Slashdot Mirror


Microsoft Will Disable WannaCry Attack Vector SMBv1 Starting This Fall (bleepingcomputer.com)

An anonymous reader writes: Starting this fall, with the public launch of the next major Windows 10 update (codenamed Redstone 3), Microsoft plans to disable SMBv1 in most versions of the Windows operating system. SMBv1 is a three-decades-old file sharing protocol that Microsoft has continued to ship "enabled by default" with all Windows OS versions.

The protocol got a lot of attention recently as it was the main infection vector for the WannaCry ransomware. Microsoft officially confirmed Tuesday that it will not ship SMBv1 with the Fall Creators Update. This change will affect only users performing clean installs, and will not be shipped as an update. This means Microsoft's decision will not affect existing Windows installations, where SMBv1 might be part of a critical system.

73 comments

  1. Microsoft kills what made it great by klingens · · Score: 4, Informative

    The old Microsoft was backwards compatible to old software. Yes it was hard, yes it meant to support shitty old protocols like SMB v1, but they did it, and lots of stuff worked, just worked together, Microsoft code that actually worked!

    When they disable SMB v1, one cannot put XP or anything before it in the same network as a current Windows to share files. E.g. an XP VM for some old scanner or printer that you can still use via VM and the current host OS can access.

    1. Re:Microsoft kills what made it great by Anonymous Coward · · Score: 1

      VueScan (https://www.hamrick.com) will let you use any scanner on any OS, regardless of driver support. I use it to use an old SCSI scanner from the Windows 95 days on my 64-bit Win10 setup.

    2. Re:Microsoft kills what made it great by Z00L00K · · Score: 1

      However it's way too late to disable it, and a better alternative would be to make a mod to XP to fix it.

      I had to disable SMBv1 to make my Windows 7 connect to my Samba server. Seems like Samba was ahead of the game there.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    3. Re: Microsoft kills what made it great by Brockmire · · Score: 2

      If the manufacturer didn't support the scanner, why should Microsoft? Do you know what "few" means? If Linux had your scanner driver, why didn't you switch a decade earlier?

    4. Re:Microsoft kills what made it great by Bert64 · · Score: 2

      SCSI scanners actually use a standard protocol and shouldn't need drivers...

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    5. Re:Microsoft kills what made it great by Anonymous Coward · · Score: 0

      When they disable SMB v1, one cannot put XP or anything before it in the same network as a current Windows to share files. E.g. an XP VM for some old scanner or printer that you can still use via VM and the current host OS can access.

      Optional things and specific cases should be in "options" you know like a checkbox saying "enable v1 support" not ON by default.
      Just as simple as that, and for average Joe you can just pop a Clippy asking "is something not working after the update?" and then enable v1 support according to the answer.

      And yes Clippy also optional at install/upgrade

    6. Re: Microsoft kills what made it great by Anonymous Coward · · Score: 0

      If the manufacturer didn't support the scanner, why should Microsoft?
      Do you know what "few" means?
      If Linux had your scanner driver, why didn't you switch a decade earlier?

      Microsoft encouraged and then dropped a protocol used by a lot of USB scanners; the protocol made cheaper scanners by delegating things to Windows instead of an expensive development of drivers and hardware. And nope, it wasn't a "few": a lot of people had to upgrade hardware because software dropped support. It was in the middle of an economic bubble so not everybody noticed it but the most conservative users, like the ones that buy a thing to last more than 5 years.

    7. Re:Microsoft kills what made it great by Opportunist · · Score: 1

      Then the least they could do is ship newer versions with ancient protocols and support for ancient crap DISabled by default. If you need it, enable it. I think the one person out of a million that actually still needs protocols that have been read in "ancient history 101" can be bothered to click "enable" once.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    8. Re:Microsoft kills what made it great by Opportunist · · Score: 1

      To their defense, SMBv1 support isn't remotely as annoying as Clippy, most likely most people never noticed its existence.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    9. Re: Microsoft kills what made it great by dougdonovan · · Score: 2

      MSFT will get to it when they get to it. It's been this way for 35 years.

    10. Re:Microsoft kills what made it great by Anonymous Coward · · Score: 0

      for various definitions of "worked".

      The problem has ALWAYS been that Microsoft will not fix vulnerabilities.

    11. Re:Microsoft kills what made it great by currently_awake · · Score: 1

      Or they could have a security setting to turn it on/off, with it defaulting to off. And they could release it as a security update now instead of next year.

    12. Re:Microsoft kills what made it great by __aaclcg7560 · · Score: 1

      VueScan (https://www.hamrick.com) will let you use any scanner on any OS, regardless of driver support.

      Second this. When I saw how easy VueScan made scanning from old hardware, I bought a professional license 10+ years ago. Still getting free updates. Software runs on Windows, Mac and Linux.

  2. Problem is not the age of the protocol by 140Mandak262Jamuna · · Score: 5, Interesting
    30 year old protocols are not ipso facto bad.

    What is bad is not upgrading the security of a protocol that is ON by default for 30 years.

    Let us take something equally ancient on the unix side, like the Xwindows. Is it on by default in linux? Does it suck as much as SMBv1 in terms of security? What kind of security enhancements have gone into each protocol over these three decades?

    I don't know which one is better, but that will give us a sense of how much blame to heap on Microsoft.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Problem is not the age of the protocol by chipschap · · Score: 2, Interesting

      30 year old protocols are not ipso facto bad.

      What is bad is not upgrading the security of a protocol that is ON by default for 30 years.

      Let us take something equally ancient on the unix side, like the Xwindows. Is it on by default in linux? Does it suck as much as SMBv1 in terms of security? What kind of security enhancements have gone into each protocol over these three decades?

      I don't know which one is better, but that will give us a sense of how much blame to heap on Microsoft.

      No. It will give us a sense of how much blame to heap on Xwindows. The fact that there are potentially bad practices going on elsewhere doesn't excuse them.

    2. Re:Problem is not the age of the protocol by mccalli · · Score: 2

      Well, "what kind of security enhancements" covers the existence of SMB v3. It's not surprising that v1 might not be up to modern security - it was written for a different time.

    3. Re: Problem is not the age of the protocol by Anonymous Coward · · Score: 0

      No excuses lol

      Everyone else wasn't filled with default-server daemons with built in vulns back then. This is a Microsoft issue.

    4. Re: Problem is not the age of the protocol by Anonymous Coward · · Score: 0

      Xwindows is not on by default, it is a distributor choice and not necessary to run a nix box. It is just the only choice of windowing environment. Hopefully it will be displaced by Wayland but any security concerns there are implementation specific. A poor example, but you could have picked any of the many open source projects which have legacy flaws.

    5. Re:Problem is not the age of the protocol by chispito · · Score: 2

      What is bad is not upgrading the security of a protocol that is ON by default for 30 years.

      It HAS been upgraded to version 3. This is not a neglected protocol, this is default backwards compatibility. They are now defaulting to NOT be backwards compatible, due to lack of security.

      But I agree that it should have been turned off much sooner.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    6. Re:Problem is not the age of the protocol by Chris+Mattern · · Score: 1

      Let us take something equally ancient on the unix side, like the Xwindows. Is it on by default in linux?

      Yes, of course, but by default all remote connections to the X server are disabled. Red Hat also has a default iptables config that shuts off the port, too.

    7. Re:Problem is not the age of the protocol by Anonymous Coward · · Score: 0

      > What is bad is not upgrading the security of a protocol that is ON by default for 30 years.

      a) It can be tough to perform backwards-compatible security upgrades to a communications protocol. If you're interested in interoperability with non-upgraded (and/or non-upgradable) clients, it can often be impossible.

      ii) If you know of no reason to create a security fix for a piece of software, and you're busy with other things, you're not likely to go digging around for security-relevant bugs that are -in all likelihood- not there. Time and manpower are both finite, so you have to spend both wisely.

      3) WannaCry is the result of a -apparently- dreadfully old vulnerability that was hoarded by the US Intelligence Apparatus. The US Public needs to have a _really_ serious, level-headed discussion about whether or not the Intelligence Agencies are reaching the correct conclusions when they determine whether they're going to sit on and use a vulnerability or they're going to inform software companies of it so it can be fixed. Given how unproductive the discussion that came out of the Snowden Leaks was, I don't have high hopes for this one.

    8. Re:Problem is not the age of the protocol by Anonymous Coward · · Score: 0

      It's not surprising that v1 might not be up to modern security - it was written for a different time.

      ... and is ON by default

    9. Re:Problem is not the age of the protocol by Anonymous Coward · · Score: 1

      But I agree that it should have been turned off much sooner.

      Almost everything on windows should be turned off by default

    10. Re: Problem is not the age of the protocol by del_diablo · · Score: 1

      >it is a distributor choice
      So it's on by default. Thank you for your valid and long argument.

    11. Re: Problem is not the age of the protocol by Zero__Kelvin · · Score: 0

      No dumbshit. It is on if you select a GUI at install time in many distributions. In numerous others Wayland is the default for GUI, which again is an option. Since you have no experience with and/or understanding of Linux, stick to Windows critiques if by some surprising development you ever have a clue about that.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    12. Re:Problem is not the age of the protocol by Opportunist · · Score: 1

      No, of course not. How old is IPv4?

      What makes the protocol problematic is that it is not only ancient but also hasn't been in use by anyone in a more or less productive environment for nearly as long as it exists. The problem here is that with a lack of use, a lack of auditing comes along. And things that don't get audited because nobody really relies on them also get very little scrutiny when it comes to their security flaws.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    13. Re:Problem is not the age of the protocol by Anonymous Coward · · Score: 0

      Heck, you should turn Windows off by default...

    14. Re: Problem is not the age of the protocol by Anonymous Coward · · Score: 0

      you're a douche

    15. Re:Problem is not the age of the protocol by ckatko · · Score: 1

      I can't wait for 30 years to pass and a vulnerability in v1.0 of systemd comes out to see how measured and reasonable Slashdotters are.

    16. Re:Problem is not the age of the protocol by thegarbz · · Score: 1

      Let us take something equally ancient on the unix side, like the Xwindows. Is it on by default in linux? Does it suck as much as SMBv1 in terms of security?

      Sucking as much is a loaded question. The reality is everything sucks differently. You can't bolt on security without making a mess. Security needs to be thought of from the beginning or the protocol needs to be replaced with something else. Here's a classic example from X: Not only can anything draw on the screen, it can also block other things from drawing on the screen. This has serious implications for something like a lock screen.

      If something wasn't thought up when a protocol was created then adding it as a patch can potentially break the existing protocol irreparably. Hence, SMBv2 etc.

    17. Re:Problem is not the age of the protocol by Shirley+Marquez · · Score: 1

      The X Windows protocol itself does not include any security beyond a simple password check that is sent unencrypted, so running it straight up on a network that has any public connections is a bad idea. But these days people mostly run it tunneled through an SSH connection, which is encrypted, except for connections on the local host. So it has effectively gotten a security update even though the X protocol itself was not upgraded.

    18. Re:Problem is not the age of the protocol by ebvwfbw · · Score: 1

      It wasn't as if it was really on for 30 years. Microsoft didn't own networking until at least the mid 1990s, I'd argue well into the 2000s. So I'd say 10-15 years. Novell and Unix ran it before. Novell dominated Windows networking well into the 1990s. I wouldn't be surprised if Novell isn't still running some government agencies. I remember Microsoft couldn't give their networking away. Then they called it "NT", had a big fanfare and such.. and stupid managers bought it. Says NEW... New Technology! No, it was the same old crap. Unfortunately they got away with it, and greasing a lot of palms with green stuff, they managed to penetrate the market.

  3. Is there a reason not to disable it on home by rsilvergun · · Score: 2

    and small networked systems? I honestly haven't paid much attention to the underlying protocols of Windows file sharing. What, if any, advantages are there to having it on by default?

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
    1. Re: Is there a reason not to disable it on home by Anonymous Coward · · Score: 0

      Presumably there are a fuckton of older systems (and not so old..) running either Windows XP, Windows Embedded, Windows POS or - especially - Linux / BSD with an older install of Samba that will start to have 'patchy' connectivity to (l)users Windows 10 devices..

    2. Re:Is there a reason not to disable it on home by Anonymous Coward · · Score: 1

      In general, no, you can turn it off as long as you don't have any Windows XP, 2003 or older machines. Network printers are the big exception; they often only support SMBv1.

    3. Re:Is there a reason not to disable it on home by will_die · · Score: 1

      Unless you have stuff from the Windows XP/Windows 2003 time frame you are probably good. You will need v3, and a lot of things need v2.

    4. Re:Is there a reason not to disable it on home by Anonymous Coward · · Score: 0

      Windows XP only understands SMBv1, so if you turn it off, it means all of your Windows XP machines won't be able to connect to your local network, share files, etc... This is unacceptable.

  4. What's the rush? by Anonymous Coward · · Score: 0

    The damage has been done.

    1. Re:What's the rush? by Anonymous Coward · · Score: 0

      "The damage has been done."
      This is the motto of every security "expert" or "researcher" in existence. Evidently the people who exploit security weaknesses are 10 steps ahead of those who are supposed to be providing system security. If criminals can ferret out these exploits you have to wonder why those claiming to be security experts cannot do so as well. It would be no big surprise if the security experts play both sides of the fence. They would guarantee their future employment while continuing to make a shitload of money. Make money from the exploit and turn around and make money for discovering the exploit and publishing their warnings. The security experts never seem to be able to secure anything. Instead they just conduct post-mortems and publish their findings but "The damage has been done."

    2. Re:What's the rush? by Anonymous Coward · · Score: 0

      It would be no big surprise if the security experts play both sides of the fence.

      They look like penguins, once they approach you they are white but if they turn their back they become black. White hats and Black hats are the same, they just rotate 180 degrees to change sides.

    3. Re: What's the rush? by Anonymous Coward · · Score: 0

      Maybe they are penguins...

  5. Re: Non-windows devices are also affected majorly. by Anonymous Coward · · Score: 0

    SMB 1 has been deprecated for 4-ish years though. Why are OEMs not bothering to support newer protocol stacks when they're out there?

  6. while you are at it by Anonymous Coward · · Score: 4, Insightful

    disable by default:

    * cortana
    * search
    * xbox
    * windows store updates
    * non critical updates
    * old app profiling
    * prefetching the unprefetchable
    * apps in suspended mode
    * task scheduler
    * onedrive
    * remote access
    * remote admin
    * windows media
    * shared folders

    and the list goes on and on and on

    btw do you know you can boot with a linux usb and delete all the windows store/windows apps folders? some registry cleanup after boot but hey no more ghost process in background eating cpu and memory

    1. Re:while you are at it by Opportunist · · Score: 3, Insightful

      And ENable by default showing file extensions and showing "hidden" files while you're at it!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:while you are at it by Anonymous Coward · · Score: 0

      And ENable by default showing file extensions ...

      So much this. Hiding file extensions by default was one of the more visible dangerous-to-general-users things that Microsoft has done in the last couple of decades. (Not that they haven't done a lot of dangerous things, but how many grandmas would be less likely to double-click "grandkids.jpg.exe" than "grandkids.jpg"?)
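The two comments above ask for extensions and hidden files to be shown by default and give "grandkids.jpg.exe" as the reason. The following is an added example (not code from any commenter) that applies both Explorer settings for the current user and then looks for exactly that kind of disguised name. It relies on the HideFileExt and Hidden values under the Explorer\Advanced key, which are the standard Explorer settings; the lists of "executable" and "decoy" extensions and the default Downloads path are this example's own choices, not an official list.

```powershell
# Added example (not from the post): show extensions and hidden files in Explorer,
# then flag "double extension" files such as grandkids.jpg.exe that the
# hidden-extension default makes look like a harmless picture.
# Assumed values: HideFileExt/Hidden under the Explorer\Advanced key (standard
# Explorer settings); the extension lists below are this example's own choices.

$AdvancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Set-ExplorerShowAll {
    # HideFileExt = 0 shows extensions; Hidden = 1 shows hidden files.
    # Explorer picks the values up after a sign-out or an explorer.exe restart.
    Set-ItemProperty -Path $AdvancedKey -Name HideFileExt -Value 0 -Type DWord
    Set-ItemProperty -Path $AdvancedKey -Name Hidden -Value 1 -Type DWord
}

function Test-ExplorerShowAll {
    # True when both settings are in the "show everything" state.
    $v = Get-ItemProperty -Path $AdvancedKey
    ($v.HideFileExt -eq 0) -and ($v.Hidden -eq 1)
}

function Find-DoubleExtension {
    # Walk $Path and report files whose real (last) extension is executable while
    # the name Explorer would display with extensions hidden ends in a document-like one.
    param([string]$Path = "$env:USERPROFILE\Downloads")   # constructed default
    $executable = '.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js', '.jse', '.wsf', '.hta', '.scf', '.lnk'
    $decoy = '.jpg', '.jpeg', '.png', '.gif', '.pdf', '.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx', '.txt', '.zip'
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $real  = $_.Extension.ToLowerInvariant()
        $shown = [System.IO.Path]::GetExtension($_.BaseName).ToLowerInvariant()
        if (($executable -contains $real) -and ($decoy -contains $shown)) {
            [pscustomobject]@{
                DisplayedAs = $_.BaseName    # what the user sees with extensions hidden
                ActualName  = $_.Name
                FullName    = $_.FullName
            }
        }
    }
}

Set-ExplorerShowAll
Test-ExplorerShowAll
Find-DoubleExtension | Format-Table -AutoSize
```

Note that .lnk and .scf are on the executable list because Explorer hides those extensions even when HideFileExt is 0 (they carry the NeverShowExt flag), so a name check is the only way a user would notice them.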

    3. Re:while you are at it by Anonymous Coward · · Score: 0

      * close forever port 139

    4. Re:while you are at it by Anonymous Coward · · Score: 0

      btw do you know you can boot with a linux usb and delete all the windows store/windows apps folders? some registry cleanup after boot but hey no more ghost process in background eating cpu and memory

      I am legit surprised they never rolled that up under System Files Protection, that feature that scans changes to every system file and warns you if anything fucks with them.
      I don't know the actual name of it again, it's been over a decade since I've seen that window pop up.

      Also, second that motion.
      Open services is THE biggest reason Windows is so horrific in regards to security.
      You can disable every service on XP non-essential to the OS and turn it into a TANK of an OS, despite being so old. Not to mention enable features disabled on OSes by default that seriously harden security so much.
      Stuff like enabling a zone disabled in Internet Options and disabling everything in it. (refers to your Computer, which handles scripting in anything non-browser, breaks some help files and other mshtml controls in some ways, but blocks a shitload of attack vectors!)
      Of course, given those that still use XP, they likely have an old-protocol-requirement for hardware or software.
      But for some strange reason, they still keep these ones on the internet.
      XP is fine on the internet with everything disabled, but if you give anything an inch, hackers will take the fucking mile and then some.
      Easier to just upgrade to "XP" PoSReady and install whatever processes you need, at least that has some nice security features on top and is up-to-date.

      Better yet, hire a developer to create middle-men programs, services and drivers to translate requests to a better protocol that CAN be upgraded. Or write new programs and transparently replace them. Might require some hackery with file permissions and DLL editing in some cases, but not impossible.
      Old developers have the wisdom and experience with these systems. It's the younger devs that CREATED these issues most times! (even without management-pressure!)

      Trust-by-default is the worst thing to happen to computing. Especially the internet itself. The fact the internet is horribly trust-based still freaks me out. One angry nation later and YouTube is blocked for 60+% of the world. Thanks Pakistan.
      The internet needs to die before it can be reborn. It's too big and too shit.
      We can't even reliably get to IPv6. There's STILL demand for IPv4. People are STILL rolling out IPv4 systems instead of IPv6.
      Of course, that is also to do with the fact IPv6 is also a fucking disaster of a spec, but still better than IPv4 simply for efficiency's sake, and security.
      Even if I was back then creating these specs, I would never have been so naive and childish in thinking that only trustworthy people would have been using computers. I'm 100% sure heavy corruption existed back pre-90s. Especially in the science fields. It is worse today, far worse, but still loads of it back then.
      See "fat is bad", and now see today "coconut oil is bad", yet more scummy pricks ignoring entire double-digit nations that consume high amounts of saturated fats with ZERO problems that American companies constantly associate with it. Fuck off already. Sincerely, the rest of the world.
      There's no fixing it. It's too far gone. We can't even regulate the corruption away. They end up becoming their own god damn regulators! (see computing, food, banking, drugs regulators, all self-regulated, all yes-men paid off by their respective industries)

    5. Re:while you are at it by Anonymous Coward · · Score: 0

      Why don't you just open PowerShell ISE with admin privileges and paste:

      Get-AppxPackage -AllUsers | Where-Object {$_.Name -like "*windowsstore*"} | Remove-AppxPackage
      Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -like "*windowsstore*"} | Remove-AppxProvisionedPackage -Online

      You can check whether you want to get rid of any other preinstalled and hard to get rid of crap:

      Get-AppxProvisionedPackage -Online | Select-Object DisplayName, PackageName

    6. Re:while you are at it by Anonymous Coward · · Score: 0

      Amen!

  7. Old protocols are a huge problem by Sycraft-fu · · Score: 4, Insightful

    When you take something that wasn't designed with security in mind and try to expand and adapt it, you have a lot of issues. Better to start with something designed for the purpose it is being used from the start.

    HTTP is a good example. It was designed as a stateless protocol for transferring text documents with markup. We now rely on it to do stateful transactions for things like shopping carts online and this has led to tons of security issues since you have to hack on state to a protocol that isn't designed to support it using things like cookies. It would be much more secure had it been designed from the ground up to handle stateful transactions with people.

    IP is another great example. There's all kinds of shit in IPv4 that is completely stupid from the perspective of a protocol used on the Internet. Like source routing, where you can specify the routers that a packet must go through, or the fact that you can just claim to be from any IP you want. This is a bad design for a global communications network. However it is that way because IP wasn't designed for a global communications network, it was designed for an ARPA project and it grew. IPv6 fixes a lot of this because it was designed later, around how IP is actually used these days.

    Also talking about Xwindows is funny because man, you wanna talk security risk, X is a huge one. If you have an X server that talks on the network any system on the network can just draw to your local display, and you have no easy way of knowing that it isn't your system. Someone can phish passwords in a very hard to detect way using it. Now of course most distros are smart enough to block remote X using the firewall, and you do something like tunnel it over SSH. However that is a hack, it is putting up barriers around something insecure. If those barriers are bypassed, the insecurity is still there. Better if it were designed secure from the ground up. Then you still put the barriers in place as well so that you aren't relying on any one level of security.

    Discontinuing the use of older protocols is a good idea for security, when possible. It isn't always possible, of course, I mean IPv4 is still far and away the most widely used IP spec. But you stop using them when you can (and indeed modern OSes will prefer IPv6 when they have both available).

    1. Re:Old protocols are a huge problem by Anonymous Coward · · Score: 0

      If only you're updated, just this year there were dangerous flaws found in IPv6 too.

    2. Re:Old protocols are a huge problem by WaffleMonster · · Score: 2

      When you take something that wasn't designed with security in mind and try to expand and adapt it, you have a lot of issues. Better to start with something designed for the purpose it is being used from the start.

      If more things were designed without security we would see much better outcomes.

      Security where possible should be treated as an aspect and simply punted to subsystems actually dedicated and capable of providing it rather than continuously (poorly) re-implemented.

      HTTP is a good example. It was designed as a stateless protocol for transferring text documents with markup. We now rely on it to do stateful transactions for things like shopping carts online and this has lead to tons of security issues since you have to hack on state to a protocol that isn't designed to support it using things like cookies.

      HTTP is the wrong layer for security. People have issues because they insist upon entering credentials into ad hoc web forms in plaintext over HTTPS instead of authenticating via a secure authentication protocol cryptographically bound to encrypted channels. One continues to offer security even when the user attempts to authenticate with an attacker... the other is the clusterfuck we have today.

      IP is another great example. There's all kinds of shit in IPv4 that is completely stupid from the perspective of a protocol used on the Internet.

      IPv4 and IPv6 are nothing more than an envelope of information with globally unique source and destination addresses. The design is in every way that matters perfect because it only says what is obviously necessary for communication.

      Just because old baggage and routing options exist is quite irrelevant if they are effectively disabled and not actually an issue/used in the real world.

      Like source routing, where you can specify the routers that a packet must go through,

      It's not so much a bad design as it is the wrong layer. Specifying where traffic goes is full time job of traffic engineers. The fictional problem which does not actually exist would be the practice of exposing routing decisions to IP... This is not occurring.

      or the fact that you can just claim to be from any IP you want. This is a bad design for a global communications network.

      I will go to my grave believing this is a feature to be celebrated although attempts to curb ala BCP 38 and crew are also to be celebrated. I believe it is practically impossible and morally perilous to even try to create a trusted global communications network open to everyone. The best humanity can do is make a network that with some predictable regularity delivers information to where it's supposed to go and let people establish their own end to end trust relationships. All known alternatives suck much worse than what we have now.

      However it is that way because IP wasn't designed for a global communications network, it was designed for an ARPA project and it grew. IPv6 fixes a lot of this because it was designed later, around how IP is actually used these days.

      While there will always be interesting implementation drama, IPv6 is the exact same shit in every way that matters as IPv4. The expanded address space adds some interesting new challenges such as local broadcast spam and places a slight damper on others such as tractability of global scans and associated exploit campaigns. High level it really is just 96 more bits of address space.

      Also talking about Xwindows is funny because man you wanna talk security risk, X is a huge.

      X risks hail from spaghetti code.

      Now of course most distros are smart enough to block remote X using the firewall, and you do something like tunnel it over SSH. However that is a hack, it is putting up barriers around something insecure.

      It seems to me if you want to control acc

    3. Re: Old protocols are a huge problem by Anonymous Coward · · Score: 0

      You do know that X has built-in security mechanisms, right? You do know that you don't have to rely solely on a separate firewall, right?

      No, who am I kidding, of course you don't know. But minor details like "complete ignorance of the subject" never stopped anyone from making an ass of themselves in public, did they?

    4. Re:Old protocols are a huge problem by Anonymous Coward · · Score: 0

      Actually, when originally developed X windows used Kerberos authentication with encryption as an added option.

      BUT because the US Government had labeled all encryption as "munitions", MIT was forced to remove it all; and not just remove it, but also had to remove any hooks for security that could have been used to add it back in.

      X, by default, does not enable TCP connections. It uses local domain sockets instead. To get network sockets requires the use of SSH...

  8. Protect vs. WanaCry easily 2 ways by Anonymous Coward · · Score: 2, Informative

    From MS - SMB Ports 445/139 (TCP) & 137/138 (UDP) protection via:

    Disable SMBv1 on the SERVER, configure the following registry key:

    Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    Registry entry: SMB1

    REG_DWORD: 0 = Disabled
    REG_DWORD: 1 = Enabled

    Default: 1 = Enabled

    Enable SMBv2 on the SERVER, configure the following registry key:

    Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    Registry entry: SMB2

    REG_DWORD: 0 = Disabled
    REG_DWORD: 1 = Enabled

    Default: 1 = Enabled

    ---

    Disable SMBv1 on the CLIENT, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

    sc.exe config mrxsmb10 start= disabled

    Enable SMBv2 & SMBv3 on the CLIENT, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi

    sc.exe config mrxsmb20 start= auto

    ---

    * The above is per https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012/

    APK

    P.S.=> For a SINGLE 'standalone' non-networked PC (no home network/LAN but TCP/IP connected online) turn off Server & Workstation services.

    That shuts off any "handles" (port 445) this thing propagates thru + turn off NetBIOS over TCP/IP in your internet connection & uncheck/disable Client for Microsoft Networks + File and Print Sharing. Port 139 & 445 always pop up issues over time. It also makes your packet trains smaller (no encapsulation of LanMan)

    I covered all this 11++ yrs. ago in a security guide I wrote for users with a single system & apparently, its advice STILL STANDS THE "TEST OF TIME" https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1/ vs. even today's threats like this one.

    This effectively makes this threat a non-issue + saves you CPU cycles/RAM & other I/O wasted on services you don't NEED as a single PC user only... & you don't. They're just wastes with a single PC really. Many services are (covered in guide above based on CIS Tool guidance (who took fixes to their ware from "yours truly" too, no less)) & again, no more encapsulated packet bulk.

    AND?

    Don't be STUPID & click on attachments in bogus malicious emails this thing propagates thru also (Chrome/Opera/Webkit users - BEWARE of the ShellControlFile issue that just popped up (.scf file) noted here-> http://www.theregister.co.uk/2017/05/17/chrome_on_windows_has_credential_theft_bug/ ) ... apk

    1. Re:Protect vs. WanaCry easily 2 ways by Anonymous Coward · · Score: 0

      And use a custom "hosts" file too you scurrilous knaves!
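The registry value and the two sc.exe commands quoted in comment #8 are the right knobs, but the practitioner's problem is usually the step before them: finding out which peers still negotiate SMB1 before turning it off (see the Mac/Linux/printer breakage reported further down this thread). The script below is an added example, not code from the comment, from Microsoft's KB article, or from any product; it wraps the quoted steps in a dry-run-by-default procedure that reports the current state, lists sessions still using an SMB1 dialect, and only with -Apply makes the change. It assumes Windows 8 / Server 2012 or newer for Get-SmbSession (on older systems the inventory step is skipped), and that the SMB1Protocol optional feature exists on the box (it does on Windows 8.1 and 10; on Server editions the equivalent is Remove-WindowsFeature FS-SMB1, which is not shown here). The hypothetical function names Get-Smb1State, Get-Smb1Sessions and Disable-Smb1 are mine.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not the comment's, Microsoft's or any product's code).
  Wraps the KB2696547 steps quoted in the comment:
    1. report the current SMB1 state, server side and client side,
    2. list sessions still negotiating an SMB1 dialect,
    3. only with -Apply: disable SMB1 and re-check.
  Assumes Windows 8 / Server 2012+ for Get-SmbSession; the optional-feature
  removal is attempted only where the cmdlet exists and failures are ignored.
#>
param(
    [switch]$Apply   # without -Apply nothing on the machine is changed
)

$ServerParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ClientDriver = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'

function Get-Smb1State {
    # Server: the SMB1 DWORD from the comment; a missing value means the default, enabled.
    $smb1 = (Get-ItemProperty -Path $ServerParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $serverOn = if ($null -eq $smb1) { $true } else { $smb1 -ne 0 }

    # Client: the mrxsmb10 driver's Start value; 4 is SERVICE_DISABLED, which is
    # what "sc.exe config mrxsmb10 start= disabled" writes.
    $start = (Get-ItemProperty -Path $ClientDriver -Name Start -ErrorAction SilentlyContinue).Start
    $clientOn = ($null -ne $start) -and ($start -ne 4)

    [pscustomobject]@{ ServerSmb1 = $serverOn; ClientSmb1 = $clientOn }
}

function Get-Smb1Sessions {
    # Anything connected with a 1.x dialect (old Samba, printers, NAS boxes, XP)
    # loses access the moment SMB1 is switched off, so surface it first.
    if (-not (Get-Command Get-SmbSession -ErrorAction SilentlyContinue)) { return @() }
    @(Get-SmbSession -ErrorAction SilentlyContinue |
        Where-Object { $_.Dialect -like '1.*' } |
        Select-Object ClientComputerName, ClientUserName, Dialect)
}

function Disable-Smb1 {
    # Server side: identical to the registry entry in the comment.
    Set-ItemProperty -Path $ServerParams -Name SMB1 -Value 0 -Type DWord

    # Client side: the two sc.exe lines from the comment. The ".exe" matters in
    # PowerShell, where bare "sc" is an alias for Set-Content.
    & sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    & sc.exe config mrxsmb10 start= disabled | Out-Null

    # Where the OS ships SMB1 as an optional feature, remove the binaries as well,
    # so a later registry edit cannot quietly bring the protocol back.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
            -ErrorAction SilentlyContinue | Out-Null
    }
}

$before = Get-Smb1State
Write-Host ("Before: server SMB1 = {0}, client SMB1 = {1}" -f $before.ServerSmb1, $before.ClientSmb1)

$legacy = @(Get-Smb1Sessions)
if ($legacy.Count -gt 0) {
    Write-Warning "These sessions still use SMB1 and will break once it is disabled:"
    Write-Warning ($legacy | Format-Table -AutoSize | Out-String)
}

if (-not $Apply) {
    Write-Host "Dry run only. Re-run with -Apply to disable SMB1 on this machine."
    return
}

Disable-Smb1
$after = Get-Smb1State
Write-Host ("After:  server SMB1 = {0}, client SMB1 = {1}" -f $after.ServerSmb1, $after.ClientSmb1)
Write-Host "Reboot required: the registry value and the driver start type take effect after a restart."
```

Run it once without -Apply on each file server, fix or isolate whatever shows up in the warning, and only then run it with -Apply; the comment's own sc.exe "enable" lines are the rollback if something unexpected breaks.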

  9. "Only SMBv1"??? by Anonymous Coward · · Score: 0

    The only people that use SMBv1 are legacy Linux systems.

    SMBv2 had the copied code from SMBv1 when M$ migrated the APIs they knew worked from SMBv1 and then put them into v2.

    So why aren't they also deprecating SMBv2? That protocol was equally affected as SMBv1?

    Or is this, like I hinted in my first line, pulling up the protocol ladder to solidify licence revenue from the equally broken SMBv2 and stifle competition?

  10. Re:Non-windows devices are also affected majorly. by Opportunist · · Score: 1

    So in other words you could not be assed to update the security of your printers for years until it finally broke connectivity?

    Just so I know what I should avoid like the plague, what copier manufacturer are you working for?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  11. Idiots arguing over who is smartest by WaffleMonster · · Score: 1

    This SMB thing reminds me of people arguing over which version of SNMP is better to use. Use version 1... no version 2c that's better... no v3 with passwords and privacy passwords is much safer, when the reality is no matter what version you select the outcome is still very much the same: you're fucked. The only sane method for securing SNMP is restricting use to secure channels. (e.g. (D)TLS or SSH)

    My understanding is SMB is no different. Even the latest and greatest version 3 with somewhat modern algorithms still provides zilch in terms of offering a rational basis of trust. Trust is generally established from weak challenge-response authentication protocols (NTLM/Kerberos) which, when unprotected by PKI, expose users of SMB to offline compromise of their credentials.

    The only way to use SMB securely is the same as SNMP - restrict use to a secure channel at which point caring about worthless security features included with versions x, y and z is all a rather fruitless exercise.

    I should add on multiple occasions I've found myself having to disable SMBv2 due to shady caching and locking semantics that place performance before safety.

    At the end of the day I just want shit that works and Microsoft is spectacularly failing to deliver. It's 2017 and they still can't be bothered to implement a secure authentication protocol capable of standing alone.

  12. Suggestions disregarded by MS by Anonymous Coward · · Score: 0

    In late 2006, during the pre-Vista and XP SP3 days, I already encountered a forum post about a kid who wanted to secure his XP box and had a headache over his open port TCP/445, which is on by default on fresh installs, including the difficult-to-disable NetBIOS. The poster wanted to know how to disable this default SMBv1 port 445; he criticized MS and even claimed to have contacted MS to close it down due to security issues. But many replied on that forum regarding the local machine firewall and router firewall being the solution.

    Now that kid (from the Netherlands if my memory serves me right) seems to have been correct, 11 yrs AGO, about the dangers of an open useless port even if you're protected by your router firewall. If only M$ had heeded the warning.

  13. How to disable SMBv1 .. by najajomo · · Score: 3, Funny

    At least us Windows users have a modern GUI interface to play with instead of all those text config files under Linux.

    1. Re:How to disable SMBv1 .. by chipschap · · Score: 2

      Give me the text config files any day. Easy to edit, easy to do version control, easy to diff, etc. Easy to add comments, for that matter. No mouse needed, just the keyboard. Fast and accurate.

      GUIs are nice for casual administration (if there is such a thing) but to do any sort of heavy lifting, text files are efficient and manageable.

    2. Re:How to disable SMBv1 .. by Anonymous Coward · · Score: 0

      And much faster to do.

  14. SMB1 is a disaster - don't use it by emil · · Score: 1

    I have discussed all of this in another place. Microsoft is unambiguous on this issue, and for good reason.

  15. Re:Microsoft kills - NETBIOS and WINS? by Anonymous Coward · · Score: 0

    Call me once they kill NETBIOS and WINS. While those are still working, they are not serious.

  16. Bob Marley said it best by Anonymous Coward · · Score: 0

    "No Windows, No Cry..."

  17. Re:Non-windows devices are also affected majorly. by __aaclcg7560 · · Score: 1

    So in other words you could not be assed to update the security of your printers for years until it finally broke connectivity?

    Printer security is a can of worms. If you think that is bad, try finding and removing Windows-based medical devices from the general VLAN.

  18. Maybe someone should give MS a book on hardening? by Anonymous Coward · · Score: 0

    A door that isn't there can not be opened. Why have tons of software running in a machine that isn't used... and then run a firewall in the same machine to block access to the software that isn't used.

    Disable all the crap that isn't used! 99.999999999% of all Windows installations do not need or use SMB/CIFS. If MS feel that they want to use it internally in the machine, bind it to 127.0.0.1 ONLY! (at least they do not share the registry with full admin rights to guest anymore)

    (and PLEASE bring system documentation back up to the level you had with Windows XP!)

  19. Caveat emptor by spongman · · Score: 1

    I disabled SMBv1 back when WannaCry broke and while my Windows boxes could still talk to each other fine, my Macs and Linux boxes all started failing.

  20. Re:Non-windows devices are also affected majorly. by Opportunist · · Score: 1

    I know. Try, just TRY to get a printer 802.1X compliant.

    That doesn't mean you can throw your hands up and just be done with it.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.