    Win10 1709 and later are supposed to uninstall SMBv1 if it isn’t used — but 1803 doesn’t work that way

    Posted on July 21st, 2018 at 06:42 by woody

    Many of you have read about the evils of SMBv1, one of the great Windows malware attack vectors of all time.

    Microsoft fixed much of the problem back with Win10 1709. Here’s the story, with lots of specifics:

    In Windows 10 Fall Creators Update and Windows Server, version 1709 (RS3) and later versions, the Server Message Block version 1 (SMBv1) network protocol is no longer installed by default…

    Windows 10 Home and Windows 10 Professional still contain the SMBv1 client by default after a clean installation. If the SMBv1 client is not used for 15 days in total (excluding the computer being turned off), it automatically uninstalls itself.

    But there’s a catch. Per Ned Pyle, the “uninstall if not used” feature in 1709 doesn’t happen if you do a fresh install of 1803. It also doesn’t happen if you upgrade directly from 1703 to 1803.

    Pyle also says that the latest beta versions of Win10 1809 (or whatever it’ll be called) have the same problem.

    Oh boy.

    Thx @sb
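    To find out what state a given 1709/1803 install actually ended up in, rather than trusting the 15-day rule, the PowerShell below reports the three SMB1 optional-feature components, the server-side switch, the client redirector driver, and (once auditing is on) which hosts still talk SMB1 to the machine. This is an added example, not code from this post or from Microsoft’s article; it assumes Windows 10 1709 or later (for the split SMB1Protocol-Client/-Server/-Deprecation feature names and the AuditSmb1Access setting) and assumes that the client address is the first property of audit event 3000.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the post above: report SMBv1 state on Windows 10 1709+ and,
# before removing it, find out which hosts still use it.

function Get-Smb1State {
    # 1709+ splits SMB1 into Client, Server and a "Deprecation" component; the last one is
    # the 15-day auto-removal that the post says does not fire on 1803 clean installs.
    $features = Get-WindowsOptionalFeature -Online |
        Where-Object { $_.FeatureName -like 'SMB1Protocol*' } |
        Select-Object FeatureName, State

    # Server side: the listener a remote attacker talks to. AuditSmb1Access logs SMB1 sessions.
    $server = Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, AuditSmb1Access

    # Client side: mrxsmb10 is the SMB1 redirector driver; SMB2/3 use mrxsmb20.
    # Get-Service does not list kernel drivers, so ask WMI.
    $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='mrxsmb10'"
    $driverState = if ($drv) { "$($drv.State) (StartMode=$($drv.StartMode))" } else { 'NotPresent' }

    # Outbound sessions this machine holds that were reported with a 1.x dialect.
    $smb1Sessions = @(Get-SmbConnection | Where-Object { $_.Dialect -like '1.*' }).Count

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Features          = ($features | ForEach-Object { "$($_.FeatureName)=$($_.State)" }) -join '; '
        Smb1ServerEnabled = $server.EnableSMB1Protocol
        Smb1AuditEnabled  = $server.AuditSmb1Access
        Smb1ClientDriver  = $driverState
        Smb1Sessions      = $smb1Sessions
    }
}

function Enable-Smb1Audit {
    # Every SMB1 session is then logged as event 3000 in Microsoft-Windows-SMBServer/Audit.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

function Get-Smb1Clients {
    # Which client addresses have used SMB1 against this machine, most frequent first.
    # Assumption: the client address is the event's first property.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Properties[0].Value } |
        Group-Object -NoElement |
        Sort-Object Count -Descending |
        Select-Object Name, Count
}

Get-Smb1State | Format-List
```

    Run Get-Smb1State first; if SMB1Protocol-Client shows Enabled on a machine that has been up for more than 15 days, the auto-removal described in the quote above did not happen. Enable-Smb1Audit then Get-Smb1Clients a week later tells you whether any device on the LAN (an old NAS, a printer) still depends on it before you pull it.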



    This topic contains 19 replies, has 10 voices, and was last updated by  b 4 months, 3 weeks ago.


    • #204966 AlexN (AskWoody Lounger)

      If A, then do 1.  If B, then do 2.  If C, then undo 2 and redo the same.  If D, simultaneously stand on your head, flap your arms like bird’s wings, and sing Auld Lang Syne.

      Fortran, C++, R, Python, Java, Matlab, HTML, CSS, etc.... coding is fun!
      A weatherman that can code

    • #204971 Noel Carboni (AskWoody MVP)

      At one time intra-computer communications (e.g., by SMBv1) on a Local Area Network (LAN) were protected more or less by your router, presuming you didn’t have it set up to expose your file and printer sharing to the world. Basically, because the router by its nature blocked incoming connection attempts the world couldn’t easily beat a path to your computer’s LAN interface.

      In this day and age of wifi and IoT devices being brought into the home, this is not nearly as cut and dried as it used to be.

      Let’s say, for example, you buy a wireless printer. Or maybe your new, green heat pump water heater has a wireless capability. Or your kid visits with a new smart phone. Or you get one of those front door camera things. Of course you set up the device to access your wireless network. At this point it’s on your LAN.

      Now further assume the device’s controller regularly connects to sites online, and maybe even has a software download process in place. Wireless printers do this all the time. You want the latest software features, right? Firmware updates? Integration with your cloud storage? To be able to see who’s at your front door from your smart phone while you’re out?

      All these things mean that the device MAY be vulnerable to being co-opted into becoming malicious and start attacking your other devices. Or even just snooping on your communications as they go by. Suddenly there you are, with an attacker right on your LAN, potentially probing your computer for things like SMBv1 vulnerabilities. And just because it didn’t happen today doesn’t mean it won’t happen tomorrow.

      The scary part is that for the simple convenience of being able to control things or get pictures of whomever’s at your door or have a printer you can set up anywhere with only a power cord, we’re all too willingly opening big holes in our security environments. Even just bringing a smart phone or tablet onto the wifi opens up new security issues.

      There are things you can do, too, under some conditions. For example you can configure many/most devices to use the “guest access” part of your wifi, which is often cordoned off from other devices by the wifi router.

      Make sure that if you don’t need communications with XP systems on your LAN that you have disabled SMBv1.

      Bottom line: Don’t assume your router is keeping your systems on “the inside” of your LAN as safe as it once did.

      -Noel

      9 users thanked author for this post.
      • #205012 Ascaris (AskWoody MVP)

        In that scenario, you’ve already allowed malware into your local area network.  It’s already past the perimeter, and the best you can hope for by eliminating SMB1 would be to keep the malware from certain kinds of MitM and similar attacks.  It still wouldn’t change the fact that the malware is there on the system, or even let you know that it’s there.

        From your previous posts, you’ve opined that using antimalware products is the wrong approach, that the idea is to keep malware from entering the system, and that it’s too late if you wait for the malware to get in there before you act to counter it (I hope I have paraphrased accurately).  There’s truth in that, and while I don’t avoid antimalware products (I value the second-order protection they give if, despite my careful browsing habits, malware gets on my system anyway, as it once did from a drive-by that exploited a Java zero-day back when everyone ran Java), I do understand the logic behind it, and I certainly agree that considering antimalware software to be a first-line defense against infection is a disaster waiting to happen.

        It’s much the same with SMB1.  In order for the relative vulnerability to matter, malware has to be on a device within the “trusted” zone, and only then if you are using password-protected shares.  Even then, not using SMB1 will only (at best) keep the malware from spreading to other devices on the network… it won’t eliminate the infection or alert you to its presence.

        That’s not to say that everyone should keep SMB1, of course.  If you have password-protected shares, you have to understand that SMB1 doesn’t offer much protection, so you should seriously consider dumping it.  If you’re not using SMB1 at all, you might as well get rid of it, but the group of people who use it potentially goes beyond those who use older NAS devices or have XP PCs on the network. Personally, I’m keeping SMB1 because I still use NetBIOS to browse the shares on my network (mixed Linux and Windows), and it’s all open shares anyway, so it’s already at the minimum level of security– lower even than SMB1 with password protection.

        I won’t touch IoT things with a ten foot pole, though, so there’s that.  No smart… anything.

        In response to Windows 10 (supposedly?) cutting off SMB1, Linux Mint 19 (I don’t know how far upstream this goes) disabled it to ensure compatibility, which (unsurprisingly) resulted in complaints that network shares were not showing up in the browser list. If it were truly a “you won’t even notice it being gone” thing, that would be a different story, but the ancient NetBIOS is still in use even now.  Fortunately, adding SMB1 back to Mint was as easy as adding a single line to a config file.


        Group L (Linux): KDE Neon User Edition 5.14.4 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

        4 users thanked author for this post.
        • #205026 Noel Carboni (AskWoody MVP)

          Yes, you get it.

          Thing is, we may no longer have as much control over malware getting in to our local network. The incentives to bringing things into the home are growing (smart TV anyone?), so the tendency is to just enable them to access what once could be considered the trusted circle.

          We might think about security a lot when we’re at our computers, then put it out of our minds when unboxing the cool new 60″ LCD TV.

          -Noel

          3 users thanked author for this post.
      • #205038 GoneToPlaid (AskWoody Lounger)

        I don’t allow any IoT devices in my home — period — other than my TV which is forced to connect via cable instead of directly through the Internet via my home router.

        In the past year, four associates at work have become victims of identity fraud, and not one of them knows how this occurred.

        IoT is the Internet of Things

        SoIT is the Security of Internet Things

        SoIT virtually does not exist.

        Yeah, go ahead and let IoT into your home. And when you either get hacked or when your identity gets stolen, just remember, “You let it into your home.”

        I tried disabling SMB1 on all of my Win7 computers on my home network, and I found that when doing so, my computers had trouble seeing drive shares within my home network. And I also found that two of my printers were no longer available on my home network.

        Thus I had to re-enable SMB1, and I rely on my router’s firewall and on AV protection which prevents the encryption of specified drives and folders by any new program or process which might mysteriously launch.

        The upshot is that I couldn’t kill SMB1 without killing my ability for my Win7 computers (no server) to properly see one another’s network shares, and to print to my home printers.


        5 users thanked author for this post.
        • #205056 Ascaris (AskWoody MVP)

          That’s the one bit of disabling SMB1 that people like Ned Pyle just seem to gloss over when they just say “disable SMB1.”  When you do that, the ability to browse network shares often vanishes on home networks, and that’s not something everyone knows how to work around, particularly when they are accustomed to the “just works” way that things used to be with SMB1.

          With SMB1 disabled, you can still access your shares by using the IP address directly, i.e. \\192.168.1.200\sharename.  For that to really work in a practical sense (so you don’t have to look up the share server’s IP address each time manually), you would have to have reserved IP addresses, which most routers are able to do without too much difficulty (I was doing that on my network before any of this push to disable SMB1 started, just for my own convenience).  If you do that, you can create shortcuts to the various shares by IP and place them in the navigation pane of File Explorer, which makes it easy to reach your shares if they are available.

          There are other ways of enabling name resolution, like using the hosts file or setting up a DNS server on the router or as a standalone, but none of them advertise when a share is available, so you still can’t get a list of the shares that are available at that moment for browsing.  For that, NetBIOS has been the old standby, but that requires SMB1.

          WS-Discovery and UPnP/SSDP are supposed to be replacements in Windows-land (and Avahi in Linux, as well as Bonjour in MacOS), but I don’t know much about using any of them.  UPnP was one of those things everyone was supposed to disable (much like SMB1 is now) back in the day, and since I was not using it for anything anyway, I always have.  I know that enabling UPnP in Windows didn’t bring back the lost browsing functionality when I tried it back when EternalBlue and WannaCry were in the news, and since I had nothing to gain by disabling SMB1 anyway on my open-share LAN, I just re-enabled it rather than continue to beat my head against the wall trying to get a non-SMB1 network to work as I wanted.


          1 user thanked author for this post.
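          The by-address approach from the post above, written out as an added example (it is not code from the post): map the share by IP, confirm that the redirector negotiated a 2.x or 3.x dialect (so SMB1 played no part), and give the address a name in the hosts file so you can type a name instead of the address. A hosts entry only resolves the name; as the post says, it does not advertise shares, so the server still will not appear in the browse list. It assumes Windows 8.1 or later for Test-NetConnection and the SmbShare cmdlets; 192.168.1.200, sharename and the name nas are placeholders taken from the post.

```powershell
# Added example, not from Ascaris's post: reach a share by IP with SMB1 gone, confirm
# that SMB2/3 was negotiated, and give the address a name via the hosts file.

function Connect-ShareByIp {
    param(
        [Parameter(Mandatory=$true)] [string] $ServerIp,    # reserve this address in the router's DHCP
        [Parameter(Mandatory=$true)] [string] $ShareName,
        [string] $DriveLetter = 'Z:'
    )

    # 445 is direct-hosted SMB; SMB2/3 never need the NetBIOS ports 137-139.
    if (-not (Test-NetConnection -ComputerName $ServerIp -Port 445 -InformationLevel Quiet)) {
        throw "Nothing listening on ${ServerIp}:445"
    }

    # A persistent mapping is restored at logon, so no share browsing is needed to find it again.
    New-SmbMapping -LocalPath $DriveLetter -RemotePath "\\$ServerIp\$ShareName" -Persistent $true | Out-Null

    # The dialect the redirector actually negotiated. 1.x would mean SMB1 is still in play.
    $conn = Get-SmbConnection -ServerName $ServerIp |
        Select-Object -First 1 ServerName, ShareName, UserName, Dialect
    if ($conn -and $conn.Dialect -like '1.*') {
        Write-Warning "$ServerIp negotiated SMB $($conn.Dialect); that server still needs SMB1"
    }
    $conn
}

function Add-HostsEntry {
    # Needs an elevated prompt; the hosts file is writable only by administrators.
    param(
        [Parameter(Mandatory=$true)] [string] $Ip,
        [Parameter(Mandatory=$true)] [string] $Name
    )
    $hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
    # Skip if a line already maps this exact name (whole-word match, any address).
    if (Select-String -Path $hosts -Pattern "^\s*\S+\s+$([regex]::Escape($Name))\s*$" -Quiet) { return }
    Add-Content -Path $hosts -Value "$Ip`t$Name"
}

# Placeholder values from the post; change them for your LAN.
Add-HostsEntry -Ip '192.168.1.200' -Name 'nas'
Connect-ShareByIp -ServerIp '192.168.1.200' -ShareName 'sharename'
```

          After this, \\nas\sharename works from the Run box and the Dialect column tells you whether the box at the other end is a modern server or an old NAS that will break once SMB1 is removed.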
          • #205471 Noel Carboni (AskWoody MVP)

            That’s the one bit of disabling SMB1 that people like Ned Pyle just seem to gloss over when they just say “disable SMB1.” When you do that…

            What if, in an imaginary world, Microsoft were publishing things on purpose that will sound like a good idea while simultaneously making older Windows versions less and less desirable to use…

            And possibly in a bigger sense, making Windows (all versions) less and less desirable…

            When would published advice to “disable the things that make your home network do just what you need it to do” make sense?

            Bear in mind that Microsoft is hands-down the best manager of mediocrity on the planet, bar none. Their past mistakes (poorly implemented protocol that is still somehow a security risk, anyone?) are now leverage. They might seem to be making boneheaded decisions, but is it possible their goals are simply not obvious?

            https://www.youtube.com/watch?v=1CYA3eLs-lE

            -Noel

            1 user thanked author for this post.
            • #205480 b (AskWoody Lounger)

              What if, in an imaginary world, Microsoft were publishing things on purpose that will sound like a good idea while simultaneously making older Windows versions less and less desirable to use…

              Good job that’s an imaginary world. In the real world they’re using a “charm offensive”:

              Windows 7’s impending EOL triggers Windows 10 charm offensive

              Cannon fodder Chump Daft glutton Idiot Sucker More intrepid Crazy/ignorant "Toxic drinker"

              1 user thanked author for this post.
    • #204975 BobbyB (AskWoody Lounger)

      Yeah, if you want SMB1.0/CIFS out you have to remove it in Win10 1709/1803. More often than not it shows as a “black square” which, if memory serves me, is not fully installed but functional. For 1803 network lovers in life after Home Groups, leave it in there until you manage to get your network working to your satisfaction, then untick/take it out and you should find you’ll not miss it; besides, again from memory, you still have either SMB 2.0 or 3.0 to fall back on, which are uncompromised yet!

      • #205042 RetiredGeek (AskWoody MVP)

        Bobby,

        I experimented with the SMB 1.0 settings and found that with it entirely uninstalled I could not use the local network (entirely userid/password controlled). Windows would just not find the computers where it was turned off. I tried this on both 1709 & 1803. It would however see my Western Digital MyBook Live and my Brother 5450DN printer. Turning only the Client back on restored full network functionality. So what am I missing that it wouldn’t use V2 or V3?

        [Attached screenshots: Windows Features and Settings; SMBV1]

        May the Forces of good computing be with you!

        RG

        PowerShell & VBA Rule!
        Computer Specs

        • #205050 BobbyB (AskWoody Lounger)

          @retiredgeek sorry to hear about your networking woes; it was a major Grrrr, as you will see in the following links. Probably predicated by the fact that years ago we purchased a “job lot” of routers that were deployed in the field, many still out there, lurking in all sorts of “nooks and crannies” throughout the building. Here are a few snippets of the trials and tribulations encountered.
          https://www.askwoody.com/forums/topic/heres-a-list-of-the-major-known-bugs-in-win10-version-1803/#post-190814
          https://www.askwoody.com/forums/topic/heres-a-list-of-the-major-known-bugs-in-win10-version-1803/#post-193889
          For me the most reliable way was to install the Reliable Multicast protocol, set both “Function publish” etc. services in Services.msc to Auto or Auto (Delayed) (M$ preference), make sure they’re running (that seemed to work, and works first time every time), and disable IPv6. As for Win8.1, it’s disabled through add/remove in Features, and I took it out in Win7 from an admin PowerShell prompt with Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Value 0 -Force (you could always edit the Registry manually, I guess).
          http://www.vinransomware.com/images/news/15-05-17/12.JPG
          Thx to Vinransomware Journal for the image
          Although I have found Win7 networking indestructible over the years, maybe that’s why M$ is trying to kill Win7: it works!! (pardon my sarcasm 😉 ) As I have noted from your posts in the past, you’re exceptionally knowledgeable, so none of this is an anathema to you, but hey, if it ain’t broke don’t fix it lol. It’s a whole can of worms as you know, especially multiplied by many machines, although I suppose it’s a security thing so may warrant some attention, alas.
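          The Win7 registry edit in the post above only covers the server side. Microsoft’s documented procedure differs per Windows generation, and the thread’s “client only” configuration (keep the SMB1 client for XP/NAS browsing, drop the SMB1 server that remote attackers talk to) is only a separate switch on 1709 and later. The following is an added example, not code from BobbyB’s post or from Microsoft’s pages; it wraps the documented registry, sc.exe, SmbShare and DISM mechanisms in one function, and assumes Windows PowerShell 2.0 or later (Get-WmiObject is used deliberately, since Windows 7 lacks Get-CimInstance and [Environment]::OSVersion can under-report the version to unmanifested programs).

```powershell
#Requires -RunAsAdministrator
# Added example, not from BobbyB's or Microsoft's pages: disable (or re-enable) SMBv1
# with the mechanism each Windows generation actually uses.
#   Windows 7 / 2008 R2   : registry value for the server, service dependencies for the client
#   Windows 8.x / 2012 R2 : Set-SmbServerConfiguration plus the SMB1Protocol optional feature
#   Windows 10 / 2016+    : separate SMB1Protocol-Client / -Server feature components

function Set-Smb1 {
    param(
        [Parameter(Mandatory=$true)] [bool] $Enabled,
        # Touch only the server side; leaves the SMB1 client in place for XP/old NAS browsing.
        [switch] $ServerOnly
    )

    # WMI reports the real OS version on every supported release.
    $os = [version](Get-WmiObject Win32_OperatingSystem).Version
    $lanmanServer = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    if ($os.Major -eq 6 -and $os.Minor -le 1) {
        # Windows 7 / Server 2008 R2 (and Vista / 2008): no feature switch exists.
        # Server: SMB1=0 disables the SMB1 listener; 1 (or the value being absent) enables it.
        Set-ItemProperty -Path $lanmanServer -Name SMB1 -Type DWORD -Value ([int]$Enabled) -Force
        if (-not $ServerOnly) {
            # Client: mrxsmb10 is the SMB1 redirector. Remove it from the workstation service's
            # dependency list and keep the driver from starting (reverse both to re-enable).
            if ($Enabled) {
                sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi | Out-Null
                sc.exe config mrxsmb10 start= auto | Out-Null
            } else {
                sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
                sc.exe config mrxsmb10 start= disabled | Out-Null
            }
        }
        return 'SMB1 settings changed; reboot required'
    }

    if ($os.Major -eq 6) {
        # Windows 8 / 8.1, Server 2012 / 2012 R2: server switch is a cmdlet, client is a feature.
        Set-SmbServerConfiguration -EnableSMB1Protocol $Enabled -Force
        if (-not $ServerOnly) {
            if ($Enabled) { Enable-WindowsOptionalFeature  -Online -FeatureName SMB1Protocol -NoRestart | Out-Null }
            else          { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null }
        }
        return 'SMB1 settings changed; reboot required'
    }

    # Windows 10 / Server 2016 and later. The parent SMB1Protocol feature carries the
    # Client, Server and Deprecation components; -Server alone is the "client only" setup.
    $feature = if ($ServerOnly) { 'SMB1Protocol-Server' } else { 'SMB1Protocol' }
    if ($Enabled) { Enable-WindowsOptionalFeature  -Online -FeatureName $feature -NoRestart | Out-Null }
    else          { Disable-WindowsOptionalFeature -Online -FeatureName $feature -NoRestart | Out-Null }
    return 'SMB1 settings changed; reboot required'
}

# Usage (uncomment one):
# Set-Smb1 -Enabled $false -ServerOnly   # keep the client, drop the server; the thread's compromise
# Set-Smb1 -Enabled $false               # remove SMB1 completely
# Set-Smb1 -Enabled $true                # put it back if the network browse list disappears
```

          On Windows 7 the registry edit alone still leaves the SMB1 client driver loaded, which is why the function also edits the workstation service dependencies; on 1709+ the -ServerOnly form is the configuration RetiredGeek describes as restoring browsing while the server component stays off.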

    • #205003 b (AskWoody Lounger)

      1803 only. Pro only. Client only. Why do we care?

      SMBv1 isn’t removed from any version of Windows 7.

      I wonder how exactly this “issue” was found and tested.


      • #205027 Noel Carboni (AskWoody MVP)

        You probably should care about the other things on your LAN. The least of them probably has more compute power and threat potential than a top-end computer from 10 years ago.

        -Noel

        • #205037 b (AskWoody Lounger)

          Any SMBv1 danger if I don’t have SMBv1 server installed and enabled?


          • #205472 Noel Carboni (AskWoody MVP)

            How could I know? Go look at the source code.

            How is it possible that a protocol is still being delivered with “The Most Secure Windows Ever” that is so insecure that it must be disabled in order to eliminate threats? Oh, that’s right, computers don’t have any more power to do error checking than they did in the 1980s when the protocol was developed.

            -Noel

            1 user thanked author for this post.
    • #205048 anonymous

      I’m fine with that. I think it was a bad solution. SMBv1 appears to be what allows you to browse the network. It’s how you can see the names of the other devices on the network. So people use it even if they don’t actually use SMBv1 for file transfers. They should have replaced it with another way to broadcast the names of your servers without the hole.

    • #205112 GoneToPlaid (AskWoody Lounger)

      Any SMBv1 danger if I don’t have SMBv1 server installed and enabled?

      The potential danger is ransomware which uses SMBv1 to find and encrypt data on other hard drives on the local network. Some AV products have features which will alert you before any new or unknown process attempts to access data on drives, folders, and shares which you specify. This greatly helps to mitigate the damage of ransomware across a local network.

      I am looking at three stand-alone products which are compatible with AV products, and which supposedly can undo the damage of ransomware. A report said that all three were 100% successful in various tests. I called one of the product companies, and I found out that their machine learning actually is only 99% successful. I am still investigating the other two products. One of these two products might actually be able to be 100% successful every time, since it waits until it has gathered enough data to compare the pre-encrypted files to the post-encrypted files, and has verified that it has successfully generated and tested the decryption keys. All three of these products set up honeypots on your computer for the ransomware to hit first.

      1 user thanked author for this post.
      • #205118 b (AskWoody Lounger)

        Thanks, but that doesn’t answer my question; which was whether it’s safe to have only the client component of SMBv1 enabled (on Windows 10 1709/1803, not possible with earlier versions).


        1 user thanked author for this post.
        • #205185 GoneToPlaid (AskWoody Lounger)

          I think that you are safe, assuming that you are on a home network with no server, given the caveats which I mentioned.

          1 user thanked author for this post.
    • #205155 anonymous

      Slightly off topic here…but I just noticed the Preview for Win 7 338821 is dated 2018-07. Is this a preview for Aug. updates ?

      • #205158 PKCano (AskWoody MVP)

        The yyyy-mm Monthly Rollup is composed of three parts: the security updates, the non-security updates and the cumulative update for IE11. It is released on the second Tues of the month (Patch Tues).

        The yyyy-mm Preview Rollup is composed of four parts: the three parts of the Monthly Rollup with the same yyyy-mm designation PLUS the non-security updates for the following month (yyyy-mm+1). Traditionally, it was issued on the third (C) Tuesday of the month. But MS’s schedule has slipped by the wayside, and you can expect it when you see it later in the month.

        So, the Preview you mentioned contains the 2018-07 (July cumulative) Monthly Rollup and the non-security updates that will be a part of the 2018-08 (August cumulative) Monthly Rollup.
