of cyberattacks — the outdated SMB protocol. The first step to disable SMB1 on the network is to find where it lives.
Server Message Block is a transmission protocol used to discover resources and transfer files across the network. SMB1 dates back to the mid-1990s, and Microsoft regularly updates the SMB protocol to address evolving encryption and security needs. In 2016, Microsoft introduced SMB 3.1.1, which is the current version at the time of publication.
But SMB1 still lingers in data centers. Many administrators, as well as third-party storage and printer vendors, haven’t kept up with the new SMB versions — they either default to SMB1 or don’t support the updates to the protocol.
Meanwhile, attackers exploit the weaknesses in the SMB1 protocol to harm the enterprise. In January 2017, the U.S. Computer Emergency Readiness Team urged businesses to disable SMB1 and block all SMB traffic at network boundaries. Several ransomware attacks followed the warning. EternalBlue, WannaCry and Petya all used SMB1 exploits to encrypt data and torment systems administrators. In the fallout, Microsoft issued several SMB-related security updates and even issued patches for unsupported client and server systems. With the fall 2017 Windows updates, Microsoft disabled SMB1 by default in Windows 10 and Windows Server 2016.
Here are some ways to identify where SMB1 is active in your systems and how it can be disabled.
Use Microsoft Message Analyzer to detect SMB1
Microsoft Message Analyzer is a free tool that comes with Windows and detects SMB1-style communications. Message Analyzer traces inbound and outbound activity from different systems on the network.
The admin applies certain filters in Message Analyzer to sift through traffic; in this case, the admin uses SMB as a filter. Message Analyzer checks for markers of SMB1 transactions and pinpoints its source and the traffic’s destination. Here’s a sample of captured network traffic that indicates a device that uses SMB1:
ComNegotiate, Status: STATUS_SUCCESS, Selected Dialect: NT LM 0.12, Requested Dialects: [PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12]
A reference to outdated technologies, such as Windows for Workgroups and LAN Manager, indicates SMB1. Anything that communicates with a Windows network — such as copiers, multifunction printers, routers, switches, appliances and storage devices — could be the culprit still on SMB1.
There are three options to remove SMB1 from these devices: turn off SMB1 support, change the protocol or, in extreme cases, remove the equipment permanently from the network.
Use Message Analyzer to find references in “requested dialects,” such as SMB 2.002 and SMB 2.???. This indicates systems and services that default to SMB1 — most likely to provide maximum compatibility with other devices and systems on the network — but can use later SMB versions if SMB1 is not available.
Evaluate with DSC Environment Analyzer
Desired State Configuration Environment Analyzer (DSCEA) is a PowerShell tool that uses DSC to see if systems comply with the defined configuration. DSCEA requires PowerShell 5.0 or higher.
DSC works in positive statements — because we want to disable SMB1, we have to build a DSC statement in that way to find systems with SMB1 already disabled. By process of elimination, DSCEA will generate a report of systems that failed to meet our requirements — these are the systems that still have SMB1 enabled.
Microsoft provides a more detailed guide to write a configuration file that uses DSCEA to find SMB1 systems.
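As an added example (not the article's or Microsoft's own configuration), the pattern described above written out in PowerShell: a DSC configuration that asserts the compliant state (SMB1 server switch off), compiled to a MOF and handed to DSCEA so that every host failing the check is one still running SMB1. It assumes PowerShell 5.0 or later, the DSCEA module installed, WinRM access to the targets, and the constructed hostnames in $Targets.

```powershell
# Added example; assumes PS 5.0+, the DSCEA module (Install-Module DSCEA) and
# WinRM access to the hosts in $Targets. Hostnames below are constructed.

# 1. DSC states what SHOULD be true, so describe "SMB1 disabled" as the
#    desired state. The LanmanServer 'SMB1' DWORD is the documented
#    server-side switch (0 = disabled); hosts that fail this test are the
#    ones that still have SMB1 enabled.
Configuration NoSMB1 {
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Node localhost {
        Registry SMB1ServerSwitch {
            Key       = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            ValueName = 'SMB1'
            ValueType = 'Dword'
            ValueData = '0'
            Ensure    = 'Present'
        }
    }
}

# 2. Compile the configuration to a MOF. DSCEA only runs Test-DscConfiguration
#    against it (audit mode); nothing is changed on the targets.
$mof = (NoSMB1 -OutputPath .\NoSMB1).FullName

# 3. Scan the fleet and build the report. Non-compliant entries in the
#    detailed report are the systems to remediate.
$Targets = 'fs01', 'fs02', 'print01'
Start-DSCEAscan -MofFile $mof -ComputerName $Targets -OutputPath .\results
Set-Location .\results
Get-DSCEAreport -Detailed

# 4. On a flagged Windows host, confirm and disable the server side of SMB1
#    (Windows 8 / Server 2012 and later). Other devices need vendor settings.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

Because DSC only reports on Windows hosts it can reach over WinRM, printers, NAS appliances and switches still have to be found through the Message Analyzer trace described earlier.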
Identify the perpetrators
To make this detective work less burdensome, Microsoft has a list of products that still require the SMB1 protocol. Some of the products are older and out of support, so don’t expect updates that use the latest version of SMB.