| | | System Vulnerability: Ditching the vulnerable SMBv1 protocol (Ed Bott)
[Originally posted on the SI Windows 10 subject board]
While this is a Windows 10 or 8.1 Tip, it applies to 8.1. For Windows 7, you can't remove SMBv1, but you can disable it (see end of text for that). .
>> Windows 10 tip: Stop using the horribly insecure SMBv1 protocol
For years, Microsoft has been recommending that you disable the vulnerable SMBv1 protocol. Recent ransomware outbreaks underscore the need to take this important step. Here's how.
Ed Bott
ZDNet | The Ed Bott Report | Topic: Windows 10
June 28, 2017
zdnet.com
Two devastating global ransomware outbreaks, WannaCry and Petya, spread quickly because of a vulnerability in one of the internet's most ancient networking protocols, Server Message Block version 1 (aka SMBv1).
Your PCs that run Windows 10 are protected from that exploit, but that doesn't mean you'll be so lucky the next time.
In the interests of implementing a comprehensive, multi-layer security policy, Microsoft recommends that you disable the SMBv1 protocol completely. The world has already moved on to SMBv3, and there's no excuse for continuing to let that old and horribly insecure protocol run on your network.
To permanently remove SMBv1 support from Windows 10, use either of these two approaches.
Open Control Panel (just start typing Control in the search box to find its shortcut quickly). Click Programs, and then click Turn Windows features on or off (under the Programs heading). Clear the check box for SMB 1.0/CIFS File Sharing Support, as shown here. That's it; you're protected.
(Note that you can use that same procedure in Windows 8.1. For Windows 7, you can't remove SMBv1, but you can disable it using the instructions in this article: How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server.)
As an alternative in Windows 10, open a Windows PowerShell prompt with administrative privileges. In the Windows 10 Creators Update, version 1703, right-click the Start button and choose Windows PowerShell (Admin) from the Quick Link menu.) If you're running an earlier Windows 10 version, enter Windows PowerShell in the search box, then right-click the Windows PowerShell shortcut and click Run as administrator. From that elevated PowerShell prompt, type the following command:
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
Press Enter and you're done.
On a Windows domain, of course, you can use Group Policy. Full instructions (along with links to help management understand why this is a good idea) are in this Microsoft TechNet article: Disable SMB v1 in Managed Environments with Group Policy.
Disabling SMBv1 shouldn't have any effect on modern, fully updated hardware. Some consumer-grade network attached storage devices use this protocol by default, but a firmware update or a change in settings might allow you to change it to something more secure. Unfortunately, some older database programs and even new devices such as those from Sonos require SMBv1.
If you discover that you have an app or a network device that won't work without this feature, use Control Panel to turn the feature back on. Then consider whether that app or device is worth the impact on your network security and whether it's time to look for a replacement.
# # #
- Eric L. - |
|
