SMBv1 isn’t safe, and whatever update you run or patch you apply, the problem remains: you are still running SMB1. Hackers behind WannaCry ransomware infected servers with vulnerable SMB ports before victimizing them with phishing emails. The original SMB1 protocol is 30 years old and was designed for the world of the 80’s, a world without cyber criminals or big data and with only rudimentary computer usage.
A security researcher affiliated with the Croatian Government CERT has warned that while WannaCry used only two tools to exploit SMB vulnerabilities, a new worm named EternalRocks will be armed with at least seven such tools to infect systems across the globe. EternalRocks will use not only the lethal SMB (Server Message Block) tools named EternalBlue, EternalChampion, EternalSynergy, and EternalRomance, but also the SMB reconnaissance tools named SMBTouch and ArchTouch, which will keep an eye on affected computers. We have already seen EternalBlue causing havoc at major ports and terminals across the globe.
The later SMB protocols provide protections in key areas such as:
- Pre-authentication Integrity (SMB 3.1.1+). Protects against security downgrade attacks.
- Secure Dialect Negotiation (SMB 3.0, 3.02). Protects against security downgrade attacks.
- Encryption (SMB 3.0+). Prevents inspection of data on the wire, MiTM attacks. In SMB 3.1.1 encryption performance is even better than signing!
- Insecure guest auth blocking (SMB 3.0+ on Windows 10+). Protects against MiTM attacks.
- Better message signing (SMB 2.02+). HMAC SHA-256 replaces MD5 as the hashing algorithm in SMB 2.02, SMB 2.1 and AES-CMAC replaces that in SMB 3.0+. Signing performance increases in SMB2 and 3.
SMB is used to transfer files between computers. The setting is enabled on most systems but is not needed. Disable it if it is not in use.
How to do it:
Open Control Panel > Programs & Features > Turn Windows features on or off.
In the list of options, one option will be SMB 1.0/CIFS File Sharing Support. Uncheck the checkbox associated with it and press OK.
On a client, the PowerShell approach is: Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
You can also tweak the Windows Registry to disable SMB1.
Run regedit and navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
In the right pane, the DWORD SMB1 should not be present or should have a value of 0.
The values for enabling and disabling it are as follows:
- 0 = Disabled
- 1 = Enabled
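To confirm the result after making the change, the following read-only check looks at the registry value and the optional feature described above, plus the live SMB server configuration. It is an added example, not part of the original article: the function name Get-Smb1Status and the verdict strings are made up here, and Get-SmbServerConfiguration is a standard cmdlet the article does not mention. It assumes an elevated prompt and leaves an absent SMB1 registry value to be decided by the other two checks.

```powershell
# Added example: read-only audit of the SMB1 settings described above.
# Run from an elevated PowerShell prompt on the machine being checked.
function Get-Smb1Status {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # Registry: the SMB1 DWORD may be absent, 0 (disabled) or 1 (enabled).
    $prop = Get-ItemProperty -Path $key -Name 'SMB1' -ErrorAction SilentlyContinue
    $registry = if ($null -eq $prop) { 'NotSet' } elseif ($prop.SMB1 -eq 0) { 'Disabled' } else { 'Enabled' }

    # Optional feature: the checkbox in "Turn Windows features on or off".
    $feature = 'Unknown'
    try {
        $f = Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -ErrorAction Stop
        $feature = [string]$f.State      # e.g. Enabled, Disabled, EnablePending
    } catch {
        $feature = 'QueryFailed'         # not elevated, or feature not offered on this build
    }

    # Live SMB server configuration, where the cmdlet is available.
    $server = 'Unknown'
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        try {
            $cfg = Get-SmbServerConfiguration -ErrorAction Stop
            $server = if ($cfg.EnableSMB1Protocol) { 'Enabled' } else { 'Disabled' }
        } catch {
            $server = 'QueryFailed'
        }
    }

    # SMB1 counts as off only when no source reports it enabled (or pending enable).
    $states = @($registry, $feature, $server)
    $verdict = 'SMB1 disabled'
    if ($states -match '^Enable') {
        $verdict = 'SMB1 ENABLED'
    } elseif ($states -match '^(QueryFailed|Unknown)$') {
        $verdict = 'INCOMPLETE'          # at least one check could not be read
    }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        RegistrySMB1    = $registry
        OptionalFeature = $feature
        ServerConfig    = $server
        Verdict         = $verdict
    }
}

Get-Smb1Status | Format-List
```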
SMB1 isn’t good. It is archaic and it must be disabled.