Lack of maintenance or security updates is one of the main causes of attacks on operating systems such as Windows. In one of its most recent publications, Microsoft has strongly asked system administrators to disable the SMBv1 network communication protocol on Exchange servers, as a way to protect them against the deployment of some malware attacks and other cybersecurity threats.
The main cause of this recommendation is that SMBv1 does not have additional security measures that were added to later versions of the protocol. According to cybersecurity specialists, SMBv1 lacks encryption, proof of integrity mechanisms, guest authentication block, among other protections.
In its message, the Exchange team mentions that it is necessary to disable the protocol to protect servers from some of the most common threats: “We recommend disabling SMBv1 to keep your organization safe from threats like Emotet, WannaCry, TrickBot, among others; there is no need to run this protocol (almost 30 years old) if Exchange 2013/2016/2019 is installed on your system,” they mention.
Multiple reports stated that, back in 2017, the US National Security Agency (NSA) developed various exploits that abused the SMBv1 protocol, which contributed to the massive attack of this implementation. Among the most exploited vulnerabilities in this protocol are EternalBlue and EternalRomance. In addition, these exploits were used to infect Exchange implementations with multiple malware variants such as Emotet, WannaCry, Retefe, NotPetya, Olympic Destroyer, among others, expanding through many other machines to encrypt or destroy files and steal login credentials.
Starting with Windows 10 1709 and Windows Server 1709, the protocol is no longer installed by default, so newer versions of Windows operating systems use SMBv3. Concerned users can verify that SMBv1 is enabled on a system by running the following PowerShell commands on different versions of Windows Server:
- Windows Server 2008 R2: SMBv1 is enabled on this version of Windows Server. Therefore, if the following command does not return an SMB1 value or an SMB1 value of 1, the protocol is enabled. If it returns an SMB1 value of 0, it is disabled.
Get-Item HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters |
ForEach-Object {Get-ItemProperty $_.pspath}
- Windows Server 2012: If the command returns a false, SMBv1 is not enabled.
Get-SmbServerConfiguration | Select EnableSMB1Protocol
- Windows Server 2012 R2 or later: If the command returns a false, SMBv1 is not enabled.
(Get-WindowsFeature FS-SMB1).Installed
Get-SmbServerConfiguration | Select EnableSMB1Protocol
In case SMBv1 is enabled on your server, you can disable it using the following commands.
- On Windows Server 2008 R2:
Set-ItemProperty –Path
“HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” -Name SMB1 -Type DWORD -Value 0 –Force
• On Windows Server 2012:
Set-SmbServerConfiguration -EnableSMB1Protocol $false -force
- On Windows Server 2012 R2 or later:
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
Set-SmbServerConfiguration -EnableSMB1Protocol $false
He is a cyber security and malware researcher. He studied Computer Science and started working as a cyber security analyst in 2006. He is actively working as an cyber security investigator. He also worked for different security companies. His everyday job includes researching about new cyber security incidents. Also he has deep level of knowledge in enterprise security implementation.