Hi folks, Ned here again and today's topic is short and sweet:
Stop using SMB1. Stop using SMB1 . STOP USING SMB1!
In September of 2016, MS16-114 shipped: a security update that prevents denial of service and remote code execution. If you need this security patch, you already have a much bigger problem: you are still running SMB1.
The original SMB1 protocol is nearly 30 years old, and like much of the software made in the 80's, it was designed for a world that no longer exists. A world without malicious actors, without huge sets of important data, without near-universal computer use. Frankly, its naivete is staggering when viewed through modern eyes. I blame the West Coast hippie lifestyle :).
If you don't care about the why and just want to get to the how, skip ahead to the "SMB1 removal isn't hard" section below.
Otherwise, let me explain why this protocol needs to hit the landfill.
SMB1 isn’t safe
When you use SMB1, you lose key protections offered by later SMB protocol versions:
- Pre-authentication Integrity (SMB 3.1.1+). Protects against security downgrade attacks.
- Secure Dialect Negotiation (SMB 3.0, 3.02). Protects against security downgrade attacks.
- Encryption (SMB 3.0+). Prevents inspection of data on the wire and man-in-the-middle attacks. In SMB 3.1.1 encryption performance is even better than signing.
- Insecure guest auth blocking (SMB 3.0+ on Windows 10+). Protects against man-in-the-middle attacks.
- Better message signing (SMB 2.02+). HMAC SHA-256 replaces MD5 as the hashing algorithm in SMB 2.02 and SMB 2.1, and AES-CMAC replaces that in SMB 3.0+. Signing performance increases in SMB2 and 3.
The cruddy bit is that no matter how you secure all these things, if your clients use SMB1, then a man-in-the-middle can tell your client to ignore all the above. All they need to do is block SMB2+ on themselves and answer to your server's name or IP. Your client will happily derp away on SMB1 and share all its darkest secrets unless you required encryption on that share to prevent SMB1 in the first place. This is not theoretical – we've seen it. We believe this so strongly that when we introduced Scale-Out File Server, we explicitly prevented SMB1 access to those shares!
As an owner of SMB at MS, I cannot emphasize enough how much I want everyone to stop using SMB1 https://t.co/kHPqvyxTKC
— Ned Pyle (@NerdPyle) April 12, 2016
US-CERT agrees with me, BTW: https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices
SMB1 isn’t modern or efficient
When you use SMB1, you lose key performance and productivity optimizations for end users.
- Larger reads and writes (2.02+) – more efficient use of faster networks or higher latency WANs. Large MTU support.
- Peer caching of folder and file properties (2.02+) – clients keep local copies of folders and files via BranchCache
- Durable handles (2.02, 2.1) – allow for connection to transparently reconnect to the server if there is a temporary disconnection
- Client oplock leasing model (2.02+) – limits the data transferred between the client and server, improving performance on high-latency networks and increasing SMB server scalability
- Multichannel & SMB Direct (3.0+) – aggregation of network bandwidth and fault tolerance if multiple paths are available between client and server, plus usage of modern ultra-high throughput RDMA infrastructure
- Directory Leasing (3.0+) – Improves application response times in branch offices through caching
Running SMB1 is like taking your grandma to prom: she means well, but she can't really move anymore. Also, it's creepy and gross
— Ned Pyle (@NerdPyle) September 16, 2016
SMB1 isn’t usually necessary
This is the real killer: there are far fewer cases left in modern enterprises where SMB1 is the only option. Some legit reasons:
- You’re still running XP or WS2003 under a custom support agreement.
- You have old management software that demands admins browse via the so-called ‘network’ aka ‘network neighborhood’ master browser list.
- You run old multi-function printers with old firmware in order to “scan to share”.
These will only affect the average business or user if you let them. Vendors are moving to upgrade their SMB2 support – see here: https://aka.ms/stillneedssmb1 For the ones who aren't, their competitors are. You have leverage here. You have the wallet.
We work carefully with partners in the storage, printer, and application spaces all over the world to ensure they provide at least SMB2 support, and have done so with annual conferences and plugfests for six years. Samba supports SMB 2 and 3. So do OSX and MacOS. So do EMC, NetApp, and their competitors. So do our licensed SMB providers like Visuality and Tuxera, who also help printer manufacturers join the modern world.
A proper IT pro is always from Missouri though. We provide SMB1 usage auditing in Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2008 R2 (the latter two received it via backported functionality in monthly updates several years ago) plus their client equivalents, just to be sure. That way you can configure your Windows Servers to see if disabling SMB1 would break someone:
Set-SmbServerConfiguration -AuditSmb1Access $true
On Windows Server 2008 R2 and Windows 7 you must edit the registry directly to set this DWORD value, since there is no SMB PowerShell there:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" AuditSmb1Access -Type DWORD -Value 1 -Force
Then just examine the SMBServer\Audit event log on the systems. If you have older servers than WS2012 R2, now is a good time to talk upgrade. Ok, that's a bit mercenary – now is the time to talk to your blue teams, network teams, and other security folks about if and where they are seeing SMB1 use on the network. If they have no idea, they need to get one. If you don't even know because this is a smaller shop, run your own network captures on a sample of your servers and clients and see if SMB1 appears.
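The auditing procedure above as one script, added here as an example rather than code from the original post: it turns on SMB1 access auditing on whichever OS it runs on, then summarises the SMBServer\Audit log by client. It assumes the audit events are ID 3000 in the Microsoft-Windows-SMBServer/Audit log with the client address as the first event property; the function names are my own.

```powershell
# Added example (not from the original post): enable SMB1 access auditing,
# then report which clients have been seen speaking SMB1 to this server.
# Assumption: audit events are ID 3000 in Microsoft-Windows-SMBServer/Audit
# and carry the client address as the first event property.

function Enable-Smb1Audit {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows Server 2012 R2 / Windows 8.1 and later
        Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    } else {
        # Windows Server 2008 R2 / Windows 7: no SMB cmdlets, set the registry value directly
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name AuditSmb1Access -Type DWord -Value 1 -Force
    }
}

function Get-Smb1Clients {
    param([int]$Days = 30)
    $filter = @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000                        # assumption: SMB1 access audit event
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # First property holds the client address; fall back to parsing the message text
            $addr = if ($_.Properties.Count -gt 0) { $_.Properties[0].Value }
                    elseif ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] }
                    else { 'unknown' }
            [pscustomobject]@{ Client = $addr; Time = $_.TimeCreated }
        } |
        Group-Object Client |
        ForEach-Object {
            [pscustomobject]@{
                Client   = $_.Name
                Count    = $_.Count
                LastSeen = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
            }
        } | Sort-Object Count -Descending
}

Enable-Smb1Audit                                   # safe to rerun; only sets the audit switch
Get-Smb1Clients -Days 30 | Format-Table -AutoSize  # empty output = no SMB1 clients observed
```

Leave auditing on for long enough to cover month-end and other infrequent jobs before concluding nobody needs SMB1; every client address in the report is a machine or device to chase down before removal.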
Day 700 without SMB1 installed: nothing happened. Just like the last 699 days. Because anyone requiring SMB1 is not allowed on my $%^&%# network
— Ned Pyle (@NerdPyle) September 13, 2016
Update April 7, 2017: Great article on using DSC to track down machines with SMB1 installed or enabled: https://blogs.technet.microsoft.com/ralphkyttle/2017/04/07/discover-smb1-in-your-environment-with-d…
Update June 19, 2017 – Group Policy to disable SMB1: https://blogs.technet.microsoft.com/secguide/2017/06/15/disabling-smbv1-through-group-policy/
Update June 30, 2017 – You have probably seen me announce this on Twitter and in other public venues: Windows 10 RS3 (Fall Creators Update) and Windows Server 2016 RS3 have SMB1 uninstalled by default under most circumstances: https://aka.ms/smb1rs3 . The full removal has begun. Make sure you check https://aka.ms/stillneedssmb1 for products that may require updates or replacement to be used without the need for SMB1.
Update July 7, 2017: if your vendor requires disabling SMB2 in order to force SMB1, they will also often require disabling oplocks. Disabling oplocks is not recommended by Microsoft, but is required by some older software, often due to its use of legacy database technology. Windows 10 RS3 and Windows Server 2016 RS3 now allow a special oplock override workaround for these scenarios – see https://twitter.com/NerdPyle/status/876880390866190336. This is only a workaround – just like disabling oplocks for SMB1 is only a workaround – and your vendor should update to not require it. Many have by now (I've spoken to some, at least) and their customers might simply be running an out-of-date version – call your suppliers.
SMB1 removal isn’t hard
Starting in Windows 8.1 and Windows Server 2012 R2, we made removal of the SMB1 feature possible and trivially easy.
On Server, the Server Manager approach:
On Server, the PowerShell approach (Remove-WindowsFeature FS-SMB1):
On Client, the add remove programs approach (appwiz.cpl):
On Client, the PowerShell approach (Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol)
On legacy operating systems:
When using operating systems older than Windows 8.1 and Windows Server 2012 R2, you can't remove SMB1 – but you can disable it: KB 2696547 - How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows Vista, Windows Server 2008 …
A key point: when you begin the removal project, start at smaller scale and work your way up. No one says you must finish this in a day.
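The removal steps above for Windows 8.1 / Windows Server 2012 R2 and later as a single script, added here as an example and not code from the original post: it reports whether SMB1 is installed and whether the server-side protocol is enabled, and only removes it when explicitly asked, so the rollout can start with a handful of machines. Function names are my own; the feature names (FS-SMB1, smb1protocol) are the ones the post uses.

```powershell
# Added example (not from the original post): check the SMB1 state of this machine
# and remove it on request. Supports Windows 8.1 / Server 2012 R2 and later only,
# because older versions cannot uninstall the feature (see KB 2696547 above).

function Get-Smb1State {
    # ProductType 1 = workstation SKU; anything else is a server SKU
    $isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1
    $installed = if ($isServer) {
        (Get-WindowsFeature -Name FS-SMB1).Installed
    } else {
        (Get-WindowsOptionalFeature -Online -FeatureName smb1protocol).State -eq 'Enabled'
    }
    # Protocol switch on the server side; independent of whether the feature is installed
    $serverEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        IsServerSku       = $isServer
        Smb1Installed     = $installed
        Smb1ServerEnabled = $serverEnabled
    }
}

function Remove-Smb1 {
    param([switch]$Confirmed)   # nothing is changed unless -Confirmed is given
    $state = Get-Smb1State
    if (-not $state.Smb1Installed) {
        Write-Host "SMB1 already absent on $($state.Computer)"; return $state
    }
    if (-not $Confirmed) {
        Write-Host "SMB1 present on $($state.Computer); rerun with -Confirmed to remove"; return $state
    }
    # Turn the server-side protocol off first (immediate), then uninstall the binaries
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    if ($state.IsServerSku) {
        Remove-WindowsFeature -Name FS-SMB1                        # reboot required afterwards
    } else {
        Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -NoRestart
    }
    Get-Smb1State
}

Get-Smb1State | Format-List     # dry run: report only
# Remove-Smb1 -Confirmed        # uncomment on the pilot machines first
```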
Explorer Network Browsing
The Computer Browser service relies on SMB1 in order to populate the Windows Explorer Network (aka "Network Neighborhood"). This legacy protocol is long deprecated, doesn't route, and has limited security. Because it cannot function without SMB1, it is removed at the same time.
However, some customers still use the Explorer Network in home and small business workgroup environments to locate Windows computers. To continue using Explorer Network, you can perform the following steps on your Windows computers that no longer use SMB1:
1. Start the "Function Discovery Provider Host" and "Function Discovery Resource Publication" services and set them to delayed start.
2. When the user opens Network, they will be prompted to enable network discovery. Do so.
3. Now all Windows devices within that subnet that have these settings in place will appear in Network for browsing. This uses the WS-DISCOVERY protocol. Check with your other vendors and manufacturers if their devices still do not appear in this browse list after Windows devices appear; it is likely they have this protocol disabled or only support SMB1.
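The three steps above scripted for a machine that has already lost SMB1, added here as an example and not part of the original post. It assumes the short service names fdPHost and FDResPub for the two Function Discovery services, uses sc.exe for the delayed-start setting because Windows PowerShell 5.1's Set-Service has no delayed-start option, and enables the Network Discovery firewall rules only for the Private profile so WS-Discovery is not opened on public networks.

```powershell
# Added example (not from the original post): keep Explorer Network working
# without SMB1 by enabling WS-Discovery the way the three steps describe.
# Assumption: service short names fdPHost (Function Discovery Provider Host)
# and FDResPub (Function Discovery Resource Publication).

# Step 1: delayed-start and start the two Function Discovery services
foreach ($svc in 'fdPHost', 'FDResPub') {
    sc.exe config $svc start= delayed-auto | Out-Null   # Set-Service in PS 5.1 cannot do this
    Start-Service -Name $svc
}

# Step 2 without waiting for the Explorer prompt: enable Network Discovery rules,
# restricted to the Private profile (never on Public)
Get-NetFirewallRule -DisplayGroup 'Network Discovery' |
    Where-Object { $_.Profile -match 'Private' } |
    Enable-NetFirewallRule

# Step 3 check: confirm the services are up and set to delayed start; after this,
# Windows devices on the subnet with the same settings show up under Network
Get-Service -Name fdPHost, FDResPub | Select-Object Name, Status, StartType
```

Run it elevated; on a domain-joined machine use the Domain profile instead of Private in the Where-Object filter.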
Note: we highly recommend you map drives and printers for your users instead of enabling this feature, which still requires searching and browsing for their devices. Mapped resources are easier for them to locate, require less training, and are safer to use, especially when provided automatically through group policy.
SMB1 isn’t good
Stop using SMB1. For your children. For your children's children. Please. We're begging you. And if that's not enough: SMB1 is being removed (fully or partially, depending on SKU) by default in the RS3 release of Windows and Windows Server. This is here folks: https://aka.ms/smb1rs3
– Ned "and the rest of the SMB team at Microsoft" Pyle