When You Should Disable Server Message Block v1
SECURITY BASELINE: Susan Bradley

The recent ransomware attacks have had an inadvertent side effect at my home and office: they have shown me how much I'm still dependent on Server Message Block v1 (SMB v1). Microsoft's guidance for the recent ransomware attacks, as set out in KB2696547, is to disable SMB v1 and to leave SMB v2 and SMB v3 enabled unless you are temporarily troubleshooting a security setting.

As noted in a September 2016 blog post, SMB v1 is a 30-year-old protocol that has seen better days. The recent ransomware attacks used this protocol to amplify their mayhem, yet some security researchers are still unsure exactly how the initial attack vector took place. It's unclear at this time whether this ransomware arrived through targeted email attacks (like many other ransomware attacks), or whether it was a unique attack that infected a workstation, which then brought the attack into the impacted networks through a network access point previously used to bring in other worm-like attacks. While the initial infection route is unclear, it's clear that once the infection got into a network, it relied on vulnerabilities in SMB v1 to run rampant through that network. This is why so many security sites recommended disabling SMB v1 as an old and out-of-date protocol.

As pointed out on the Vinransomware blog site, the best way for a consumer or home user to disable SMB v1 is through the graphical user interface.
Now comes the fun part: determining what, if anything, is broken now that SMB v1 is disabled.

What May Have Broken
In small firms, the first thing that may be impacted is multifunction printers and copiers that scan to a file share. Older devices may use SMB v1 as their main protocol for this, so you may need to contact the printer vendor to see whether a firmware update lets you keep SMB v1 disabled. In a consumer setting, you may have issues with network-attached storage devices, consumer speakers that play music from a computer share (such as Sonos speakers), and other devices that are based on Linux. There is no definitive listing of which devices require SMB v1 in order to work and which can use SMB v2 or v3. Unfortunately, the only way to find out what is impacted is, quite frankly, to try to make each device work: check that your printers and scanners still work, and that any other consumer devices you connect to your computer still do.

Which Version of Windows Uses What
The problem is that you often aren't sure what protocol will be used when connecting to consumer devices. This section should help clear it up.
If you want to test how your Windows 10 system connects to other devices, launch PowerShell from an administrative prompt and type Get-SmbConnection. It lists each active SMB connection together with the dialect (protocol version) that was negotiated for it. In my own home network I have three Western Digital My Cloud devices. One is slightly newer than the other two. When I tested what version of SMB I was using, I was interested to see that my older two Western Digital My Cloud devices were using SMB 2.1 to connect to my Windows machine, and my newer Western Digital My Cloud device uses SMB 3.1.1.

On Windows 7, the PowerShell cmdlet isn't available, so you have to use another method to check whether SMB v1 is enabled. At an administrative command prompt, type sc.exe qc lanmanworkstation. This doesn't show which version a given connection negotiated; it lists the Workstation service's dependencies, and if the SMB v1 redirector driver (mrxsmb10) is among them, the SMB v1 client is enabled. On my Windows 7 workstation, I learned SMB v1 was enabled and active.

Some applications, such as accounting software from Sage, recommend that you find a common SMB protocol and use it between the workstations and the server. Depending on what version of Windows you're running, you may have to use SMB v1 as the common protocol, otherwise you will run into speed issues and communication errors.

Is a Firmware Update the Answer?
For those with older printers and scanners, you might find yourself in the same boat as several posters in the Spiceworks forum who had issues with “non-domain machines such as terastatios [sic] and our ibm production machine's shares. After calling ibm, they confirmed to browse to their machine it still needs smb1”. It's often hard to determine what protocols printers use to talk to other devices without resorting to packet captures. If you disable SMB v1 and can no longer connect to a device, you will need to look for a firmware update and test whether it fixes the issue. I have not been able to find any definitive listing that documents what each printer or device needs in order to connect.
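The two checks above, gathered into one script, as an added example that is not part of the original column. It reports the dialect each current connection negotiated (Get-SmbConnection, Windows 8 and later), flags anything still on a 1.x dialect, and applies the KB2696547 checks for the SMB v1 client (the mrxsmb10 dependency of the Workstation service) and server (EnableSMB1Protocol, with the Windows 7 registry fallback). The function names are my own; the cmdlets, driver name and registry value are Microsoft's.

```powershell
# Added example (not from the column): report which SMB dialect each live
# connection negotiated and whether the SMB v1 client and server are still
# enabled on this host. Run from an elevated PowerShell prompt.

function Get-SmbDialectReport {
    # Windows 8 / Server 2012 and later. One row per active connection;
    # anything still negotiating a 1.x dialect is flagged as UsesSmb1.
    Get-SmbConnection |
        Select-Object ServerName, ShareName, UserName, Dialect,
            @{ Name = 'UsesSmb1'; Expression = { $_.Dialect -like '1.*' } } |
        Sort-Object ServerName, ShareName
}

function Test-Smb1ClientEnabled {
    # KB2696547 check that also works on Windows 7: the Workstation service
    # lists the SMB 1 redirector driver (mrxsmb10) as a dependency only while
    # the SMB v1 client is enabled.
    $qc = sc.exe qc lanmanworkstation
    return [bool]($qc -match 'mrxsmb10')
}

function Test-Smb1ServerEnabled {
    # Windows 8 / Server 2012 and later expose the setting directly.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 fallback: the SMB1 value under LanmanServer\Parameters.
    # A missing value means the default, which is enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val) -or ($val -ne 0)
}

# Usage
"SMB v1 client enabled: $(Test-Smb1ClientEnabled)"
"SMB v1 server enabled: $(Test-Smb1ServerEnabled)"
if (Get-Command Get-SmbConnection -ErrorAction SilentlyContinue) {
    Get-SmbDialectReport | Format-Table -AutoSize
} else {
    'Get-SmbConnection is not available on this Windows version; use the sc.exe result above.'
}
```

Run it once before disabling SMB v1 and keep the table: any device whose row shows UsesSmb1 = True (or that is missing from the table afterwards) is the one to check first when something stops working.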
While I’ll urge you to take the step of disabling SMB v1, I’ll do so with a huge caveat: Something may not work. If you find that something suddenly doesn’t work and there’s no way to update the device, you can run back through the steps and re-enable SMB v1:
Depending on what doesn't work and whether you depend on that device, you may decide to enable the protocol only when you need it, or consider buying a new device. Older Linux-based NAS devices that you've had for a while often have unpatched vulnerabilities and should be retired to the e-waste pile (after resetting the device to factory defaults, so you aren't handing over sensitive data that could be harvested). If you find key devices that you rely on broken by these instructions, I'll urge you to reach out to me in the WS Columns forum to showcase which vendors are still using SMB v1. I'm especially interested in any current devices you are using that still require this protocol.
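For the re-enable-only-when-needed approach, here is an added example, not from the column, that switches the SMB v1 client and server on or off using the commands KB2696547 documents: Set-SmbServerConfiguration (or the LanmanServer SMB1 registry value on Windows 7) for the server side, and sc.exe reconfiguring the Workstation service dependencies and the mrxsmb10 driver for the client side. The function name and its -State parameter are my own.

```powershell
# Added example (not from the column): toggle the SMB v1 client and server
# with the KB2696547 commands, so a printer or NAS that broke can be tested
# with SMB v1 temporarily back on and then turned off again.
# Run from an elevated PowerShell prompt; the client-side (mrxsmb10) change
# takes effect after a reboot.

function Set-Smb1State {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enabled', 'Disabled')]
        [string]$State
    )
    $enable = ($State -eq 'Enabled')

    # --- Server side: shares this machine offers to others ---
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later
        Set-SmbServerConfiguration -EnableSMB1Protocol $enable -Force
    } else {
        # Windows 7 / Server 2008 R2: registry value documented in KB2696547
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value ([int]$enable)
    }

    # --- Client side: this machine connecting out to printers, NAS, servers ---
    if ($enable) {
        sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= auto | Out-Null
    } else {
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
    }
    "SMB v1 client and server set to $State; reboot to apply the client change."
}

# Bring SMB v1 back just long enough to confirm a device really needs it,
# then turn it off again:
# Set-Smb1State -State Enabled
# ... test the scanner or NAS share ...
# Set-Smb1State -State Disabled
```

On Windows 8.1 and 10 the graphical route the column recommends (Windows Features) corresponds to the SMB1Protocol optional feature, which Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol removes entirely; the script above only switches the protocol off, which is what you want while you are still testing which devices depend on it.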