
Fighting viruses and infrastructure, or disabling SMB v1


With the recent outbreak of the WannaCry ransomware, which exploits a vulnerability in SMB v1, advice to disable this protocol is circulating again. Microsoft itself strongly recommended disabling the first version of SMB back in September 2016. But such a shutdown can lead to unexpected consequences, even curiosities: I personally came across a company where, after the fight against SMB, the Sonos wireless speakers stopped playing.


To minimize the chance of shooting yourself in the foot, I want to recall the features of SMB and look in detail at what an ill-considered disabling of its old versions can break.


SMB (Server Message Block) is a network protocol for remote access to files and printers. It is used when connecting resources via \\servername\sharename. The protocol originally worked on top of NetBIOS using UDP ports 137 and 138 and TCP ports 137 and 139. Starting with Windows 2000, it works directly over TCP port 445. SMB is also used to log into an Active Directory domain and work in it.


In addition to remote access to resources, the protocol is also used for interprocess communication via named pipes. A pipe is accessed via the path \\.\pipe\name.

The first version of the protocol, also known as CIFS (Common Internet File System), was created in the 1980s, but the second version appeared only with Windows Vista in 2006. The third version came out with Windows 8. In parallel with Microsoft, the protocol was also developed and updated in its open-source implementation, Samba.


Each new version of the protocol added improvements in speed, security and new functionality, but support for the old versions was kept for compatibility. Of course, the old versions had plenty of vulnerabilities, one of which is used by WannaCry.


Under the spoiler you will find a summary table of changes in SMB versions.

| Version | Operating system | Added compared with the previous version |
|---|---|---|
| SMB 2.0 | Windows Vista / 2008 | Number of protocol commands reduced from 100+ to 19; pipelining (sending further requests before the response to the previous one arrives); symbolic link support; HMAC-SHA256 message signing instead of MD5; larger cache and read/write blocks |
| SMB 2.1 | Windows 7 / 2008 R2 | Performance improvements; support for larger MTU values; BranchCache, a mechanism that caches WAN requests on the local network |
| SMB 3.0 | Windows 8 / 2012 | Transparent failover cluster with load distribution; Remote Direct Memory Access (RDMA) support; management via PowerShell cmdlets; VSS support; AES-CMAC signing; AES-CCM encryption; network shares for storing Hyper-V virtual machines; network shares for storing Microsoft SQL databases |
| SMB 3.02 | Windows 8.1 / 2012 R2 | Security and speed improvements; automatic cluster balancing |
| SMB 3.1.1 | Windows 10 / 2016 | AES-GCM encryption support; pre-authentication integrity check using a SHA-512 hash; mandatory secure negotiation with SMB 2.x and later clients |

Considered conditionally affected


It is quite easy to see the protocol version currently in use; for this we use the Get-SmbConnection cmdlet:



Output of the cmdlet with network resources open on servers running different versions of Windows.


From the output you can see that a client supporting all versions of the protocol connects using the highest version supported by the server. Naturally, if the client supports only the old version and it is disabled on the server, the connection will not be established. On modern Windows systems you can enable or disable support for the old versions with the Set-SmbServerConfiguration cmdlet, and view the status as follows:


Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol


Disabling SMB v1 on a server running Windows 2012 R2.



The result when connecting from Windows 2003.


Thus, if you disable the old, vulnerable protocol, you may lose network connectivity with old clients. Besides Windows XP and 2003, SMB v1 is also used by a number of software and hardware products (for example, NAS devices running GNU/Linux with an old version of Samba).


Under the spoiler is a list of manufacturers and products that will completely or partially stop working when SMB v1 is disabled.

| Manufacturer | Product | Comment |
|---|---|---|
| Barracuda | SSL VPN | |
| Barracuda | Web Security Gateway backups | |
| Canon | Scan to a network share | |
| Cisco | WSA / WSAv | |
| Cisco | WAAS | Versions 5.0 and higher |
| F5 | RDP client gateway | |
| F5 | Microsoft Exchange proxy | |
| Forcepoint (Raytheon) | "Some products" | |
| HPE | ArcSight Legacy Unified Connector | Older versions |
| IBM | NetServer | Version V7R2 and later |
| IBM | QRadar Vulnerability Manager | Versions 7.2.x and later |
| Lexmark | Multifunction scan to a network share | eSF 2.x and eSF 3.x firmware |
| Linux kernel | CIFS client | 2.5.42 to 3.5.x |
| McAfee | Web Gateway | |
| Microsoft | Windows | XP / 2003 and older |
| MYOB | Accountants | |
| NetApp | ONTAP | Versions up to 9.1 |
| NetGear | ReadyNAS | |
| Oracle | Solaris | 11.3 and older |
| Pulse Secure | PCS | 8.1R9 / 8.2R4 and older |
| Pulse Secure | PPS | 5.1R9 / 5.3R4 and older |
| QNAP | All storage devices | Firmware older than 4.1 |
| Red Hat | RHEL | Versions 7.2 |
| Ricoh | Multifunction scan to a network share | In addition to a number of models |
| RSA | Authentication Manager Server | |
| Samba | Samba | Older than 3.5 |
| Sonos | Wireless speakers | |
| Sophos | Sophos UTM | |
| Sophos | Sophos XG Firewall | |
| Sophos | Sophos Web Appliance | |
| SUSE | SLES | 11 and older |
| Synology | DiskStation Manager | Management only |
| Thomson Reuters | CS Professional Suite | |
| Tintri | Tintri OS, Tintri Global Center | |
| VMware | vCenter | |
| VMware | ESXi | Over 6.0 |
| Worldox | GX3 DMS | |
| Xerox | Multifunction scan to a network share | Firmware without ConnectKey |

The list is taken from the Microsoft site, where it is regularly updated.


The list of products using the old version of the protocol is quite long, so you should definitely think about the consequences before disabling SMB v1.


Disabling it anyway


If there are no programs or devices on the network that use SMB v1, then of course it is better to disable the old protocol. Note that while on Windows 8/2012 SMB v1 is disabled on the server with the PowerShell cmdlet, on Windows 7/2008 you need to edit the registry. This can also be done from PowerShell:


Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

Or in any other convenient way. In this case a reboot is required for the change to take effect.


To disable SMB v1 support on the client, stop the driver service responsible for it and fix the dependencies of the LanmanWorkstation service. This can be done with the following commands:


sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
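Before and after running the commands above it is worth verifying what state a machine is actually in: whether the server side still has SMB v1 enabled (via the cmdlet on Windows 8/2012 or the registry on Windows 7/2008), whether the client-side mrxsmb10 driver and the LanmanWorkstation dependency have been fixed, and, most importantly, which clients are still negotiating a 1.x dialect with this server and will therefore break. The following PowerShell audit script is an added example written for this article, not code from the original post; it assumes an elevated prompt and that the SmbShare module (Get-SmbServerConfiguration, Get-SmbSession) is present only on Windows 8/2012 and later.

```powershell
# Added example: audit the SMB v1 state of the local machine (server and client side)
# and list clients still connected with an SMB 1.x dialect. Run elevated.

function Get-Smb1Status {
    $result = [ordered]@{}

    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8/2012 and later: the server setting is reported directly.
        $result.ServerSmb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
        # Sessions negotiated with a 1.x dialect are the clients that will lose access.
        $result.Smb1Sessions = @(Get-SmbSession -ErrorAction SilentlyContinue |
            Where-Object { $_.Dialect -like '1.*' } |
            Select-Object ClientComputerName, ClientUserName, Dialect)
    } else {
        # Windows 7/2008 R2: only the registry value exists; a missing value means enabled.
        $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $smb1 = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $result.ServerSmb1Enabled = ($null -eq $smb1) -or ($smb1 -ne 0)
        $result.Smb1Sessions = @()
    }

    # Client side: the mrxsmb10 driver should be disabled (Start = 4) ...
    $mrx = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' `
        -Name Start -ErrorAction SilentlyContinue
    $result.ClientDriverDisabled = if ($null -eq $mrx) { 'NotPresent' } else { $mrx.Start -eq 4 }

    # ... and LanmanWorkstation must no longer list it as a dependency.
    $deps = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation' `
        -Name DependOnService).DependOnService
    $result.WorkstationDependsOnSmb1 = [bool]($deps -contains 'mrxsmb10')

    [pscustomobject]$result
}

$status = Get-Smb1Status
$status | Format-List

if ($status.Smb1Sessions.Count -gt 0) {
    Write-Warning 'Active SMB v1 sessions found; these clients will lose access once SMB v1 is disabled:'
    $status.Smb1Sessions | Format-Table -AutoSize
}
```

On Windows 10 and Windows Server 2016 and later, which the article's table lists but does not cover here, the server can additionally log every SMB v1 connection for a few weeks before the switch-off with Set-SmbServerConfiguration -AuditSmb1Access $true (event ID 3000 in the Microsoft-Windows-SMBServer/Audit log); this is a real cmdlet parameter, but not one the original post mentions.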

To disable the protocol across the whole network it is convenient to use Group Policy, in particular Group Policy Preferences, which make registry changes easy.



Creating a registry item through Group Policy.


To disable the protocol on the server, simply create the following registry value:




Creating the registry value that disables SMB v1 on the server through Group Policy.


To disable SMB v1 support on clients, you need to change the values of two parameters.


First, disable the SMB v1 protocol driver service:




Updating the first parameter.


Then fix the LanmanWorkstation service dependencies so that it no longer depends on SMB v1:




And replacing the second.


After the Group Policy is applied, the organization's computers must be restarted. After the restart, SMB v1 will no longer be used.


If it works, don't touch it


Oddly enough, this old commandment is not always helpful: in a rarely updated infrastructure, ransomware and Trojans can take hold. On the other hand, careless shutdown and updating of services can paralyze an organization's work just as well as viruses can.


Tell us, have you disabled SMB v1? Were there many casualties?



Source: https://habr.com/ru/post/331906/

