First published on TECHNET on Sep 16, 2016
Hi folks, Ned here again and today’s topic is short and sweet:
Stop using SMB1. Stop using SMB1. STOP USING SMB1!
September of 2016 brought MS16-114, a security update that prevents denial of service and remote code execution. If you need this security patch, you already have a much bigger problem: you are still running SMB1.
The original SMB1 protocol is nearly 30 years old, and like much of the software made in the 80’s, it was designed for a world that no longer exists. A world without malicious actors, without vast sets of important data, without near-universal computer usage. Frankly, its naivete is staggering when viewed through modern eyes. I blame the West Coast hippy lifestyle :).
If you don't care about the why and just want to get to the how, I recommend you review:
Otherwise, let me explain why this protocol needs to hit the landfill.
When you use SMB1, you lose key protections offered by later SMB protocol versions:
The nasty bit is that no matter how you secure all these things, if your clients use SMB1, then a man-in-the-middle can tell your client to ignore all the above. All they need to do is block SMB2+ on themselves and answer to your server’s name or IP. Your client will happily derp away on SMB1 and share all its darkest secrets unless you required encryption on that share to prevent SMB1 in the first place. This is not theoretical – we’ve seen it. We believe this so strongly that when we introduced Scaleout File Server, we explicitly prevented SMB1 access to those shares!
As an owner of SMB at MS, I cannot emphasize enough how much I want everyone to stop using SMB1 https://t.co/kHPqvyxTKC
— Ned Pyle (@NerdPyle) April 12, 2016
US-CERT agrees with me, BTW: https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices
When you use SMB1, you lose key performance and productivity optimizations for end users.
Running SMB1 is like taking your grandmother to prom: she means well, but she can't really move anymore. Also, it's creepy and gross
— Ned Pyle (@NerdPyle) September 16, 2016
This is the real killer: there are far fewer cases left in modern enterprises where SMB1 is the only option. Some legit reasons:
These will only affect the average business or user if you let them. Vendors are moving to upgrade their SMB2 support - see here: https://aka.ms/stillneedssmb1. For the ones who aren't, their competitors are. You have leverage here. You have the wallet.
We work carefully with partners in the storage, printer, and application spaces all over the world to ensure they provide at least SMB2 support and have done so with annual conferences and plugfests for six years. Samba supports SMB 2 and 3. So do OSX and MacOS. So do EMC, NetApp, and their competitors. So do our licensed SMB providers like Visuality and Tuxera, who also help printer manufacturers join the modern world.
A proper IT pro is always from Missouri though. We provide SMB1 usage auditing in Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2008 R2 (the latter two received via backported functionality in monthly updates several years ago) plus their client equivalents, just to be sure. That way you can configure your Windows Servers to see if disabling SMB1 would break someone:
Set-SmbServerConfiguration -AuditSmb1Access $true
On Windows Server 2008 R2 and Windows 7 you must edit the registry directly for this DWORD value, because there is no SMB PowerShell:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name AuditSmb1Access -Type DWORD -Value 1 -Force
Then just examine the SMBServer\Audit event log on the systems. If you have older servers than WS2012 R2, now is a good time to talk upgrade. Ok, that’s a bit extortionist – now is the time to talk to your blue teams, network teams, and other security folks about if and where they are seeing SMB1 usage on the network. If they have no idea, they need to get one. If you still don’t know because this is a smaller shop, run your own network captures on a sample of your servers and clients and see if SMB1 appears.
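One way to turn that audit log into a list of clients still speaking SMB1, as an added example that is not part of the original post. It assumes the log's full name is Microsoft-Windows-SMBServer/Audit, that SMB1 access is recorded as event ID 3000 with an English "Client Address:" line in the message, and the function name Get-Smb1ClientSummary is made up for illustration.

```powershell
# Added example: summarize SMB1 audit events per client address.
# Assumptions: auditing is already on (AuditSmb1Access = $true), SMB1 access is
# logged as event ID 3000, and the message contains "Client Address: <addr>".
function Get-Smb1ClientSummary {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 30
    )

    $filter = @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000
        StartTime = (Get-Date).AddDays(-$Days)
    }

    foreach ($computer in $ComputerName) {
        try {
            $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop
        }
        catch {
            # Get-WinEvent raises an error when nothing matches; that means "no SMB1 seen".
            if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
            else {
                # Anything else (access denied, log missing) must not look like a clean result.
                Write-Warning "${computer}: $($_.Exception.Message)"
                continue
            }
        }

        $events |
            ForEach-Object {
                if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] } else { 'unknown' }
            } |
            Group-Object |
            Sort-Object Count -Descending |
            ForEach-Object {
                [pscustomobject]@{ Server = $computer; Client = $_.Name; Events = $_.Count }
            }
    }
}

# Local server, last two weeks.
Get-Smb1ClientSummary -Days 14 | Format-Table -AutoSize
```

An empty result only means something if auditing has been enabled for the whole window you query.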
Day 700 without SMB1 installed: nothing happened. Just like last 699 days. Because anyone requiring SMB1 is not allowed on my $%^&%# network
— Ned Pyle (@NerdPyle) September 13, 2016
Update April 7, 2017: Great article on using DSC to track down machines with SMB1 installed or enabled: https://blogs.technet.microsoft.com/ralphkyttle/2017/04/07/discover-smb1-in-your-environment-with-d...
Update June 19, 2017 - Group Policy to disable SMB1: https://blogs.technet.microsoft.com/secguide/2017/06/15/disabling-smbv1-through-group-policy/
Update June 30, 2017 - You have probably seen me announce this on twitter and in other public venues: Windows 10 RS3 (Fall Creators Update) and Windows Server 2016 RS3 have SMB1 uninstalled by default under most circumstances: https://aka.ms/smb1rs3. The full removal has begun. Make sure you check https://aka.ms/stillneedssmb1 for products that may require updates or replacement to be used without the need for SMB1.
Update July 7, 2017: if your vendor requires disabling SMB2 in order to force SMB1, they will also often require disabling oplocks. Disabling oplocks is not recommended by Microsoft, but required by some older software, often due to using legacy database technology. Windows 10 RS3 and Windows Server 2016 RS3 allow a special oplock override workaround now for these scenarios - see https://twitter.com/NerdPyle/status/876880390866190336. This is only a workaround - just like SMB1 oplock disable is only a workaround - and your vendor should update to not require it. Many have by now (I've spoken to some, at least) and their customers might still just be running an out of date version - call your suppliers.
Starting in Windows 8.1 and Windows Server 2012 R2, we made removal of the SMB1 feature possible and trivially easy.
On Server, the Server Manager approach:
On Server, the PowerShell approach (Remove-WindowsFeature FS-SMB1):
On Client, the add remove programs approach (appwiz.cpl):
On Client, the PowerShell approach (Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol)
On legacy operating systems:
When using operating systems older than Windows 8.1 and Windows Server 2012 R2, you can’t remove SMB1 – but you can disable it: KB 2696547- How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows Vista, Windows Server 2008...
A key point: when you begin the removal project, start at smaller scale and work your way up. No one says you must finish this in a day.
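For a staged rollout, removal can be gated on the audit log being quiet. The following is an added example, not code from the original post: the function name Remove-Smb1WhenUnused and the 30-day default are illustrative, and event ID 3000 in Microsoft-Windows-SMBServer/Audit is assumed to be the SMB1 access event.

```powershell
# Added example: remove SMB1 only if auditing is on and no SMB1 access was logged.
# Assumption: event ID 3000 in Microsoft-Windows-SMBServer/Audit marks SMB1 access.
function Remove-Smb1WhenUnused {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([int]$QuietDays = 30)

    # An empty audit log proves nothing unless auditing is actually enabled.
    if (-not (Get-SmbServerConfiguration).AuditSmb1Access) {
        Write-Warning 'AuditSmb1Access is off; enable it and wait before removing SMB1.'
        return
    }

    $filter = @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000
        StartTime = (Get-Date).AddDays(-$QuietDays)
    }
    try {
        $hits = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop)
    }
    catch {
        # "No matching events" is the good case; any other error stops the removal.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $hits = @() }
        else { throw }
    }
    if ($hits.Count -gt 0) {
        Write-Warning "$($hits.Count) SMB1 audit event(s) in the last $QuietDays days; not removing."
        return
    }

    # ProductType 1 is a client SKU; 2 and 3 are domain controller and member server.
    $isClient = (Get-CimInstance Win32_OperatingSystem).ProductType -eq 1
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Remove SMB1')) {
        if ($isClient) {
            Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -NoRestart
        }
        else {
            Remove-WindowsFeature FS-SMB1
        }
    }
}

# Dry run first: reports what would be removed without changing anything.
Remove-Smb1WhenUnused -WhatIf
```

Run it elevated on a small pilot group first, and reboot afterwards to complete the removal.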
Stop using SMB1. For your children. For your children’s children. Please. We’re begging you. And if that's not enough: SMB1 is being removed (fully or partially, depending on SKU) by default in the RS3 release of Windows and Windows Server. This is here folks: https://aka.ms/smb1rs3
- Ned “and the rest of the SMB team at Microsoft” Pyle