
Microsoft Offers Tips on Removing Insecure SMB 1 from Windows Networks

Microsoft recently highlighted some tools that IT pros can use to detect if Server Message Block version 1 (SMB 1) is being used in a network.

The need to check for SMB 1 use is perhaps amplified by a ransomware outbreak that occurred earlier this week, targeting Windows systems using SMB 1. While some security software vendors have suggested that SMB version 2 gets targeted by the ransomware, Microsoft affirmed this week via e-mail that only SMB 1 was subject to the attack.

To address the ransomware attack, Microsoft has generally recommended installing its March MS17-010 "critical" security bulletin release on Windows systems across the network. IT pros also may be able to remove the unsafe 30-year-old SMB 1 protocol from networks as an additional security precaution.

If SMB version 2 or SMB version 3 is present in a network consisting of Windows Servers (2008 or above), then disabling SMB 1 won't be a problem because the servers will seek out the next version of SMB to communicate with each other. However, simply disabling SMB 1 could cause problems, particularly if devices depend on using it, according to Ralph Kyttle, a premier field engineer at Microsoft, in a recent Microsoft TechNet blog post.

Kyttle noted that clients can "sometimes act as SMB servers." They can talk to devices that use SMB 1, such as "printers, NAS, [and] manufacturing gear," that could be running Windows or Samba/Linux, he noted.

Consequently, IT pros may want to run tests to check for SMB 1 dependencies in a network.

Kyttle offered three approaches for detecting device dependency on SMB 1, though he generally recommended performing a network capture. Network traffic can be captured using the Microsoft Message Analyzer tool, which produces logs of inbound and outbound traffic that can be filtered to show SMB 1 traffic.
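As an added illustration (not code from Microsoft or from Kyttle's post), the Python below shows what a capture filter for SMB 1 has to distinguish: a modern client opens with an SMB 1 negotiate message that also offers SMB 2 dialects, so only SMB 1-only negotiates and post-negotiate SMB 1 traffic indicate a real dependency. It assumes each payload is one message taken from TCP port 445 in a capture export; the host names and messages are constructed.

```python
SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB1_COM_NEGOTIATE = 0x72   # SMB_COM_NEGOTIATE
SMB1_FLAGS_REPLY = 0x80     # set on server-to-client messages
SMB1_HEADER_LEN = 32

def negotiate_dialects(msg):
    """Return the dialect names offered in an SMB1 NEGOTIATE request."""
    word_count = msg[SMB1_HEADER_LEN]
    start = SMB1_HEADER_LEN + 1 + 2 * word_count + 2   # skip words and ByteCount
    byte_count = int.from_bytes(msg[start - 2:start], "little")
    entries = msg[start:start + byte_count].split(b"\x00")
    # Each entry is a 0x02 buffer-format byte followed by an ASCII name.
    return [e[1:].decode("ascii", "replace") for e in entries if e[:1] == b"\x02"]

def classify(payload):
    """Label one payload: 4-byte session header, then the SMB message."""
    if len(payload) < 8 or payload[0] != 0x00:
        return "not-smb"
    msg = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    if msg[:4] == SMB2_MAGIC:
        return "smb2-or-later"
    if msg[:4] != SMB1_MAGIC or len(msg) < SMB1_HEADER_LEN + 3:
        return "not-smb"
    command, flags = msg[4], msg[9]
    if command != SMB1_COM_NEGOTIATE or flags & SMB1_FLAGS_REPLY:
        return "smb1-in-use"                    # session really runs over SMB 1
    if any(d.startswith("SMB 2") for d in negotiate_dialects(msg)):
        return "smb1-negotiate-offering-smb2"   # modern client, not a dependency
    return "smb1-only-client"                   # offers nothing newer than SMB 1

def smb1_dependents(flows):
    """Hosts whose traffic shows a real SMB 1 dependency."""
    hits = {"smb1-in-use", "smb1-only-client"}
    return sorted({src for src, payload in flows if classify(payload) in hits})

# Constructed sample traffic (hypothetical hosts, hand-built messages).
def _frame(msg):
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

def _smb1(command, body=b"", flags=0x18):
    header = SMB1_MAGIC + bytes([command]) + b"\x00" * 4 + bytes([flags]) + b"\x00" * 22
    return _frame(header + b"\x00" + len(body).to_bytes(2, "little") + body)

SAMPLE_FLOWS = [
    ("win10-pc", _smb1(0x72, b"\x02NT LM 0.12\x00\x02SMB 2.002\x00\x02SMB 2.???\x00")),
    ("old-printer", _smb1(0x72, b"\x02NT LM 0.12\x00")),
    ("nas-01", _smb1(0x73)),                    # SMB_COM_SESSION_SETUP_ANDX
    ("fileserver", _frame(SMB2_MAGIC + b"\x00" * 60)),
]
```

Calling `smb1_dependents(SAMPLE_FLOWS)` lists only the printer and the NAS; the Windows 10 client's negotiate is not counted because it offers SMB 2 dialects.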

It's also possible to use PowerShell's Desired State Configuration Environment Analyzer (DSCEA) module to detect SMB 1 use, Kyttle explained in another blog post. DSCEA requires the use of PowerShell version 5.0 and can show compliance details via HTML or Power BI. The benefit of using DSCEA is that IT pros can use the scan to fix noncompliant configurations.

"After reviewing server communication and performing network captures where required, please disable or remove SMB1 from as many systems in your environment as possible," Kyttle advised.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
