SMBv1 Solutions

WannaCry
WannaCry

It’s been weeks since the #WannaCry #WannaCrypt exploited thousands of computers across the internet. If you have been regularly patching your systems you would have been covered by the March 2017 update. The vulnerability used the legacy protocol SMB version 1 to propagate across the network once a machine was infected. Security experts and even Microsoft have been calling for the disabling and or removal of the SMBv1 protocol from Windows environments for quite some time.

A Little History

Introduced with Windows XP, the SMBv1 protocol has been installed and enabled by default on all Windows operating systems for backwards compatibility. SMB version 2 was introduced with Windows Vista/Windows Server 2008 adding additional security and performance. SMB version 3 was introduced with Windows 8/Windows Server 2012 adding even more performance and availability options.

But First…

Disabling SMBv1 across an enterprise is no small feat. There’s a process to follow, and there’s research that needs to be done ahead of time. There are basically three hang-ups that can keep you from disabling SMBv1 across the board:

  • Windows XP and Windows Server 2003 boxes still hanging around the network. You REALLY need to get rid of them.
  • Linux servers, appliances, or devices that share or access data over SMBv1. Check with your vendors on supporting SMB 2.
  • Network scanners or multi-function printers that scan to file servers using SMBv1. See if they can be reconfigured or updated to support SMB 2.

Do the work to identify these gotchas so that you can know where you can and can’t proceed with disabling the legacy protocol.

Tip

Note that when disabling the SMBv1 protocol you need to disable both the server-side (I’m sharing files with you) and client-side (you’re sharing files with me) of the protocol.

Get It Done!

You route to disabling SMBv1 depends on the tools at your disposal.

1. Batch files and psexec

 

2. Group Policyhttps://blogs.technet.microsoft.com/staysafe/2017/05/17/disable-smb-v1-in-managed-environments-with-ad-group-policy/

or

https://blogs.technet.microsoft.com/secguide/2017/06/15/disabling-smbv1-through-group-policy/

3. SCCMhttps://alexpooleyblog.wordpress.com/2017/03/09/disabling-smb1-via-configmgr-desired-state-configuration-dsc/

I wrote a PowerShell tool to gather the SMB protocols that are enable/disabled on a Windows computer called Get-SmbStatus. You can use this tool for discovery before and/or after you make your changes.

Example:

You can pick up the PowerShell function Get-SmbStatus at the Technet Script Repository.

Leave a Reply

Your email address will not be published. Required fields are marked *