment to age out. But, in my opinion, it's been long enough. Given the huge security risk that using SMB1 presents, Microsoft would be doing owners of those ancient devices a favor by completely phasing it out now. They really need to change out that equipment.
Customers may have a hard time removing SMB1 entirely. But, they will have a much harder time removing ransomware entirely.
Also - I downloaded the Microsoft Baseline Security guidance and tools and I find comments like these regarding SMB1.
- APPLIES ONLY TO: Windows 7 and Windows Servers 2008, 2008R2 and 2012 (NOT 2012R2): To disable client-side processing of the SMBv1 protocol (recommended), do ALL of the following:
- Configures the SMB v1 client driver's start type. To disable client-side processing of the SMBv1 protocol, select the "Enabled" radio button, then select "Disable driver" from the dropdown.
- Disabling this setting disables server-side processing of the SMBv1 protocol. (Recommended.)
See a pattern here? The baselines seem to be recommending disabling SMBv1.
And maybe you didn't notice my point previously that the recommendations that I referred to above conflict with each other.
And we can also look at this article by the same author here, Mr. Ned Pyle. (link below) Notice that it was first published in 2016 (6 years ago) and last updated in 2022.
Stop using SMB1
https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858
I appreciate your feedback. But, I disagree with your opinion that it is OK to keep SMB1 registry keys (and along with that, SMB1) available. If you are keeping SMB1 registry keys available, you are keeping SMB1 available. And I disagree with the "if it ain't broke, don't fix it." If the locks on all the doors to your house or business were found to be easily hacked open by criminals and it was happening, would you say "Well, they ain't broken. So, don't fix them."?
If SMB1 didn't have such a huge security vulnerability, I would tend to agree with you. But, it isn't a matter of whether it is broken or not. It is a matter of whether it is a huge security vulnerability or not. And it is. And it's been long enough. Microsoft needs to phase out SMB1 completely in my opinion. The time has come.