Ned Pyle, Principal Program Manager in the Microsoft Windows Server team, has made a solid case for the retirement of the SMBv1 protocol from active duty and is pleading with organizations to stop using it.
The Server Message Block protocol provides shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. Like most protocols these days, it has gone through a series of iterations and is currently at version 3.1.1.
Pyle: Stop using SMB1. For your children. For your children’s children.
Pyle, the Microsoft engineer tasked with SMB maintenance, has gone on an epic rant on the Microsoft blogs, and with good arguments, if we can say so ourselves, hinting that anyone still deploying the protocol is just looking for trouble.
What caused this rant? It was a recent Microsoft security bulletin issued last week, MS16-114, which addressed denial-of-service and remote execution vulnerabilities in Microsoft's SMBv1 implementation for several Windows versions.
"If you need this security patch, you already have a much bigger problem: you are still running SMB1," Pyle began his argument.
“The original SMB1 protocol is nearly 30 years old, and like much of the software made in the 80’s, it was designed for a world that no longer exists. A world without malicious actors, without vast sets of important data, without near-universal computer usage. Frankly, its naivete is staggering when viewed though [sic] modern eyes. I blame the West Coast hippy lifestyle.”
Pyle: SMB1 isn’t usually necessary
Furthermore, the Microsoft engineer explains that since Windows XP and Windows Server 2003 are no longer officially supported, SMBv1 should not be a minimum requirement in any modern enterprise network, unless the company is still running really ancient systems.
The fact that Microsoft still has to fix SMBv1 issues for Windows 8.1, Windows RT 8.1, and Windows Server 2012 means that a lot of companies are still deploying it in their networks, something that should not happen in the engineer's view.
Pyle lists a series of security features that make SMBv2 and higher versions must-use tools, instead of SMBv1:
- Pre-authentication Integrity (SMB 3.1.1+). Protects against security downgrade attacks.
- Secure Dialect Negotiation (SMB 3.0, 3.02). Protects against security downgrade attacks.
- Encryption (SMB 3.0+). Prevents inspection of data on the wire, MiTM attacks. In SMB 3.1.1 encryption performance is even better than signing!
- Insecure guest auth blocking (SMB 3.0+ on Windows 10+). Protects against MiTM attacks.
- Better message signing (SMB 2.02+). HMAC SHA-256 replaces MD5 as the hashing algorithm in SMB 2.02, SMB 2.1 and AES-CMAC replaces that in SMB 3.0+. Signing performance increases in SMB2 and 3.
“The nasty bit is that no matter how you secure all these things, if your clients use SMB1, then a man-in-the-middle can tell your client to ignore all the above. All they need to do is block SMB2+ on themselves and answer to your server’s name or IP. Your client will happily derp away on SMB1 and share all its darkest secrets unless you required encryption on that share to prevent SMB1 in the first place. This is not theoretical – we’ve seen it. We believe this so strongly that when we introduced Scaleout File Server, we explicitly prevented SMB1 access to those shares!”
Pyle's advice: Remove SMBv1 from all the things!
Pyle is providing instructions on how to remove SMBv1 on Windows 8.1 and Windows Server 2012 R2. He says that the removal process is easy but time-consuming.
"A key point: when you begin the removal project, start at smaller scale and work your way up," Pyle says. "No one says you must finish this in a day."
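The removal project described above, and the share-encryption mitigation Pyle mentions in his quote about the downgrade trick, can both be driven from PowerShell. The script below is an added example written for this article, not code from Pyle's blog post or from Microsoft; it assumes an elevated PowerShell session on a Windows Server 2012 R2 or 2016 file server with the built-in SmbShare module, and the share name 'Finance' is a placeholder.

```powershell
# Added example (not from Pyle's post): inventory, mitigate, then remove SMB1 on a file server.
# Assumes an elevated session on Windows Server 2012 R2 / 2016 with the SmbShare module present.

# 1. Is the server-side SMB1 protocol still on? Also show the global encryption settings.
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, EncryptData, RejectUnencryptedAccess

# 2. Which clients are still negotiating SMB1? Dialect is reported as a version string
#    ("2.02", "2.1", "3.0", "3.02", "3.1.1" for SMB2/3). Anything below 2.0 is an SMB1 session
#    and that client must be upgraded or replaced before step 5, or it loses access.
#    This is the "start at smaller scale" inventory: run it for a while before removing anything.
Get-SmbSession |
    Where-Object { [version]$_.Dialect -lt [version]'2.0' } |
    Select-Object ClientComputerName, ClientUserName, Dialect |
    Sort-Object ClientComputerName -Unique

# 3. Require encryption on a sensitive share. Pyle's point: an encrypted share cannot be
#    accessed over SMB1 at all, so a client that has been downgraded to SMB1 simply fails
#    instead of sending data in the clear. 'Finance' is a placeholder share name.
Set-SmbShare -Name 'Finance' -EncryptData $true -Force

# 4. Turn the SMB1 server off. Takes effect immediately, no reboot, and is reversible
#    by setting it back to $true if something unexpected breaks during the pilot.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 5. Once nothing has broken, remove the SMB1 binaries entirely (requires a restart).
#    Windows Server 2012 R2 / 2016:
Remove-WindowsFeature -Name FS-SMB1
#    Windows 8.1 / Windows 10 clients use the optional-feature cmdlet instead:
# Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
```

Run steps 1 and 2 on their own first and keep the step 2 output for a few weeks; it is the list of machines that will stop working when step 5 runs. Step 4 is the cheap, reversible gate that lets a small pilot group prove nothing depends on SMB1 before the feature is uninstalled.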
Running SMB1 is like taking your grandmother to prom: she means well, but she can't really move anymore. Also, it's creepy and gross — Ned Pyle (@NerdPyle) September 16, 2016
Day 700 without SMB1 installed: nothing happened. Just like last 699 days. Because anyone requiring SMB1 is not allowed on my $%^&%# network — Ned Pyle (@NerdPyle) September 13, 2016