Hi folks, Ned here again and today’s topic is short and sweet:
Stop using SMB1. Stop using SMB1. STOP USING SMB1!
In September of 2016, we released MS16-114, a security update that prevents denial of service and remote code execution. If you need this security patch, you already have a much bigger problem: you are still running SMB1.
The original SMB1 protocol is nearly 30 years old, and like much of the software made in the 80’s, it was designed for a world that no longer exists. A world without malicious actors, without vast sets of important data, without near-universal computer usage. Frankly, its naivete is staggering when viewed though modern eyes. I blame the West Coast hippy lifestyle :).
If you don’t care about the why and just want to get to the how, I recommend you review:
Otherwise, let me explain why this protocol needs to hit the landfill.
SMB1 isn’t safe
When you use SMB1, you lose key protections offered by later SMB protocol versions:
- Pre-authentication Integrity (SMB 3.1.1+). Protects against security downgrade attacks.
- Secure Dialect Negotiation (SMB 3.0, 3.02). Protects against security downgrade attacks.
- Encryption (SMB 3.0+). Prevents inspection of data on the wire, MiTM attacks. In SMB 3.1.1 encryption performance is even better than signing!
- Insecure guest auth blocking (SMB 3.0+ on Windows 10+). Protects against MiTM attacks.
- Better message signing (SMB 2.02+). HMAC-SHA256 replaces MD5 as the signing algorithm in SMB 2.02 and SMB 2.1, and AES-CMAC replaces that in SMB 3.0+. Signing performance increases in SMB2 and 3.
The nasty bit is that no matter how you secure all these things, if your clients use SMB1, then a man-in-the-middle can tell your client to ignore all the above. All they need to do is block SMB2+ on themselves and answer to your server’s name or IP. Your client will happily derp away on SMB1 and share all its darkest secrets unless you required encryption on that share to prevent SMB1 in the first place. This is not theoretical – we’ve seen it. We believe this so strongly that when we introduced Scaleout File Server, we explicitly prevented SMB1 access to those shares!
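The last sentence above is the one actionable defense in this section, so here is an added example (my own, not code from Ned's post or the SMB team) of requiring encryption on a share so that a downgraded SMB1 client can never open it. The share name 'Finance' is a placeholder; the server-wide option is shown as an alternative.

```powershell
# Added example: require SMB encryption so SMB1 (and any dialect below 3.0)
# cannot be negotiated for the protected data. Run elevated on the file server.
# The share name 'Finance' is a placeholder chosen for this example.

# Per-share: only SMB 3.0+ clients that can encrypt are able to open the share.
Set-SmbShare -Name 'Finance' -EncryptData $true -Force

# Server-wide alternative: encrypt every share and refuse unencrypted access.
# RejectUnencryptedAccess is already the default once EncryptData is on, but
# setting it explicitly keeps the intent visible to the next administrator.
Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force

# Verify which shares now require encryption...
Get-SmbShare | Select-Object Name, Path, EncryptData

# ...and confirm that live sessions on this server negotiated SMB 3.x.
# Anything still showing a 1.x or 2.x dialect is a client that can no longer
# reach an encrypted share and needs attention before SMB1 is removed.
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, Dialect
```

Per-share encryption is the lower-risk starting point: it protects the data that matters first and surfaces the legacy clients that cannot keep up, without touching every other share on the server.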
As an owner of SMB at MS, I cannot emphasize enough how much I want everyone to stop using SMB1 https://t.co/kHPqvyxTKC
— Ned Pyle (@NerdPyle) April 12, 2016
US-CERT agrees with me, BTW: https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices
SMB1 isn’t modern or efficient
When you use SMB1, you lose key performance and productivity optimizations for end users.
- Larger reads and writes (2.02+) – more efficient use of faster networks or higher latency WANs. Large MTU support.
- Peer caching of folder and file properties (2.02+) – clients keep local copies of folders and files via BranchCache
- Durable handles (2.02, 2.1) – allow for connection to transparently reconnect to the server if there is a temporary disconnection
- Client oplock leasing model (2.02+) – limits the data transferred between the client and server, improving performance on high-latency networks and increasing SMB server scalability
- Multichannel & SMB Direct (3.0+) – aggregation of network bandwidth and fault tolerance if multiple paths are available between client and server, plus usage of modern ultra-high throughput RDMA infrastructure
- Directory Leasing (3.0+) – Improves application response times in branch offices through caching
Running SMB1 is like taking your grandmother to prom: she means well, but she can’t really move anymore. Also, it’s creepy and gross
— Ned Pyle (@NerdPyle) September 16, 2016
SMB1 isn’t usually necessary
This is the real killer: there are far fewer cases left in modern enterprises where SMB1 is the only option. Some legit reasons:
- You’re still running XP or WS2003 under a custom support agreement.
- You have old management software that demands admins browse via the so-called ‘network’ aka ‘network neighborhood’ master browser list.
- You run old multi-function printers with old firmware in order to “scan to share”.
These will only affect the average business or user if you let them. Vendors are moving to upgrade their SMB2 support – see here: https://aka.ms/stillneedssmb1 For the ones who aren’t, their competitors are. You have leverage here. You have the wallet.
We work carefully with partners in the storage, printer, and application spaces all over the world to ensure they provide at least SMB2 support and have done so with annual conferences and plugfests for six years. Samba supports SMB 2 and 3. So does OSX and MacOS. So do EMC, NetApp, and their competitors. So do our licensed SMB providers like Visuality and Tuxera, who also help printer manufacturers join the modern world.
A proper IT pro is always from Missouri though. We provide SMB1 usage auditing in Windows 10, Windows Server 2016, and Windows Server 2012 R2/Windows 8.1 via an update, just to be sure. That way you can configure your Windows Servers to see if disabling SMB1 would break someone:
Set-SmbServerConfiguration -AuditSmb1Access $true
Then just examine the SMBServer\Audit event log on the systems. If you have older servers than WS2012 R2, now is a good time to talk upgrade. Ok, that’s a bit extortionist – now is the time to talk to your blue teams, network teams, and other security folks about if and where they are seeing SMB1 usage on the network. If they have no idea, they need to get one. If you still don’t know because this is a smaller shop, run your own network captures on a sample of your servers and clients and see if SMB1 appears.
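Enabling the audit is one line, but turning a week of audit events into a list of clients to chase is the part that takes work. The following is an added example (mine, not code from the post) that does both. It assumes, from the Windows documentation for this feature rather than from this post, that each SMB1 access is logged as event ID 3000 in the Microsoft-Windows-SMBServer/Audit channel with a "Client Address:" line in the message; the function name Get-Smb1Clients is my own.

```powershell
# Added example: turn on SMB1 access auditing and summarise which clients still
# speak SMB1. Applies to Windows 10, Windows Server 2016, and 2012 R2 / 8.1 with
# the auditing update. Run elevated on the file server.

# 1. Enable auditing (the setting persists across reboots).
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# 2. After the server has seen a representative stretch of production traffic,
#    read the audit channel. Assumption (from the feature's documentation, not
#    this post): each SMB1 access is event ID 3000 in
#    Microsoft-Windows-SMBServer/Audit with a "Client Address:" line.
function Get-Smb1Clients {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 7
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # No matching events is a normal (good) outcome, so suppress that error.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        if ($e.Message -match 'Client Address:\s*(?<addr>\S+)') {
            [pscustomobject]@{
                Server      = $ComputerName
                Client      = $Matches['addr']
                TimeCreated = $e.TimeCreated
            }
        }
    }
}

# 3. Unique SMB1 talkers, busiest first, with the last time each was seen.
#    Pass -ComputerName to run the same query against other file servers.
Get-Smb1Clients -Days 30 |
    Group-Object Client |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated } }
```

Leave the audit running for at least one full business cycle (month-end jobs and that one scanner in accounting tend to show up late) before treating an empty list as proof that removal is safe.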
Day 700 without SMB1 installed: nothing happened. Just like last 699 days. Because anyone requiring SMB1 is not allowed on my $%^&%# network
— Ned Pyle (@NerdPyle) September 13, 2016
Update April 7, 2017: Great article on using DSC to track down machines with SMB1 installed or enabled: https://blogs.technet.microsoft.com/ralphkyttle/2017/04/07/discover-smb1-in-your-environment-with-dscea/
Update June 19, 2017 – Group Policy to disable SMB1: https://blogs.technet.microsoft.com/secguide/2017/06/15/disabling-smbv1-through-group-policy/
Update June 30, 2017 – You have probably seen me announce this on twitter and in other public venues: Windows 10 RS3 (Fall Creators Update) and Windows Server 2016 RS3 have SMB1 uninstalled by default under most circumstances: https://aka.ms/smb1rs3. The full removal has begun. Make sure you check https://aka.ms/stillneedssmb1 for products that may require updates or replacement to be used without the need for SMB1.
Update July 7, 2017: if your vendor requires disabling SMB2 in order to force SMB1, they will also often require disabling oplocks. Disabling Oplocks is not recommended by Microsoft, but required by some older software, often due to using legacy database technology. Windows 10 RS3 and Windows Server 2016 RS3 allow a special oplock override workaround now for these scenarios – see https://twitter.com/NerdPyle/status/876880390866190336. This is only a workaround – just like SMB1 oplock disable is only a workaround – and your vendor should update to not require it. Many have by now (I’ve spoken to some, at least) and their customers might still just be running an out of date version – call your suppliers.
SMB1 removal isn’t hard
Starting in Windows 8.1 and Windows Server 2012 R2, we made removal of the SMB1 feature possible and trivially easy.
On Server, the Server Manager approach:
On Server, the PowerShell approach (Remove-WindowsFeature FS-SMB1):
On Client, the add remove programs approach (appwiz.cpl):
On Client, the PowerShell approach (Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol):
On legacy operating systems:
When using operating systems older than Windows 8.1 and Windows Server 2012 R2, you can’t remove SMB1 – but you can disable it: KB 2696547 – How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012
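The removal commands above are one line each; what people usually lack is a consistent way to confirm the state before and after, across server and client SKUs. Here is an added example (mine, not from the post) that reports the three things that matter: whether the server still offers the SMB1 dialect, whether the feature is installed, and whether the SMB1 client driver (mrxsmb10) is still present and enabled. The function name Get-Smb1State is my own.

```powershell
# Added example: report SMB1 state on the local machine, before and after
# removal. On Windows 8.1 / Server 2012 R2 and later the feature can be removed;
# on older systems only the server setting and driver state are meaningful.
function Get-Smb1State {
    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        OSVersion    = [environment]::OSVersion.Version.ToString()
    }

    # Server side: is the SMB1 dialect still offered? (Windows 8 / 2012 and later)
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $result.ServerSMB1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # Feature state: Server SKUs expose FS-SMB1 through the ServerManager module,
    # client SKUs expose SMB1Protocol through the DISM module.
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $result.FeatureInstalled = (Get-WindowsFeature -Name FS-SMB1).Installed
    } elseif (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $state = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
        $result.FeatureInstalled = ($state -eq 'Enabled')
    }

    # Client side: the SMB1 redirector is a kernel driver, so Get-Service does
    # not list it; query the Win32_SystemDriver class instead. Absent driver
    # means the feature payload is gone; 'Disabled' means it is present but off.
    $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='mrxsmb10'"
    $result.ClientDriverPresent = [bool]$drv
    if ($drv) {
        $result.ClientDriverStartMode = $drv.StartMode
        $result.ClientDriverState     = $drv.State
    }

    [pscustomobject]$result
}

# Run once before removal, keep the output, run again after the reboot.
Get-Smb1State
```

A machine is clean only when all three answers agree: server setting off (or cmdlet absent), feature not installed, and no mrxsmb10 driver. A disabled-but-present driver on an older OS is the expected end state there, since those versions can only disable SMB1, not remove it.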
A key point: when you begin the removal project, start at smaller scale and work your way up. No one says you must finish this in a day.
Explorer Network Browsing
The Computer Browser service relies on SMB1 in order to populate the Windows Explorer Network (aka “Network Neighborhood”). This legacy protocol is long deprecated, doesn’t route, and has limited security. Because it cannot function without SMB1, it is removed at the same time.
However, some customers still use the Explorer Network in home and small business workgroup environments to locate Windows computers. To continue using Explorer Network, you can perform the following steps on your Windows computers that no longer use SMB1:
1. Start the “Function Discovery Provider Host” and “Function Discovery Resource Publication” services and set them to delayed start.
2. When the user opens Network, they will be prompted to enable network discovery. Do so.
Note: we highly recommend you map drives and printers for your users instead of enabling this feature, which still requires searching and browsing for their devices. Mapped resources are easier for them to locate, require less training, and are safer to use, especially when provided automatically through group policy.
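The two steps above as an added example (mine, not from the post), for the computers that should still appear in Explorer's Network view without SMB1. Step 2 is described in the post as an Explorer prompt; the unattended equivalent used here is enabling the 'Network Discovery' firewall rule group, and restricting it to the Private profile is an assumption for a workgroup or home network.

```powershell
# Added example: keep Explorer Network browsing working without SMB1 by using
# Function Discovery (WS-Discovery) instead of the Computer Browser service.
# Run elevated on each computer that should both see, and be seen in, Network.

# Step 1: set both Function Discovery services to Automatic (Delayed Start) and
# start them. sc.exe is used because Set-Service in Windows PowerShell 5.1 has
# no delayed-start option.
foreach ($svc in 'fdPHost', 'FDResPub') {
    sc.exe config $svc start= delayed-auto | Out-Null
    Start-Service -Name $svc
}

# Step 2: enable network discovery. This is what the Explorer prompt does;
# Private-profile-only is an assumption for a workgroup/home network.
Set-NetFirewallRule -DisplayGroup 'Network Discovery' -Enabled True -Profile Private

# Check: both services running and flagged as delayed auto-start.
Get-CimInstance Win32_Service -Filter "Name='fdPHost' OR Name='FDResPub'" |
    Select-Object Name, State, StartMode, DelayedAutoStart
```

This only restores browsing; it does not reintroduce any SMB1 dependency, because WS-Discovery announces hosts over its own UDP/TCP ports and the actual file access still negotiates SMB2/3.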
SMB1 isn’t good
Stop using SMB1. For your children. For your children’s children. Please. We’re begging you. And if that’s not enough: SMB1 is being removed (fully or partially, depending on SKU) by default in the RS3 release of Windows and Windows Server. This is here folks: https://aka.ms/smb1rs3
– Ned “and the rest of the SMB team at Microsoft” Pyle
Hey Ned,
I’ve been turning it off for the past few years. How about you at MSFT disable it by default? It’s still on by default even in 2016 TP5 Nano!!
See my recent survey here 🙂
Also, it is not installed in Nano.
Please, take note that some “big” partners or technologies use SMBv1 (for example, EMC storage uses it; disabling SMB 1 breaks some functionalities).
Regards!
Yes, and we work with them continuously to knock it off (including EMC). It’s a long process.
Hey, but SMB1 has been lame already 20 years ago, it should have been disabled and not used already back then but not possible on wintel.
Please also stop using IE! When will it be possible to uninstall that sheet?
Yes, you can uninstall IE for a long time now (since Windows 7). It was famously in the news. 🙂
Hi Ned, does that mean that even in Windows Server 2016 SMBv1 is enabled by default? Cheers, Ville!
Yes. Sorry. :/
Dism /Image:C:\test\offline /Disable-Feature /FeatureName:SMB1Protocol
Since I don’t think many of us already use Server 2016 in production… is there an alternative for the “Set-SmbServerConfiguration -AuditSmb1Access $true” on Server 2008/2012 to check if we break something?
Unfortunately, not in box. You would need to analyze network traffic. Either promiscuously at switches/servers, or locally on servers, using a filtered capture that only looks for SMB1. NETSH can be used for this. If filtered at the capture (not after capture), the CAP files growing at all is an indication to examine.
Can you provide an example of using netsh trace specifically to capture SMB1 traffic only? I see there is an Microsoft-Windows-SmbClient provider in the FileSharing scenario, but I can’t figure out how to specific capture on SMB1 traffic. Thanks.
I really don’t think this it is possible to filter on SMB1 traffic only, but I’d like to be proven wrong.
Let me see what I can find. I’m also seeing that NetSh/NetEventPacketCapture don’t want to go as granular as I was expecting. Will get back to you.
Perhaps Message Analyzer would be better suited? I don’t really have any experience with it but maybe you could inquire internally with the team?
Ideally I’m looking for something that would capture only SMB1 traffic (so the capture doesn’t become huge) and then I could write some PowerShell code to parse the capture and get a unique list of IPs that are still using SMB1.
Thanks for looking into this.
Hi. Sorry, I lost track of this. I actually went back to the NETSH tracing team about this and they simply deferred to using Message Analyzer with a capture filter, as this would require crazy blob filters. 🙂 So yes. Getting a capture of just SMB1 in Message Analyzer is easy, it’s just a capture filter of “SMB1” and a circular buffer of a size that you specify so as not to fill up the hard drive. That’s it. MA also has PowerShell if you want to automate all this on a bunch of machines.
I was hoping to let you avoid putting the tool all over the place. Sorry. :/
So I’ve got a 2008 R2 file server. I’ve installed Message Analyzer. Can’t run it at all because I keep getting “Enable session “MMA-ETW-Livecapture-22efa55a-e005-4611-ab59-2f23e590eb42” failed.
When you say “Getting a capture of just SMB1 in Message Analyzer is easy, it’s just a capture filter of “SMB1” and a circular buffer of a size that you specify so as not to fill up the hard drive.”, would you mind adding a bit more detail so that I can try to figure out how to capture SMBv1 traffic to see if anything is still using it? I’d love to disable SMBv1, but finding out if it’s still in use isn’t as simple as I’d hoped.
Thanks!
Stephen, this just sounds like a bug. I don’t have insights into why MA might fail to start. Have you contacted the MA team?
Agree with Stephen. More detail would be great especially given the most recent Patch Tuesday fixing a bunch of SMB1 vulnerabilities. I never did figure out how to do this with PowerShell and Message Analyzer.
“smb.dialect.index == 5” filter with wireshark will work for filtering SMBv1 traffic.
I’m thinking a NIDS would be the perfect place to do that.
Would you or one of your colleagues have a Snort rule to detect SMB1 traffic in the network?
Wally, you can audit clients being denied access to your shares after disabling SMBv1 if you’re running Windows Server 2012 or 2012 R2.
“If an SMB client connection is denied because the server running SMB 1.0 has been disabled, event ID 1001 will be logged in the Microsoft-Windows-SmbServer/Operational event log. You can find the name and IP address of the denied client in the event log details.”
The references comes from this MS TechNet article: https://technet.microsoft.com/en-us/library/dn551363(v=ws.11).aspx
Oops. That article is wrong… :/
It will tell you that *someone* connected trying to use SMB1. But it doesn’t provide client name or IP. It’s just a hint we added, but I frankly consider it useless to look for without the name/IP auditing info, unless you are already sure you have zero SMB1 – in which case it is differently useless. 🙂
I’ll run SMB1 if I want to I’m a rebel and you can’t stop me you’re not my real dad Ned
D^X
My peer is a VAX VMS system manager running smbclient 2.2. While this is hardly a rebellion, a little attention to VMS on the part of Microsoft is hardly an unreasonable request.
After all, VMS is the father of (modern) Windows through DEC’s employment of Dave Cutler, who was the VMS project lead.
HP recently spun off VMS. Microsoft would do well to buy it. VMS clustering is second to none.
Nice, but how can we audit on older systems like 2008R2? Any replacement for “Set-SmbServerConfiguration -AuditSmb1Access $true” on older versions?
It will require you looking at the network, via captures on servers (See NETSH Scenario tracing) or with your networking team just analyzing at the router or switch points. Unfortunately we don’t have these auditing tools in older OSes – but I’m not opposed to backporting them if you contact me offline and plead your case and business justifications.
Hello Ned,
Well this is very much like Powershell v2, IPv4 and NetBIOS – as an IT admin I wish I could get rid of it but I can’t. Partially, because Microsoft very own software still uses it and no fix (except “wait till you migrate in ten years”) has been provided.
I’m working on old versions of Dynamics/Dynamics CRM/Biztalk etc. and unless I want to get fired I won’t even try to disable SMB1.
Other reasons include non-Windows systems like Mainframe (AS400 by example), old drivers, old Windows OSes, old business applications etc.
If you want to push your customers out of SMB1, why not help them to do with a dedicated diagnostic tool ? And, by example, add it to the Windows Assessment Toolkit, as it is the most likely MS tool you’ll use if you prepare a migration ?
I do understand the security issue tough – no hard feelings. But business apps beat security pretty much everyday.
Regards
I would be very surprised if any of those apps depend on (or are even aware of) the different versions of SMB. Now, if you are running them on old *servers* that are no longer supported, that’s a different story. 🙂 Can you point me to some docs that state those apps will not work with SMB2+? Or some lab evidence? We are eager to wipe out any real blockers on our end.
If you run SMB1, you and your data are trivially owned by even a rudimentary script kiddie attacker – it’s that simple, I’m afraid. You must decide if this is worth the risk. As mentioned above, we do provide some auditing tools. The WAT is an interesting idea, but fundamentally, you already have what you need. It might suck, but you have it. 🙂
There is an issue with OPLOCKS and ISAM databases accessed by multiple users over a network – With OPLOCKS enabled, it can result in database and index corruption. In the past (ie. before SMB2), the solution was to disable OPLOCKS. However, as of SMB2, OPLOCKS can no longer be disabled and therefore the solution is to (1) disable SMB2/3, (2) re-enable SMB1 and (3) disable OPLOCKS.
However, as mentioned here, disabling SMB2/3 has security issues.
I asked Microsoft about this and they suggested disabling Leasing. However, I later found another Microsoft article that stated that disabling Leasing does NOT disable OPLOCKS so Microsoft then said my only option was to disable SMB 2/3 and re-enable SMB1 with OPLOCKS disabled (but they did not mention these security issues!)
Is that true or is there another way to keep SMB2/3 enabled but prevent the problems associated with OPLOCKS on ISAM databases?
Thank you for any clarification on this!
We are working with vendors that open their files in ways that cause these problems. If you share the vendor name with me – in private if you prefer – I can tell you if we’ve been chatting with them. Disabling leasing is always the wrong answer – the right answer is fixing the app or fixing a bug in SMB.
Hi Ned,
Thanks for the reply!
Unfortunately, we do not have a reproducible test case to share with you. Since we also offer a SQL alternative to ISAM, we always recommend that our clients use that instead which is not affected by these issues. Some of our smaller clients, who are more price-sensitive or lack the necessary IT skills/resources, prefer our ISAM embedded database to that of SQL. These clients are typically smaller with only a handful of concurrent users. However, a few of them can have more users (eg. 10) and, under heavy usage, can result in index file corruption and sometimes database corruption also. We have never seen these issues in our SQL installations so we have to assume it’s caused by the oplocks issue in addition to this being a well known issue in the ISAM database community. As it stands, the ISAM community’s solution for this is to re-enable SMB1 with oplocks disabled and no one mentions the security issues in their documentation!
So, ideally, it would be great if SMB 2/3 could be modified so that it could distinguish between regular files (eg. a Word doc) being accessed over the network as opposed to a database file that can be updated frequently in a very short period of time – In that case, it would automatically disable all local caching and oplocks features. Perhaps this could be accomplished by allowing specific folders to be identified to Windows Server to be excluded from these performance features or maybe a new value passed to the Windows function when opening the database file (eg. CreateFile) to instruct Windows Server from including it in the caching/oplock framework. Failing that, it would be great if we could disable oplocks and any other related features (Leasing?) while still being able to use SMB 2/3.
Thanks,
Randy.
Too bad the ISAM community is wrong. They are corrupting data with this old-style implementation. 😐 They are not writing through data, they are caching everything, they are opening handles unsafely, they are not using byte-range locks – all of it is a massive data loss scenario, even on a lone local computer if it loses power. They are simply magnifying the problem by adding more users and more points of failure, and making the loss more likely to affect more people at once and be more noticeable. These are all bad practices that have been solved for decades by most other apps (as you mentioned, SQL not having any problems, for instance).
We’re noodling on a similar idea to allow you to say “no, I want these clients connecting to this server to do their crazy bad crap and everyone else gets safe proper SMB semantics.” We have another vendor doing similar dangerous things and if we can make them happy, it should work for all the others. Your data will still be unsafe, but it won’t be anything to do with SMB at that point. More info when I have some to share (it will rate its own blog post, TBH).
Sorry if I come across all edgy here, it’s just that this whole scenario really ticks me off. Rather than writing good code in an app, the whole OS has to change and everyone else’s apps have to become slow and unsafe. It’s really unfair to a bunch of innocent bystanders.
Yup, that’s why we always recommend SQL to all our clients, even the small ones. However, the client (sometimes) wants what they want regardless of what you tell them. It’s too competitive these days to force your opinion on the client so we must give them what they want.
Keep in mind that Windows has been around for a very long time and there are many legacy apps out there that have stop being developed but companies still rely on them to run their businesses and therefore they need Windows to support them too. Yes, I know this is frustrating but it’s a fact of (business) life.
A solution that would allow a per file/folder/instance as opposed to a complete disabling of the SMB features (eg. oplocks, leasing, caching, etc) would be ideal as it would help with ISAM apps but not adversely affect the other ones.
Where should I look for updates on the development of this “noodling” you are contemplating?
Thanks!
Cool. I’ll shout the change loud and clear if we make it, don’t you worry. 🙂 Here, KB, Twitter, sky writer, direct mail, etc.
One of our products is developed in a very old database software called FilePro. Filepro is an ISAM database with indexes and all that b-tree and c-tree searching stuff.
I am trying to find a way to get it to work with SMB3. Our usual practice on new deployments is to disable everything but smbv1 and disable opportunistic locking. But doing this makes queries and reporting run very slow.
However we recently upgraded to server 2016 and I noticed that you can turn off opportunistic locking and file leasing and caching via powershell. I have done this and powershell still shows that SMB client connections are still communicating with SMB3 dialect.
So far I have only done basic testing and havent simulated many users on the system to see if data corruption and other issues occur. However, with SMB3 enabled, database queries and reporting performance is extremely fast!
My comment is in reply to Ledhead.
Is it really possible to disable op locks on server 2016 with smb3.1.1?
What are the PS commands or reg entries to do this. I would love to pass this info on to our software vendor, Applied Systems. Though I would hope they are already aware of this if it’s true.
We pay a couple thousand dollars a month in support, maintenance and licensing fees for software that requires SMB1 be enabled. They have a modern SQL backed system but we aren’t changing any time soon. SMB1 is particularly bad over a wan. Luckily we have a decent Citrix infrastructure and they support terminal services environments.
I would love to disable SMB1 in the worst way. The sad thing is the vendor supports hosting the DB files on server 2012R2 and supports windows 10/server 2016 clients! Ugh…
Hey Ned,
It’s been 9 months since you’ve been “noodling” for a solution to help the ISAM community. Has there been any progress?
Thanks,
Randy.
Ack! Yes, sorry for not responding – I tweeted it but didn’t come back here 🙁
Windows Insiders build 16215 now has an option called “LeasingMode”. This allows admins to stop leases & oplocks, like SMB1. This is a share-level feature (i.e. a flag you set on a share), so to test for now you’d need to use a Win10 client as a “server”. If you have access to the Windows Server 2016 TAP it’s there too, naturally. There is no need to run a modern Windows Client to make use of this.
More info on how to set, when to set, why not to set: https://twitter.com/NerdPyle/status/876880390866190336
Hi Ned, thanks for the great support on this!
Is there any way to programmatically set the leasingmode parameter via netapi32.dll?
Is there any share info level that support that?
I can’t see any reference to it on the NetShareAdd or the NetShareSetInfo ref pages ( https://msdn.microsoft.com/en-us/library/windows/desktop/bb525389(v=vs.85).aspx ) .
Thanks very much!
Oh my, what a great question. I will have to get back to you on this. Certainly through WMI but I don’t even know the method – I sux. 😀
Thank you very much for your support, I’ll be waiting for any advice on the subject!
Hi Ned,
Could you shed some light on how to fix the issue in the app? Is there a way to open a file without writes caching?
Or perhaps a way for the app to request that the redirector flushes the locally written data to the server? I suppose FlushFileBuffers() would do it, but since that also flushes to physical media it seems like an expensive price to pay.
Thanks!
I suppose the real question is, if y’all feel this strongly, why is SMB1 still enabled by default on Server 2016 and Windows 10 1607? I’d think that having the component there as an optional install is good, but having it on by default is bad. Why not have security first. Those who need it can enable it.
Because when your protocol runs on 2 billion computers and you decide after 25 years to turn it off, if only 1% of machines are affected, people get upset. Because people love their terrible networked printers and NAS appliances and legacy storage arrays, with their terrible firmware, from their terrible manufacturer, who does not give a crap about security or updates or modern protocols or anyone.
Don’t you think I’d just turn this off if I didn’t have a compelling reason? I’m not a complete ass-hat. Maybe a partial one… 🙂
In the SMB1 survey I ran here, about 10% of customers threatened me with death if I turned it off by default: https://blogs.technet.microsoft.com/filecab/2016/09/16/the-not-future-of-smb1-another-ms-engineering-quickie-survey/. I’m still trying to decide if they were compelling enough. Because I really, really want to turn it off. Already did so in Nano server.
Fairly sure some of the people who threatened death if SMBv1 was removed work where I work :-/
I’d love to know why, though, Microsoft makes us jump through several hoops to get .NET 3.5 on 2012+ though (not just enabling it, but having to pull it from a disc/image(/and eventually WSUS))….
You have reached the SMB1 complaints department. Our hours are from 9-5, eastern standard time. If you wish to leave a message about something Ned’s team doesn’t own, please hang up and call 1-800-DOT-NET
😛
Ned,
If we have enabled the policy:
Security Settings/Local Policies/Security Options/Microsoft Network Server/Digitally Sign Communications (always)
then have we effectively disabled the use of SMB1.0 on our servers? If so, then is removal of the protocol still necessary?
Also, would you recommend that we enable this for clients as well? Thanks!
Nope, that turns on SMB Signing (i.e. packet integrity that guarantees there is no man-in-the-middle tampering). It applies to SMB1-3, although with SMB1s bad design, it is trivial for an attacker to disable it! SMB 2 and 3 make this much harder, with SMB 3.1.1 making it effectively impossible. For more info, see: https://blogs.technet.microsoft.com/josebda/2010/12/01/the-basics-of-smb-signing-covering-both-smb1-and-smb2/
So we have a problem with Windows 10 and SMB. Someone seemingly by accident configured all the print servers behind a firewall with port 139 open but not 445. The interesting thing is that no one ever noticed, because Windows 7 clients can connect to the shares and printers with no issues. However, we are now testing Windows 10, and Windows 10 cannot connect to the shares at all, they just get a network path not found error.
So the obvious fix is a firewall change to open up 445, which we will do. As a temporary work around you can also force SMB1 on the Win10 clients and they can then connect, however obviously this is less than ideal.
So what is happening is that Win7 clients are dropping down to SMB over NetBIOS over TCP on 139 (presumably using SMB1), however the Win10 clients are unable to do that.
Is this by design? I cannot find anything that indicates that this is intentional behaviour. If SMB 1 was disabled by default on Win10 it would be understandable, but otherwise it looks like an SMB bug in Windows 10. Or was support for NetBIOS over TCP dropped in Win10?
Thanks
It’s by design, this behavior change was intentional. 139 and SMB over NetBT is dead. Some very well-hidden docs on this:
https://technet.microsoft.com/windows-server-docs/get-started/deprecated-features
Here is the excerpt in our protocol specification covering this:
https://msdn.microsoft.com/en-us/library/cc246682.aspx
If the client implements SMB 3.1.1, the DialectRevision in the SMB2 NEGOTIATE Response is 0x02FF, and the Connection is NetBIOS over TCP, the client MUST close the connection. The client MUST establish a new connection to the server, as specified in section 3.2.4.2.1, by providing the ServerName and TransportIdentifier indicating Direct TCP transport.
So easy! 😛 I need to write a KB or blog post on this, for reals :/
Totally not your problem, but I had to force Macs running Sierra to use SMB1 when talking to our NetApp running 7-mode 8.2.4. Otherwise it’s super-slow when enumerating folders you don’t have access to. 8.2.4 is the last 7-mode release, so it’ll never be fixed by NetApp, and good luck getting Apple to fix bugs. Fortunately we’re going to migrate the shares to a Windows VM soon, but it still sucks.
Good for folks to know, thanks!
Echoing previous comments, NetBT & SMB1 should all be disabled by default
By all means allow a user/administrator to enable them but on a clean install should not be present or enabled, this would allow the protocol to slowly ‘die’
Yes! If one still needs the legacy support when doing a clean install of the latest and greatest server platform then it seems quite sensible to simply require them to add the roles/features.
Our standard approach for turning off old functionality is Group Policy. We have a mixture of Windows 7, 8.1 & 10 clients, 2008 R2 and up servers. We want SMBv1 gone everywhere.
The articles describe 5 different things we’d have to do, only 1 easy in a GPO (the server registry key).
If I had a wish for this, I’d like a GPO setting which disables the SMBv1 client, and another to disable the SMBv1 server, both of which work on all the versions of Windows client and server we have.
The stuff below is not a recipe for success.
Server
======
Win 7, Server 2008 R2:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
Win 8, Server 2012:
Set-SmbServerConfiguration -EnableSMB1Protocol $false
Win 8.1, Win 10, Server 2012 R2, Server 2016:
Remove-WindowsFeature FS-SMB1
Client
======
Win 7, Win 8, Server 2008 R2, Server 2012:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
Win 8.1, Server 2012 R2, Server 2016:
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
Hi,
Can someone create the script or GPO instructions for this?
As
I have this wish as well. Any chance of proper group policy support for disabling SMBv1?
Here is the script I am using for our clients, it would be easy to modify for servers if you need to. It creates a file C:\SMB1Gone that it uses to know it has been run on that machine since Get-SmbServerConfiguration | Select EnableSMB1Protocol always shows true 😉
$os = [environment]::OSVersion.Version
$major = $os.Major
$minor = $os.Minor
# Marker file: present once this machine has already been handled
$DONE = Test-Path C:\SMB1Gone
if (($major -eq 6) -and ($minor -eq 1)) # Win 7
{
    if ($DONE -ne $true)
    {
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi # for client
        sc.exe config mrxsmb10 start= disabled
        New-Item C:\SMB1Gone -Type File # record completion so the script is a no-op next run
    }
}
if (($major -eq 6) -and ($minor -eq 3)) # Win 8.1
{
    if ($DONE -ne $true)
    {
        Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -NoRestart # for client; -NoRestart avoids the reboot prompt
        New-Item C:\SMB1Gone -Type File
    }
}
if ($major -eq 10) # Win 10
{
    if ($DONE -ne $true)
    {
        Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -NoRestart # for client
        New-Item C:\SMB1Gone -Type File
    }
}
First, an important new link to an excellent summary on GPO deployment to disable SMBv1 in the Microsoft “Stay Safe” blog published today (March 17, 2017), https://blogs.technet.microsoft.com/staysafe/2017/05/17/disable-smb-v1-in-managed-environments-with-ad-group-policy/
Regarding Richard’s SMB1Gone cmd script example above in comments, wanted to note that I believe it only completes half the work required to fully disable SMBv1 on Windows 7. After attempting similar script project myself and re-reading the linked KB2696547 describing methods to disable SMBv1 for various Windows flavors, my current understanding is that for the older Win OSes (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012), there are two independent actions needed to restrict SMB protocols used:
1. disable the SMB client component from using SMBv1 protocol.
• On Win 7, Vista, Server 2008 / 2008 R2, Win 8, and Server 2012 reconfigure the LanmanWorkstation and mrxsmb10 services using sc.exe
2. disable the SMB server component (File and Printer Sharing) from using SMBv1 protocol.
• On Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008 modify registry …\LanmanServer\Parameters\SMB1 value
• On Windows 8 and Windows Server 2012 modify SMB Server Configuration using Set-SMBServerConfiguration cmdlet using PowerShell.
For later Win OSes (Windows 8.1 and later, Server 2012 R2 and later), a single action can be used removing SMBv1, uninstalling Windows Feature “SMB1.0/CIFS File Sharing Support” but the details to implement are slightly different on Server SKUs vs Non-Server SKUs.
Although Andrew’s methods summary in comments above helped me with older OS versions, the new OS versions don’t break down the way he described because the Server Manager cmdlet Remove-WindowsFeature does not apply to non-Server SKUs (no such cmdlet), and the DISM cmdlet Disable-WindowsOptionalFeature -Online works on Server but seems redundant with the other recommended option cmdlet for the Server flavors.
I’m disappointed that Microsoft has not provided a comprehensive PowerShell script to quickly disable SMBv1 across all supported OS versions and another script to re-enable. Given Ned’s dire warnings in this blog post and recent widespread RCE incident, why is large-scale removal of SMBv1 support being left as a tedious, complicated exercise for the readers ?? (as evidenced by comments here and on forum link below to other scripting/deployment attempts)
https://social.technet.microsoft.com/Forums/windows/en-US/d47d4282-8a44-4fa9-9ace-0a64b3f454fc/windows-clients-disable-smbv1-via-gpo?forum=win10itprosecurity
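As an added example (not posted by any of the commenters and not Microsoft's script), the following pulls the per-version steps discussed above into one function: the two independent client and server actions on Vista through Server 2012, and the single feature uninstall (Server Manager cmdlet on Server SKUs, DISM cmdlet on client SKUs) on 8.1/2012 R2 and later. The version detection via Win32_OperatingSystem, the ProductType-based Server/client test and the helper names are my assumptions.

```powershell
# Added example: disable the SMB1 client and server components on the running OS,
# choosing the per-version method from KB2696547 as discussed in the comments above.
# Run from an elevated PowerShell console; a reboot is still required afterwards.

function Invoke-Sc {
    # Thin wrapper so a failed sc.exe call stops the script instead of being ignored
    param([string[]] $ScArgs)
    & sc.exe @ScArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe $ScArgs failed with exit code $LASTEXITCODE" }
}

function Disable-Smb1 {
    param(
        # Marker file (same idea as the SMB1Gone file above) so the script is a no-op on a
        # machine it has already handled
        [string] $MarkerPath = 'C:\SMB1Gone'
    )

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell console.'
    }
    if (Test-Path $MarkerPath) {
        Write-Output "Marker $MarkerPath exists; SMB1 already handled here."
        return
    }

    # Assumption: WMI reports the true version even where [environment]::OSVersion is
    # compatibility-shimmed; ProductType 1 = workstation, 2 = domain controller, 3 = server.
    $wmiOs    = Get-WmiObject Win32_OperatingSystem
    $ver      = [version]$wmiOs.Version        # e.g. 6.1.7601 (Win7/2008 R2), 10.0.14393 (2016)
    $isServer = $wmiOs.ProductType -ne 1
    $serverParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    if ($ver.Major -eq 6 -and $ver.Minor -le 1) {
        # Vista/2008 and Win7/2008 R2: server side is a registry value (0 = disabled),
        # client side is the service dependency change plus disabling the SMB1 redirector
        Set-ItemProperty -Path $serverParams -Name SMB1 -Type DWord -Value 0 -Force
        Invoke-Sc 'config', 'lanmanworkstation', 'depend=', 'bowser/mrxsmb20/nsi'
        Invoke-Sc 'config', 'mrxsmb10', 'start=', 'disabled'
    }
    elseif ($ver.Major -eq 6 -and $ver.Minor -eq 2) {
        # Win8/2012: server side via the SMB cmdlet, client side still via sc.exe
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Invoke-Sc 'config', 'lanmanworkstation', 'depend=', 'bowser/mrxsmb20/nsi'
        Invoke-Sc 'config', 'mrxsmb10', 'start=', 'disabled'
    }
    elseif ($ver.Major -ge 10 -or ($ver.Major -eq 6 -and $ver.Minor -ge 3)) {
        # Win8.1/2012 R2 and later: one step, uninstall the feature; the cmdlet differs by SKU
        if ($isServer) {
            Remove-WindowsFeature FS-SMB1 | Out-Null
        } else {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
        # Keep the separate EnableSMB1Protocol toggle consistent with the uninstall
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    else {
        throw "Unrecognised Windows version $ver; no changes made."
    }

    New-Item -Path $MarkerPath -ItemType File -Force | Out-Null
    Write-Output "SMB1 disabled on $($wmiOs.Caption) ($ver); reboot to complete."
}

Disable-Smb1
```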
Because if I gave out a widespread removal script, it would be like throwing a bomb over my shoulder. People would simply run it without thought because it came from MS. You must always approach protocol removal with caution when you are responsible for 2 billion computers. That’s why I provided all the necessary info on how in 2696547 and leave it to IT pros to decide how they want to do it with their umpteen hundred methodologies and 3rd parties. 12% of all SMB communication worldwide is still SMB1.
In the coming days I’ll be outlining what we’ll do to alter future OS releases. But touching all existing machines automatically when there are significant ‘legitimate’ (at least to 3rd parties) reasons for running SMB1 requires caution. Unless you want me shutting off heart monitors without anyone knowing about it! 🙁
Hello Ned! Would you be able to help get KB2696547 (the KB article that discusses disabling SMBv1 linked in your article) updated to include modern OS versions. Specifically:
1. The Applies To section includes Windows 10, but does not include Server 2016.
2. Neither the title nor the body of the article include any information on Windows 10, Server 2016
3. Neither the title nor the body of the article include any information on disabling SMBv1 on Server 2012r2 nor Windows 8.1.
I posted this as feedback on the KB article page, but I don’t know if those comments are read so I figured I would let you know also. This will help offer an official, single and complete article that discusses how to disable SMBv1 on all currently supported Windows versions.
I will echo what some others have stated and would love to see a GP for this too.
Thanks Ned!
My psychic powers knew you wanted this and updated the article last week, even though I had missed your request due to our commenting system alerts being broken. 🙂 Hopefully this takes care of everything.
I have been reading the available information on disabling SMB1. It feels a bit like Microsoft support in writing KB2696547 got very caught up in detailing the different commands available in their different operating systems.
When you boil it down however. . . there are in fact only 3 registry changes required to disable SMB1 on all windows systems.
I am posting here requesting that this be confirmed by MS support if possible, because KB2696547 as it’s written doesn’t spell this fact out. Instead it makes the process for disabling SMB1 look much more confusing than it is.
If you’re using Powershell, the following 3 registry set commands will enact the required values to disable SMB1. Server reboots will still be required after these settings are enacted.
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWord -Value 0 -Force
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation" -Name "DependOnService" -Value "Bowser", "MRxSmb20", "NSI" -Type MultiString
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation" -Name "Start" -Type DWord -Value 4 -Force
You are partially correct – in the end, disabling and enabling is controlled by registry values; however, the recommendation on later OSes is to remove the feature, not disable, so those registry examples are not optimal. The real recommendation is to use the *one* step of removing SMB1 as a feature, starting in Win8.1/2012 R2. That is better than disabling services.
More procedurally though: using registry edits is not our preference – using the actual SMB PowerShell is our preference. We document all of the methods based on OS, and some OSes simply didn’t allow a clean experience. So there are a bunch of examples here. The article is designed to be comprehensive, not minimal.
I’ve posted a way of doing this using ConfigMgr DSC to automate it across your entire estate, including all supported OS versions here:
https://alexpooleyblog.wordpress.com/?p=404
For newer OS’s the baseline uses the ability to disable and remove via PowerShell, and for older OS’s it uses registry and sc.exe.
Ned,
Thank you for the reply and your insight. I do appreciate how comprehensive the KB is, and that there’s a focus on using SMB powershell for corrective actions.
In my case, I began looking at the KB from the perspective of wanting to enact specific changes at an organizational level across the spectrum of listed windows operating systems. As I reviewed the KB, I believed I needed to work up a scripted solution that would accomplish sifting through my AD computer lists, recognize operating system versions and then enacting required commands for those systems. Working through my script build logic, I found that the commands for each OS translated into the same reg values on each OS I needed to change. . . having spent a bit of time before reaching this conclusion I likely posted here a bit more annoyed about it than I should have. Sorry about that.
However I still feel that it should be noted somewhere that these registry values can at least be used to Disable / Enable SMB settings across all supported MS operating systems. Registry values being a preferred methodology of change or not; if it’s made more clear that those values can affect disable / enable of SMB on all supported OS’s, Admins / support staff can build group policies, or make scripts which affect those values at more organizational levels, and not get mired in “different controls for different systems” thinking.
I appreciate that the recommendation with newer operating systems is to remove old SMB feature entirely. And yet on a brand new install, it’s there by default. :/ Of course with sysprep and imaging it’s possible to ensure new servers / workstations don’t have the feature. . . but honestly, my first approach to turning off something like SMB1 on my existing windows servers, it’d disable the services it for a week or more, and then remove the feature.
Lan
I want to clear up my own spreading of mis-information on this issue. The registry keys I listed are on the right track, but I was mis-understanding a bit. The goal is disabling SMB1, but allowing SMB2/3 to function.
The right commands should look like this:
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWord -Value 0 -Force
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWord -Value 1 -Force
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation" -Name "DependOnService" -Value "Bowser", "MRxSmb20", "NSI" -Type MultiString
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10" -Name "Start" -Type DWord -Value 4 -Force
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb20" -Name "Start" -Type DWord -Value 2 -Force
Those commands will:
-flag SMB1 as disabled on the Server service.
-flag SMB2 as enabled on the Server service.
-change the dependencies for the Workstation service so it no longer requires the SMB1 service (mrxsmb10).
-disable the mrxsmb10 service from starting.
-set the mrxsmb20 service to auto-start.
Thanks again to Ned and MS support.
Lan
I see your point. I’ll see if I can make the KB a bit more clear for the ‘one registry to disable them all’. That might be more of a blog thing – KBs have different rules.
See this (and others like it from me) about your final point: https://twitter.com/NerdPyle/status/839647147209338880 🙂
Ned –
Thank you for a great article, hopefully more IT managers will find it and implement your recommendations; if it isn’t already, this information should be added to Windows security “best practices” guides. We have been disabling SMBv1 on all of our Windows boxes but have run into an issue on Windows Server 2016. We were hopeful the issue would be resolved in the March 2017 Windows Updates given there were 2 patches addressing SMB specifically, but the issue still is present.
Prior to disabling SMBv1, we have been “hardening” SMB to prevent SMB relay attacks:
Microsoft network server: Server SPN target name validation level
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/microsoft-network-server-server-spn-target-name-validation-level
We configured this group policy as ‘Required from client’ across all Windows boxes in our domain without issue.
Group Policy:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
Microsoft network server: Server SPN target name validation level
Off = 0
Accept if provided by client = 1
Required from client = 2
Registry:
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\smbservernamehardeninglevel
After adding the additional security step of disabling SMBv1, we had no issues on Windows 7 SP1, Windows 8.1, Windows 10, Server 2012, or Server 2012 R2.
However, when we disabled SMBv1 on Server 2016 (Remove-WindowsFeature FS-SMB1), all SMB shares broke: no shares were accessible from any Windows clients. Instead of connecting to the share, a credential pop-up box is presented, and even valid credentials don’t work. The error logged is:
Log Name: Microsoft-Windows-SMBServer/Security
Event ID: 551
Description: SMB Session Authentication Failure
A process has requested access to an object, but has not been granted those access rights. (0xC0000022)
SPN Validation Policy: SPN required / validate full
On Server 2016, disabling (removing) SMBv1 and having Microsoft network server: Server SPN target name validation level = Required from client (2) are currently not “working together”, yet it works on the other Windows operating systems just fine.
To recreate this:
1) Domain-joined Server 2016
2) Remove-WindowsFeature FS-SMB1
3) Server SPN target name validation level = Required from client (2)
4) Reboot Server 2016
Domain Admins are now unable to connect to the \\Server2016\C$ default share or any other shares from other domain-joined Windows computers.
The “temporary” fix is to configure Server SPN target name validation level = Off (0) & Reboot on Server 2016 boxes. SMBv1 is disabled but SMB relay attacks are possible again. :/
Just an update: The issue is not present in Windows 10 1607, however, it _is_ present in Windows 10 1703. Ned is aware of the issue and it’s looking like it might be a bug.
A fix for this issue was included in the August 8, 2017 cumulative update for Windows 10 version 1703, but it did not get called out in the release notes.
https://support.microsoft.com/en-us/help/4034674
A fix for this issue was included in the September 12, 2017 cumulative update for Server 2016:
2017-09 Cumulative Update for Windows Server 2016 for x64-based Systems (KB4038782)
Thank you Microsoft (especially Ned’s team!) for fixing this in Server 2016 & Windows 10!
Man, I *still* can’t disable it at home. Got a Windows XP print server box for compatibility reasons. 🙁 Someday though…
2. You have some decrepit management software that demands admins browse via the ‘network neighborhood’ master browser list.
So, support for network neighborhood browsing is going away with the new versions of SMB v2>? How do applications or users file explore the network for shares that they can’t remember the path or they don’t have a mapped drive to it going forward?
It went away 10 years ago. The computer browser never had support for SMB2 or later; most apps and interfaces changed to things like UPnP, MDNS, Bonjour, etc. All your computers also blocked this by default at the firewall. If your users browse this way, you will have to turn SMB1 back on and let the browser come back, and accept all the security risks of anonymous device browsing and connections. As with everything I mentioned, you have the option to run legacy forever.
Note: we have broken this browsing multiple times through bugs in W10, and hardly anyone complained. This particular aspect of network browsing is used by almost no software in years, because it doesn’t scale and users in all but the tiniest environments cannot browse due to network router and switch rules. Plus IT pros preferred to map them drives unless the users themselves were IT pros.
For most home users the HomeGroup may suffice, but just about every small(er) business that I have seen regularly uses the network neighborhood for browsing. Without AD and SMB1 there will be no graphical way to browse computers, right? Or did I miss some option?
In a smaller business it seems like it would be much better just to automatically map the users some drives instead of making them learn browsing (which won’t work if they add networks, change workgroups, etc.). Computers will still appear in NN via UPnP, MDNS, Bonjour, and other tech, just not computer browsing via NetBIOS. If they want to keep it, SMB1/browser can be turned on/left on. When we start to disable SMB1 in coming Windows release, this will not affect small business or home users though, as those Home and Pro SKUs will not have SMB1 removed by default.
While I get the logic of keeping SMB1 installed for Home and Pro SKUs, I certainly don’t agree with it and plead to have it removed by default for fresh installs of all modern Windows SKUs. Having to support a diverse population of enterprise, small business, and home office/personal systems, I cannot stress how much I’d prefer to get a call from a home user having just freshly installed the latest OS or having received a new computer from a retailer and not being able to connect to an antiquated MFP or NAS device or browse via NetBIOS. Explaining the pros/cons of adding the legacy protocol and how to mitigate the risks before doing so is much better than getting the call about a malware infection via an SMB1 attack. Please make this change for all SKUs!
Added some new steps to keep using Network Neighborhood, see updated article
All the more reason to nix SMB1 on all new installs, even Home and Pro!
Ned said: Added some new steps to keep using Network Neighborhood, see updated article
Oh, we noticed (when you broke Network browsing in Win10)!
It’s not only GUI browsing file shares via Explorer, but also business software that no longer “sees” its network targets – and fixing the first issue, fixed the second (involved adding back SMB1 to Win10, so XP could see and reach it via LAN).
Not so keen on mapped drive letters, as opens that up to simpler D:\Dir\etc. syntax, plus these drive letter mappings were brittle back in the Win9x days when we last used them. In those days, failure to reach a share via a mapped letter (e.g. when target PC was switched off) would prompt the user to delete the mapping, which meant someone would have to go and set it up again… is it still that brittle?
I think for small businesses and home networks, it’s best to be upfront about the link between SMB1 and browsing file shares via the shell’s Network folder. I’m surprised that functionality hasn’t been rebuilt on later versions of SMB – kludging fake drive letters and scratching around command prompts seems regressive to me.
I’m here from this thread (running from April to right now) where folks are struggling with broken networking from 2016 and now Build 1703…
https://social.technet.microsoft.com/Forums/en-US/1add7d03-2bc0-4d1e-9248-fef090d9ba0e/anyone-else-notice-the-network-issues-with-windows-10-creators-edition?forum=win10itpronetworking
…those folks could do with some help, and I think would be very surprised that “we have broken this browsing multiple times through bugs in W10, and hardly anyone complained”
Hi Ned,
I don’t understand – when the SMB 1.0 feature is removed and the server rebooted (Windows Server 2012 R2) Get-SmbServerConfiguration set reports EnableSMB1Protocol as True!
We’re trying to document these things and want to make sure we’re being consistent.
https://www.centrel-solutions.com/xiaconfiguration/capabilities.aspx?capability=microsoft-azure-reporting-and-inventory-tool-audit-settings-and-create-documentation
Thanks,
Dave
David, you just found a nice and extremely dumb bug. 🙂 SMB1 is gone, the problem is that we also offer a separate enable/disable toggle from a previous OS version. To get this aligned: when you uninstall SMB1, also set that to false in the same batch processing. I will file a bug to fix this here in a later release. If you would like to get this fixed downlevel, please email me at nedpyle@microsoft.com and we can chat about the process.
Hey Ned, thanks for the update. We now document the setting as a security setting and the feature as a feature separately.
Thanks,
Dave
Well dang, I was going to use this for a script to make sure we don’t run the removal unnecessarily 🙁
any way to detect if SMB1 is enabled on 7,8.1,and 10 in a powershell script?
I’d say to check the values being set in kb2696547 are set. If not, it’s still running. The only trouble is when you uninstall, the values might be dangled; in which case, simply check to see that the feature is in fact removed by asking powershell/dism.
Also, if you remove SMB1, the mrxsmb10.sys and srv.sys will cease to exist on the system and not be in the list of services to start anymore, on a Win8.1/2012R2+ system. But in that case I’d just be querying for the installed feature, tbh
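As an added example (not Ned's or the commenters' code), a read-only audit function that combines the checks Ned describes: the KB2696547 registry values, the mrxsmb10 service and its driver file, the installed feature queried per SKU, and the separate EnableSMB1Protocol toggle that can still read True after the feature is removed. The driver path, the Win32_OperatingSystem-based SKU test and treating a missing SMB1 value as "enabled by default" are my assumptions.

```powershell
# Added example: report whether SMB1 is still present or enabled on this machine,
# using the checks discussed in the comments above. Makes no changes.
# Run from an elevated console so the feature queries work.

function Get-Smb1State {
    $lanmanServer = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $workstation  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'
    $mrxsmb10Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'

    # Assumption: ProductType 1 = workstation SKU, anything else is a Server SKU
    $wmiOs    = Get-WmiObject Win32_OperatingSystem
    $ver      = [version]$wmiOs.Version
    $isServer = $wmiOs.ProductType -ne 1

    # Server side: the SMB1 value under LanmanServer\Parameters (0 = disabled).
    # Assumption: when the value is absent the server keeps its default, i.e. SMB1 on.
    $smb1Value = (Get-ItemProperty -Path $lanmanServer -ErrorAction SilentlyContinue).SMB1
    $serverRegEnabled = ($smb1Value -eq $null) -or ($smb1Value -ne 0)

    # Client side: does the Workstation service still depend on MRxSmb10, and may mrxsmb10 start?
    $deps = (Get-ItemProperty -Path $workstation -ErrorAction SilentlyContinue).DependOnService
    $dependsOnSmb1 = @($deps) -contains 'MRxSmb10'
    $mrxStart = (Get-ItemProperty -Path $mrxsmb10Key -ErrorAction SilentlyContinue).Start
    # Start = 4 means disabled; $null means the service key is gone (feature removed)
    $clientDriverEnabled = ($mrxStart -ne $null) -and ($mrxStart -ne 4)
    $driverPresent = Test-Path (Join-Path $env:SystemRoot 'System32\drivers\mrxsmb10.sys')

    # Feature state on 8.1/2012 R2 and later; neither cmdlet exists on Windows 7/2008 R2,
    # and on Server 2012 the FS-SMB1 feature itself does not exist, so fall back to 'n/a'.
    $featureState = 'n/a'
    if ($isServer -and (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue)) {
        $f = Get-WindowsFeature FS-SMB1 -ErrorAction SilentlyContinue
        if ($f) { $featureState = [string]$f.InstallState }     # Installed / Available / Removed
    }
    elseif (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($f) { $featureState = [string]$f.State }            # Enabled / Disabled / ...
    }

    # Separate toggle; as noted above it can still read True after the feature was uninstalled
    $toggle = $null
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $toggle = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # Verdict: trust the feature state where the OS has one; otherwise fall back to the
    # registry/service values that KB2696547 sets on the older OSes
    $featureInstalled = @('Installed', 'Enabled') -contains $featureState
    if ($featureState -ne 'n/a') {
        $smb1Present = $featureInstalled
    } else {
        $smb1Present = $serverRegEnabled -or $clientDriverEnabled -or $dependsOnSmb1
    }

    New-Object PSObject -Property @{
        Computer                = $env:COMPUTERNAME
        OSVersion               = $ver.ToString()
        IsServerSku             = $isServer
        ServerSmb1RegistryValue = $smb1Value
        ServerSmb1Enabled       = $serverRegEnabled
        WorkstationDependsOnSmb1 = $dependsOnSmb1
        Mrxsmb10StartValue      = $mrxStart
        Mrxsmb10DriverPresent   = $driverPresent
        FeatureState            = $featureState
        EnableSMB1ProtocolToggle = $toggle
        Smb1Present             = $smb1Present
    }
}

Get-Smb1State | Format-List
```

Run it across a fleet with Invoke-Command and filter on Smb1Present to find the machines that still need the removal step, without relying on the EnableSMB1Protocol toggle alone.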
Hi, we are planning to remove SMBv1 via GPO as part of ransomware mitigation. But is there any way to enable some registry value and track SMBv1 traffic in the security log before going ahead with the action? More worried about whether something is still using it.
On Windows Server 2016/Windows 10 you can enable SMB1 auditing. We will also be releasing that as a backported patch to Windows 8.1/Windows Server 2012 R2, probably in the near future. After that, you can use network analysis to watch for SMB1 usage. Or just turn it off then see who complains. They will find you much faster than any logging!
Ned,
Great article. One question about the instructions in article 2696547. For Windows 2008 R2, what does it mean if the registry key does not exist currently? Is SMBv1 running?
Thanks
I receive warnings from colleagues that removing the SMB 1.0 feature can lead to Windows Explorer losing the list of remote computers and never get them back again. Is that true?
You’ll have to explain what you mean, that doesn’t make any sense to me. 🙂
You are perhaps aware that File Explorer (nee Windows Explorer) has a Network root (formerly known as My Network Place or Network Neighborhood). This area lists computers on the network. My colleagues have warned me that no network computers would appear in this area if I remove the SMB 1.0/CIFS File Sharing Support feature from that copy Windows. (See your one-before-last screenshot.)
Currently, I’m testing this on a copy of Windows 10 1607. I see phones and routers listed but no computers.
Yes, as mentioned in the blog post above. Devices that do UPnP and the like will appear, while the old (frequently broken and unreliable and DDoS’able) SMB1-based computer browser goes away when SMB1 goes away. For users, I recommend mapping them drives through automation and not having them browse around exploring the network with an unsafe protocol. For admins, they should know ways to find servers like AD and their brain :).
Or you can leave SMB1 on – and keep the computer browser from 1996. 😐
I want a computer browser. I don’t care whether it is based on SMB1 or some awesome new tech.
Added some new steps to keep using Network Neighborhood, see updated article
Well, thanks a lot. It seems this feature has been part of Windows since the notorious Windows Vista!
By the way, I visited KB4034314. You really mustn’t use “Network Neighborhood” in an official article like that. “Network Neighborhood” died 10 years ago with Windows 98.
It’s a fair point. Unfortunately, everyone using this vile ancient turd knows it as “Network Neighborhood”, and simply calling “network” is an exercise in mass confusion. I tried to split the difference just now by calling it both. This will of course fail 🙂
When I switched to Storage Server 2012 / 2012R2 running SMB3.0 (2.2) I had problems with my main application, which is a Radio Broadcast Automation application. We experienced a lot of time-outs and hourglasses in the application; I previously did not have this problem running W2008R2 Storage Server and W7 clients. By forcing the 2012R2 servers to use SMB 1.0 the problem disappeared.
When I Wiresharked the 2012 comms with the W7 client I saw a lot of time was used in negotiating the SMB ‘dialect’ between server and client, resulting in renegotiations on the Kerberos level also. Also, this broadcast application is very sensitive to latency; switching back to SMB1.0 did not show this negotiation. Now, years later, I need to reinvest in a new storage solution and am not sure if the problem is really related to the SMB level.
Can it also be a problem of oplocks?
When I talk to the vendor of the software, which is DALET, a well-used vendor in video and audio playout and MAM systems, they say they are using the standard MS libraries (C# and C++) to write their applications, so they do not intervene in the client to server comms.
I would very much like to change to Server 2016 and S2D for my next storage project.
Can anyone help out with the above problem?
thanks
This is usually caused by the vendor using the ancient ISAM database format. Any chance you can find out from vendor? We have been talking to various ones about this, and most offer replacements that they themselves want customers to use.
Database is sql2008 sp3
The time-outs occur when opening the media files like .wav or .txt
I will ask the vendor regarding ISAM
Thx
That doesn’t make sense then if they are using SQL; ISAM is a non-relational file-based DB, SQL won’t be using SMB at all.
I’d say try again on modern Windows, see if you are still having issues. If so, ping me.
Thanks for the advice.
I will try it on a staging platform, but the software vendor does not support W10 as client OS for the moment, so I can not try it on a 24/7 24h production system.
I’ll let You know
Sorry for the long time it took to reply. I can not try with modern Windows as these are not available for the moment.
It seems the problem is caused by the oplocks mechanism.
As there is no way to disable it in SMB2.x and higher on Windows SMB, the only way around it, my vendor says, is using SMB1.
It seems that Oplocks CAN be disabled on the Ontap version of SMB from Netapp running SMB2 and higher
extract from the Dalet recommendation to change oplocks on a NetApp Filer
Dalet’s Recommendation concerning OpLocks
It has been a long standing recommendation by Dalet storage experts to disable OpLocks on the storage but not on clients.
Many storage-related performance problems are potentially misdiagnosed as long as oplocks are enabled on the CIFS storage volumes.
Dalet recommends disabling OpLocks on the storage but not on the clients.
SMB 2.1 Recommendations
Depending on the storage trouble, Dalet recommends two strategies:
The first one is to disable SMB 2.1, this can be done via ssh connection to the filer
Note: Disabling SMB 2.1 affects new connections only. Future connections will negotiate at the SMB 2.0 protocol level.
You should restart CIFS on the filer (or terminate CIFS Connections).
The second one is to disable OpLocks on the filer level, this can be done via ssh to the filer
and executing the following command: options cifs.oplocks.enable off
This is a permanent command.
Dalet usually recommends to start with the first one and if you still have issues continue with the second one,
If you want a fire and forget, you can perform both…
It seems we are stuck here. how come Netapp can disable Oplocks on SMB 2 and higher claiming they use the original Microsoft SMB stack and not a Samba Version, and that this is not possible on a Windows fileserver ?
please advise when possible and thanks for your time.
See https://twitter.com/NerdPyle/status/876880390866190336 and my recent ISAM comment reply today. We have created a way to turn off leases and oplocks in latest Windows. For now, this is the only place, so your first point on not using W10 is understood but I can’t do anything about it. If you simply test this and it works, you can open a support case and request a DCR backport of the functionality back to older operating systems.
Disabling oplocks is effectively a hack and dangerous for most applications. That you have to do it means your application needs to modernize its approaches. Most vendors I speak to aren’t actually at fault – they themselves are using other licensed or free code that requires oplocks, and they often have more modern database versions that don’t require it anymore.
Netapp doesn’t use the Windows stack, they have their own stuff. Deciding to handle oplocks is not a technical decision – it’s philosophical. Disabling them is bad 99.999% of the time.
We disabled and all our user’s scan to folder locations failed. We have Ricoh copiers. Vendor said Ricoh only supports SMB v1 and no firmware updates are available to update to the newer version.
I wonder what they will say when you tell them you are switching vendors. 🙂 You can contact http://www.visualitynq.com/, to find out which printer vendors they have provided SMB2 firmware to, for instance. Many OEMS will not care about your security – it appears Ricoh does not, in this instance – and now you need to vote with your wallet if you do value security. That’s the only thing a company understands.
Had the exact same issue happen with Toshiba copiers.
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
These system updates solve the problem?
Yes, that stops the attacks against the old SMB1 protocol. You should update your anti-virus software to remove any infections that got installed before patching.
Have you confirmed that you have the latest firmware and are you able to configure the Ricoh (via telnet or ssh) with the following settings:
smb client auth 1
smb client port 445
If so that may fix the issue.
This will also be needed when disabling NTLMv1.
I’d love to I really would, but my file servers (2008 R2) are just demanding to use dialect 1.5! The client can connect to other 2008 R2 servers and show dialect 2.1 but no my file servers refuse to use SMB 2 – they’re enabled – quite forcefully in fact using lanmanserver\parameters but no even then something is stopping them allowing the SMB2 protocol – OK OK I found when they were created they had SMB2 disabled – but you’d think that forcing the issue be making the DWORD 1 would sort it – apparently not!
There should be an option to reset SMB config – or even some tools to get the info out – the 2012 R2 SMB powershell bits are awesome, but can it be back ported to 2008 – no – oh well, life with SMB 1 continues ……….. it’s NetBIOS all over again I tell you!
Hey Ned,
I’ve started the process of switching it off, but I now have BPA throwing several messages back at me about it not being enabled, server.sys should be running etc. What is the best way to deal with these? One thing I hate is Errors/Warnings hanging around when I know they can be ignored.
Hey Ned,
Please confirm that the ID10T that allowed SMB1 to be enabled by default in Win10 and Server 2016 gets fired today. Maybe next time they will actually listen!
I cannot fire executives, sorry.
Kidding! Maybe!
So if we disable SMB1, do we have to do anything else, or is it okay from there? Does something else need to be installed in place of it?
This is complicated. If using only Microsoft Windows and Windows Server, the answer is NO.
But many third parties and their software use legacy operating systems to run, often with legacy protocols like SMB1. These include NAS appliances, printers that “scan to share”, etc. I keep a running list of these on Twitter under hashtag #StillNeedsSMB1 and I will be creating a list to track them in a blog post or TechNet in the near future. If that vendor requires SMB1, you will need to contact them about updating their software.
Hey Ned,
What is Windows Server using today to advertise SMB shares now that SMBv1 is out?
(I’ve seen UPnP(SSDP), mDNS, etc. mentioned here.)
Thanks for sharing your expertise – we appreciate it!
Hi Ned,
Please work with HPE to get their StoreOnce deduplication appliances in order.
Agreed. Just discovered our Veeam archives started failing when we disabled SMBV1 on one of our Veeam servers. The HP StoreOnce appliance appears to only support SMBv1 today.
Can you provide me with a vendor doc stating this? I can then update https://aka.ms/stillneedssmb1 and you will have helped out many of your peers.
Hi sir,
I’m using Windows 7 Home Premium bundled with my notebook. Due to the WannaCry attack, I wanted to completely disable SMB v1 using any of the methods described above, BUT I can’t find it!
CMD, PowerShell or Windows Client (Turn features On/Off) does NOT list the SMB protocol on my computer; it’s missing.
What does it mean?
Thanks a lot.
From an admin-elevated PowerShell console, run:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
If you want to edit with Regedit, go here:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Create DWORD value name: SMB1
Set value: 0
Reboot
More info: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
Win7 x64
Ned, I’m confused… I still haven’t updated anything since MS quit releasing individual patches, so I’m trying to understand how to install security updates, but my head hurts and I’m giving up on that for now. For the time being, I’m blocking ports 445 in addition to a few others, and figured that I would disable SMB1, but I’m not seeing what I expected.
In Registry Editor: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, there is no entry for SMB1. within Parameters. I see mrxsmb, mrxsmb10, etc. outside of that, though.
In Windows Features: goes from Simple TCPIP services to Tablet PC Components, then Telnet Client, etc. There are no options to enable/disable SMB.
Is it possible that I’ve disabled it in the past and that’s why I’m not seeing anything?
It will not exist by default. You can create it with: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
Or do it manually in regedit. Then restart the Server service or just reboot.
Question: so why keep including SMB1 in modern versions of Windows? just drop it completely.
It’s complicated. I will be explaining this more in a coming blog post. I have been working on SMB1 removal for 2 years and it’s been gone from Windows for a few months now – you just don’t know it yet. 🙂
Hmm… does this explain why “net view” has been failing to work on my home network with Windows 10 machines recently? I’ve been wondering if something has been done to limit browsing in one of the recent updates.
SMB1 removal isn’t hard
But why is it installed by default even in 2012 R2??? Since it’s 30 years old,
MS should pay attention to such a critical decision.
SMB1 caused a lot of damage since it was used by WannaCry
https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
I plan to write up an explanatory post on this – will cover this as well as how to troubleshoot the third parties that will break when SMB1 is removed (which is a spoiler alert to why it was still installed)
Exactly. New versions of Windows should make such obsolete technologies strictly an opt-in process.
By turning it on, people should know what they’re doing.
Merely deprecating features they know suck is not good enough.
While I appreciate reading Ned’s blogs and learn something each time, it’s unfortunate we seem to learn about it so late.
We rely on MS as a collective to make the right decision for us IT Professionals as they understand these products inside/out.
SMB is strictly opt-in. There is no way to connect to a machine over SMB by default, at several layers. It’s also important to note that *because* of IT professionals, SMB1 is still on. Millions of you seem to love these third party devices running versions of Samba from 10 years ago… D-:
This is a very complex problem, and our solution to it will make far more people unhappy than wannacry did, trust me. Anyone here want a job owning SMB1? We’re always hiring 🙂
People should have listened to you 😀
So, what would cause the SMB 1 feature checkbox to be grayed (greyed) out in Windows 2012 R2? I went to verify it was off, but I can’t seem to turn it off. I might try via PowerShell but now I have the question why it’s grayed out, could there be another feature reliant on it?
I have my file servers show up with that same exact issue.
Can’t uncheck a grayed out box.
So I ran the removal of the feature from PowerShell and voilà, after a reboot it was unchecked.
I imagine it’s some stupid reason for it being that way… probably blame it on the users like Microsoft is apt to do.
Frankly the logic makes no fucking sense, you won’t leave .NET crap in and make me freakin jump through hoops to install it and other features that I do need, but something that is a HUGE DAMN SECURITY HOLE is on by default!!
I really have to ask how much the NSA paid you guys to keep this on because this has their handwriting all over it.
You will see this if you go into Server Manager and click ADD instead of REMOVE for roles and features. Installed items will be grayed out, as they are already added. So yes, I am blaming it on the user in this case. ;). I’m joking of course, it’s a common mistake and I’ve done it myself a few times.
The rest of your comment is, of course, not worth responding to. Please loosen the tin foil hat.
It looks like you called it! WannaCry proved your point lucidly.
With the release of wannacry it has been proved how much right you were 🙂
I wish I wasn’t. 🙁
This was very foretelling when the WannaCry started heating up. All of our company’s newer clients and servers didn’t need SMB1. Just failed to realize that it’s enabled by default. But after some PowerShell chicanery all is well!
Awesome!
All the regular posts show methods for Server 2012 and a registry entry for Server 2008 (supposed to be what SBS2011 was based on); however, the Server 2012 PowerShell commands don’t work and the registry entry for Server 2008 doesn’t exist in the SBS2011 registry.
You can create the registry entry on SBS and it will take effect.
Harmonic Mediagrid still uses SMBv1 only, as we’ve just found out (and we’re on the latest and greatest unreleased beta code…). We have a 700+ device environment and recently went through and disabled SMBv1 on everything. No problems except with the Mediagrid. Turns out they are using some old libraries that can’t talk smbv2/v3 (can’t imagine how many other unpatched vulnerabilities there are…). Instead of rolling back changes we deployed a small DC with smbv1 enabled just for them.
Pretty sad that this is still a problem. Hopefully wannacry and other recent events will light a fire up everyone’s ass.
Hi,
After removing the SMB 1.0/CIFS File Sharing Support feature on the server using the PowerShell command, do we need to restart the system?
Thanks.
Yes, for the binaries to be removed. But you needn’t reboot for SMB1 blocking to take effect – just setting the registry value or running -enablesmb1 $false (see above) works without a restart.
And then came wannacry and we decided to read you article and listen to your advice for the sake of our children.
I turned it off on my small office network, and all the Shared Folders on PCs running XP, Win 10, Win 7 stopped working! The PCs would not even appear in Network Neighborhood. Is there something I am missing that can enable Shared Folders when turning off SMB1? Thx!
Network neighborhood cannot work as SMB1 contains the Computer Browser service; shares will absolutely still work and exist.
If you must leave SMB1 enabled in this environment for network neighborhood, I recommend configuring windows firewall on each computer to only allow from the IP addresses of the other computers inside that network. Ensure that port 445 is not allowed from the internet.
Alternatively, and better, leave SMB1 disabled and map drives to the other computers so that users aren’t browsing in network neighborhood. We stopped supporting that old way 15 years ago, it is a legacy of Windows 95.
Dear NedPyle,
just a question: Have you tested what you are suggesting here?
If I try mapping a network share to a drive letter using the command
net use Z: \\computername\sharename
I only get
“System Error 64. The specified network name is no longer available”.
Seems that it is only available when using SMB1, which is a pity.
Just to amend: All computers I tried this test with were Windows 10 computers with the latest updates installed.
I tested: After re-enabling SMB1, the network drive mapping worked again without any problems.
Kind regards,
Gerd
Yes. Because if your remote machine or device requires SMB1, and you have disabled SMB1, you will get that error. Just like explained here:
https://support.microsoft.com/fr-dz/help/4034314/smbv1-is-not-installed-by-default-in-windows-10-rs3-and-windows-server
But now that I’ve disabled SMB1 using appwiz on Windows 10 as per the article, none of my Windows or Linux shares on the LAN are visible to me in the File Explorer. I can still access them if I type out their location, but they’re not visible. How do I fix that? If it’s not fixable then it’s not worth disabling SMB1 if I cannot see any of my shares! Help.
After parsing through the comments I got my answer. It’s not possible to do with SMB1 disabled. So how would a user set up a network share on Windows so that is appears in the Network places list using UPnP (which I also thought was not secure)?
Like what if I have 20 or so shares on a few NAS servers at home. I have to map those on every device that connects to my network and then I have to remember the name of the shares when guests come over? There has to be an easier way
See previous reply. Your NAS may offer additional client software to make browsing easier – for home devices they almost always do. But for your guests you’d just tell them, the same way you’d tell them the credentials they will need to connect.
Added some new steps to keep using Network Neighborhood, see updated article
Network neighborhood computer browsing is a technology from Windows 95 that requires SMB1. That browsing capability is removed with SMB1, as they are tied together. Computer browsing does not work across subnets and allows broadcast storms and DDoS. I recommend leaving SMB1 off and mapping drives so that you are not browsing to servers to list their shares.
Hey Guys,
I encountered a problem after removing SMB 1.0 on Windows Server 2016 domain controllers.
My office uses a QNAP TS-439 Pro II+ model NAS server. This server is a member joined to the Windows domain. After removing SMB 1.0, the domain users couldn’t access the NAS server via Web and SMB. Then I checked the QNAP docs: the TS-439 Pro II+ is an old model that doesn’t support SMB 3.0; it supports SMB 2.0 at most.
Finally I reinstalled SMB 1.0 support on my Windows Server 2016, then users can access the NAS.
What client are you connecting to the device with? Windows uses SMB2 or later since Windows Vista. The error you are describing means that SMB2 is not enabled on the QNAP.
NAS devices often don’t have SMB2 support enabled by default if they support it – the vendor should have docs on how to enable SMB2 and disable SMB1.
Install the latest firmware on your QNap, then connect with SSH and enable SMB3.
That will solve all problems (just did it myself).
Another case is Windows Server 2003 Terminal login. Once you remove SMB 1.0 support on a Windows Server 2016 domain controller, Windows Server 2003 terminal login in this domain will fail. You have to reinstall SMB 1.0 on the DC, or retire WS 2013.
Yes, you should upgrade the WS2003 server; it can only use SMB1. There are many other attacks that will succeed on it that you have no patches for, and it is easily compromised regardless of SMB1. It has not been supported for two years.
So, is there a way to install the patch through the vulnerability?
Can you make a GPO to disable SMB v1 ? It would seem like the obvious best solution rather than touch each server and PC individually. Of course one needs to take into account the operating system version, maybe a separate GPO for each OS version.
How about how to disable it on WHS V1? Yes, I’m still running that since I have no better option with a required legacy program that won’t work with newer WHS versions.
Heck, using the info here and in several other places I can’t even FIND SMBv1 on WHS V1, so I need some guidance on how to find and disable it. It was simple on my Win8 and Win10 machines.
Does Home Server allow access to a command line (CMD) or regedit? That thing has been gone for so long, I don’t have any way to repro on it.
I think WHSv1 is based on Server 2003 which only supports SMB1.
Hello Ned,
I am a bit confused by your blog post. I have just installed Windows Server 2016 and I used the “Get-SmbServerConfiguration” PS command to check if SMB1 is active, and it gives me the following output, “EnableSMB1Protocol : True”, which means that it is enabled by default as you state in your article (I know that you did not provide the above command, but I am assuming, maybe erroneously, that the output tells you how SMB is configured on your server). However, when I try to remove SMB1 from the server via the Server Manager method, I see that SMB 1.0 is not installed, as you show in your picture. Also, when I try to use the PS command you gave, I get the exact same output as you show in your pictures, which also means that SMB 1.0 was never installed. If I then run “Get-SmbServerConfiguration” again I get the same output as before.
So what gives? Is SMB 1.0 enabled by default on WS 2016? If it is then the commands that you give in your post do not work as they do not do anything at least in my case. If they do disable the SMB1.0 Feature how can I check it without having someone try to connect via smb1.0.
SMB1 is installed by default in all released products; the only way it can be missing out of the box is if you are using a custom image – which many companies do make. If you run “get-windowsfeature FS-SMB1” from an elevated PowerShell prompt, what does it show?
I get the following:
Display Name                             Name      Install State
------------                             ----      -------------
[ ] SMB 1.0/CIFS File Sharing Support    FS-SMB1   Available
Hi NedPyle
Good luck on the SMB1 crusade.
I do have a question though, as I’m getting confusing answers about some *nix products using EAP-MSCHAPv2 authentication method being the reason we have to keep using SMB1. Is this true because it’s not possible to use EAP-MSCHAPv2 over SMB2.x or is it just that they’ve not implemented it to use SMB2.x in their product for whatever reason?
Yes I am asking the vendors, but I’d like to know this so I don’t get fobbed off with change your authentication method to remove SMB1 dependency answers.
Peace, love and MACHINE empathy
Da’flibble
SMB is agnostic to security – it uses whatever the implementer says to use – so it’s specific to that implementation.
Does removing the FS-SMB1 Windows Feature completely remove support for the SMB1 protocol, or does it just remove the SMB1 server?
Removes both client and server in Windows 8.1/10 & Windows Server 2012 R2/2016 current versions.
How do you create a share on Windows 10 1607 when you’ve removed SMB1 then? Or is that a feature and you can’t?
SMB2 and SMB3 are on Windows 10, you still create shares just like normal; there is no change to this experience.
I have created an RFC-1867 gateway to Samba’s client in C. The code is here:
https://github.com/orachas/xmit-file-transfer-w-RFC-1867-sha256/ [examine smbgw.c]
This will get my VAX and older UNIX off of SMB1 by relying upon our newer systems to act as intermediaries. The code is somewhat blunt and brutish, but it works.
Because the code is written in C, there are few dependencies and upgrades should be rare. I’m offering it as an aid for those trying to escape SMB1.
There is little access control – that function should be performed by stunnel if it’s required.
Hi Ned,
I agree with not using SMB1, but AFAIK this is the only SMB version without client-side caching, which can screw up migrations on shaky network connections.
Is there any way to disable client side caching in SMB3 to avoid delayed write errors? I have to do it on OS level as I cannot change the copy tool itself. As of now I have to force my client to use SMB1 in order to prevent this.
Ty, Ralf.
Client-side caching is supported on all versions of Windows and all versions of SMB. You can disable client-side caching on the share, or in the client itself; it’s an application, not SMB itself.
I am on Windows 10 (preview and release) using an R7000 Netgear router, and with SMB1 turned off in Control Panel I cannot map my ‘network’ hard drive.
Are there options, and is there another protocol that will allow the mapped drive that is connected to my Netgear router?
You will have to ask Netgear, sorry. We don’t know what each vendor and product options are. Clearly they are requiring SMB1, but perhaps they also support SMB2 or later, and simply don’t have it turned on by default.
Hi Ned,
Can you tell me how to re-enable smb1 on XP machines.
We disabled it via GPO but have a few machines left in the system.
It’s caused a headache for them now.
thanks
XP only has SMB1. If you disabled it, it has no SMB of any kind. Just ensure that the LanManServer and LanManWorkstation services are set to automatic and running.
Are there any more unsafe legacy features in the latest Windows enabled by default?
Please make a blog post of ALL features to disable for increased security against ransomware attacks
We have done much more than this for some years: https://blogs.technet.microsoft.com/secguide/
What mainstream applications or other mainstream software utilises Server Message Block 1?
Check out https://aka.ms/stillneedssmb1.
Do not go there if you are in a good mood.
Can you tell me what the guidance is with SMB1 on domain controllers? is it safe to remove it?
It’s usually safe and recommended to remove on DCs unless you are running third parties that require it to domain join. See https://aka.ms/stillneedssmb1 for more info. Even if your vendors are not on the list, you should still ask them!
The best test for SMBv1 is to connect remotely and see what is offered/supported. It’s more reliable than checking a server’s configuration – the truth is on the wire.
But I can’t find a tool to do this. Can you suggest one?
We generally use nmap for remote checks like this (TLS configuration, etc.), but it doesn’t have a test for “Is it running SMBv1?”.
If there isn’t a tool which can do this, could your team contribute a script to nmap? (nmap[.]org) Or some PowerShell magic.
Thanks,
Andrew
I know of one tool that was created to test your local network for the EternalBlue vulnerability, and was later improved to also list SMBv1 accessible hosts. It can be downloaded from http://omerez.com/eternalblues/.
When I tested this at my home network, it found that none of my Win10 pcs were vulnerable, and that only my wlan router was offering file sharing via smbv1. So I guess now I’ll have to figure out if it can be forced to use only smbv2/3. 🙂
nmap 7.6 added SMB tests which now cover this, you can run:
nmap -p 445 --script smb-protocols,smb-security-mode,smb2-capabilities,smb2-security-mode
and it’ll show which versions of SMB the server’s offering and how SMB’s configured.
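The “truth is on the wire” check asked for above, as an added example that is not from the post or its comments (the nmap scripts just mentioned do the same job): it sends one SMB1 Negotiate Protocol request offering only the NT LM 0.12 dialect and reports whether the host answered with an SMB1 negotiate reply, which is what an SMB1-enabled server does, or closed the connection, which is what a host with SMB1 disabled does. The target host names, the PID value and the message classification names are this example’s own.

```python
"""Check whether a host still offers SMB1 on TCP 445 by negotiating on the wire.

Added example, not code from the blog post or from Microsoft. It offers only the
SMB1 "NT LM 0.12" dialect; a server that answers with an SMB1 Negotiate reply is
still speaking SMB1, while a server with SMB1 disabled closes or resets the
connection. Only the Python standard library is used.
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
NT_LM_012 = b"NT LM 0.12"


def build_smb1_negotiate(pid: int = 0x1234) -> bytes:
    """Return an SMB1 NEGOTIATE request (MS-CIFS 2.2.4.52) wrapped in a NetBIOS
    session-service header, offering only the NT LM 0.12 dialect."""
    header = SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH",
        SMB_COM_NEGOTIATE,  # Command
        0,                  # Status
        0x18,               # Flags: canonical paths, case-insensitive
        0xC853,             # Flags2: unicode, NT status, long names, ext. security
        0,                  # PIDHigh
        b"\x00" * 8,        # SecurityFeatures
        0,                  # Reserved
        0,                  # TID
        pid & 0xFFFF,       # PIDLow (placeholder value)
        0,                  # UID
        0,                  # MID
    )
    dialects = b"\x02" + NT_LM_012 + b"\x00"     # BufferFormat 0x02 + NUL-terminated
    body = struct.pack("<BH", 0, len(dialects)) + dialects  # WordCount=0, ByteCount
    smb = header + body
    # NetBIOS session header: type 0x00 (session message) then 24-bit length
    return struct.pack(">I", len(smb)) + smb


def classify_negotiate_response(data: bytes) -> str:
    """Classify the bytes a server returned after our SMB1 NEGOTIATE.

    "smb1"       SMB1 Negotiate reply selecting NT LM 0.12: SMB1 is offered
    "smb1-other" SMB1 framing but DialectIndex 0xFFFF: an SMB1 stack answered
    "smb2"       an SMB2 frame came back (only possible if SMB2 dialects are offered)
    "none"       nothing returned: connection closed/reset, no SMB1 service
    "unknown"    something that is not an SMB Negotiate reply
    """
    if not data:
        return "none"
    if len(data) < 4:
        return "unknown"
    smb = data[4:]                      # strip the NetBIOS session header
    if smb[:4] == SMB2_MAGIC:
        return "smb2"
    if len(smb) < 35 or smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return "unknown"
    if not smb[9] & 0x80:               # Flags bit 7 = SMB_FLAGS_REPLY
        return "unknown"
    if smb[32] == 0:                    # WordCount 0: no DialectIndex present
        return "unknown"
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    if dialect_index == 0xFFFF:
        return "smb1-other"
    return "smb1" if dialect_index == 0 else "smb1-other"


def probe_smb1(host: str, port: int = 445, timeout: float = 3.0) -> str:
    """Connect, send the SMB1 NEGOTIATE, and classify the reply."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:              # port closed, host unreachable, etc.
        return f"error: {exc}"
    with sock:
        try:
            sock.sendall(build_smb1_negotiate())
            data = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            # A reset or silence after the request is what an SMB1-disabled
            # Windows host does; report it as no SMB1 answer.
            return "none"
    return classify_negotiate_response(data)


if __name__ == "__main__":
    import sys
    # Example targets are placeholders; pass your own hosts on the command line.
    for target in sys.argv[1:] or ["fileserver.example.internal"]:
        print(f"{target}: {probe_smb1(target)}")
```

A result of "smb1" on a server you believe you have hardened means the registry value or feature removal has not taken effect there; re-check it as described in the replies above.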
Windows Embedded Standard 2009 (WES09) and POSReady 2009 still using SMBv1? ;)
Only if you don’t need SMBv1 can you disable it.
In doubt… waiting for something to go wrong… isn’t an option (for me).
Thanks, I forgot all about this one! Updated list.
Hey Ned, really great to see lots of posts from you. I am having a similar problem wherein I have SMB1 running on legacy 2000 and XP systems that host legacy applications. Can you let me know what the workaround for this is?
1. Is there any third-party feature installation that can be done on these (I know that we don’t have any patches from MS but still wanted to check)?
2. Is there any workaround if we disable SMB1 on servers, with any tweaks to the systems?
No workaround, those systems must be upgraded/replaced. I don’t know of any third parties in this space that retrofit Windows itself (nor that do so for Linux versions that are 17 years old either, tbh).
Encryption and security downgrade prevention hadn’t been made until SMB3?
what did they even do in SMB2?
Made 85% of what comprises SMB3.
Given the release of several SMB1 related patches by MS recently, is the continued use of SMB1 still considered a security vulnerability or have these updates resolved the concerns?
If you patch, you are closing those specific vulnerabilities in the server portion of SMB1 (I mean the server service, not the server OS – i.e. the part that creates shares). So you won’t get infected by wannacry, for instance. But we deprecated SMB1 a long time ago for other security reasons that cannot be fixed; they’re just inherent to the client protocol. So we still highly recommend removing SMB1 so that you aren’t as vulnerable to MitM attacks, for instance.
SMB1 itself is removed from most SKUs and editions in the next RS3 release. With some minor exceptions. This is in the RS3 flighting release notes and I have a KB coming shortly.
Problem is, Android does not support it yet – probably deliberately.
Google only gains by not supporting SMB v2, because it makes Windows look bad when it gets compromised. The ugly face of capitalism.
Disabling SMB1 breaks the Network Neighborhood.
In a network with only Windows 10 clients with SMB1 disabled, you will see the other clients as usual in Network Neighborhood but double clicking on any of them will give the beloved “Windows cannot access \\clientname” error with “The network path was not found” in the details.
Is there a way to re-enable browsing the Network Neighborhood without having to re-enable SMB1?
Thank you and kind regards,
Gerd
Nope.
That is really great news. It means nothing more and nothing less than that you will break your entire home network (access to file shares) if you disable SMB1.
What do you advise to be used instead of file shares/shared network drives? FTP? Really?
This is only true if your home network requires SMB1. This has been explained in this article and in https://support.microsoft.com/fr-dz/help/4034314/smbv1-is-not-installed-by-default-in-windows-10-rs3-and-windows-server
To the guys who advised switching to SQL in place of ISAM – even if that were possible, which it is not:
The arguments against SMB1 apply to SQL, but in spades. It was developed in the days of mainframes, when physical computer security meant that there was no real need to protect against malicious database operators. It is totally unsuited to use on the Internet.
Strangely, in the early PC days we had databases which didn’t suffer from code injection, but on deciding to use databases for Web backends the clock was put back way into history, and SQL chosen. A really unwise choice, and one which is responsible for the majority of hacked and malware-ridden websites on the planet.
If any piece of software needs to be eradicated in the interests of security, it is (non-transactional) SQL. Yet, it ain’t happening. Why not, I ask?
http://www.explainxkcd.com/wiki/index.php/327:_Exploits_of_a_Mom
Only the last frame should read: “..and I hope you’ve learned that if you use SQL, just one tiny oversight can spell disaster.. So for heaven’s sake, STOP using it!”
Should have been removed 15 years ago!! You are begging people not to use it but will still be partially installed on some versions of Windows. STOP begging and kill off SMBv1 already!!
We did. See RS3 release notes.
If MS was serious about SMBv3’s security needs, they’d release it for Win7+8.
If you were serious about your computer’s security needs, you’d buy Windows 10.
See, I can be snarky too. 🙂 We’re running a business here, L.
SMBLoris is going to hurt large enterprises that still need SMB1:
http://securityaffairs.co/wordpress/61530/hacking/smbloris-smbv1-flaw.html
“The attack triggers the memory saturation for NBSS and it is necessary to reboot the server in order to restore a normal operation.”
It sounds like a single host can shut down many, many file servers very quickly with this exploit.
Is the patch refusal final?
This article is mistaken, the issue has nothing to do with any SMB version; it affects Negotiate, so even before SMB version is decided.
Internet-facing servers should be in a DMZ. Any servers in a DMZ should not allow SMB inbound from the internet. To prevent this attack, do not allow internet systems to contact machines from the internet over SMB. This advice is a best practice for all protocols, not just SMB.
I just found out about this because of a code project mail.
About 1 year later …. 🙁
I took action immediately.
Is there a mailing list available where I get *all* information about possible security issues that aren’t patched and how to solve them (without any other information)?
Hi Ned,
Is there any chance you can reissue this blog post?
Our business is run on broker software that still uses SMBv1 and their response to this blog, was “it’s been patched…”
I’ve seen the comment relating to placing the servers in a DMZ, so we will implement that, but how can I encourage said software manufacturer to fix their s**t?
If you tell me the vendor that requires SMB1 with a pointer to documentation, I am happy to throw their name and info up on https://aka.ms/stillneedssmb1
SMB V1 support will be removed from Win10 in FCU (Redstone-3).
But this is a “Feature update” I Guess, so this only applies to CB and CBB channels.
So the LTS channel will still have SMB1 ?
Check out https://aka.ms/smb1rs3. It will be in all channels, the real “will it or won’t it” comes down to edition and upgrade/vs clean
Great Post!!!
Hi Ned,
For some Unix flavours (RHEL6) you need SMBv1, because a higher version is just not supported. And we run a couple of those with some applications from a vendor that just supports RHEL6. And business-wise we cannot decommission those apps.
If we disable SMBv1 just on our Windows clients (and keep it on the file servers), will that be enough of a safeguard from things like wannacry? We do have a closed End User Computing landscape, so we know they just use v3. But sometimes legacy cannot be pushed away.
Regards,
Ronald
It’s not safe for the environment, as SMB1 will still be used on the Linux machines, and SMB1 has architectural flaws with security (like guest auth support and MitM). Also if you disable SMB1 on clients that need to talk to Linux, they will simply fail to communicate with them. If you at least disable the SMB1 server on your Windows machines, they will no longer be attackable via SMB1 RCE like Wannacry.
More to the point, SMB2/3 isn’t good, because of its enforced client-side caching of data which can’t be turned off at the server. Using SMB2/3 risks loss of mission critical data from any file based database on the LAN. The situation is worse for Windows 7-10 users than for XP users, who typically won’t hit this data corruption issue while the later systems will.
For the majority of businesses, corruption of data is THE security concern. Any development which increases the risk of that is BAD.
In any case, SMB should not be used over the Internet, so where is the MITM risk going to arise from? I think I’d notice a guy crawling around under my desk with wire snippers.
These statements about caching are untrue. Please explain where SMB2 is caching your documents and corrupting them – if that were true, I’d ask that you file a bug with us.
The MitM doesn’t have to be the internet. Your laptop that is domain joined is trying to use SMB whether or not you are in the office – to get to DCs for group policy, for instance; that you are on Starbucks wifi and there is an attacker listening there pretending to be your DC is a MitM attack. This is not theoretical, it’s why we created the UNC Hardening feature. And any device allowed on a switched network is now a potential MitM – there is no one under your desk.
Howdy this is somewhat of off topic but I was wondering if blogs use WYSIWYG editors or if you have to manually code with HTML.
I’m starting a blog soon but have no coding expertise so I wanted to
get advice from someone with experience. Any help would be greatly
appreciated!
This blog is just using WordPress’s editor.
Hi Ned,
I am using WNetOpenEnum and WNetEnumResource to discover network resources.
In my test, I found disabling SMB1 would cause failure of the EnumResource function.
The packet capture shows that the SMB negotiate packet was reset by the server.
Is there an alternate way to do so?
Would the Microsoft Windows browser protocol not work anymore with SMB1 disabled?
Thanks
YITU
Are you disabling SMB1 on the client or server?
Browser (aka bowser) no longer works when SMB1 is removed, correct. It is removed by SMB1 removal.
After disabling SMB1 our DOS EPOS system can’t print. The printer is shared by using the command `net use lpt2 \\till3\BrotherHL /persistent:yes`. Is there any workaround?
Stop using DOS
If HP, to name a notably serious offender, stopped building brand new consumer- and SMB-targeted MFPs that require SMBv1 tomorrow, there would still be brand new HP MFPs being sold 18 months or more from now to unsuspecting end users who expect them to be able to save scans and received faxes to a shared folder just like the user’s guide says it can and won’t know squat about re-installing SMBv1 support. There is zero sign HP is about to stop building new consumer MFPs that require SMBv1 tomorrow or anytime soon. I don’t doubt Microsoft has been trying to tell HP and others to get off SMBv1 for six years or more. They aren’t listening, apparently. Maybe Microsoft should run some “Don’t buy HP MFPs before reading this” ads this holiday season–since HP only admits this problem in an obscure support note. Of course, HP is a YUUGE Microsoft customer, so this probably isn’t in the cards.
At least one of these postings pass this problem off as one somehow unique to owners of antiquated MFPs and routers and similar. Many very recently introduced models consumers are yet to buy are also dependent on SMBv1. HP, to name one, probably has no models stacked high on the floor of your neighborhood BestBuy or Costco that *don’t* require SMBv1.
Is it safe to use the Windows 10 1709 SMBv1 Client on a home network? (Leaving the Server disabled)
It’s not safe to me, but it might be to you. 🙂 I only recommend leaving it enabled if you have some 3rd party device you are connecting to that only supports SMB1. And I would strongly recommend instead upgrading or replacing that third party – they do not care about basic network security if they require SMB1, which implies they don’t care about any security for your data. 🙁
That’s how it is for most devices – they update the firmware once or twice and then forget about it. Once a device has been sold, it’s not the manufacturer’s problem anymore. Which is what makes the Internet of Things so scary.
The SMB1 eradication programme is successfully underway in networks I manage!
A couple of points about network browsing using the Function Discovery Provider Host and Function Discovery Resource Publication services:
1) MSDN documentation implies that Function Discovery is deprecated. Please don’t do this! There are many users (particularly in small businesses, where training and full-time systems administration is unavailable, and a relatively high proportion of users are barely computer literate) who depend on accessing network shares through Network Neighborhood. It’s muscle memory.
2) The article mentions setting the start type for these services to Automatic. This isn’t good advice. Delayed Start is better, because Automatic introduces a race condition – if the computer’s starting up and the network isn’t available when the Function Discovery services are started, they’ll immediately stop again. It would be very useful if Microsoft could modify these services to trigger start / stop depending on when a network is available.
Hi,
I got a question from one of our customers regarding SMB1 deactivation and I could not find anything.
Is it possible to deactivate SMB1 only on one network card if two or more cards exist on the server?
Many thanks
jo
No, it’s a service & driver. It’s not per network interface – all or nothing.
Microsoft Windows 10 Pro
Version 10.0.16299 Build 16299
Microsoft recently updated all my local SOHO Windows 10 Pro computers to Version 10.0.16299 Build 16299.
The D: partition of computer MAXIMUS (IP address 10.0.0.2) is shared as “\\MAXIMUS\Maximus-Data” so my other Windows 10 Pro local computers can access it.
I do NOT have Active Directory. I use a local account – not a Microsoft account.
Before the update, my network worked OK. After the update, nothing works.
After the update, I see that SMB 1.0/CIFS File Sharing Support is now unchecked in “Turn Windows features on or off”.
In PowerShell ISE (Run as administrator), Get-SmbServerConfiguration | Select EnableSMB2Protocol says True.
On MAXIMUS which has IP address 10.0.0.2, “Map network drive” refuses to connect with either “\\MAXIMUS\Maximus-Data” or “\\10.0.0.2\Maximus-Data”. I get the dreaded “Windows cannot access \\10.0.0.2\Maximus-Data”. Obviously, if I cannot map the network drive on MAXIMUS itself, the other local computers cannot either.
*** Verifications ***
Start | cmd | Run as administrator
When the command prompt opens, type the following:
sfc /scannow
There is no error.
Start | Credential Manager | Windows Credentials
MAXIMUS appears in Windows Credentials.
*** Settings ***
Network is in Private mode.
I rebooted Comcast router to factory settings.
I use Microsoft Windows Defender.
All computers are connected to same Homegroup.
I NEVER used Norton or McAfee.
Private (current profile)
Network discovery (Enabled)
File and printer sharing (Enabled)
HomeGroup connections (Enable – Use user accounts and passwords to connect to other computers)
All Networks
Public folder sharing (Enable – Turn on sharing so anyone with network access can read and write files in the Public folders)
File sharing connections (Enable – Use 128-bit encryption to help protect file sharing connections)
Password protected sharing (Enable – Turn on password protected sharing)
Note: All computers use same User profile and password which show in the Credential Manager.
*** The following measures did not work. ***
Start | cmd | Run as administrator
When the command prompt opens, type the following:
ipconfig /flushdns
ipconfig /registerdns
ipconfig /release
ipconfig /renew
netsh winsock reset
Reboot computer.
Did not fix problem.
Start | Network link | Network and Sharing Center
Click Network reset.
Reboot computer.
Did not fix problem.
I reset the Windows Defender Firewall for the private network.
Did not fix problem.
I disabled the Windows Defender Firewall for the private network.
Did not fix problem.
For All Networks, I changed to Turn off password protected sharing.
Did not fix problem.
*** Summary ***
The Windows update forced me to “Stop using SMB1”.
But now I cannot map to Maximus-Data which is absolutely necessary for my users.
Any feedback is appreciated. Thanks
Hi. Please open a support case if you haven’t done so already. Upgrading Pro does not disable SMB1 unless no one uses it for more than 2 weeks.
My previous attempt appears to have disappeared so I’ll try again and see what happens.
In the original post it says:
“Explorer Network Browsing
The Computer Browser service relies on SMB1 in order to populate the Windows Explorer Network (aka “Network Neighborhood”). This legacy protocol is long deprecated, doesn’t route, and has limited security. Because it cannot function without SMB1, it is removed at the same time.
However, some customers still use the Explorer Network in home and small business workgroup environments to locate Windows computers. To continue using Explorer Network, you can perform the following steps on your Windows computers that no longer use SMB1:
1. Start the “Function Discovery Provider Host” and “Function Discovery Resource Publication” services and set them to delayed start.”
The screen grab below shows those services set to Manual. Which is correct?
If the Network folder isn’t meant to function anymore, what is the intended method of network management in small LANs, and where can we find it described and how to set it up?
The screenshot is “before”, you are the after. 🙂
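Both the comment above about the Function Discovery services (points 1 and 2, Automatic vs. Delayed Start) and this question about Manual vs. delayed start come down to the same configuration step. The following is an added example, not code from the post or from either commenter: it puts the two services into the delayed-auto-start state the post recommends, starts them, and then reads back the effective state so the race condition the earlier commenter describes (services started before the network is up) can be confirmed fixed. The service names fdPHost (Function Discovery Provider Host) and FDResPub (Function Discovery Resource Publication) are the real Windows names; run it elevated.

```powershell
# Added example (not from the blog post or its commenters).
# Set the two Function Discovery services to delayed automatic start so the
# Explorer Network view keeps working on machines that no longer have SMB1.
# fdPHost  = Function Discovery Provider Host
# FDResPub = Function Discovery Resource Publication

$services = 'fdPHost', 'FDResPub'

foreach ($name in $services) {
    # sc.exe is used because Set-Service in Windows PowerShell 5.1 has no
    # delayed-start option (PowerShell 7 adds -StartupType AutomaticDelayedStart).
    # The space after "start=" is required by sc.exe's argument syntax.
    & sc.exe config $name start= delayed-auto | Out-Null

    # Start it now; with delayed-auto the service will also start after the
    # network is up on subsequent boots instead of racing it.
    Start-Service -Name $name -ErrorAction SilentlyContinue
}

# Verify: StartType 'Automatic' plus DelayedAutoStart = 1 under the service's
# registry key is what Services.msc displays as "Automatic (Delayed Start)".
foreach ($name in $services) {
    $svc = Get-Service -Name $name
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $delayed = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DelayedAutoStart

    [pscustomobject]@{
        Service          = $svc.DisplayName
        Status           = $svc.Status
        StartType        = $svc.StartType
        DelayedAutoStart = ($delayed -eq 1)
    }
}
```

If the verification shows StartType Manual (as in the screenshot the commenter refers to), the services have not yet been reconfigured; a Status of Stopped after a reboot with DelayedAutoStart false is the symptom of the race the earlier commenter describes.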
Ned, hope you don’t mind a couple of very basic questions about SMB.
Using the PowerShell commands that I found on the below website, I seem to have established that SMB1 was NOT operative on my W7 Ultimate 64bit computer. This was also borne out by the lack of an SMB1 entry in the LanmanServer\Parameters section of the Registry. I’m guessing it was disabled by the MS update that followed the WannaCry attack.
So I’m guessing its absence is correct.
But oddly, SMB2 wasn’t listed in LanmanServer\Parameters, either. So I enabled it with Powershell, and after a reboot, it’s now showing in the Registry. However, there’s nothing about any version of SMB in the Lanman Workstation Parameters.
Question 1 then: Does SMB2 need enabling in the Workstation Parameters also?
Question 2: I’m getting the impression that whether these protocols are enabled or not, they still exist within the OS?
Question 3: Does ‘Samba’ have any association with SMB protocols, or is that name just coincidental?
Many thanks,
Mike
‘https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and’
Hi
1. We don’t do anything to Windows 7; you have to disable it yourself. Only when you move to Windows 10 do we start automatically removing (or never installing) SMB1. Windows 7 is in its extended hands-off phase. In 18 months it will cease to be supported at all, so I really recommend moving to Windows 10.
You don’t need to do anything to SMB2 on Windows 7 and shouldn’t do anything to it, just leave it running. 🙂
2. On Windows 7, yes. On Windows 10, no. You can actually remove them from Windows 10 (and Win8, although hardly anyone uses that OS).
3. Yes, Samba contains the open source version of SMB server that you can run on operating systems like Linux. It has many versions and is quite mature. It has more than just SMB (it can also emulate a Windows Domain Controller, for instance).
Hi Ned,
We have an application that seems to get impacted when SMB1 is disabled and Windows SMB file clustering is used. I would like to throw out a behavior change we noticed with Windows updates since early 2017 (WannaCry patching days).
We have Windows 2012 R2 based SMB Clustered shares where software writes a lot of data. Quorum disk and data disk are attached to another Windows 2008 host as iSCSI disks.
1. If we build fresh SMB cluster for file shares, no windows updates are done, everything works perfectly in terms of writing data to file shares.
2. Once we patch cluster nodes with all windows updates (till Oct 2018), we see that while writing files work that used to complete in milliseconds before windows updates now takes 4 minutes and 20 seconds (approximately) every time. Does not matter small file or large file is written.
3. If we install SMBv1, the issue still exists if “Continuous Availability” is enabled. If we remove CA then the issue goes away.
4. If SMBv1 is removed, it does not matter if CA is enabled or not, the issue would exist.
5. If we choose to access file share without cluster name being involved e.g. \\IPofActiveNode\E$\SharedFolder then issue is not observed but defeats purpose of clustering.
I did network trace as well, I see real writing happens at the end within milliseconds using ISCSI calls whereas there is something happening before that which I am unable to put my finger on.
There are no anti virus or anything else that is holding locks on the files. I am trying to find out what gets used in the code to write the files which could be causing clustered file shares to behave so badly. All I know so far is that application performs unbuffered writes.
I built a lab using virtual iSCSI disks on VMware as well, as opposed to iSCSI disks from a storage vendor attached to the host, and both setups show the same issue. I do not need to write a lot of data to reproduce; I can reproduce while writing 1-2 files. It seems there is something that went into Windows updates which is causing the issue. In the past one of the sites decided to pursue with MS support, but since normal Windows copy operations and tools like Robocopy were not running into the issue, it didn’t go anywhere.
Would you know if there is any such issue reported or anyone who would have come across it? Or anything that I could check from my end?
I’ve not had anyone report similar behavior. I recommend opening a support case with us, get some extra eyes on the investigation.
Hi I have a query which I hope you can help with!
I have uninstalled SMB 1.0/CIFS through Server Manager – Remove Features. No issues there, clearly shows up as not installed after a reboot.
However, after rebooting the Server (2012R2 & 2016) and running “Get-SmbServerConfiguration” it displays:
EnableSMB1Protocol:True
If I then run this cmdlet “Set-SmbServerConfiguration -EnableSMB1Protocol $false” it does indeed set it to
EnableSMB1Protocol:False
Would you be able to advise as to why I am seeing this, or having to take this step, even though I have used Server Manager – Remove Feature to disable SMBv1?
Many Thanks in advance!!
It’s a cosmetic bug we first fixed in Version 1709. If you uninstalled SMB1, we were not updating the state of that query – but SMB1 was really gone, nonetheless.
Thanks for the clarification Ned. Much appreciated.
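Two threads above hinge on the same question: is SMB1 actually present and in use on this box? The Windows 10 Pro poster was told the upgrade only removes SMB1 after two weeks of non-use, and the Server Manager poster saw the feature reported as removed while EnableSMB1Protocol still said True (the cosmetic bug Ned mentions, fixed in 1709). The following is an added example, not Ned's or any commenter's code: it reads the three places SMB1 state is recorded (the feature/optional feature, the SMB server configuration flags, and the SMB1 driver services themselves) so they can be compared, and lists any live sessions still negotiating an SMB1 dialect. It assumes the standard Windows cmdlets Get-SmbServerConfiguration, Get-WindowsFeature (Server), Get-WindowsOptionalFeature (client SKUs) and Get-SmbSession, and the real driver service names mrxsmb10 (SMB1 client) and srv (SMB1 server). Run it elevated.

```powershell
# Added example (not from the blog post or its commenters).
# Reconcile the places SMB1 state shows up, since they can disagree.

function Get-Smb1State {
    $server = Get-SmbServerConfiguration

    # Feature installation state differs by SKU: Server uses Get-WindowsFeature
    # (FS-SMB1); client SKUs use Get-WindowsOptionalFeature (SMB1Protocol).
    $featureState = 'Unknown'
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $f = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue
        if ($f) { $featureState = if ($f.Installed) { 'Installed' } else { 'Removed' } }
    }
    elseif (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($f) { $featureState = [string]$f.State }
    }

    # The drivers are the ground truth: if the service objects are gone, SMB1 is
    # really gone regardless of what the configuration flag reports.
    $client = Get-Service -Name mrxsmb10 -ErrorAction SilentlyContinue   # SMB1 client redirector
    $srv    = Get-Service -Name srv      -ErrorAction SilentlyContinue   # SMB1 server driver

    [pscustomobject]@{
        FeatureState       = $featureState
        EnableSMB1Protocol = $server.EnableSMB1Protocol
        EnableSMB2Protocol = $server.EnableSMB2Protocol
        AuditSmb1Access    = $server.AuditSmb1Access
        Smb1ClientDriver   = if ($client) { [string]$client.Status } else { 'NotPresent' }
        Smb1ServerDriver   = if ($srv)    { [string]$srv.Status }    else { 'NotPresent' }
    }
}

# Which clients are still talking SMB1 to this server right now?
# Dialect below 2.0 means the session negotiated SMB1.
function Get-Smb1Sessions {
    Get-SmbSession -ErrorAction SilentlyContinue |
        Where-Object { [version]$_.Dialect -lt [version]'2.0' } |
        Select-Object ClientComputerName, ClientUserName, Dialect
}

$state = Get-Smb1State
$state | Format-List

# Only when the feature really is gone but the flag still reads True (the pre-1709
# cosmetic bug) is this needed; otherwise it is harmless and simply confirms the state.
if ($state.FeatureState -in 'Removed', 'Disabled' -and $state.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# Before removing SMB1 from a server that others depend on, enable auditing for a
# while and watch Event ID 3000 in Microsoft-Windows-SMBServer/Audit; the live
# session list below is the instantaneous view of the same question.
Get-Smb1Sessions | Format-Table -AutoSize
```

For the Windows 10 Pro scenario, a Smb1ClientDriver of NotPresent together with a share that only opens after re-enabling SMB1 points at the share's server rather than the client; a server that shows Smb1ServerDriver NotPresent and no SMB1 sessions can be left with EnableSMB1Protocol False without affecting anyone.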