PSA: recent Windows updates disabling SMB1

Windows April/May updates are disabling SMB1 protocol on computers / servers.

This can cause various communication issues between workstations and servers. Examples are credit card readers communicating with host software and browsing file shares via VPN.

This is detectable during a packet capture, there will be a reset packet immediately after a protocol negotiation.

Please see link for PowerShell commands for checking, enabling, and disabling various SMB versions.

https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and
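The linked KB lists the individual commands. As an added example (not from the original post or from Microsoft's article), the script below wraps them into two functions: one that reports the SMB1 state on the local machine (server-side setting, the mrxsmb10 client driver, the optional feature, and any live outbound connections that negotiated a 1.x dialect) and one that disables it. It assumes an elevated session on Windows 8.1/10 or Server 2012 R2 and later; `Get-WindowsFeature` / `Uninstall-WindowsFeature` exist only on server SKUs, so the script falls back to the `*-WindowsOptionalFeature` cmdlets on clients. The dialect string for SMB1 connections is assumed to start with `1.` (Ned Pyle's audit posts show `1.5`).

```powershell
# Added example: inventory and, optionally, disable SMB1 on a Windows box.
# Run from an elevated PowerShell session. Not part of the original post.

function Get-Smb1Status {
    # Server side: is the SMB1 dialect still offered to clients?
    $srv = Get-SmbServerConfiguration

    # Client side: the SMB1 redirector is the mrxsmb10 driver; Start=4 means disabled.
    $mrx = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' `
                            -ErrorAction SilentlyContinue

    # Optional-feature state (server SKUs expose FS-SMB1, clients expose SMB1Protocol).
    $feature = if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        (Get-WindowsFeature -Name FS-SMB1).InstallState
    } else {
        (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $srv.EnableSMB1Protocol
        Smb2ServerEnabled = $srv.EnableSMB2Protocol
        Smb1ClientDriver  = if ($null -eq $mrx) { 'NotPresent' }
                            elseif ($mrx.Start -eq 4) { 'Disabled' }
                            else { 'Enabled' }
        Smb1FeatureState  = $feature
        # Outbound connections from this machine that are still using an SMB1 dialect
        # (assumption: SMB1 shows up as a dialect beginning with "1.").
        Smb1Connections   = @(Get-SmbConnection |
                              Where-Object { $_.Dialect -like '1.*' } |
                              Select-Object -ExpandProperty ServerName -Unique)
    }
}

function Disable-Smb1 {
    # Stop serving SMB1 immediately; -Force skips the confirmation prompt.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # Remove the SMB1 component (server and client) so it does not come back.
    # Removal completes at the next reboot.
    if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
        Uninstall-WindowsFeature -Name FS-SMB1
    } else {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    }
}

Get-Smb1Status | Format-List
# Disable-Smb1   # run once Smb1Connections is empty and nothing else on the network needs SMB1
```

Check the report on a few servers first: an empty `Smb1Connections` list and `Smb1ServerEnabled = False` with the feature still installed means the protocol is off but the vulnerable binaries are still on disk, which is the state `Disable-Smb1` clears up.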


You should have disabled SMB1 a long time ago when that huge vulnerability was announced so... Good.

Please do not re-enable it.

Pretty much this. That was one of the things that came up on our own test forever ago.

Smb1 should have been nuked ages ago...

11 points · 11 days ago

Have a client that has a critical proprietary application that only uses SMBv1. Their development team has no plans to fix it "because they will be replacing it with a cloud version." They've been working on that for 6 years.

1 point · 10 days ago

Wrap it with a VPN connection. Problem solved by abstraction.

The application runs straight off a shared drive on-premises.

3 points · 10 days ago

Use an on-premise VPN so that all traffic between the server and client is encrypted, with it configured so that clients cannot interact with each other through it. Make it so that you cannot access it unless using the VPN. Then authentication and confidentiality are handled by the VPN. This is an example of defense in depth.

This guy admins.

Good work OP someone out there NEEDS this info

Unless you still have a couple legacy 2003 servers on your network you can't kill yet.

Or anything using Redhat 6.x or CentOS 6.x, which also only supports mounting Windows shares over SMBv1. They can be a server up to SMBv3 but only a client with SMBv1.

RHEL7/CentOS7 can do it all but 6 is still in support so getting some of our external software updated is taking a while.

CCNA
9 points · 10 days ago · edited 10 days ago

I never got that attitude here of, "I did this at my work so there's zero reason why you can't." This place is so pretentious sometimes. I've got my network protected and we can recover from ransomware in minutes IF it manages to both get in and get out. We have numerous layers of security and D.R. if that fails.

So don't judge me. I can't retire my SMB servers yet due to other business issues, and it's not a risk worth worrying about compared to everything else I do.

4 points · 10 days ago

At the end of the day, it needs to be calculated that with any vulnerability, there is a threshold of acceptable risk. In your scenario, the business and yourself have accepted the potential risk.

Likes der Blinkenlichts
1 point · 10 days ago

If you ever feel bad about running it, just remember there are those who work with US gov’t organizations that have to tolerate SMBv1 flying over the network.

And they technically have no reason to keep it enabled. 😭

3 points · 11 days ago

Or, some MFCs that will only scan to SMBv1.

6 points · 11 days ago

We worked around this by setting up some internal FTP servers.

Network Engineer
3 points · 11 days ago

This. Much less headache doing literally ANY of the other transfer protocols.

1 point · 10 days ago

Or if you have Riverbed SteelHeads for WAN optimization.

Obviously

85 points · 11 days ago

SMB 1 is 30+ years old now. The product manager for Windows storage services has been on a crusade against SMB 1 for years.

If you still have it in your environment you should be asking why and actively removing barriers to sunset it. Continuing to have SMB1 deployed in your network would be like running Banyan Vines as your desktop OS across an enterprise or using IPX instead of TCP/IP as your network stack.

SMB 1 is 30+ years old now.

but its still a damn good game.

CC&A
8 points · 11 days ago

Bloink! Bloink!

The product manager for Windows storage services has been on a crusade against SMB 1 for years.

God I love Ned and his twitter feed

While I agree... tell that to the vertical solution vendors for various hardware/software that refuse to change.

2 points · 10 days ago

Tell them to wrap it with a VPN connection, it should fix the problem if done well.

Like HP.

Clonezilla can't use network resources without SMB1 enabled. It's not used very often though, so I keep the files on a VM that's powered off when not needed, and that VM was added as an exception to the GPO that disables SMB1.

One day I'll actually have the time to find a free replacement that doesn't require SMB1.

Pretty sure Clonezilla now supports newer versions of SMB - you have to specify it in your syslinux.cfg

Sometimes that is not possible when a vendor does not support it

41 points · 11 days ago · edited 11 days ago

Windows 10 by default will auto-remove the SMBv1 protocol after 15 days of combined uptime (excluding when the machine is off) IF no SMBv1 use is detected.

https://support.microsoft.com/en-us/help/4034314/smbv1-is-not-installed-by-default-in-windows
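Before letting that removal happen on a file server, it helps to know which clients still negotiate SMB1. As an added example (not from the comment above or from Microsoft's article), the script below turns on the SMB1 access audit that `Set-SmbServerConfiguration -AuditSmb1Access` provides (Windows Server 2016 / Windows 10 and later, backported to 2012 R2), then summarises the audit events and the dialect of current server-side sessions. Assumptions: the audit events are ID 3000 in the `Microsoft-Windows-SMBServer/Audit` log and their message text contains `Client Address: <ip>`; the regex below depends on that wording.

```powershell
# Added example: find out who still speaks SMB1 to this server before removing it.
# Run from an elevated PowerShell session on the file server. Not part of the original thread.

function Enable-Smb1Audit {
    # Every SMB1 negotiate reaching this server is written to the SMBServer/Audit log.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

function Get-Smb1Clients {
    param([int]$Days = 15)   # match the 15-day window Windows 10 uses for auto-removal

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000                       # assumption: SMB1 access audit event
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    # Assumption: the message body contains "Client Address: <ip>"; pull the address
    # out and count how often each client showed up.
    $events |
        ForEach-Object {
            if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] }
        } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'ClientAddress'; e = { $_.Name } }, Count
}

function Get-SmbSessionsByDialect {
    # Live view: server-side sessions grouped by the dialect each negotiated.
    # A dialect beginning with "1." is SMB1 (assumption, e.g. 1.5).
    Get-SmbSession |
        Group-Object Dialect |
        Select-Object @{ n = 'Dialect';  e = { $_.Name } },
                      @{ n = 'Sessions'; e = { $_.Count } },
                      @{ n = 'Clients';  e = {
                          ($_.Group.ClientComputerName | Sort-Object -Unique) -join ', ' } }
}

Enable-Smb1Audit
Get-Smb1Clients -Days 15      | Format-Table -AutoSize
Get-SmbSessionsByDialect      | Format-Table -AutoSize
```

Leave the audit on for at least one full business cycle (month-end scanning jobs and the like) before disabling SMB1; the addresses it lists are the MFPs, Linux 6.x boxes and legacy servers that will break when the dialect goes away.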

We disabled SMB1 months ago, it’s a big security hole used by CryptoLockers.

Waaaaannacry

Waaaaannacry

No. No I don't.

We disabled Windows months ago, it's a big security hole used by CryptoLockers.

Also, I use Arch Linux.

Right, because linux isn't just as vulnerable. Oh right, it is - because it's software. written by humans. who make mistakes all the time. this smug little incorrect attitude doesn't serve you well.

Someone's having a bad day. Guess the obvious sarcasm went a bit over your head there buddy.

3 points · 10 days ago

^btw they use Arch.

Not obvious. You do an incredibly convincing imitation of someone who actually believes that.

months

Good, stop using SMB1, we’ve known this for over a year now.

17 points · 11 days ago

SMBv1 is long dead, man. SMBv3.1.1 is the latest version, but even SMBv2 was released in 2006 (12 years ago), with the Linux-based Samba able to add support in 2013 (5 years ago). If you have any hardware that still only supports SMBv1 then it's well past time to replace it.

Samba added support as a server. As a client some Linuxes are stuck at SMBv1 :(

3 points · 10 days ago

Maybe the world could migrate to NFSv4.

From Ned Pyle (creator of SMB):

Stop using SMB1. For your children. For your children’s children. Please. We’re begging you.

https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/

11 points · 11 days ago

Ned didn’t invent SMB. He’s very outspoken about getting rid of SMB1 and 2 and is the program manager for storage services at MSFT, but the SMB protocol is so old that it long pre-dates Ned’s tech career.

Yeah sorry.. he is somehow the "manager" of SMB at Microsoft.

3 points · 10 days ago

He also has a list of vendors and products.

Also from that post:

To update this list, please email StillNeedsSMB1@microsoft.com or tweet @nerdpyle with hashtag #StillNeedsSMB1.

So if you don't see your vendor on there (and they have a public stance/documentation about it) ... well maybe it's time for a bit of public shaming.

And earlier

Possibly part of the problem was some issues with the early implementations of SMB2, which then developed into sysadmin voodoo "Oh, just revert it to SMB1 and see if that works".

MEF-CECP, "CC & N/A"
20 points · 11 days ago · edited 11 days ago

Thank god. I've dealt with so many complaints of "not getting my bandwidth" over the years because some numbnuts thinks his shitty SMB1 file transfer throughput from coast-to-coast indicates a carrier issue.

Cue a week of RFC2544/Y.1564/RFC6349 testing and Iperf instructions before they finally understand the impact that crappy old chatty file transfer protocols designed for sub-millisecond LAN environments have upon performance when sent across thousands of miles of propagation delay. And I haven't even started on the security issues.

If you're still running SMB1 to workstations in this day and age, you are doing something wrong.

Ran into this before. Do a packet capture and show them. SMB1 literally sends blocks of data filled with 0s, for no other purpose than to take up space. Granted, the much bigger problem is that it doesn't stream data, but that's harder to show and requires a bit of math to explain how that extra 50ms makes such a big difference.

MEF-CECP, "CC & N/A"
1 point · 10 days ago

Cool, didn't actually know about it padding zeroes. I've always stuck to explaining that it exchanges around a dozen packets before it sends a data block, so 12x 1 ms means a hypothetical 12 ms between blocks, where 12 ms x 100 ms means a full 1.2 seconds between each data block, to bring the explanation down to layman terms (often necessary in my line of work).

Pointing out that it literally wastes bandwidth would have been a handy tip, though I should be thankful that I probably won't have to have that conversation again.

I have unmanaged clients who still use legacy shit in CAD systems and other industrial shit that requires 5 to 6 digit upgrades just for a fucking OS. However, outside of the dedicated CAD, they bounce between me and some other company that fucks them.

Needless to say, I can count on one hand how many clients insist on using legacy bullshit like win2k and the random winXP machine.

Luckily most of the legacy shit is the exception, not the norm. Hopefully this gives me some ammo to convince them to UPGRADE ALREADY.

Likes der Blinkenlichts
2 points · 10 days ago

Dealt with this at my work recently.

I feel your pain.

8 points · 11 days ago

You see this in patch notes anywhere? Or just noticed it?

I can't find any official documentation from Microsoft stating they have done this in "recent windows updates". Then, I am not the greatest at finding good information in the tubes of the internet. If someone has official documentation stating this it would be greatly appreciated :)

Original Poster1 point · 11 days ago

Just noticed. Unfortunately

6 points · 11 days ago

Good.

PSA: you shouldn’t be using SMB1.

Curious HOW "credit card readers" would use SMB

5 points · 11 days ago

And why you would run any critical information over such an insecure protocol. Begging to be exploited.

We ran into this with our Riverbed optimization as we have had it set for years to send a request to downgrade from SMB 2 to 1 to our clients and servers but that no longer works and breaks applications. This started when we began deploying Windows 10 this spring.

The workaround for us was to disable layer 7 SMB optimizations. The real fix would be to upgrade our RiOS and register each Riverbed to the domain but we don’t want to do that as we are slowly retiring WAN optimization appliances.

We too have an SMC that we are letting die in lieu of upgrading, but I am curious why you are retiring WAN optimization on your nets?

Bandwidth is cheap and most of our applications are encrypted and moving to the cloud. For what applications we run internally, when I disable optimization at a remote site no one complains about speed issues or anything, so we don’t buy new hardware because our xx50 series is at EOL. So we retire the hardware and save on the yearly support contracts.

Yup... same, just always curious what others are up to. Cheers!

I thought it was disabled by windows update months ago?

Good!

SMB1 should not be used in any environments as of years ago. It's a massive vulnerability with already implemented solutions.

If you're doing things right, this announcement should not even hit your radar.

Cisco CCNP R&S, Avaya ACE-Fx, Citrix CCP-N
5 points · 10 days ago

You'll encounter this in a variation of 'my mission critical yet ancient software just stopped working so it must be a networking issue'.

And yes, mission critical. Because it works, there's no budget for replacement (or even replacement, period), and the powers that be value end user functionality more than IT.

UGH, as much as SMB1 should be dead, it will break all the scanners!

Scan to email?

They are so old they don’t support modern email protocols with TLS. The client is in O365 for email so a no go as they can’t leave the network unencrypted due to privacy. These are Gen1 Canon imageRunners. I advised the client it’s time to upgrade one of them or get stand alone scanners

Can you run an unauthenticated email relay with an IP ACL that only accepts things from the scanners?

Maybe? Honestly they just need to get lifecycled. They are so old it’s time

3 points · 11 days ago

It's at least an option, however painful, if management won't let you shitcan the old hardware, and updating the stuff didn't make it into AOP, etc. (maybe someone in IT forgot or had to prioritize other things... thems the breaks)

We do exactly this in a lot of cases.

I used to set up one of these a week for a while at my last job. SMTP Relay through windows server 2016. Super easy to do.

Technical debt is a bitch.

I've switched all ours over to FTP like in the good ol days.

yeah, I telnet into the printer's public IP to set it up

Agreed. All network scan to folders, at least all the ones at my client's, have "broken" with smb1 disabled. Stupid, old protocol.

put a linux system between the two. smb1 with an ACL that only allows the scanners to access it. Then mount your SMBv2/SMBv3 shares and share them via samba only to the scanner IPs.

It's terrible, but it works.

I know I mentioned the ACL thing twice, because that's important. Unless you love cryptolocker and wannacry.

When the first patches to kill SMB1 appeared, it caused me issues, not with Windows clients and servers, but with a linux box talking to a Windows server for printing. It had a pretty old version of Samba on it, owing to the application having specific OS requirements, so I had to hack a newer version of Samba on to it to support SMB2. So yeah, these things don't always affect the most obvious things.

I wonder if ESXi 6.5 and vCenter 6.5 have finally been updated to not need SMB1, because even with the tweaks to enable SMB2 support, you cannot join ESXi or vCenter to a domain unless SMB1 is installed and enabled on the domain controllers.

It has since U1 was released last year.

credit card readers communicating with host software

Wait, since when is SMB required for this?

I have some clients on legacy shit.

This effectively officially puts a split between old win2k/win2k3 (virtualized) systems, CAD systems, and other old shit that uses specialized software and win10 and newer microsoft stuff.

Also old printers.

A few people are NOT going to like that. For the legacy printers, a go-between of SAMBA between the two helps, but I am going to start pushing these people to finally upgrade their shit. They think they can keep spit-shining old shit, I remind them that some of their shit is old enough to raise a family now, and they need to start some massive upgrades.

In some cases, it'd be cheaper to get a college student to manually enter old database info into a newer program than trying to support aging shit with security issues.

I have one client I have held back updates with, but I am working on a server upgrade proposal to get them off this ancient bullshit ASAP.

This is probably why I can no longer share my media to Kodi running on my Fire TV. 8.1 had absolutely no issues.

You can add it back in. Control panel / programs and features / Turn on or off windows features.

I tried that actually...no such luck, although I did find some registry edits that can help with the issue I'm having.
