Sysadmins should remove or disable SMBv1

Sep 20, 2016 22:05 GMT  ·  By

Ned Pyle, Principal Program Manager in the Microsoft Windows Server team, has made a solid case for the retirement of the SMBv1 protocol from active duty and is pleading with organizations to stop using it.

The Server Message Block protocol provides shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. Like most protocols these days, it has gone through a series of iterations and is currently at version 3.1.1.

Pyle: Stop using SMB1. For your children. For your children’s children.

Pyle, the Microsoft engineer responsible for SMB, has gone on an epic rant on the Microsoft blogs, and with good arguments, if we may say so, hinting that anyone still deploying the protocol is just looking for trouble.

What caused this rant? A Microsoft security bulletin issued last week, MS16-114, which addressed denial-of-service and remote code execution vulnerabilities in Microsoft's SMBv1 implementation for several Windows versions.

"If you need this security patch, you already have a much bigger problem: you are still running SMB1," Pyle began his argument.

  The original SMB1 protocol is nearly 30 years old, and like much of the software made in the 80’s, it was designed for a world that no longer exists. A world without malicious actors, without vast sets of important data, without near-universal computer usage. Frankly, its naivete is staggering when viewed through modern eyes. I blame the West Coast hippy lifestyle.  

Pyle: SMB1 isn’t usually necessary

Furthermore, the Microsoft engineer explains that since Windows XP and Windows Server 2003 are no longer officially supported, SMBv1 shouldn't be a minimum requirement in any modern enterprise network, unless the company is still running really ancient systems.

The fact that Microsoft still has to fix SMBv1 issues for Windows 8.1, Windows RT 8.1, and Windows Server 2012 means that a lot of companies are still deploying it in their networks, something that should not happen in the engineer's view.

Pyle lists a series of security features that make SMBv2 and later versions must-use tools instead of SMBv1:

But using SMBv2 or higher is not all that's needed. Pyle says that even if companies deploy modern versions of the protocol, their networks remain vulnerable as long as SMBv1 is left enabled on their computers.

  The nasty bit is that no matter how you secure all these things, if your clients use SMB1, then a man-in-the-middle can tell your client to ignore all the above. All they need to do is block SMB2+ on themselves and answer to your server’s name or IP. Your client will happily derp away on SMB1 and share all its darkest secrets unless you required encryption on that share to prevent SMB1 in the first place. This is not theoretical – we’ve seen it. We believe this so strongly that when we introduced Scaleout File Server, we explicitly prevented SMB1 access to those shares!  

Pyle's advice: Remove SMBv1 from all the things!

Pyle is providing instructions on how to remove SMBv1 on Windows 8.1 and Windows Server 2012 R2. He says that the removal process is easy but time-consuming.

"A key point: when you begin the removal project, start at smaller scale and work your way up," Pyle says. "No one says you must finish this in a day."
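The two practical measures the article touches on, requiring encryption on a share so an SMB1 client is refused rather than downgraded, and auditing and removing the SMB1 component on Windows 8.1 and Windows Server 2012 R2, can be scripted with the built-in SMB and feature-management cmdlets. The following PowerShell is an added example and is not taken from Pyle's blog post or from Microsoft documentation; the share name "Finance" is a constructed placeholder, and the script assumes it is run in an elevated session on the machine being checked.

```powershell
# Added example: audit and harden SMB1 on a Windows 8.1 / Server 2012 R2 host.
# Run from an elevated PowerShell session. "Finance" is a placeholder share name.

# --- 1. Audit: is the SMB1 server protocol still enabled, and is encryption on? ---
$cfg = Get-SmbServerConfiguration
[PSCustomObject]@{
    SMB1Enabled      = $cfg.EnableSMB1Protocol   # $true means SMB1 is still served
    EncryptData      = $cfg.EncryptData          # server-wide SMB3 encryption
    RejectUnencrypted = $cfg.RejectUnencryptedAccess
} | Format-List

# Which shares would still accept an unencrypted (and therefore SMB1-capable) session?
Get-SmbShare | Where-Object { -not $_.EncryptData -and $_.Name -notmatch '\$$' } |
    Select-Object Name, Path, EncryptData

# --- 2. Mitigate the downgrade: require encryption on a sensitive share. ---
# A client that cannot negotiate SMB3 encryption (any SMB1 client) is refused,
# which is the behaviour Pyle describes for shares that "required encryption".
Set-SmbShare -Name 'Finance' -EncryptData $true -Force

# --- 3. Stop serving SMB1 immediately (takes effect without a reboot). ---
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# --- 4. Remove the SMB1 component so it cannot be turned back on by accident. ---
$isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1
if ($isServer) {
    # Windows Server 2012 R2: SMB1 is a removable role feature named FS-SMB1.
    if ((Get-WindowsFeature -Name FS-SMB1).Installed) {
        Uninstall-WindowsFeature -Name FS-SMB1
    }
} else {
    # Windows 8.1: SMB1 is the optional feature SMB1Protocol.
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    if ($feat.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    }
}

# --- 5. Client side: stop the SMB1 redirector so this host never speaks SMB1 outbound. ---
# The workstation service must no longer depend on mrxsmb10 before the driver is disabled.
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

Write-Host 'SMB1 disabled; a reboot is required for the component removal and client change to complete.'
```

Steps 1 and 2 are safe to run first across a pilot group, which matches Pyle's advice to start small: the audit shows which hosts and shares would break, and requiring encryption per share refuses SMB1 sessions without yet removing anything. Steps 3 to 5 are the actual removal; the client-side change in step 5 is what closes the downgrade path described in the quoted passage, since a host with no SMB1 redirector cannot be talked into SMB1 by a machine answering for the server's name.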