Fighting viruses and infrastructure, or disabling SMB v1
In the wake of the recent WannaCry ransomware epidemic, which exploits an SMB v1 vulnerability, advice to disable this protocol has again appeared online. Microsoft itself strongly recommended disabling the first version of SMB back in September 2016. But such a shutdown can have unexpected, even comical, consequences: I personally came across a company where, after the fight against SMB, the Sonos wireless speakers stopped playing.
Precisely to minimize the chance of shooting yourself in the foot, I want to recall the features of SMB and look in detail at what an ill-considered shutdown of its old versions can break.
SMB (Server Message Block) is a network protocol for remote access to files and printers. It is the protocol used when you connect to a resource via \\servername\sharename. Initially the protocol ran on top of NetBIOS, using UDP ports 137 and 138 and TCP ports 137 and 139. Starting with Windows 2000 it runs directly over TCP port 445. SMB is also used for joining and working in an Active Directory domain.
Besides remote access to resources, the protocol is also used for interprocess communication via named pipes. A process is addressed by the path \\.\pipe\name.
The first version of the protocol, also known as CIFS (Common Internet File System), was created back in the 1980s, but the second version appeared only with Windows Vista, in 2006. The third version came out with Windows 8. In parallel with Microsoft, the protocol was developed and updated in its open implementation, Samba.
Each new version added improvements aimed at speed, security and support for new functions, while support for the old protocols was kept for compatibility. Naturally, the older versions had, and still have, plenty of vulnerabilities, one of which is used by WannaCry.
| Version | Operating system | Added compared to the previous version |
| --- | --- | --- |
| SMB 2.0 | Windows Vista / 2008 | Number of protocol commands reduced from 100+ to 19; "pipelined" operation (sending further requests before the response to the previous one arrives); support for symbolic links; message signing with HMAC-SHA256 instead of MD5; larger cache and read/write blocks |
| SMB 2.1 | Windows 7 / 2008 R2 | Performance improvements; support for larger MTU values; BranchCache support (a mechanism that caches WAN requests on the local network) |
| SMB 3.0 | Windows 8 / 2012 | Transparent failover cluster with load balancing; Remote Direct Memory Access (RDMA) support; management via PowerShell cmdlets; VSS support; AES-CMAC signing; AES-CCM encryption; network shares as storage for Hyper-V virtual machines; network shares as storage for Microsoft SQL databases |
| SMB 3.02 | Windows 8.1 / 2012 R2 | Security and performance improvements; automatic cluster balancing |
| SMB 3.1.1 | Windows 10 / 2016 | AES-GCM encryption support; pre-authentication integrity check using a SHA-512 hash; mandatory secure dialect negotiation with SMB 2.x and later clients |
Assessing who might be affected
Seeing which version of the protocol is currently in use is simple: the Get-SmbConnection cmdlet shows it:
Cmdlet output for open network resources on servers with different versions of Windows.
The output shows that a client supporting all versions of the protocol connects with the highest version the server supports. Naturally, if the client supports only the old version of the protocol and that version is disabled on the server, the connection will not be established. On modern Windows systems you can enable or disable support for older versions with the Set-SmbServerConfiguration cmdlet, and view the current state like this:
Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol
Turn off SMBv1 on the server with Windows 2012 R2.
The result when connecting with Windows 2003.
Thus, by turning off the old, vulnerable protocol you can cut old clients off from the network. Besides Windows XP and 2003, SMB v1 is also used by a number of software and hardware products (for example, NAS devices on GNU/Linux running an old version of Samba).
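Before pulling the plug, it is worth finding out who actually still speaks SMB1 rather than guessing from a vendor list. The PowerShell below is an added example, not code from the original article: it combines the Get-SmbConnection / Get-SmbServerConfiguration checks from the text with the server-side session list and SMB1 access auditing. It assumes Windows 8 / Server 2012 or newer; step 4 (the AuditSmb1Access setting and the Microsoft-Windows-SMBServer/Audit log) additionally needs Windows 10 / Server 2016 or newer, and the regex on the event message is an assumption about its text.

```powershell
# Added example, not from the original article: take stock of SMB1 use before
# switching the protocol off. Assumes Windows 8 / Server 2012 or newer (SmbShare
# module); step 4 additionally needs Windows 10 / Server 2016 or newer.

# 1. Server side: is SMB1 even enabled on this host?
$cfg = Get-SmbServerConfiguration
"EnableSMB1Protocol = $($cfg.EnableSMB1Protocol); EnableSMB2Protocol = $($cfg.EnableSMB2Protocol)"

# 2. Outbound connections from this host, grouped by the negotiated dialect.
Get-SmbConnection |
    Group-Object Dialect |
    Select-Object @{ n = 'Dialect'; e = { $_.Name } }, Count,
                  @{ n = 'Servers'; e = { ($_.Group.ServerName | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# 3. Inbound sessions that negotiated a 1.x dialect: these clients cannot do better
#    and will lose access once SMB1 is disabled on this server.
Get-SmbSession |
    Where-Object { [version]$_.Dialect -lt [version]'2.0' } |
    Select-Object ClientComputerName, ClientUserName, Dialect

# 4. Turn on SMB1 access auditing and read back what it has recorded so far. Each
#    event 3000 in the Microsoft-Windows-SMBServer/Audit log describes one SMB1
#    client; the regex assumes the message text contains "Client Address: <ip>".
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } -ErrorAction SilentlyContinue |
    ForEach-Object { if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] } } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'ClientAddress'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

Auditing only records connections made after it was switched on, so leave it enabled for a few days (long enough to catch weekly backup jobs and scanners) and re-run step 4 before the cutoff.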
| Manufacturer | Product | Comment |
| --- | --- | --- |
| Barracuda | SSL VPN | |
| Barracuda | Web Security Gateway backups | |
| Canon | Scan to network share | |
| Cisco | WSA / WSAv | |
| Cisco | WAAS | Version 5.0 and later |
| F5 | RDP client gateway | |
| F5 | Microsoft Exchange Proxy | |
| Forcepoint (Raytheon) | "Some products" | |
| HPE | ArcSight Legacy Unified Connector | Old versions |
| IBM | NetServer | Version V7R2 and later |
| IBM | QRadar Vulnerability Manager | Version 7.2.x and later |
| Lexmark | MFP scanning to a network resource | Firmware eSF 2.x and eSF 3.x |
| Linux kernel | CIFS client | From 2.5.42 to 3.5.x |
| McAfee | Web Gateway | |
| Microsoft | Windows | XP / 2003 and later |
| MYOB | Accountants | |
| NetApp | ONTAP | Version up to 9.1 |
| Netgear | ReadyNAS | |
| Oracle | Solaris | 11.3 and older |
| Pulse Secure | PCS | 8.1R9 / 8.2R4 and older |
| Pulse Secure | PPS | 5.1R9 / 5.3R4 and later |
| QNAP | All storage devices | Firmware older than 4.1 |
| Red Hat | RHEL | Version up to 7.2 |
| Ricoh | MFP scanning to a network resource | Except for a number of models |
| RSA | Authentication Manager Server | |
| Samba | Samba | Older than 3.5 |
| Sonos | Wireless speakers | |
| Sophos | Sophos UTM | |
| Sophos | Sophos XG Firewall | |
| Sophos | Sophos Web Appliance | |
| SUSE | SLES | 11 and older |
| Synology | DiskStation Manager | Management only |
| Thomson Reuters | CS Professional Suite | |
| Tintri | Tintri OS, Tintri Global Center | |
| VMware | vCenter | |
| VMware | ESXi | Older than 6.0 |
| Worldox | GX3 DMS | |
| Xerox | MFP scanning to a network resource | Firmware without ConnectKey |
The list is taken from the Microsoft website, where it is regularly updated.
The list of products that use the old version of the protocol is quite long, so think about the consequences before disabling SMB v1.
Turning it off anyway
If there are no programs or devices on the network that use SMB v1, then of course it is better to disable the old protocol. Note, however, that while on Windows 8/2012 the SMB server side is switched off with a PowerShell cmdlet, on Windows 7/2008 you need to edit the registry. This can also be done with PowerShell:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
Or in any other convenient way. A reboot is required for the change to take effect.
To disable SMB v1 support on the client, it is enough to stop the service responsible for it and fix the dependencies of the lanmanworkstation service. This can be done with the following commands (note that sc.exe requires the space after the `=`):
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
To disable the protocol across the whole network, it is convenient to use group policies, in particular Group Policy Preferences, which let you work with the registry comfortably.
Creating a registry item through group policies.
To disable the protocol on the server, it is enough to create the following registry value:
- path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters;
- new value: REG_DWORD named SMB1;
- data: 0.
Creating a registry value to disable SMB v1 on the server via group policy.
To disable SMB v1 support on clients, two values need to be changed.
First, disable the SMB v1 protocol service:
- path: HKLM:\SYSTEM\CurrentControlSet\services\mrxsmb10;
- value: REG_DWORD named Start;
- data: 4.
Updating the first value.
Then fix the dependency of the LanmanWorkstation service so that it no longer depends on SMB v1:
- path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation;
- value: REG_MULTI_SZ named DependOnService;
- data: three strings, Bowser, MRxSmb20 and NSI.
Replacing the second value.
After the group policy is applied, the computers in the organization must be rebooted. After the reboot, SMB v1 will no longer be used.
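Group Policy reports "applied" even on hosts where a value never landed, so it pays to read the registry back. The following PowerShell is an added example, not part of the original article: the function Test-Smb1Disabled (a hypothetical name) checks the three registry settings described above, locally or over PowerShell remoting; the computer names in the sweep are placeholders.

```powershell
# Added example, not from the original article: verify that the registry changes
# described above actually landed. Server: LanmanServer\Parameters\SMB1 = 0.
# Client: mrxsmb10 Start = 4 and LanmanWorkstation DependOnService without MRxSmb10.
function Test-Smb1Disabled {
    $server = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -ErrorAction SilentlyContinue
    $driver = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' -Name Start -ErrorAction SilentlyContinue
    $deps   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation' -Name DependOnService -ErrorAction SilentlyContinue

    # Server side: the SMB1 value is absent by default, and absent means enabled.
    $serverOff = ($null -ne $server) -and ($server.SMB1 -eq 0)
    # Client side: driver service disabled (Start = 4); a missing mrxsmb10 key means
    # the SMB1 component is not installed at all, which is also fine.
    $driverOff = ($null -eq $driver) -or ($driver.Start -eq 4)
    # ... and the workstation service must not list MRxSmb10 as a dependency any more.
    $depList   = if ($deps) { @($deps.DependOnService) } else { @() }
    $depClean  = ($depList.Count -gt 0) -and -not ($depList -contains 'MRxSmb10')

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        ServerSmb1Off   = $serverOff
        ClientDriverOff = $driverOff
        DependOnService = $depList -join ','
        DependencyClean = $depClean
        Compliant       = $serverOff -and $driverOff -and $depClean
    }
}

# Local check.
Test-Smb1Disabled

# Remote sweep over a constructed list of hosts (placeholder names). Hosts that did
# not answer are listed separately so they are not mistaken for compliant ones.
$computers = 'FILESRV01', 'WS-ACCT-07'
$results = Invoke-Command -ComputerName $computers -ScriptBlock ${function:Test-Smb1Disabled} `
    -ErrorAction SilentlyContinue -ErrorVariable failed
$results | Select-Object ComputerName, ServerSmb1Off, ClientDriverOff, DependencyClean, Compliant | Format-Table -AutoSize
$failed | ForEach-Object { "Unreachable: $($_.TargetObject)" }
```

Run it after the post-policy reboot, since the Start and DependOnService values only take effect then.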
If it works, don't touch it
Oddly enough, this old commandment is not always helpful: ransomware and trojans feel at home in rarely updated infrastructure. Nevertheless, a careless shutdown or update of services can paralyze an organization's work no less than malware.
Tell us: have you already disabled the first version of SMB? Were there many casualties?