Microsoft has just announced that it is disabling support for the SMB1 protocol by default in the Windows 11 Home Insider builds. This is the final phase of retiring SMB1 support in Windows. The background is security considerations, and SMB2 as well as SMB3 are available. The problem, however, is that certain network connections still depend on SMB1.
The never-ending story of SMB1
Support for SMB1 (Server Message Block 1) on Windows is a topic that has been on the agenda for years. The abbreviation SMB stands for Server Message Block (earlier names were LAN Manager or NetBIOS protocol), a network protocol for file, print and other server services in computer networks. Version 1 (SMBv1) of the protocol, which was designed over 30 years ago, and especially the Microsoft implementation of it, is considered very error-prone and security-critical. In the meantime, there are SMBv2 and SMBv3, so the use of SMBv1 in Windows networks is no longer absolutely necessary.
For background: In May 2017, the WannaCry ransomware Trojan infected thousands of computers worldwide (see Ransomware WannaCry infected worldwide thousands of Windows systems). The reason for the broad infection was a vulnerability in the SMBv1 implementation of Windows (see my German blog post SMB Zero-Day-Sicherheitslücke in Windows 8.1/10/Server). However, this vulnerability had been closed by security updates from Microsoft before the WannaCry attack. WannaCry should therefore no longer have been able to exploit the vulnerability, but the affected machines were unpatched. Maintaining the SMBv1 code involves a certain amount of work, and it cannot be ruled out that there are further vulnerabilities in the implementation. Microsoft therefore wants to prevent further use of SMBv1 and is pushing people to switch to SMBv2 or SMBv3. It published the Stop using SMB1 post back in September 2017, advising against the use of SMBv1. The post said that the protocol was insecure and no longer up to modern requirements.
Windows 11 Home: Microsoft gets serious about SMB1
I became aware via the following tweet as well as this article by colleagues at Bleeping Computer of the Techcommunity post SMB1 now disabled by default for Windows 11 Home Insiders builds.
In the article, Microsoft employee Ned Pyle prepares Windows 11 Home users for the fact that SMB1 is slowly disappearing from support. Back in 2017 (Windows 10 Fall Creators Update), Windows 10 and the corresponding Windows Server versions started shipping without SMB1 installed by default.
However, the Home and Pro editions still had the client so that users could post-install SMB1 support if needed. If no outbound use of SMB1 was detected on the client after a total of 15 days of operation, Windows 10 automatically uninstalled this feature. Starting with Windows 10 version 1809, the installation of the SMB1 client was also discontinued in the Pro editions.
Now this development continues with Windows 11. Users who install a Windows Insider Dev Channel build in any Home Edition variant will notice that the SMB1 client is missing and was not installed with it. This is planned by Microsoft as a default behavior for the next major release of Windows 11, expected in the summer. However, if SMB1 is used on an existing machine running Windows 11, the client in question will be preserved during a feature upgrade. In addition, an administrator can install SMB1 as a feature at a later date if necessary.
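Before the SMB1 components disappear, it helps to know whether a machine still has them and whether anything still connects to it over SMB1. The following read-only inventory is an added example, not code from the article or from Microsoft's post; the feature names, the `AuditSmb1Access` setting and event ID 3000 are taken from Microsoft's SMB documentation, and the function name and the 15-day default window are choices made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only SMB1 inventory for the local machine.
# Function name and the 15-day default are illustrative choices.

function Get-Smb1Status {
    param([int]$Days = 15)

    # 1. Which SMB1 optional features are still present, and in what state?
    #    (SMB1Protocol, SMB1Protocol-Client, SMB1Protocol-Server, ...)
    $features = Get-WindowsOptionalFeature -Online |
        Where-Object FeatureName -like 'SMB1Protocol*' |
        Select-Object FeatureName, State

    # 2. Does the local SMB server still accept SMB1, and is auditing on?
    $server = Get-SmbServerConfiguration |
        Select-Object EnableSMB1Protocol, EnableSMB2Protocol, AuditSmb1Access

    # 3. With auditing on, event 3000 is logged when a client connects to
    #    this machine using SMB1. This covers inbound use only; outbound
    #    dependencies (old NAS, scanner shares) must be checked per device.
    #    Auditing is enabled with:
    #      Set-SmbServerConfiguration -AuditSmb1Access $true
    $events = @()
    if ($server.AuditSmb1Access) {
        $events = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-SMBServer/Audit'
            Id        = 3000
            StartTime = (Get-Date).AddDays(-$Days)
        } -ErrorAction SilentlyContinue)   # no matching events is not an error
    }

    $enabled = @($features | Where-Object State -eq 'Enabled')

    [pscustomobject]@{
        Features          = $features
        Smb1FeatureActive = ($enabled.Count -gt 0)
        ServerAcceptsSmb1 = [bool]$server.EnableSMB1Protocol
        AuditingEnabled   = [bool]$server.AuditSmb1Access
        Smb1AccessEvents  = $events.Count
        RecentEvents      = $events | Select-Object -First 5 TimeCreated, Message
    }
}

Get-Smb1Status | Format-List
```

An empty `Smb1AccessEvents` count only means something when `AuditingEnabled` is true for the whole window being examined.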
Future versions come without SMB1
In one of the future versions of Windows 11, Microsoft then plans to completely remove SMB1 client support. Windows and Windows Server will then no longer include drivers and DLLs for SMB1 support. Microsoft plans to announce more details on this in a few months.
Only for organizations and users that absolutely still need SMB1, Microsoft will then provide an (unsupported) out-of-band installation package. This should then ensure that connections can still be made to legacy manufacturing machines, medical devices, consumer NAS, etc. that communicate exclusively via SMB1. This will primarily affect multifunction devices with scanning capability that can save scans to network shares via SMB1.