beawolf - Fotolia


Disable SMB1 before the next WannaCry strikes

As long as SMB1 lingers in your systems, they are vulnerable to cyberattacks. Use these tools and techniques to find and remove all signs of this unsafe network protocol.

Don't wait for the next ransomware attack to infect your systems. Go on the offensive, and root out a key enabler of cyberattacks -- the outdated SMB protocol. The first step to disable SMB1 on the network is to find where it lives.

Server Message Block is a transmission protocol used to discover resources and transfer files across the network. SMB1 dates back to the mid-1990s, and Microsoft regularly updates the SMB protocol to address evolving encryption and security needs. In 2016, Microsoft introduced SMB 3.1.1, which is the current version at the time of publication.

But SMB1 still lingers in data centers. Many administrators, as well as third-party storage and printer vendors, haven't kept up with the new SMB versions -- they either default to SMB1 or don't support the updates to the protocol.

Meanwhile, attackers exploit the weaknesses in the SMB1 protocol to harm the enterprise. In January 2017, the U.S. Computer Emergency Readiness Team urged businesses to disable SMB1 and block all SMB traffic at network boundaries. Several ransomware attacks followed the warning. EternalBlue, WannaCry and Petya all used SMB1 exploits to encrypt data and torment systems administrators. In the fallout, Microsoft issued several SMB-related security updates and even issued patches for unsupported client and server systems. With the fall 2017 Windows updates, Microsoft disabled SMB1 by default in Windows 10 and Windows Server 2016.

Here are some ways to identify where SMB1 is active in your systems and how it can be disabled.

Use Microsoft Message Analyzer to detect SMB1

Microsoft Message Analyzer is a free tool that comes with Windows and detects SMB1-style communications. Message Analyzer traces inbound and outbound activity from different systems on the network.

Microsoft Message Analyzer
The free Microsoft Message Analyzer utility captures network traffic to discover where SMB1 communications appear across the network.

The admin applies certain filters in Message Analyzer to sift through traffic; in this case, the admin uses SMB as a filter. Message Analyzer checks for markers of SMB1 transactions and pinpoints its source and the traffic's destination. Here's a sample of captured network traffic that indicates a device that uses SMB1:

ComNegotiate, Status: STATUS_SUCCESS, Selected Dialect: NT LM 0.12, Requested Dialects: [PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12]

A reference to outdated technologies, such as Windows for Workgroups and LAN Manager, indicates SMB1. Anything that communicates with a Windows network -- such as copiers, multifunction printers, routers, switches, appliances and storage devices -- could be the culprit still on SMB1.

The first step to disable SMB1 on the network is to find where it lives.

There are three options to remove SMB1 from these devices: turn off SMB1 support, change the protocol or, in extreme cases, remove the equipment permanently from the network.

Use Message Analyzer to find references in "requested dialects," such as SMB 2.002 and SMB 2.???. This indicates systems and services that default to SMB1 -- most likely to provide maximum compatibility with other devices and systems on the network -- but can use later SMB versions if SMB1 is not available.

Evaluate with DSC Environment Analyzer

Desired State Configuration Environment Analyzer (DSCEA) is a PowerShell tool that uses DSC to see if systems comply with the defined configuration. DSCEA requires PowerShell 5.0 or higher.

DSC works in positive statements -- because we want to disable SMB1, we have to build a DSC statement in that way to find systems with SMB1 already disabled. By process of elimination, DSCEA will generate a report of systems that failed to meet our requirements -- these are the systems that still have SMB1 enabled.

Microsoft provides a more detailed guide to write a configuration file that uses DSCEA to find SMB1 systems.

How to disable SMB1 on Windows systems

It's a relatively simple task to disable SMB1 on a Windows machine with PowerShell.

For Windows 8 and Windows Server 2012 systems, use the following PowerShell command:
Set-SmbServerConfiguration -EnableSMB1Protocol $false.

For Windows 8.1, Windows 10, Windows Server 2012 R2 and Windows Server 2016, use this command:
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol.

On those systems, the change is effective immediately.

For Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2, use PowerShell to change the properties of a Registry item. The following command makes the change:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force.

Administrators need to reboot the affected machines before the OS picks up the change.

Identify the perpetrators

To make this detective work less burdensome, Microsoft has a list of products that still require the SMB1 protocol. Some of the products are older and out of support, so don't expect updates that use the latest version of SMB.

Next Steps

More ways to shut down SMB1 on your systems

SMB exploits a boon for malware attackers

Why SMB1 continues to haunt Microsoft users

Dig Deeper on Windows Server troubleshooting