SMB v1: Put it out to pasture now

By Peter Holland on

Come in SMB v1, your time is up!

 

Back in 2016, hot on the heels of some fairly serious ransomware outbreaks, Microsoft released guidance that SMB v1 should be disabled.

Some of the identified vulnerabilities in the SMB v1 protocol cannot, and will not, be resolved. Others have had hotfixes and patches released, but these rely on all systems being fully patched with Security and Feature updates, which is often not the case.

So what is SMB v1?

SMB v1 is the protocol that is used by all Windows network shares, and the only option for Server 2003/XP through 2008/Vista. It has since been superseded by later iterations of SMB (currently on 3.1.1 for Server 2019), but for backwards compatibility reasons it was retained on all client and Server OSes, installed by default, up to and including Server 2016 and Windows 10.

The presence of SMB v1 as a role on a Server or client means that the system is vulnerable to compromise or attack through SMB v1.

Microsoft has only stopped installing SMB v1 on Server 2019 and Windows 10 1809.

All other OSes require intervention to be protected from SMB v1.

What can we do?

Thankfully it is quite straightforward to kill off SMB v1, and the methods are highly scalable and adaptable to all sizes of organisation.

There are two downsides to dealing with SMB v1 properly:

  1. It requires a reboot
  2. It hammers a large nail in the coffin of Server 2003 and Windows XP.

More on the 2003/XP issue later…

Kill it!

The first step is generally to confirm where SMB v1 is installed; this can then be used to validate removal.

The methods to check for the presence of SMB v1 vary depending on the OS:

Server 2012 R2 and 2016

A nice simple PowerShell feature query:

Get-WindowsFeature FS-SMB1

An Install State of Installed is quite self-explanatory.

To kill it, we remove the role …

Remove-WindowsFeature -Name FS-SMB1

Following a reboot, all is well.

Server 2008 (R2) and 2012

Slightly more convoluted, the older OS requires a delve into the registry:

PowerShell: Get-Item HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}

If no SMB1 value exists, SMB v1 is enabled (the default state).

To disable it, the DWORD “SMB1” must be created under the “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” subkey in the registry with a value of “0”.

This can be accomplished through PowerShell…

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 0 -Force

We can now see the SMB1 entry with 0 (disabled) set against it; after a reboot of the system there is no more SMB v1.

At Scale

These methods can be deployed at scale through device management, group policy, Desired State Configuration, scripting, pretty much whatever methods you have available or prefer.
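As a starting point for the scripted route, the following added example (not part of the original post) combines the two checks above into one inventory function that can be run before the change and again after the reboot. The function name Get-Smb1State and the servers.txt host list are assumptions for illustration.

```powershell
# Added example: reports SMB v1 server state using the two checks from this post.
function Get-Smb1State {
    $method = $null; $enabled = $null; $detail = $null

    # Server 2012 R2 / 2016: FS-SMB1 is a Windows feature.
    $feature = $null
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $feature = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue
    }

    if ($feature) {
        $method  = 'Feature FS-SMB1'
        $enabled = [bool]$feature.Installed
        $detail  = "InstallState=$($feature.InstallState)"
    }
    else {
        # Server 2008 (R2) / 2012: DWORD "SMB1"; absent means enabled (default state).
        $path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $value = (Get-ItemProperty -Path $path -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $method = 'Registry SMB1'
        if ($null -eq $value) {
            $enabled = $true
            $detail  = 'SMB1 value absent (default state)'
        }
        else {
            $enabled = ($value -ne 0)
            $detail  = "SMB1=$value"
        }
    }

    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        Method       = $method
        Smb1Enabled  = $enabled
        Detail       = $detail
    }
}

# Local check
Get-Smb1State

# Fleet check over PowerShell remoting. servers.txt is a hypothetical file
# with one host name per line.
# Invoke-Command -ComputerName (Get-Content .\servers.txt) -ScriptBlock ${function:Get-Smb1State}
```

Any host still reporting Smb1Enabled as True after the change and reboot needs another look.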

You mentioned something about 2003/XP?

For those still propping up the crumbling facades of legacy OSes there is some further bad news. As SMB v1 is the only version of SMB that is supported by Server 2003, Windows XP and older, disabling it will result in these systems being unable to access any and all network file shares.

This includes user profile shares, Sysvol, Netlogon, etc. As a result, these systems are unable to receive Group Policy or act fully as a part of the Domain!

If anything, this is a very good justification to get those remaining legacy systems dealt with.

How Can Silversands Help?

Given the potential complexity and time involved to identify and deal with potential risks and dependencies of something as innocuous yet dangerous as SMB v1 it is worthwhile working with a trusted partner to provide a holistic view of your systems.

To discuss securing your systems, migrating workloads from legacy systems, or reviewing the wide array of Microsoft security options, do not hesitate to contact Silversands. Our range of subject matter experts can assist your organisation to modernise and secure your systems.
