Ned wasn’t kidding: The End of SMB1

Ned Pyle

Microsoft

SMB 3.1.1

The evolution of SMB

Past 5 yearsThe 1980s The 1990s mid 2000s

The primordial ooze SMB1/”CIFS” SMB2 SMB3

SMB 1

DOS, Windows, LANMan(!)

Ubiquitously abused

Slow, unsafe $%^#

SMB 2

Windows Vista+ / Windows Server 2008+

User-optimizedRequest compounds, large reads and writes

Folder & file property caching

Durable handles

Improved message signing - HMAC SHA-256

Large MTU support

SMB 3

SMB 3.0

SMB 3.02

SMB 3.1.1

Windows 8+ / Windows Server 2012+

Datacenter application-optimized

Software-defined fabric

Modern user

Security-oriented

Deprecated years ago

Removable since WS2012 R2/Win8.1

Disable-able since Vista/2008

Gone in WS2016 Nano

uninstalled by default

uninstalled by default

uninstalled if not used

Attacker

Blocked – no SMB1 server

Home and Pro editions

SMB1 Client

disabled by default

allowed client dialects

Find it

Aka.ms/StillNeedsSMB1

Zap it

Zap it

Zap it

KB2696547

38

10

11

2

fuzzing, review, & pentests pay off

Set-SMBShare –LeasingModeFull = default

Shared = grant read-caching lease, not write or handle-caching

None = no oplocks or leases

New to RS3

Should never be used

End-to-end SMB encryptionPrivacy

AES-128-GCM & AES-128-CCM

SMB Signing updatedIntegrity

AES-CMAC

Pre-auth Integrity

Plus all SMB can make use of UNC Hardening

aka.ms/StopUsingSmb1

SMB1 vendor & product list - aka.ms/StillNeedsSmb1

SMB & Windows Server - aka.ms/windowsserver

SMB team blog - aka.ms/serverstorage

Old SMB blog - aka.ms/josesmb3

Spec Team -blogs.msdn.microsoft.com/openspecification

Which side do you want to be on?

Thank You!Questions?