Jump to content

Microsoft to Disable SMBv1 in Windows Starting This Fall


CrAKeN

Recommended Posts

SMBv1.jpg

 

EXCLUSIVE — Starting this fall, with the public launch of the next major Windows 10 update — codenamed Redstone 3 — Microsoft plans to disable SMBv1 in most versions of the Windows operating systems.

 

Internally, Microsoft has been already building Windows versions where SMBv1 — a file sharing protocol Microsoft developed in the early 90s — has been disabled.

 

For example, Microsoft has disabled SMBv1 for internal builds of Windows 10 Enterprise and Windows Server 2016. These builds are not available to the public and are only for testing purposes.

 

"This will not reach Insider Flights for some time, and it does not affect released production code at all yet," said Ned Pyle, Principal Program Manager in the Microsoft Windows Server High Availability and Storage group, who confirmed the company's plans to Bleeping Computer yesterday via email.

 

Exact details are not available just yet, as Microsoft is still in the early stages of deciding on a plan of action.

 

"It is likely to evolve several times inside Flights," Pyle said. "All of this is subject to change and none of it can be considered plan of record. This is just early guidance."

 

Decision made five years ago. Long before WannaCry.


In the past few months, SMBv1 has been in the limelight like never before. The Shadow Brokers leaked a batch of hacking tools that revolved around exploiting SMBv1 security flaws. If this wasn't enough, someone used one of these exploits to help create a ransom-worm called WannaCry that wreaked havoc across the world.

 

Despite these high-profile incidents, the decision to disable SMBv1 was made long before that.

 

"It started 5 years ago," Pyle said. "We made the decision public in 2014, without setting specific dates and OSes until later."

 

That date is now the release of Windows 10 Redstone 3, also referenced as the Fall Creators Update, scheduled for launch in October/November 2017.

 

After that day, every new Windows 10 or Windows Server 2016 OS you install will not have some or all of SMBv1 turned on, which is the norm right now.

 

"This is not patching, nor upgrading," Pyle said. "This is clean install RS3."

 

This means Microsoft decision will not affect existing Windows installations, where SMBv1 might be part of a critical system. Users who want to get rid of SMBv1 will still have to manually disable SMBv1 on their existing machines, or perform a clean install with Redstone 3.

 

Nonetheless, Pyle doesn't exclude a situation where Microsoft changes track on the "upgrades" part, and decides to disable SMBv1 for users who upgrade from older OS versions to Windows 10 or new Insider Builds.

 

Security was the main reason to disable SMBv1


Even if the WannaCry outbreak was not the primary reason why Microsoft will disable SMBv1, the protocol's abysmal security had something to do with the company's decision.

 

"It’s the main, but not the only," Pyle told Bleeping Computer. "Besides security, the code itself was superseded by SMB2 and later for functionality; SMB1 brings no special value except ubiquity – SMB2 can do what SMB1 can, plus many other things."

 

"[Right now, SMBv]2.02 is the version that ships with Windows Server 2008, which is the oldest supported OS in the Windows/Windows Server stable currently. That makes it the minimum recommended," the expert added.

 

"We prefer that everyone run SMB 3.1.1 as a minimum, as it is the most secure and has the most functionality," Pyle says. "SMB1 is deprecated, meaning it is effectively abandoned except for security updates."

 

During the past few years, Pyle has been one of the most ardent supports of abandoning SMBv1. Famous are his articles on Microsoft's blog, and his Twitter SMBv1 memes.

 

https://twitter.com/NerdPyle/status/874469377353031681

https://twitter.com/NerdPyle/status/871820787581374466

https://twitter.com/NerdPyle/status/776900804712148993

https://twitter.com/NerdPyle/status/775840453203677184

 

More recently, Pyle has been keeping a list of vendors and products that require SMBv1 as a minimum requirement, so users can avoid these products and implicitly get blocked in supporting SMBv1, a protocol that's over three decades old.

 

Users interested in disabling SMBv1 can visit this Microsoft's support page for step-by-step instructions.

 

Source

Link to comment
Share on other sites


  • Replies 3
  • Views 503
  • Created
  • Last Reply

Nothing like being invited to a party and showing up 5 years late, is there Microsoft?  Good news is most large corporations and companies with good security officers blocked SMB1  at least 5 years ago.  The old security adage of 'if you don't need it, block it' was alive and well back then.  The new crop of security officers seem to be reactive and not proactive.  One of the reasons you see more companies getting hacked.

Link to comment
Share on other sites


  • Administrator

I was surprised to see when all the mobile apps that could connect to LAN were using SMBv1 and had no SMBv2 or SMBv3 in sight. I guess this issue has raised awareness with everyone I think.

Link to comment
Share on other sites


Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...