Microsoft Tech Community
Stop using SMB1
Published Apr 10 2019 04:21 AM
Microsoft

First published on TECHNET on Sep 16, 2016


Hi folks, Ned here again and today’s topic is short and sweet:

Stop using SMB1. Stop using SMB1. STOP USING SMB1!


In September of 2016, we released MS16-114, a security update for SMB1 that prevents denial of service and remote code execution. If you need this security patch, you already have a much bigger problem: you are still running SMB1.

The original SMB1 protocol is nearly 30 years old, and like much of the software made in the 80’s, it was designed for a world that no longer exists. A world without malicious actors, without vast sets of important data, without near-universal computer usage. Frankly, its naivete is staggering when viewed through modern eyes. I blame the West Coast hippy lifestyle :).

If you don't care about the why and just want to get to the how, I recommend you review:


Otherwise, let me explain why this protocol needs to hit the landfill.

 

SMB1 isn’t safe

When you use SMB1, you lose key protections offered by later SMB protocol versions:

  • Pre-authentication integrity (SMB 3.1.1+) - protects against security downgrade attacks by hashing the negotiate and session setup exchange so that tampering is detected.
  • Secure dialect negotiation (SMB 3.0, 3.02) - protects against a man-in-the-middle downgrading the dialect or capabilities.
  • Encryption (SMB 3.0+) - prevents inspection of data on the wire and MiTM attacks; in SMB 3.1.1 encryption performance is even better than signing.
  • Insecure guest auth blocking (SMB 3.0+ on Windows 10+) - protects against MiTM attacks that answer with an unauthenticated guest session.
  • Better message signing (SMB 2.02+) - HMAC-SHA256 replaces MD5 as the signing algorithm in SMB 2.02 and 2.1, and AES-CMAC replaces that in SMB 3.0+; signing performance is higher in SMB2 and SMB3.

The nasty bit is that no matter how you secure all these things, if your clients use SMB1, then a man-in-the-middle can tell your client to ignore all the above. All they need to do is refuse to negotiate SMB2+ themselves and answer to your server’s name or IP. Your client will happily derp away on SMB1 and share all its darkest secrets, unless you required encryption on that share, which prevents SMB1 in the first place (encryption needs SMB 3.0 or later). This is not theoretical; we’ve seen it. We believe this so strongly that when we introduced Scale-Out File Server, we explicitly prevented SMB1 access to those shares!
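The downgrade described above is easy both to check for and to shut off from PowerShell. The following is an added example, not code from the original post: it assumes an elevated session on Windows 8 / Windows Server 2012 or later (where the SmbShare module exists), a share named 'Finance' that is purely illustrative, and the Signed/Encrypted columns of Get-SmbConnection, which appear on Windows 10 / Windows Server 2016 and later.

```powershell
# Added example (not from the original post). The share name 'Finance' is assumed.

# --- Client side: what did each live session actually negotiate? ---
# A Dialect below 2.0 means the session fell back to SMB1. Signed/Encrypted show whether the
# protections listed above are in force for that particular connection.
function Get-WeakSmbConnection {
    Get-SmbConnection |
        Select-Object ServerName, ShareName, Dialect, Signed, Encrypted |
        Where-Object { [version]$_.Dialect -lt [version]'2.0' -or -not $_.Encrypted }
}
Get-WeakSmbConnection | Format-Table -AutoSize

# --- Server side: make the downgrade impossible rather than merely visible. ---
# Requiring encryption on a share forces SMB 3.0+ (there is no encryption in SMB1 or SMB2),
# so an attacker who only offers SMB1 cannot get the client to hand over the share's data.
Set-SmbShare -Name 'Finance' -EncryptData $true -Force

# Stop offering SMB1 at all, and reject unencrypted sessions to shares that require
# encryption instead of silently falling back to a weaker dialect.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -RejectUnencryptedAccess $true -Force

# Verify the end state.
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, EnableSMB2Protocol, RequireSecuritySignature, RejectUnencryptedAccess
Get-SmbShare -Name 'Finance' | Select-Object Name, EncryptData
```

Note that -EncryptData on a share does not help clients that never got as far as your server: a client that will still speak SMB1 to a spoofed name is the thing to fix, and that is what removing SMB1 from the client (later in this post) does.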


As an owner of SMB at MS, I cannot emphasize enough how much I want everyone to stop using SMB1 https://t.co/kHPqvyxTKC


— Ned Pyle (@NerdPyle) April 12, 2016


US-CERT agrees with me, BTW: https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices

 

SMB1 isn’t modern or efficient

When you use SMB1, you lose key performance and productivity optimizations for end users.

  • Larger reads and writes (2.02+) - more efficient use of faster networks or higher latency WANs. Large MTU support.
  • Peer caching of folder and file properties (2.02+) - clients keep local copies of folders and files via BranchCache.
  • Durable handles (2.02, 2.1) - allow a connection to transparently reconnect to the server if there is a temporary disconnection.
  • Client oplock leasing model (2.02+) - limits the data transferred between the client and server, improving performance on high-latency networks and increasing SMB server scalability.
  • Multichannel & SMB Direct (3.0+) - aggregation of network bandwidth and fault tolerance if multiple paths are available between client and server, plus usage of modern ultra-high throughput RDMA infrastructure.
  • Directory Leasing (3.0+) - improves application response times in branch offices through caching.

 

Running SMB1 is like taking your grandmother to prom: she means well, but she can't really move anymore. Also, it's creepy and gross


— Ned Pyle (@NerdPyle) September 16, 2016

 

SMB1 isn’t usually necessary

This is the real killer: there are far fewer cases left in modern enterprises where SMB1 is the only option. Some legit reasons:

    1. You’re still running XP or WS2003 under a custom support agreement.
    2. You have old management software that demands admins browse via the so-called 'Network' (aka 'Network Neighborhood') master browser list.
    3. You run old multi-function printers with old firmware in order to “scan to share”.

 

These will only affect the average business or user if you let them. Vendors are moving to upgrade their SMB2 support - see here: https://aka.ms/stillneedssmb1 . For the ones who aren't, their competitors are. You have leverage here. You have the wallet.

We work carefully with partners in the storage, printer, and application spaces all over the world to ensure they provide at least SMB2 support, and have done so with annual conferences and plugfests for six years. Samba supports SMB 2 and 3. So do OS X and macOS. So do EMC, NetApp, and their competitors. So do our licensed SMB providers like Visuality and Tuxera, who also help printer manufacturers join the modern world.

A proper IT pro is always from Missouri though. We provide SMB1 usage auditing in Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2008 R2 (the latter two received via backported functionality in monthly updates several years ago) plus their client equivalents, just to be sure. That way you can configure your Windows Servers to see if disabling SMB1 would break someone:


Set-SmbServerConfiguration -AuditSmb1Access $true

 

On Windows Server 2008 R2 and Windows 7 there is no SMB PowerShell module, so you must set this DWORD value in the registry directly:

 

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name AuditSmb1Access -Type DWORD -Value 1 -Force

 

Then just examine the Microsoft-Windows-SMBServer/Audit event log on those systems (in Event Viewer: Applications and Services Logs > Microsoft > Windows > SMBServer > Audit; event ID 3000 is written for each SMB1 access and names the client address). If you have servers older than WS2012 R2, now is a good time to talk upgrade. Ok, that’s a bit extortionist; now is the time to talk to your blue teams, network teams, and other security folks about if and where they are seeing SMB1 usage on the network. If they have no idea, they need to get one. If you still don’t know because this is a smaller shop, run your own network captures on a sample of your servers and clients and see if SMB1 appears.
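Once auditing has been on for at least one full business cycle (month-end batch jobs and backup appliances are the classic surprises), the audit log can be summarised per client so you know exactly who will break. The following is an added example, not part of the original post; it assumes the AuditSmb1Access setting above is enabled, that the Audit log contains the event ID 3000 "SMB1 access" records with their "Client Address:" line, and that the caller is an administrator on the file server (or reaches it remotely with -ComputerName).

```powershell
# Added example (not from the original post): who is still talking SMB1 to this server?

function Get-Smb1Client {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Event 3000 in Microsoft-Windows-SMBServer/Audit is written once per SMB1 access while
    # AuditSmb1Access is on. Get-WinEvent throws when nothing matches, so "no SMB1 clients"
    # is treated as an empty result rather than an error.
    $events = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-SMBServer/Audit'
        Id      = 3000
    }

    $events |
        ForEach-Object {
            # The message body carries a line of the form "Client Address: 10.0.0.5"
            if ($_.Message -match 'Client Address:\s*(\S+)') {
                [pscustomobject]@{ ClientAddress = $Matches[1]; Time = $_.TimeCreated }
            }
        } |
        Group-Object ClientAddress |
        ForEach-Object {
            $times = $_.Group.Time | Sort-Object
            [pscustomobject]@{
                ClientAddress = $_.Name
                Accesses      = $_.Count
                FirstSeen     = $times[0]
                LastSeen      = $times[-1]
            }
        } |
        Sort-Object Accesses -Descending
}

# Historical view from the audit log ...
Get-Smb1Client | Format-Table -AutoSize

# ... plus a live snapshot: any session open right now with a dialect below 2.0 is SMB1.
Get-SmbSession |
    Where-Object { [version]$_.Dialect -lt [version]'2.0' } |
    Select-Object ClientComputerName, ClientUserName, Dialect, NumOpens
```

Resolve the addresses to hostnames and owners before you flip the switch; an IP that shows up once a month at 02:00 is usually the job nobody remembers writing.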

 

Day 700 without SMB1 installed: nothing happened. Just like last 699 days. Because anyone requiring SMB1 is not allowed on my $%^&%# network

— Ned Pyle (@NerdPyle) September 13, 2016


Update April 7, 2017: Great article on using DSC to track down machines with SMB1 installed or enabled: https://blogs.technet.microsoft.com/ralphkyttle/2017/04/07/discover-smb1-in-your-environment-with-d...

Update June 19, 2017 - Group Policy to disable SMB1: https://blogs.technet.microsoft.com/secguide/2017/06/15/disabling-smbv1-through-group-policy/

Update June 30, 2017 - You have probably seen me announce this on twitter and in other public venues: Windows 10 RS3 (Fall Creators Update) and Windows Server 2016 RS3 have SMB1 uninstalled by default under most circumstances: https://aka.ms/smb1rs3 . The full removal has begun. Make sure you check https://aka.ms/stillneedssmb1 for products that may require updates or replacement to be used without the need for SMB1.

Update July 7, 2017: if your vendor requires disabling SMB2 in order to force SMB1, they will also often require disabling oplocks. Disabling Oplocks is not recommended by Microsoft, but required by some older software, often due to using legacy database technology. Windows 10 RS3 and Windows Server 2016 RS3 allow a special oplock override workaround now for these scenarios - see https://twitter.com/NerdPyle/status/876880390866190336 . This is only a workaround - just like SMB1 oplock disable is only a workaround - and your vendor should update to not require it. Many have by now (I've spoken to some, at least) and their customers might still just be running an out of date version - call your suppliers.

 

SMB1 removal isn’t hard

Starting in Windows 8.1 and Windows Server 2012 R2, we made removal of the SMB1 feature possible and trivially easy.

On Server, the Server Manager approach:



On Server, the PowerShell approach (Remove-WindowsFeature FS-SMB1):



On Client, the add remove programs approach (appwiz.cpl):



On Client, the PowerShell approach (Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol)



On legacy operating systems:

When using operating systems older than Windows 8.1 and Windows Server 2012 R2, you can’t remove SMB1 – but you can disable it: KB 2696547 - How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows Vista, Windows Server 2008...

A key point: when you begin the removal project, start at smaller scale and work your way up. No one says you must finish this in a day.
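Pulled together, the four paths above (Server Manager or Remove-WindowsFeature on Server, appwiz.cpl or Disable-WindowsOptionalFeature on client, registry and service changes on anything older) become one script that picks the right one for the machine it runs on. This is an added example, not code from the original post. It assumes an elevated Windows PowerShell session; the legacy branch applies the KB 2696547 settings for the server side (LanmanServer SMB1 = 0) and the client side (disable the mrxsmb10 redirector and drop it from LanmanWorkstation's dependencies).

```powershell
# Added example (not from the original post): remove SMB1 where the OS allows it, disable it
# where it does not. Run elevated. A restart is required afterwards in every branch.

$os       = Get-WmiObject -Class Win32_OperatingSystem   # works back to PowerShell 2.0 on Windows 7
$build    = [int]$os.BuildNumber
$isServer = $os.ProductType -ne 1      # ProductType: 1 = workstation, 2 = domain controller, 3 = server

if ($build -ge 9600) {
    # Windows 8.1 / Windows Server 2012 R2 (build 9600) and later: the SMB1 component can be removed.
    if ($isServer) {
        if ((Get-WindowsFeature -Name FS-SMB1).Installed) {
            Remove-WindowsFeature -Name FS-SMB1
        } else {
            Write-Output 'FS-SMB1 is already removed.'
        }
    } else {
        $state = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
        if ($state -eq 'Enabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
        } else {
            Write-Output "SMB1Protocol is already $state."
        }
    }
} else {
    # Vista / Server 2008 through 8 / Server 2012: SMB1 cannot be uninstalled, but KB 2696547
    # shows how to switch it off on both sides.
    # Server side (LanmanServer): SMB1 = 0 stops this machine from *serving* SMB1.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -Type DWORD -Value 0 -Force
    # Client side (LanmanWorkstation): remove the SMB1 redirector (mrxsmb10) from the dependency
    # list and disable the driver so this machine stops *speaking* SMB1 to others.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
    sc.exe config mrxsmb10 start= disabled
}
```

Both halves of the legacy branch matter: a server that no longer serves SMB1 can still be a client that falls for the downgrade described earlier, which is why the client-side redirector is disabled as well.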

 

Explorer Network Browsing

The Computer Browser service relies on SMB1 in order to populate the Windows Explorer Network (aka "Network Neighborhood"). This legacy protocol is long deprecated, doesn't route, and has limited security. Because it cannot function without SMB1, it is removed at the same time.

However, some customers still use the Explorer Network in home and small business workgroup environments to locate Windows computers. To continue using Explorer Network, you can perform the following steps on your Windows computers that no longer use SMB1:

1. Start the "Function Discovery Provider Host" and "Function Discovery Resource Publication" services and set them to delayed start.

2. When the user opens Network, they will be prompted to enable network discovery. Do so.

3. Now all Windows devices within that subnet that have these settings in place will appear in Network for browsing. This uses the WS-Discovery protocol. Check with your other vendors and manufacturers if their devices still do not appear in this browse list after Windows devices appear; it is likely they have this protocol disabled or only support SMB1.
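The three steps above, scripted for the machines you have already cleared of SMB1. This is an added example, not from the original post; it assumes an elevated session on Windows 8 / Windows Server 2012 or later (for the NetSecurity cmdlets) and uses sc.exe for the delayed-start setting because Set-Service in Windows PowerShell 5.1 has no delayed-start option.

```powershell
# Added example (not from the original post): enable WS-Discovery browsing on a machine without SMB1.
# Run elevated.

# Step 1: Function Discovery Provider Host (fdPHost) and Function Discovery Resource Publication
# (FDResPub): delayed-auto start, then started now.
foreach ($svc in 'fdPHost', 'FDResPub') {
    sc.exe config $svc start= delayed-auto | Out-Null
    Start-Service -Name $svc
    Get-Service -Name $svc | Select-Object Name, Status
}

# Step 2: "network discovery" is the Network Discovery firewall rule group. Enable it only for the
# Private and Domain profiles; leave it off on Public so the machine stays quiet on untrusted networks.
Get-NetFirewallRule -DisplayGroup 'Network Discovery' |
    Where-Object { $_.Profile -match 'Private|Domain' } |
    Enable-NetFirewallRule

# Discovery only works when the active connection is classified Private or Domain; check rather than
# guess, and fix the category in the Settings UI if it shows Public.
Get-NetConnectionProfile | Select-Object Name, NetworkCategory

# Step 3: devices that publish themselves via WS-Discovery now appear under Network in Explorer;
# anything still missing is either not publishing or only speaks SMB1.
```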

 

Note: we highly recommend you map drives and printers for your users instead of enabling this feature, which still requires searching and browsing for their devices. Mapped resources are easier for them to locate, require less training, and are safer to use, especially when provided automatically through group policy.

 

SMB1 isn’t good

Stop using SMB1. For your children. For your children’s children. Please. We’re begging you. And if that's not enough: SMB1 is being removed (fully or partially, depending on SKU) by default in the RS3 release of Windows and Windows Server. This is here folks: https://aka.ms/smb1rs3

- Ned “and the rest of the SMB team at Microsoft” Pyle

21 Comments
Copper Contributor

Your easy dismissal of the need for SMB1 or an acceptable substitute is annoying. Some of us work for small businesses that nonetheless have multiple locations and subnets and are stuck with old software that, when browsing to find data on the network, needs SMB1. It's also just too convenient to give up the ability to browse to a system on the network to check if everything seems to be OK with it when it's at another location that has another subnet, so our intracompany gateway-to-gateway VPN will work properly. People who completely dismiss the validity of this viewpoint seem to me to have no idea of the variety of small business environments that aren't large, don't have large budgets, but still are a domain network.

Iron Contributor

Hey Ned, 

 

I am a little confused on the Signing and SMB 3.0. If SMB 3.0.2 is enabled is it also necessary to enable SMB Signing as well? For instance, as you know Windows Domain Controllers require signing; should the same be done on Windows File Servers that have SMB 3.0 enabled and SMB1 set to disabled, with reject unencrypted connections set to true? 

 

Also is there a way to verify that SMB3 Encryption is actually taking place? Windows 10 and Windows Server 2012 R2

 

Thanks, 

Robert

Brass Contributor
Please consider backporting the ability to uninstall SMBv1 to Windows Server 2012. Both Windows Server 2012 and Windows Server 2012 R2 have the exact same support dates. And IE11 was back-ported. So, there is precedent.
Copper Contributor
Nice article, totally agree about SMB1. This I don’t agree with: “Mapped resources are easier for them to locate, require less training, and are safer to use, especially when provided automatically through group policy.” 1. We have been trying to move users away from drive letters to UNCs; if Windows had the ability to map a UNC as a folder under My Computer your guidance would be sound, but it doesn’t. 2. Many servers have many shares; in many organizations there literally aren’t enough drive letters. Smaller orgs will not do DFS, and even if they have just something like a NAS that often has 10+ shares, all those drive letters are not easier than clicking one browsable object. If Microsoft thinks browsing computers with WS-Discovery is not safe it should remove the ability to use it and move to mDNS ...
Copper Contributor

I doubt anyone disagrees that the sooner SMB1 is gone, the better. However, rather than ridiculing people who continue to use it, take a minute to stop and think who created it in the first place and why. I'm talking about you, Microsoft. The use case for homes and small businesses is obvious. Many homes and most small businesses have multiple computers and a requirement to share files and printers between them. While you seem to be maligning the network neighborhood, it fulfils the file and printer sharing requirement for homes and small businesses. To be honest, I find your suggestion to use mapped drives for file sharing rather than the network neighborhood to be ridiculous. If SMB1 is archaic, then mapped drives are pre-archaic. Setting up mapped drives on any more than a few computers is time-consuming, tedious and error prone. On the contrary, it's trivially easy to share files using the network neighborhood. Rather than wasting the effort to implement (and deprecate) the home group feature (which was an unreliable POS), Microsoft should put some effort into implementing a new version of network neighborhood that facilitates users eliminating older versions of SMB as they eliminate their older computers. Surely if this was done, the vast majority of users would not have any reason to continue using SMB1 and the problem would be solved. Instead, you're taking the approach of beating users with a stick to stop using an outdated feature without providing an alternative. Way to go, Microsoft.

Brass Contributor

@Ned Pyle I've done all the hard work and SMB1 is dead to me. Now I want to kill off SMB2 and force SMB3 with the goal of blocking man-in-the-middle attacks (stupid auditors and their poisoned ARP tables). Is there a way I can force my Windows 10 clients to only use SMB3 and not give up hashed creds? My pen testers keep poisoning the ARP table and tricking my workstations to try to attach to them with SMB2. So far they haven't guessed the passwords yet but they keep telling me I need to block this activity. My passwords are secured using Azure Password Protection and I know I can enable Dynamic ARP inspection on the switches but I would prefer to do this from the clients instead of at the switch level. Any suggestion would be helpful. 

Copper Contributor

If you have many shared folders on one server, why not just map the server as a network drive? Sounds a lot simpler and useful to have one mapped drive with all your folders than to browse a network directory. 

Copper Contributor

Yeah....just dump SMB1. Condemn those hundreds of thousands of printers that use the protocol to scan to folder. Great idea.....unless you can deliver another way. Where, exactly, is that?

 

I've got an old dino HP 9500 MFP with barely 6000 sheets through the engine. Just got done beating my head against the wall getting scan to folder to work on a Win10 machine.  Because it's old, HP doesn't want to talk to you, telling you to dump your $6k machine for a newer one. What asinine stupidity. Hubris.

 

No one, including MS, knew crap about it when asked. Finally stumbled across a white paper by HP that listed several hundred printers that would be affected. Buried. Deeeep. One of the claims for deprecation was WannaCry, and yet, MS patched SMB1 so that issue is moot.

 

Thanks MS. Kinda why Linux has another convert.

Copper Contributor

Nice article, I followed the article in the link below. I have a Windows 2012 R2 server and a Windows 10 desktop.
I enabled Lanmanserver and Lanmanworkstations reg keys to be 1, that is, enabled on all four options.
I disabled all four options on the desktop expecting the server will refuse connection to a shared folder since the desktop is not set to smb signing.
But, the desktop is still signing the shared folder despite all reg keys being set to 1.

How do I ensure that the server refuses connection if a desktop is not set to sign?

 

https://docs.microsoft.com/en-us/archive/blogs/josebda/the-basics-of-smb-signing-covering-both-smb1-...

Copper Contributor

Hi @Ned Pyle! So I didn't have SMB1 enabled, but thank you for reminding me to turn off all sorts of other "features" I don't want on my windows box. What I don't get is why in the "Shared Folders / Shares" section of Computer Management I always see all my internal drives exposed / listed as C$, D$, and also there is IPC$ and ADMIN$.  Under the description it says "default share" - but I never enabled anything like that, and was sure to turn anything unnecessary off when hardening this system.  Are my drives really exposed to the open internet somehow by some other CIFS related protocol (or anything else) do you think?  Sorry for the newb question.. I'm much more comfortable with GNU/linux.

 

Oh yeah, also if you are going to blame the California hippies for their laxity, you may as well blame MIT and their exclusive mega-nerds too.  I mean MIT should take 1/3 of the blame for naive lack of sophistication, since they were 1 of the 3 nodes in the primordial internet (AKA Arpanet).  The other two were indeed Californian hippies at UC Berkeley and at a RAND Corp spinoff in LA.   The history of the internet is weird.  Not many people considered security an issue because for a long time we considered Moscow much less sophisticated (eg no networking), despite the fact they won the space race.

 

Then a man who is famous for attracting idiotic alt-right conspiracy theories to him (not Bill this time.. but George) built a data corridor between San Francisco and Moscow.  Here, if you want some funny history of the early internet (pasting from wikipedia):

 

At the time, Western users of Usenet were generally unaware of that, so one of them on April 1, 1984 made an "April fool" hoax about "Kremvax" ("Kremlin VAX") that gained some popularity for subsequent years.  It was funny because the notion that Usenet might ever penetrate the Iron Curtain seemed so totally absurd at the time. The thing is, there was still no need for security then because no top secret data moved over usenet, or even arpanet.  

 

Six years later Usenet was joined by demos.su, the first genuine site based in Moscow. Some readers needed convincing that the postings from it were not just another prank. The senior programmer at Demos and the major poster from there until mid-1991, was quite aware of all this, and referred to it frequently in his own postings. Antonov later arranged to have the domain's gateway site named kremvax.demos.su, turning fiction into truth and, according to one account, "demonstrating that the hackish sense of humor transcends cultural barriers".   =)

Brass Contributor

Hi,

 

Great article!

 

Perhaps 1 thing to fix (perhaps through an explicit update within the blog post)? The link for "Insecure guest auth blocking (SMB 3.0+ on Windows 10+) " refers to a PNG (https://msdnshared.blob.core.windows.net/media/2016/09/2016-09-14_17-15-54.png), but it doesn't seem to work (anymore?). I suspect the new URL with the latest related information is https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disa...? Is the PNG still available somewhere, BTW?

 

Ciao!

Padre Pedro

 

Copper Contributor

Ned, what is the replacement for the functionality we illiterate SMB1 users want and need? All I see is preaching from you and your professional fanboys.

Copper Contributor

Thank you, late to the game here, but I came-across a script today that has been relying on net view for a long time. Net View is a COMMAND LINE function/utility that millions of admins have relied on for 25 years. Therefore what is the COMMAND LINE replacement for net view? Micro$oft industry leaders seem to be out-of-touch.

Copper Contributor

SoftwareRespect

 

Try a PowerShell script...

 

https://ss64.com/nt/net-view.html

Copper Contributor

In my Windows 10 SMB1 is gone, not in the features list, I bought a NAS server, and when trying to communicate with it I get the message that I can't because I don't have SMB 2, what can I do?

Copper Contributor

Yeah....I really need to throw away (and I mean that in the most literal sense) a perfectly fine $10k HP printer because everybody is too lazy to make an SMB work around. You guys make me see red every time you start preaching about how superior you are by not giving a damn about the consumer. Hundreds of thousands of printers were affected, not just mine. MS and HP and several other printer manufacturers gave us this.....:middle_finger:

Copper Contributor

An ordinary home user has:

- a router

- a NAS (maybe)

- a printer

- a desktop PC

- 1-3 laptops

and would simply like to see these devices in the Windows network neighbourhood (XP, Vista, 7, 10, 11).

IT CAN'T BE DONE.

After digging through several hundred tips and articles, with an amateur (but decent) level of knowledge on the subject, the conclusion is that you have to go back to an AMIGA or a 486 PC with Windows 3.11.

Windows has a market share of several tens of percent. 

I dare say that more than 50% of that is ordinary home users, not companies with hundreds of computers and a multi-person IT department.

And so what? Nothing!  Their problems CANNOT be solved.

Nice article. It broadens one's knowledge. But it is of no use whatsoever to ordinary home users.

The devices simply don't see each other, period. IT CAN'T BE DONE.

So what do we all need experts for, if they exist only for themselves.

Brass Contributor

In my Windows 10 SMB1 is gone, not in the features list, I bought a NAS server, and when trying to communicate with it I get the message that I can't because I don't have SMB 2, what can I do?

 

@GoonerDane

you mean you don't see this SMB1 feature on the "Windows Features" list in your edition of Windows 10?

 

win10-smb1-cifs-filesharingsupport-feature.png

 

I have it listed on my Win10 Home 22H2, Win10 Pro 22H2 & Win10 LTSC 2021 v21H2 computers but not installed by default

 

 

Copper Contributor

Yes, it's not in my list, is there a way to install it manually? Ideally version 2 or 3, because I read the first version is not safe? 

Stupid to have bought a NAS server but being unable to comunicate with it.

Copper Contributor

Hi All!

I would like to throw a spanner in the works! Yes, I know that SMB1 is not a viable communications protocol. I have a My Passport external drive and have had them for many years, so I know I have to have SMB1 activated in the latest versions of Windows. I did not think this would be necessary when I tried to connect my new Nitro laptop with resources on my PC.

 

On my PC I could see my laptop computer in Network (in Explorer), but not the other way around. I could see no computers at all (sometimes not even my own laptop) while experimenting with file access, public and private network settings. It was not until I gave up after some hours and decided to go ahead and change the settings in SMB1 so I could connect the My Passport device, that everything in Network was displayed! Imagine my surprise - and then my dismay when I realised why.

 

Microsoft is already taking steps to remove SMB1, as they should in my view, for all the right reasons, BUT because of this I also realised that I do NOT decide what protocol my devices use and NEITHER does Microsoft - the manufacturers do! After realising this I knew I had to get a new external drive that did not use SMB1, so I contacted some manufacturers. The one that answered me (SSK) said that unfortunately there is no present WiFi drive that does not use SMB1.

 

So, the way I see it - DO NOT PUT PRESSURE ON THE USERS - PUT PRESSURE ON THE MANUFACTURERS! They are the ones that have to adapt and change first. We, the users, can only adapt to the devices and protocols used. Yes, we can choose not to use WiFi devices or maybe change to bluetooth instead, but if that is not an option?.... Not only that, but I find it very strange that no newly manufactured devices from 2020 onward that have reached the market in 2024 have SMB2 or 3!? SMB1 is over 30 years old, so what is the holdup?

 

(If there are manufacturers that actually do have external wireless drives/devices that use SMB2 and/or 3, then I apologize up front and would like to put in a request for an external drive - 2TB or larger)

: P

/MacD

Copper Contributor

Makes zero sense that a device that would take smb3 and convert it to smb1 bi-directionally at the printer. Can't be that hard....could be implemented on a Pi Zero or similar.

Version history
Last update: Sep 02 2020 10:44 AM