Mẹo Is it safe to enable smb1?
Mẹo Hướng dẫn Is it safe to enable smb1? Chi Tiết
Bùi Thị Vân Thiện đang tìm kiếm từ khóa Is it safe to enable smb1? được Cập Nhật vào lúc : 2022-10-26 07:06:04 . Với phương châm chia sẻ Bí quyết Hướng dẫn trong nội dung bài viết một cách Chi Tiết Mới Nhất. Nếu sau khi Read Post vẫn ko hiểu thì hoàn toàn có thể lại Comment ở cuối bài để Tác giả lý giải và hướng dẫn lại nha.Asked 1 year, 8 months ago
Nội dung chính Show- SMB1 isn’t safeSMB1 isn’t modern or efficientSMB1 isn’t usually necessarySMB1 removal isn’t hardExplorer Network BrowsingSMB1 isn’t goodWhat is SMBv1 used for?What is the impact of disabling SMB1?Why is SMB1 disabled Windows 10?
Viewed 7k times
I have an old device which is not SMB 2 capable. Much has been written about danger of using SMB1 (eg. https://techcommunity.microsoft.com/t5/storage--microsoft/stop-using-smb1/ba-p/425858). I would like to access files on this device from current Windows 10 client. Windows 10 still allows to enable SMB1 through checkbox "SMB 1.0/CIFS client" in "Turn Windows features on or off" in Control Panel. Is there any real danger for Windows 10 client by doing so?
asked Feb 5, 2022 9:39
1
If the old device server is not accessible from the internet and is not used for internet surfing, it's as secure as the rest of your local network.
In order for it to be infected, another device from the LAN must be infected first, then propagate the infection. I think that this point the whole question of SMBv1 vulnerability becomes somewhat mute.
SMBv1 vulnerability is dangerous for larger networks. A modest home LAN should avoid SMBv1, but an old device disconnected from the internet cannot be used as an entry-point by an attacker.
For more information, see :
- Microsoft's advisory Stop using SMB1What’s the Problem with SMB 1, and Should You Worry About SMB 2 and 3?
answered Feb 5, 2022 10:46
harrymcharrymc
419k29 gold badges477 silver badges849 bronze badges
1
First published on TECHNET on Sep 16, 2022
Hi folks, Ned here again and today’s topic is short and sweet:
Stop using SMB1. Stop using SMB1 . STOP USING SMB1!
In September of 2022, MS16-114 , a security update that prevents denial of service and remote code execution. If you need this security patch, you already have a much bigger problem: you are still running SMB1.
The original SMB1 protocol is nearly 30 years old , and like much of the software made in the 80’s, it was designed for a world that no longer exists. A world without malicious actors, without vast sets of important data, without near-universal computer usage. Frankly, its naivete is staggering when viewed though modern eyes. I blame the West Coast hippy lifestyle :).
If you don't care about the why and just want to get to the how, I recommend you review:
- How to
remove SMB1 The SMB1 clearinghouse SMB1 is being removed from Windows and Windows Server
Otherwise, let me explain why this protocol needs to hit the landfill.
SMB1 isn’t safe
When you use SMB1, you lose key protections offered by later SMB protocol versions:
- Pre-authentication Integrity (SMB 3.1.1+). Protects against security downgrade attacks.Secure Dialect Negotiation (SMB 3.0, 3.02).
Protects against security downgrade attacks.Encryption (SMB 3.0+). Prevents inspection of data on the wire, MiTM attacks. In SMB 3.1.1 encryption performance is even better than signing!Insecure guest auth blocking (SMB 3.0+ on Windows 10+) . Protects against MiTM attacks.Better message signing (SMB 2.02+). HMAC SHA-256 replaces MD5 as the hashing algorithm in SMB
2.02, SMB 2.1 and AES-CMAC replaces that in SMB 3.0+. Signing performance increases in SMB2 and 3.
The nasty bit is that no matter how you secure all these things, if your clients use SMB1, then a man-in-the-middle can tell your client to ignore all the above . All they need to do is block SMB2+ on themselves and answer to your server’s name or IP. Your client will happily derp away on SMB1 and share all its darkest secrets unless you required encryption on that share to prevent SMB1 in the first place. This is not theoretical – we’ve seen it. We believe this so strongly that when we introduced Scaleout File Server, we explicitly prevented SMB1 access to those shares!
As an owner of SMB MS, I cannot emphasize enough how much I want everyone to stop using SMB1 https://t.co/kHPqvyxTKC
— Ned Pyle (@NerdPyle) April 12, 2022
US-CERT agrees with me, BTW: https://www.us-cert.gov/ncas/current-activity/2022/01/16/SMB-Security-Best-Practices
SMB1 isn’t modern or efficient
When you use SMB1, you lose key performance and productivity optimizations for end users.
