Microsoft recommends disabling SMBv1 on Exchange

[German]Microsoft recommends that administrators of Exchange Servers disable the SMBv1 protocol on these machines for security reasons. Here are a few details about that recommendation.


Advertising

The problem with SMBv1

The abbreviation SMB stands for Server Message Block (earlier names are LAN Manager or NetBIOS protocol), a network protocol for file, print and other server services in computer networks. Version 1 (SMBv1) of the network protocol, which was designed over 30 years ago, and especially the Microsoft implementation, is considered to be very error-prone and security-critical. In the meantime, there are SMBv2 and SMBv3, so that the use of SMBv1 in Windows networks is no longer absolutely necessary.

Microsoft has therefore already published the article Stop using SMB1 in September 2017, which advises against the use of SMBv1. It is insecure and no longer up to modern requirements. In addition, SMBv1 is no longer necessary …, but this ignores the problem that many companies still have devices such as multifunction devices (printers with scanning units) that use SMBv1 to store files on shares and don’t support SMBv2/SMBv3.

What’s breathing down Microsoft’s neck

In May 2017 the blackmailing Trojan WannaCry infected thousands of computers worldwide (see Ransomware WannaCry infected worldwide thousands of Windows systems). A reason for this outbreak was a vulnerability in the SMBv1 implementation of Windows (see SMB Zero-Day vulnerability in Windows 8.1/10/Server). However, this vulnerability had been closed by security updates from Microsoft before the WannaCry attack. Actually WannaCry should not been able to exploited the vulnerability anymore – but the affected machines were unpatched.

Maintaining the SMBv1 code involves a certain amount of effort and it cannot be ruled out that the implementation may contain further vulnerabilities. Therefore Microsoft push people to switch to SMBv2 or SMBv3.

In addition, Microsoft does not want to patch (not so critical) the vulnerability described in the blog post Microsoft won’t patch SMBloris vulnerability, which could be used to shoot down computers.

Deactivation step by step from autumn 2017 onwards

I had pointed out in the German blog post Windows 10: Aus für SMBv1 ab Herbst 2017 that Microsoft is beginning to phase out SMBv1 in Windows 10. SMBv1 will no longer be automatically installed with new installations of Windows 10 (see also Microsoft plans to deactivate SMBv1 in Windows 10 V1709). This has been implemented step-by-step – and administrators can also take action themselves. I have collected some information on this topic in the blog post SMBv1 FAQ and Windows networks.


Advertising

Recommendation to switch off SMBv1 in Exchange

Lawrence Abrams has sptted a Techcommunity article Exchange Server and SMBv1 in which Microsoft recommends that Exchange server administrators on on-premises installations disable SMBv1 for security reasons. Abrams points this out in this tweet.

The Techcommunity post (published on February 12, 2020) recommends to deactivate SMBv1:

To make sure that your Exchange organization is better protected against the latest threats (for example Emotet, TrickBot or WannaCry to name a few) we recommend disabling SMBv1 if it’s enabled on your Exchange (2013/2016/2019) server.

In the article, Microsoft points out that there is no need to run the nearly 30-year-old SMBv1 protocol when Exchange 2013/2016/2019 is installed on a system. Microsoft had already declared the SMBv1 protocol deprecated in 2014. The use of the SMBv1 protocol during installation was set by default starting with Windows Server 2016 1709 (RS3). Further information can be found in this KB. See the Techcommunity article Exchange Server and SMBv1 for more information. 

  • For example, Microsoft has not validated that Exchange Server 2010, which will be retired from support in October 2020, runs cleanly with the SMBv1 protocol disabled. 
  • In addition, Microsoft recommends to check that a correctly configured and supported DAG (database availability group) Witness Server is used that supports at least SMBv2.

In the Techcommunity post, Microsoft also gives advice on how to check if SMBv1 protocol is enabled under different server versions and how to disable it.

Similar articles:
SMBv1 FAQ and Windows networks
Windows 10 Pro V1803: SMBv1 ‘special traps’
PSA: Windows 10 V1803: Update KB4284848 brings SMBv1 fix
Microsoft plans a Windows 10 V1803 SMBv1 fix on June 2018
Microsoft won’t patch SMBloris vulnerability
Microsoft plans to deactivate SMBv1 in Windows 10 V1709
SMB Zero-Day vulnerability in Windows 8.1/10/Server


Advertising


This entry was posted in Security, Software, Windows and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *