SMBv1 disabled on NETID domain controllers

October 4, 2017

We disabled SMBv1 on all domain controllers for the NETID Windows domain.

Over the past couple of months, we reached out to customers whose clients had resolvable hostnames and were using SMBv1 to connect to the NETID domain controllers, to let them know about this planned change. For somewhat obvious reasons, we didn’t want to publicize that we were still supporting a vulnerable protocol, which is why this change notification is happening after the fact.

What and When

The SMBv1 protocol was disabled on all NETID domain controllers on September 15, 2017.

As you are hopefully aware, the SMBv1 protocol has numerous security issues and vulnerabilities that have been exploited, making news headlines around the world. Microsoft and others have been recommending that SMBv1 be turned off, as it cannot be adequately patched or protected. For more info see below.

What you need to do

We were not able to contact fewer than a dozen customers who had unresolvable hostnames, such as those handed out via DHCP. Those customers may need to update or reconfigure their computers to stop using SMBv1 and to use SMBv2 or SMBv3 instead. How that is done will vary based on the operating system, application, etc., so you may need to contact your vendor(s) for assistance.

For Microsoft Windows clients, https://support.microsoft.com/en-gb/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows provides assistance on disabling and enabling SMB version support. There is a list of known non-Microsoft products which require SMBv1 here: https://blogs.technet.microsoft.com/filecab/2017/06/01/smb1-product-clearinghouse/.
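As an added illustration (not part of the original notice and not UW-IT's or Microsoft's own script), the following PowerShell reports the SMBv1 state of a Windows client and, when run with `-Disable`, turns SMBv1 off. It assumes Windows 8.1/10 or later with the built-in SmbShare and DISM cmdlets and an elevated prompt; the function name `Get-Smb1State` is hypothetical.

```powershell
# Added example: report and optionally disable SMBv1 on a Windows client.
# Run elevated. Nothing is changed unless -Disable is passed.
param([switch]$Disable)

function Get-Smb1State {
    # Optional feature that carries the SMBv1 client and server components
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    # Server side: does this machine still accept SMBv1/SMBv2+ connections?
    $server = Get-SmbServerConfiguration
    # Client side: SMBv1 redirector driver (Start = 4 means disabled);
    # the key is absent once the feature has been removed
    $drv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' `
        -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        FeatureState      = $feature.State
        ServerSmb1Enabled = $server.EnableSMB1Protocol
        ServerSmb2Enabled = $server.EnableSMB2Protocol
        ClientDriverStart = if ($drv) { $drv.Start } else { 'not installed' }
    }
}

$before = Get-Smb1State
$before | Format-List

if ($Disable) {
    if (-not $before.ServerSmb2Enabled) {
        # SMBv2/3 share one switch; refuse to leave the machine with no SMB at all
        Write-Warning 'SMBv2/SMBv3 is disabled on this machine; enable it before removing SMBv1.'
        return
    }
    # Stop accepting SMBv1 as a server (takes effect without a reboot)
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the SMBv1 client and server feature; completes at the next restart
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Get-Smb1State | Format-List
    Write-Output 'Restart the computer to finish removing SMBv1.'
}
```

Run it once without arguments to record the current state, then again with `-Disable`; after the restart, `FeatureState` should read `Disabled` and `ServerSmb1Enabled` should be `False`.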

More Info

Microsoft stopped supporting SMBv1 with the demise of Windows Server 2003 in 2015.

Significant security patches for SMBv1 were released in September 2016. And since September 2016, Microsoft has publicly been encouraging everyone to turn off SMBv1. As explained in that post, SMBv1 has serious design flaws that are 20 years old. These flaws most significantly allow person-in-the-middle attacks, but also permit data inspection, and significant performance degradation leading to denial of service attacks.

Ransomware that circulated earlier this year in high volume leveraged SMBv1 vulnerabilities. Those vulnerabilities were patched in March 2017, and the patches were applied to the domain controllers.

More recently, a significant denial of service attack, called SMBLoris, has been identified and affects all computers supporting the SMBv1 protocol. Microsoft has declined to patch current OSes for this attack.

In summary, SMBv1 is insecure and, as the Microsoft PM responsible for SMB says, “SMB1 isn’t good.” We could not in good conscience continue to run it on the NETID domain controllers. We encourage anyone at the UW who is still running it to prioritize retiring it.

Please note that to protect yourself from server operators who have not yet chosen to disable it, you should disable it on your clients.

Brian Arkills
Microsoft Infrastructure service manager
UW-IT