Stop using SMB1

Hi folks, Ned here again and today’s topic is short and sweet:

Stop using SMB1. Stop using SMB1. STOP USING SMB1!

Earlier this week we released MS16-114, a security update that prevents denial of service and remote code execution. If you need this security patch, you already have a much bigger problem: you are still running SMB1.

The original SMB1 protocol is nearly 30 years old, and like much of the software made in the 80’s, it was designed for a world that no longer exists. A world without malicious actors, without vast sets of important data, without near-universal computer usage. Frankly, its naivete is staggering when viewed though modern eyes. I blame the West Coast hippy lifestyle.

Let me explain why this protocol needs to hit the landfill.

SMB1 isn’t safe

When you use SMB1, you lose key protections offered by later SMB protocol versions:

The nasty bit is that no matter how you secure all these things, if your clients use SMB1, then a man-in-the-middle can tell your client to ignore all the above. All they need to do is block SMB2+ on themselves and answer to your server’s name or IP. Your client will happily derp away on SMB1 and share all its darkest secrets unless you required encryption on that share to prevent SMB1 in the first place. This is not theoretical – we’ve seen it. We believe this so strongly that when we introduced Scaleout File Server, we explicitly prevented SMB1 access to those shares!

US-CERT agrees with me, BTW: https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices

SMB1 isn’t modern or efficient

When you use SMB1, you lose key performance and productivity optimizations for end users.

  • Larger reads and writes (2.02+)- more efficient use of faster networks or higher latency WANs. Large MTU support.
  • Peer caching of folder and file properties (2.02+) – clients keep local copies of folders and files via BranchCache
  • Durable handles (2.02, 2.1) – allow for connection to transparently reconnect to the server if there is a temporary disconnection
  • Client oplock leasing model (2.02+) – limits the data transferred between the client and server, improving performance on high-latency networks and increasing SMB server scalability
  • Multichannel & SMB Direct (3.0+) – aggregation of network bandwidth and fault tolerance if multiple paths are available between client and server, plus usage of modern ultra-high throughout RDMA infrastructure
  • Directory Leasing (3.0+) – Improves application response times in branch offices through caching

SMB1 isn’t usually necessary

This is the real killer: there are very few cases left in any modern enterprise where SMB1 is the only option. Some legit reasons:

  1. You’re still running XP or WS2003 under a custom support agreement.
  2. You have some decrepit management software that demands admins browse via the ‘network neighborhood’ master browser list.
  3. You run old multi-function printers with antique firmware in order to “scan to share”.

None of these things should affect the average end user or business. Unless you let them.

We work carefully with partners in the storage, printer, and application spaces all over the world to ensure they provide at least SMB2 support and have done so with annual conferences and plugfests for six years. Samba supports SMB 2 and 3. So does OSX and MacOS. So do EMC, NetApp, and their competitors. So do our licensed SMB providers like Visuality and Tuxera, who also help printer manufacturers join the modern world.

A proper IT pro is always from Missouri though. We provide SMB1 usage auditing in Windows 10 and Windows Server 2016 just to be sure. That way you can configure your Windows Servers to see if disabling SMB1 would break someone:

Set-SmbServerConfiguration –AuditSmb1Access $true

Then just examine the SMBServer\Audit event log on the systems. If you have older servers than WS2016, now is good time to talk upgrade. Ok, that’s a bit extortionist – now is the time to talk to your blue teams, network teams, and other security folks about if and where they are seeing SMB1 usage on the network. If they have no idea, they need to get one. If you still don’t know because this is a smaller shop, run your own network captures on a sample of your servers and clients, see if SMB1 appears.

Update April 7, 2017: Great article on using DSC to track down machines with SMB1 installed or enabled: https://blogs.technet.microsoft.com/ralphkyttle/2017/04/07/discover-smb1-in-your-environment-with-dscea/

SMB1 removal isn’t hard

Starting in Windows 8.1 and Windows Server 2012 R2, we made removal of the SMB1 feature possible and trivially easy.

On Server, the Server Manager approach:

image

On Server, the PowerShell approach (Remove-WindowsFeature FS-SMB1):

image

On Client, the add remove programs approach (appwiz.cpl):

image

On Client, the PowerShell approach (Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol)

image

On legacy operating systems:

When using operating systems older than Windows 8.1 and Windows Server 2012 R2, you can’t remove SMB1 – but you can disable it: KB 2696547- How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012

A key point: when you begin the removal project, start at smaller scale and work your way up. No one says you must finish this in a day.

SMB1 isn’t good

Stop using SMB1. For your children. For your children’s children. Please. We’re begging you.

– Ned “and the rest of the SMB team at Microsoft” Pyle