SMB1 is going away!
That list is long and distinguished. In a perfect world, it would be empty. Perfection is not of this world, but we can do better, and getting there takes action, one step at a time. Microsoft is taking the next step: they are beginning to remove the SMB1 code from their operating systems.
But I need SMB1 !
We hear you! Yes, we do. But still, no, don’t use SMB1. It is 2022. We know all the reasons you had to keep it around longer than was good for your security posture. And yes, we know you have mitigations in place, and that your embedded or IoT device network is perfectly isolated and poses no risk whatsoever.
That sounds disturbingly like the reasons we hear when people don’t move to HTTPS or haven’t moved from TLS 1.0/1.1 to TLS 1.2/1.3.
But let’s look at why you would still need SMB1 around. When you run reasonably recent versions of both the Windows client and server operating systems, you can at least leverage SMB2 (available since Windows Vista and Windows Server 2008). From Windows 8 and Windows Server 2012 onwards, you can use SMB3.
And yes, staying up to date can cause issues you did not foresee because older systems require SMB1. Here is a fine example: Windows XP Clients Cannot Execute Login Scripts against a Windows Server 2012 R2 Domain Controller – Workaround – Working Hard In IT.
But avoiding this, and dealing with any unexpected side effects, is part of running a good IT crew.
Unfortunately, that link is also a prime example of technical debt holding you back and blocking a better, more secure environment. Note that the legacy client is the real culprit, not the recent versions of Windows Server.
NAS appliances and gateways are the types of devices that held on to SMB1 longer than I would ever have imagined. These should all have received firmware upgrades to support SMB2 or SMB3 by now.
But annoying as the above devices were when trying to ditch SMB1, they pale in comparison with the rest of the industry. The issues with manufacturing, medical and industrial appliances and machines, as well as anything related to embedded or IoT solutions, are massive. The accompanying software also often “requires” Windows XP or WinCE. Does it really? Most certainly not, but the vendor can’t be bothered to rewrite the installer or offer support for anything newer, as they don’t test it. And who wants to run the software unsupported on Windows 10 or 11 when it controls a medical device or a 24/7 manufacturing machine?
And let’s not forget about software and applications themselves. Many applications, written in Java for example, implement their own SMB client instead of relying on what the OS provides; JCIFS, which only speaks SMB1, is a prime example. Those applications also need to move up the stack and leverage SMB2 and SMB3.
Those devices also tend to live in highly regulated and sensitive environments. No one wants to risk a firmware update that might halt a factory or production line, interfere with logging in the aerospace industry, or break all the medical scanners in a hospital. The same goes for software and operating systems. In many organizations, the mantra “don’t fix what isn’t broken” rules. That leads to technical debt and vulnerabilities not being addressed. Fear and cost paralyze, and the powers that be manage that cost and risk by shifting it to IT.
But why can't I keep SMB1 ?
SMB1 was created at a time when security threats were not as common as they are today. Unfortunately, it shares this over-trustfulness with TCP/IP. In today’s world, that makes it very insecure. Unless you have been living under a rock, you will have heard about man-in-the-middle (MitM) attacks, backdoors, exploits, lateral movement, worms, malware and ransomware.
While SMB2 improved the security stance, SMB3 excels at security. SMB3 brought us Secure Dialect Negotiation (SMB 3.0 and 3.02) and Pre-Authentication Integrity (SMB 3.1.1). Both protect against protocol downgrade attacks, which are a building block of man-in-the-middle attacks.
Next, we gained Encryption (SMB 3.0+), which prevents inspection of data on the wire and protects against man-in-the-middle attacks. Finally, insecure guest authentication blocking (SMB 3.0+ on Windows 10+) protects against man-in-the-middle attacks too: a client that refuses to fall back to guest access cannot be silently served content from a rogue server that accepts anyone.
But there is more. Message signing improved as well: SMB 2.02+ replaced MD5 with HMAC-SHA256, and SMB3 replaced that with AES-CMAC. Signing performance went up in both SMB2 and SMB3, and encryption in SMB 3.1.1 (AES-128-GCM) even outperforms signing.
Finally, SMB over QUIC (SMB 3.1.1+) offers secure, encrypted file sharing over UDP port 443 using TLS 1.3. It also protects against MitM attacks and provides secure authentication and communication when using SMB over the internet, without needing a VPN.
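The protections listed above only help if they are actually switched on and actually negotiated. The following PowerShell is an added example (not code from the original post, Microsoft or Visuality Systems) that turns them on with the built-in SmbShare cmdlets and then checks what live sessions really negotiated. It assumes Windows 10/11 or Windows Server 2012 R2 or later, an elevated session, and that Get-SmbSession and Get-SmbConnection expose the Dialect, Signed and Encrypted properties (they do on current builds; older builds may omit Signed/Encrypted). The function names Get-WeakSmbSession and Get-WeakSmbConnection are our own.

```powershell
# Added example: map the SMB3 protections onto Windows settings, then verify them.
# Assumptions: Windows 10/11 or Server 2012 R2+, elevated session, SmbShare module present.
#Requires -RunAsAdministrator

# --- Server side: keep SMB1 off, make signing mandatory, encrypt every share ---
$serverSettings = @{
    EnableSMB1Protocol       = $false  # SMB1 has none of the protections below
    RequireSecuritySignature = $true   # HMAC-SHA256 (SMB2) / AES-CMAC (SMB3) signing is mandatory
    EncryptData              = $true   # SMB 3.0+ encryption on all shares
    RejectUnencryptedAccess  = $true   # clients that cannot encrypt (SMB2, SMB1) are refused
    Force                    = $true   # no confirmation prompt
}
Set-SmbServerConfiguration @serverSettings

# --- Client side: never fall back to guest access, always sign ---
$clientSettings = @{
    EnableInsecureGuestLogons = $false # blocks the guest-fallback trick (Windows 10+)
    RequireSecuritySignature  = $true
    Force                     = $true
}
Set-SmbClientConfiguration @clientSettings

function Get-WeakSmbSession {
    # Server view: every session that negotiated below SMB 3.x, or is unsigned/unencrypted.
    # A missing Dialect (very old builds) is treated as weak rather than silently skipped.
    Get-SmbSession |
        Where-Object {
            -not $_.Dialect -or
            [version]$_.Dialect -lt [version]'3.0' -or
            -not $_.Signed -or -not $_.Encrypted
        } |
        Select-Object ClientComputerName, ClientUserName, Dialect, Signed, Encrypted
}

function Get-WeakSmbConnection {
    # Client view: the same test for the shares this machine has mounted.
    Get-SmbConnection |
        Where-Object {
            -not $_.Dialect -or
            [version]$_.Dialect -lt [version]'3.0' -or
            -not $_.Signed -or -not $_.Encrypted
        } |
        Select-Object ServerName, ShareName, UserName, Dialect, Signed, Encrypted
}

'--- Server sessions below SMB3 / unsigned / unencrypted ---'
Get-WeakSmbSession    | Format-Table -AutoSize
'--- Client connections below SMB3 / unsigned / unencrypted ---'
Get-WeakSmbConnection | Format-Table -AutoSize
```

Run the two Get-Weak* functions before applying the settings: with EncryptData and RejectUnencryptedAccess both true, every client that cannot do SMB 3.0 encryption (SMB2-only appliances, anything on SMB1) is refused, so the list they print is exactly the list of devices that will break. If you need to stage the rollout, set EncryptData per share with Set-SmbShare -EncryptData $true instead of server-wide.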
Taking all of the above into consideration, please give using SMB1 another thought.
Man-in-the-middle attacks against SMB1 work because the protocol trusts any answer: it has no secure dialect negotiation or pre-authentication integrity, so a bad actor can easily impersonate any file server. Many people state that their networks are 100% isolated and protected. I am sure that is your intention, but the sad reality is that you are only one mistake away from being a victim.
By sticking to SMB1, you not only compromise security; you also miss out on the capabilities and efficiencies SMB3 offers.
The fix – Visuality Systems
We don’t have a magic wand. But we are Visuality Systems, and we thrive on building libraries that deliver modern SMB functionality for embedded systems, IoT devices, and Java-based applications. The Visuality Systems YNQ and jNQ libraries are found in devices and software wherever human endeavor extends: in space, your home, offices, hospitals, manufacturing lines, industrial plants, cars, and airplanes. Even better, those modern libraries are kept up to date, handle SMB3, and offer backward compatibility. So if you use them in your solutions, your products are also easy to keep up to date.
Please read more about us here: Visuality Systems: SMB File Sharing Solutions.
Visuality Systems knows the file-sharing world very well. We understand your needs, concerns, and challenges. That’s how we can help you move ahead. By partnering with Visuality Systems, you gain the use of a modern SMB stack in the solutions you build for your customers. We allow you to bring security, capabilities, and efficiency into your offering. Just do it.
Start using SMB2 today
Microsoft is entering the final phases of its long journey to get rid of SMB1. First, it will no longer install SMB1 on Windows 11 Home edition by default. That is a logical step it has already taken for the enterprise SKUs of Windows.
Microsoft already stopped installing SMB1 by default on all other editions of Windows over the years. For example, it did so on Windows 10 Professional and Enterprise editions starting with version 1709 (in 2017), and for Windows Server starting with version 1709. Please see the following document for more details: SMBv1 is not installed by default in Windows 10 version 1709, Windows Server version 1709, and later versions | Microsoft Docs.
Microsoft has been informing the public gradually ever since it released SMB2 in 2007 and, later, SMB3 in 2012.
The next step will be that the drivers and the actual DLL files no longer ship with the product. That will be the final phase of ridding the world of SMB1: it will no longer be part of the OS.
The only way to enable SMB1 then will be via an out-of-band installer. While possible, the plan is that this will be without any support. Yes, you read that correctly: not just deprecated, not just disabled or not installed, but ripped out of the OS and unsupported! While this still helps out when you have no choice, it should not stop you from moving beyond SMB1. Today you would ideally be in a place where SMB2 is considered the legacy SMB protocol in your organization, used only where SMB3 is not an option.
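“Not installed by default” is not the same as “nothing on my network still needs it”. Before you rely on Microsoft’s removal, find out who still speaks SMB1 to your servers. The PowerShell below is an added example (not from the original post, Microsoft or Visuality Systems) that uses the SMB1 access auditing Microsoft ships: it switches the audit on, summarises the resulting events, reports the SMB1 state of the machine, and finally disables and uninstalls the component. It assumes Windows 10/11 or Windows Server 2016 or later and an elevated session. The audit log name (Microsoft-Windows-SMBServer/Audit) and event ID 3000 are the ones Microsoft documents for this feature; the “Client Address:” regex relies on the wording of that event’s message text and is the part most likely to need adjusting on a different build. Get-Smb1Client and Get-Smb1State are our own function names.

```powershell
# Added example: inventory SMB1 talkers, then disable and remove SMB1.
# Assumptions: Windows 10/11 or Server 2016+, elevated session, SmbShare and DISM modules present.
#Requires -RunAsAdministrator

# Step 1: audit only. No functional change; SMB1 keeps working while you collect data.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

function Get-Smb1Client {
    # Step 2 (run after a representative period, e.g. one full business cycle):
    # event 3000 in Microsoft-Windows-SMBServer/Audit is logged per SMB1 access attempt.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-SMBServer/Audit'
        Id      = 3000
    } -ErrorAction SilentlyContinue                   # no events yet -> empty result, not an error

    # The event's message text carries the caller as "Client Address: <ip>".
    # Assumption: that wording; adjust the regex if your build formats it differently.
    $events |
        Group-Object { $_.Message -replace '(?s).*Client Address:\s*(\S+).*', '$1' } |
        Select-Object @{ n = 'ClientAddress'; e = { $_.Name } },
                      @{ n = 'Attempts';      e = { $_.Count } },
                      @{ n = 'LastSeen';      e = { ($_.Group | Sort-Object TimeCreated)[-1].TimeCreated } } |
        Sort-Object Attempts -Descending
}

function Get-Smb1State {
    # Step 3: is the protocol switch on, and is the SMB1 component even installed?
    $server = Get-SmbServerConfiguration
    $featureState = 'unknown'
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($feature) { $featureState = [string]$feature.State }   # e.g. Enabled / Disabled
    }
    [pscustomobject]@{
        Smb1ServerEnabled = $server.EnableSMB1Protocol
        Smb1AuditEnabled  = $server.AuditSmb1Access
        Smb1FeatureState  = $featureState
    }
}

'--- Clients seen using SMB1 (fix or retire these before step 4) ---'
Get-Smb1Client | Format-Table -AutoSize
'--- SMB1 state on this machine ---'
Get-Smb1State  | Format-List

# Step 4: once the client list is empty, turn SMB1 off now and remove the component.
# The first line takes effect immediately; the second removes the binaries (reboot required).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
# On Windows Server the role feature can be removed instead:  Uninstall-WindowsFeature FS-SMB1
```

Keep step 4 commented out, or behind a switch, until Get-Smb1Client has come back empty for long enough to cover monthly and quarterly jobs; the point of the audit is to find the scanner, the PLC logger or the Java tool nobody remembered before it finds you.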
Is Microsoft being unreasonable?
It takes a lot of time for these devices to disappear from our environments. Even worse, it takes a lot of time for many vendors to stop supporting and finally remove SMB1 from their offerings.
In the corporate world, in 2022, it is safe to say that any device still requiring SMB1 is probably not fit for purpose anymore and is often too old to be worth maintaining or upgrading.
However, in the embedded and IoT world, too many devices still require or only support SMB1. That is a pity, as SMB3 is ten years old this year and SMB2 is more than 15 years old. So why not move to those versions? How long can it take? The answer is the same reasoning we mentioned before: technology has a very long tail. On top of that, despite ITIL, change advisory boards, and Chief Security Officers, the hard reality is that technical debt persists and keeps haunting businesses. Firmware does not get patched unless something breaks, old devices linger, and newer appliances do not get their SMB protocol updated.
Ultimately, removing dependencies on SMB1 from our businesses and products is not solely a Microsoft effort. We all have our part to play.
Microsoft removing SMB1 is the final warning shot. Yes, if you are willing to install it purposely and with some effort, you can still make it work. But don’t. You want to rid your environment of SMB1. Instead of trailing behind, lead: move to SMB3 wherever you can and phase out SMB2 where possible. Be proactive. Doing this now, at your own pace, before it becomes necessary, is always less risky, cheaper, and more comfortable than doing it because you no longer have a choice. So lead, and if you cannot, at least follow the leaders. Do not let technical debt become your ball and chain.
Partnering with Visuality Systems
If you build machines, embedded systems or IoT devices, or develop Java-based applications, get ahead of the curve. Lead by example. Visuality Systems has your back with its jNQ and YNQ libraries. These support SMB3 and are updated regularly to make sure they stay current. Leveraging these libraries in your solutions will make it easy to keep up to date. It will show your customers that you care about their security. It is proof that you are committed to helping them maintain a modern and secure environment. Partnering with Visuality Systems means you will not be the reason a partner or customer of yours has to keep legacy, insecure SMB protocols enabled in their environment. When necessary, Visuality Systems does offer backward compatibility for SMB2 and SMB1, but the writing is on the wall. So move forward, step into that brighter, more capable, and more secure world of SMB3. Both you and your customers will be better off for it! When it comes to SMB1, the time to plan for moving away from it started a long time ago. Act now.