- Larger reads and writes (2.02+)- more efficient use of faster networks or higher latency WANs. Large MTU support.Peer caching of thư mục and file properties (2.02+) - clients keep local copies of folders and files via BranchCacheDurable handles (2.02, 2.1) - allow for connection to transparently reconnect to the server if there is a temporary disconnectionClient oplock
leasing model (2.02+) - limits the data transferred between the client and server, improving performance on high-latency networks and increasing SMB server scalabilityMultichannel & SMB Direct (3.0+) - aggregation of network bandwidth and fault tolerance if multiple paths are available between client and server, plus usage of modern ultra-high throughout RDMA infrastructureDirectory Leasing (3.0+) - Improves application response times in branch offices through caching
Running SMB1 is like taking your grandmother to prom: she means well, but she can't really move anymore. Also, it's creepy and gross
— Ned Pyle (@NerdPyle) September 16, 2022
SMB1 isn’t usually necessary
This is the real killer: there are far fewer cases left in modern enterprises where SMB1 is the only option. Some legit reasons:
You’re still running XP or WS2003 under a custom support agreement.You have old management software that demands admins browse via the so-called ‘network' aka 'network neighborhood’ master browser list.You run old multi-function printers with old firmware in order to “scan to share”.These will only affect the average business or user if you let them. Vendors are moving to upgrade their SMB2 support - see here: https://aka.ms/stillneedssmb1 For the ones who aren't, their competitors are. You have leverage here. You have the wallet.
We work carefully with partners in the storage, printer, and application spaces all over the world to ensure they provide least SMB2 support and have done so with annual conferences and plugfests for six years. Samba supports SMB 2 and 3. So does OSX and MacOS. So do EMC, NetApp, and their competitors. So do our licensed SMB providers like Visuality and Tuxera, who also help printer manufacturers join the modern world.
A proper IT pro is always from Missouri though. We provide SMB1 usage auditing in Windows Server 2022, Windows Server 2022, Windows Server 2012 R2, and Windows Server 2008 R2 (the latter two received via backported functionality in monthly updates several years ago) plus their client equivalents, just to be sure. That way you can configure your Windows Servers to see if disabling SMB1 would break someone:
Set-SmbServerConfiguration –AuditSmb1Access $true
On Windows Server 2008 R2 and Windows 7 you must edit the registry directly for this DWORD value, there is no SMB PowerShell:
Set-ItemProperty -Path "HKLM:SYSTEMCurrentControlSetServicesLanmanServerParameters" AuditSmb1Access -Type DWORD -Value 1 –Force
Then just examine the SMBServerAudit sự kiện log on the systems. If you have older servers than WS2012 R2, now is good time to talk upgrade. Ok, that’s a bit extortionist – now is the time to talk to your blue teams, network teams, and other security folks about if and where they are seeing SMB1 usage on the network. If they have no idea, they need to get one. If you still don’t know because this is a smaller shop, run your own network captures on a sample of your servers and clients, see if SMB1 appears.
Day 700 without SMB1 installed: nothing happened. Just like last 699 days. Because anyone requiring SMB1 is not allowed on my $%^&%# network— Ned Pyle (@NerdPyle) September 13, 2022
SMB1 removal isn’t hard
Starting in Windows 8.1 and Windows Server 2012 R2, we made removal of the SMB1 feature possible and trivially easy.
On Server, the Server Manager approach:
On Server, the PowerShell approach (Remove-WindowsFeature FS-SMB1):
On Client, the add remove programs approach (appwiz.cpl):
On Client, the PowerShell approach (Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol)
On legacy operating systems:
When using operating systems older than Windows 8.1 and Windows Server 2012 R2, you can’t remove SMB1 – but you can disable it: KB 2696547- How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows Vista, Windows Server 2008...
A key point: when you begin the removal project, start smaller scale and work your way up. No one says you must finish this in a day.
Explorer Network Browsing
The Computer Browser service relies on SMB1 in order to populate the Windows Explorer Network (aka "Network Neighborhood"). This legacy protocol is long deprecated, doesn't route, and has limited security. Because it cannot function without SMB1, it is removed the same time.
However, some customers still use the Explorer Network in home and small business workgroup environments to locate Windows computers. To continue using Explorer Network, you can perform the following steps on your Windows computers that no longer use SMB1:
1. Start the "Function Discovery Provider Host" and "Function Discovery Resource Publication" services and set them to delayed start.
2. When the user opens Network, they will be prompted to enable network discovery. Do so.
3. Now all Windows devices within that subnet that have these settings in place will appear in Network for browsing. This uses the WS-DISCOVERY protocol. Check with your other vendors and manufacturers if their devices still do not appear in this browse list after Windows devices appear; it is likely they have this protocol disabled or only support SMB1.
Note: we highly recommend you map drives and printers for your users instead of enabling this feature, which still requires searching and browsing for their devices. Mapped resources are easier for them to locate, require less training, and are safer to use, especially when provided automatically through group policy.
SMB1 isn’t good
Stop using SMB1. For your children. For your children’s children. Please. We’re begging you. And if that's not enough: SMB1 is being removed (fully or partially, depending on SKU) by default in the RS3 release of Windows and Windows Server. This is here folks: https://aka.ms/smb1rs3
- Ned “and the rest of the SMB team Microsoft” Pyle
What is SMBv1 used for?
Server Message Block (SMB) is a Microsoft communication protocol used primarily for sharing files and printer services between computers on a network. SMBv1 dates back to the LAN Manager operating system and was deprecated in 2013 — so why should you care about it? I can answer in one word: ransomware.What is the impact of disabling SMB1?
Concluding. Disabling SMBv1 on Active Directory Domain Controllers improves the security posture of your Microsoft-oriented networking environment.Why is SMB1 disabled Windows 10?
This was meant to allow end users to connect to various devices, including NAS, which only supported SMB1. Microsoft was uninstalling SMB1 after 15 days of uptime on computers that didn't use the protocol all. The new insider builds of Windows no longer have any version of SMB1 enabled by default. Tải thêm tài liệu liên quan đến nội dung bài viết Is it safe to enable smb1? Alternative to SMB1 SMB on Windows SMB1 vs SMB2
Post a Comment