Jaa


Detecting and remediating SMBv1

We have recently issued a Security Update (4013389) for Windows SMB. This does affect all supported versions of Windows at this time.

SMB isn't safe, and causes you to lose some key protections, among them:
Pre authentication integrity, which new in Windows 10/2016. It improved "man-in-the-middle" protection against attacks tampering with SMBv2's connections and authentication messages.
Secure Dialect Negotiation, which is also new to SMBv3 to protect against man-in-the middle attacks to downgrade the negotiated capabilities between client and server.
Encyption, which we all know what this is - in newer SMBv3.1.1, performance of encryption has continued to improve.
Insecure guest auth blocking, again preventing man-in-the-middle attacks.
Better message signing as SHA-256 replaces MD5 as the hashing algorythm.

It also provides significant improvements in performance to lose v1 for v3 such as larger reads/writes, peer caching / BranchCache capablities, and better handles (among other things).

First, allow me to deliver some bad news. SMBv1 is enabled by default and is still used in Server 2016, likely for compatibility reasons.

How do you detect or audit it? Very simple.

For Windows 10 and Server 2016:
You can do this in PowerShell:
Set-SmbServerConfiguration –AuditSmb1Access $true
...but we don't use 2016, we use an older OS on our servers...
Got you covered there too:

For Windows Vista/2008, Windows 7/2008 R2
You can check this registry key: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 for value 0 (which will be disabled, 1 is enabled)
There is a Key for SMBv2 as well, if you want to check this while you're at it.

For Windows 8 and Server 2012
This is a bit easier, you can use this PowerShell to detect it, maybe even put it into SCCM to see which systems may have SMBv1 enabled:

 
if ([bool](Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol))
{
Write-Host "SMBv1 is Enabled"
}
else
{
write-host "SMBv1 is Disabled"
}

Remediating the problem
Unless you still have a need for XP/2003 (or even older), and is no longer supported, you should turn off SMBv1. There are a few ways to do it, and honestly isn't difficult:

  • Server 2012 R2 and Server 2016
    • Server Manager: Disable SMB 1.0/CIFS File Sharing Support (Feature)
    • PowerShell: Remove-WindowsFeature FS-SMB1
  • Windows Client (8.1 and 10)
    • Remove the Windows Feature SMB 1.0/CIFS File Sharing Support
    • PowerShell: Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
  • Windows Vista/7/2008/2008 R2
    • You can use the registry and set this value to 0: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMBv1 (1 is enabled)

I hope you found this article on how to detect and remediate SMBv1 to be informative and effective. Don't forget you can use things such as SCCM Compliance Settings to detect and remediate these items as well.

-- If you like my blogs, please share it on social media, rate it, and/or leave a comment. --

Comments

  • Anonymous
    May 31, 2017
    Great overview Lee! There is a typo in how to remove SMBv1 from Server 2012 R2 and Server 2016: PowerShell: Remove-WindowsFeature FS-SMB1 (not FS-DMB1).
    • Anonymous
      June 01, 2017
      Thank you for the kind words, Daniel, always appreciated. I will certainly fix the typo, thanks for bringing it to my attention, guess you caught me not using copy/paste. :)
  • Anonymous
    August 17, 2017
    The comment has been removed
    • Anonymous
      August 17, 2017
      Thanks for this. I did some checking, and looks like Windows 7 is still without auditing. I know a lot of folks have moved towards Windows 10, but still a lot on 7 these days. Brace yourselves, January 14, 2020 will be here before you know it.
    • Anonymous
      September 27, 2017
      These added comments are very helpful. Where in the Event Viewer are these audit entries collected? Thanks
      • Anonymous
        September 27, 2017
        After running the Set-SmbServerConfiguration cmdlet, go to the Event Viewer and Applications and Services. You'll find it in Windows \ SMBServer \ Audit. Hope this helps.
  • Anonymous
    September 27, 2017
    The Logic check does not workif ([bool](Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol))this always returns Falseit should be if (((Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol)).EnableSMB1Protocol)
    • Anonymous
      September 27, 2017
      Thanks for the comment. I'll look into this and update the blog as needed.
  • Anonymous
    October 24, 2017
    Great article.
  • Anonymous
    January 15, 2018
    For Windows Vista/2008, Windows 7/2008 R2 - how do we enable SMB1 auditing? Is network captures the only option?
    • Anonymous
      January 17, 2018
      It looks like there is no way to backport the PowerShell cmdlet to enable SMB auditing at this point. Unless someone else has another idea, I see captures as being the option to trace (short of turning it off and see who complains).