Especially over the last few months, the public face of SMBv1 and how it is quite vulnerable, has become a solid talking point. If you have poked around on some Windows Servers and also some Nix file servers, you may have noticed these legacy-era protocols still running. Even if you have a more recent Windows Server Deployment, they tend to have SMB 1 enabled by default.
Oh Lordy. If you have done any nmap scans you may have also noticed there have been notifications about SMB1 for a loooong time. Lucky for us, I would like to think by disabling SMB1, all your existing systems would work. Please note the optimism, because that’s all it is if you do not confirm things still work, after having turned off SMBv1 or for that matter, any service.
Microsoft has a guide using powershell to manage these. Before you go wild, do make sure to note that SMB 2 and 3 are related and enable relevant network features too.
If you still have XP devices connecting to servers (gods save you), you will lose communication when you turn off SMB v1. Another fine reason to finally push and accomplish getting rid of those things. I think cryptolockers scared non-security people enough this year, to give your pitch some viability.
Looking at the PowerShell syntax, Windows 8 and Server 2012 have some really clean powershell cmdlets. On Windows 7, Server 2008, etc, you are essentially changing a registry key on the command line / by script. If you are rolling an Active Directory domain, you can push the SMB 1 disable out over group policy. Once again, pausing to make sure stuff works after you do this, and it would not hurt to test this in waves, as to not cause a huge problem in one fell swoop.
You can also have fun diving into some PCAPs to get a feel for SMB levels in use. You can apply filters to weed out noise from your scan. Keep good notes. I don’t know about you, but when I tell people I’m doing security maintenance, some folks like to come up with some fantasy stories of things they say worked prior. Typically stuff that never worked or something that way decommissioned months prior, not the week of your rollout.
Jolly August. Fall is creeping up :)
Just bumping as a reminder that SMB 1 natively is enabled up to and including Server 2016 test builds. Running the below may shock you in seeing that EnableSMB1Protocol is by default, set to True.
Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol
On the Windows 2012 or greater machines, you don’t have to reboot after the change, unlike the older server and workstation machines. To disable SMB1, do up the following, then re-run the check above to verify it’s off.
Set-SmbServerConfiguration -EnableSMB1Protocol $false