Microsoft Offers Tips on Removing Insecure SMB 1 from Windows Networks -- Redmondmag.com

Microsoft Offers Tips on Removing Insecure SMB 1 from Windows Networks

By Kurt Mackie
05/16/2017

Microsoft recently highlighted some tools that IT pros can use to detect if Server Message Block version 1 (SMB 1) is being used in a network.

The need to check for SMB 1 use is perhaps amplified by a ransomware outbreak that occurred earlier this week, targeting Windows systems using SMB 1. While some security software vendors have suggested that SMB version 2 gets targeted by the ransomware, Microsoft affirmed this week via e-mail that only SMB 1 was subject to the attack.

To address the ransomware attack, Microsoft has generally recommended that its March MS17-010 "critical" security bulletin release for Windows systems be installed in networks. IT pros also may be able to remove the unsafe 30-year-old SMB 1 protocol from networks as an additional security precaution.

If SMB version 2 or SMB version 3 is present in a network consisting of Windows Servers (2008 or above), then disabling SMB 1 won't be a problem because the servers will seek out the next version of SMB to communicate with each other. However, simply disabling SMB 1 could cause problems, particular if devices depend on using it, according to Ralph Kyttle, a premier field engineer at Microsoft, in a recent Microsoft TechNet blog post.

Kyttle noted that clients can "sometimes act as SMB servers." They can talk to devices that use SMB 1, such as "printers, NAS, [and] manufacturing gear," that could be running Windows or Samba/Linux, he noted.

Consequently, IT pros may want to run tests to check for SMB 1 dependencies in a network.

Kyttle offered three approaches for detecting device dependency on SMB 1. He generally recommended performing a network capture, though. Network traffic can be captured using the Microsoft Message Analyzer tool, which produces logs of inbound and outbound traffic that can be filtered to show SMB 1 traffic.

It's also possible to use PowerShell's Desired State Configuration Environment Analyzer (DSCEA) module to detect SMB 1 use, Kyttle explained, in another blog post. DSCEA requires the use of PowerShell version 5.0 and can show compliance details via HTML or Power BI. The benefit to using DSCEA is that IT pros can use the scan to fix noncompliant configurations.

"After reviewing server communication and performing network captures where required, please disable or remove SMB1 from as many systems in your environment as possible," Kyttle advised.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

Multi-Tenant Organization Hooks Released for Microsoft 365

Microsoft Entra ID's new multi-tenant organization capabilities have reached general availability (GA).
Real-World Ransomware Recovery

Here's how I was (mostly) successful in recovering a family PC infected with malware.
Microsoft Launches Small AI Models Family Phi-3

Recognizing that bigger isn't always better, Microsoft has released its smallest open AI models to date, Phi-3.
Microsoft and OpenAI Continue Global AI Expansions

Microsoft and OpenAI each continued their global expansion this month, with the announcements of new infrastructure investments and service rollouts in new regions, like Asia and the Middle East.
Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.