Microsoft Offers Tips on Removing Insecure SMB 1 from Windows Networks

Microsoft recently highlighted some tools that IT pros can use to detect if Server Message Block version 1 (SMB 1) is being used in a network.

The need to check for SMB 1 use is perhaps amplified by a ransomware outbreak that occurred earlier this week, targeting Windows systems using SMB 1. While some security software vendors have suggested that SMB version 2 gets targeted by the ransomware, Microsoft affirmed this week via e-mail that only SMB 1 was subject to the attack.

To address the ransomware attack, Microsoft has generally recommended that its March MS17-010 "critical" security bulletin release for Windows systems be installed in networks. IT pros also may be able to remove the unsafe 30-year-old SMB 1 protocol from networks as an additional security precaution.

If SMB version 2 or SMB version 3 is present in a network consisting of Windows Servers (2008 or above), then disabling SMB 1 won't be a problem because the servers will negotiate the next available version of SMB to communicate with each other. However, simply disabling SMB 1 could cause problems, particularly if devices depend on using it, according to Ralph Kyttle, a premier field engineer at Microsoft, in a recent Microsoft TechNet blog post.

Kyttle noted that clients can "sometimes act as SMB servers." They can talk to devices that use SMB 1, such as "printers, NAS, [and] manufacturing gear," that could be running Windows or Samba/Linux, he noted.

Consequently, IT pros may want to run tests to check for SMB 1 dependencies in a network.

Kyttle offered three approaches for detecting device dependency on SMB 1. He generally recommended performing a network capture, though. Network traffic can be captured using the Microsoft Message Analyzer tool, which produces logs of inbound and outbound traffic that can be filtered to show SMB 1 traffic.

It's also possible to use PowerShell's Desired State Configuration Environment Analyzer (DSCEA) module to detect SMB 1 use, Kyttle explained in another blog post. DSCEA requires PowerShell version 5.0 and can show compliance details via HTML or Power BI. The benefit of using DSCEA is that IT pros can use the scan results to fix noncompliant configurations.
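A lighter-weight way to gather the same evidence, as an added example that is not from the article or from Kyttle's posts: the SMB server on Windows Server 2016 and Windows 10 can log every client that negotiates SMB 1 (event ID 3000 in the Microsoft-Windows-SMBServer/Audit log), and the SmbShare module reports whether the SMB 1 protocol is still enabled on a host. The script below turns that audit on where the build supports it, collects the client addresses it has recorded, and reports the install state of the SMB 1 component. It assumes WinRM access to the hosts in `$Servers` and an elevated session; the host list and the function name `Get-Smb1Status` are placeholders.

```powershell
# Added example: inventory SMB1 state and SMB1 client access on Windows hosts.
# Assumptions: SmbShare module present (Windows 8 / Server 2012 and later),
# WinRM reachable on the targets, session is elevated. $Servers is a placeholder list.

$Servers = @('localhost')   # assumption: replace with hosts from your inventory

function Get-Smb1Status {
    param([string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $cfg = Get-SmbServerConfiguration

        # Server 2016 / Windows 10 expose AuditSmb1Access; older builds do not have the
        # property, so auditing is simply reported as unsupported there.
        $auditSupported = $null -ne $cfg.PSObject.Properties['AuditSmb1Access']
        if ($auditSupported -and -not $cfg.AuditSmb1Access) {
            Set-SmbServerConfiguration -AuditSmb1Access $true -Force
        }

        # Each event 3000 names the client address that negotiated SMB1.
        $smb1Clients = @()
        if ($auditSupported) {
            $smb1Clients = Get-WinEvent -FilterHashtable @{
                    LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000
                } -ErrorAction SilentlyContinue |
                ForEach-Object {
                    if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] }
                } | Sort-Object -Unique
        }

        # Is the SMB1 component still installed? Server SKUs use ServerManager,
        # client SKUs use the optional-feature cmdlets.
        $installed = 'unknown'
        if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
            $installed = (Get-WindowsFeature -Name FS-SMB1).Installed
        } elseif (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
            $installed = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State -eq 'Enabled'
        }

        [pscustomobject]@{
            Computer       = $env:COMPUTERNAME
            Smb1Enabled    = $cfg.EnableSMB1Protocol
            Smb1Installed  = $installed
            AuditSupported = $auditSupported
            Smb1Clients    = ($smb1Clients -join '; ')
        }
    }
}

Get-Smb1Status -ComputerName $Servers | Format-Table -AutoSize
```

The audit log only records clients that connect after auditing is switched on, so leave it running long enough to cover monthly jobs and rarely used devices before treating an empty `Smb1Clients` column as proof that nothing depends on SMB 1; that is the same reasoning behind Kyttle's preference for a network capture.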

"After reviewing server communication and performing network captures where required, please disable or remove SMB1 from as many systems in your environment as possible," Kyttle advised.
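The removal step itself, as an added example rather than a script from Kyttle or Microsoft: disable the SMB 1 server protocol and uninstall the component on the local Windows host. The function supports `-WhatIf` so the change can be previewed first, and it only acts on hosts where SMB 1 is actually present. It assumes an elevated session on Windows Server 2012 R2 / Windows 8.1 or later; the function name `Disable-Smb1` is a placeholder.

```powershell
# Added example: disable and remove SMB1 on the local host after the audit shows
# no remaining SMB1 clients. Assumptions: elevated session, Windows 8.1 / Server 2012 R2
# or later (earlier builds use the registry and sc.exe steps in Microsoft's KB article).

function Disable-Smb1 {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $cfg = Get-SmbServerConfiguration
    if ($cfg.EnableSMB1Protocol -and
        $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMB1 server protocol')) {
        # Stops the server from accepting SMB1 sessions; SMB2 and SMB3 are untouched.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }

    # Remove the component so SMB1 cannot be re-enabled by a later setting change.
    if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
        if ((Get-WindowsFeature -Name FS-SMB1).Installed -and
            $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Uninstall FS-SMB1 feature')) {
            Uninstall-WindowsFeature -Name FS-SMB1     # takes effect after a reboot
        }
    } elseif (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
        if ($feat.State -eq 'Enabled' -and
            $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMB1Protocol optional feature')) {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
        }
    }

    # Report the resulting state so the change can be verified from the inventory.
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
}

# Preview first; drop -WhatIf to apply.
Disable-Smb1 -WhatIf
```

Uninstalling the feature also removes the SMB 1 client side on these builds, which is what protects a server that, as Kyttle notes, may itself be connecting out to SMB 1-only printers or NAS devices; confirm those dependencies are gone before the reboot that completes the removal.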

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
