SMB security changes in Windows 11 might affect your NAS, too

    • This topic has 9 replies, 6 voices, and was last updated 3 weeks ago.
    #2583958

    WINDOWS 11 By Mary Branscombe It’s going to get harder and harder to connect to your NAS as a guest with SMB. That’s a good thing for security, but it
    [See the full post at: SMB security changes in Windows 11 might affect your NAS, too]

    3 users thanked author for this post.
    • #2583985

      In Windows 10, the older SMB can be turned on (old Control Panel – Programs and Features – Turn Windows features on or off).

      I'm wondering if it's also in Win11, but it should not be a problem to turn that on. Well, if you what to do.. obviously.

      Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

      HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

      PRUSA i3 MK3S+

      • #2584055

        Yes it can be reenabled in Windows 11.

        But be aware that in the future:  https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb1-now-disabled-by-default-for-windows-11-home-insiders-builds/ba-p/3289473

        “This is not the final story, though: I am also announcing that we are going to remove the SMB1 binaries in a future release. Windows and Windows Server will no longer include the drivers and DLLs of SMB1. We will provide an out-of-band unsupported install package for organizations or users that still need SMB1 to connect to old factory machinery, medical gear, consumer NAS, etc. – I’ll have more details on this in a few months. ”

        They have not done this yet, we will very definitely keep an eye out for when they do.

        Susan Bradley Patch Lady/Prudent patcher

        2 users thanked author for this post.
        • #2584059

          Thank you, that sounds good. I would not turn that on, unless I explicitly need it. But I met several devices that require that (mostly older specialized devices, like microscopes, measuring devices, etc.), usually to write data somewhere (NAS – and it was not possible to get newer versions of SMB). Good to know it won't be turned off completely, because those devices could be very expensive to replace.

          Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

          HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

          PRUSA i3 MK3S+

          • #2584255

            If you have those older devices and you have to enable SMB1 to use them, it’s best to find ways of segregating them from the rest of your network, only using the SMB1 storage for collecting data from them temporarily and then moving it to storage that is better protected. SMB1 is a huge security risk and cleaning up after a successful attack will probably be a couple of orders of magnitude more expensive than replacing even specialised hardware in most cases.

            1 user thanked author for this post.
            • #2584360

              Yes, exactly. Those devices are separated on the PCN subnet.
              Defended by a company firewall, without the internet access, so for me the risk should be minimized. And a scheduled task launches robocopy, which copies the data on a weekly basis.

              Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

              HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

              PRUSA i3 MK3S+

    • #2584136

      SMB 3.0.2

      SMB 3.0.2 (known as 3.02 at the time) was introduced with Windows 8.1 and Windows Server 2012 R2;[49][50] in those and later releases, the earlier SMB version 1 can be optionally disabled to increase security.[51][52]

      It seems like we have a newer version but of course as far as I can tell we still need SMB1 for file sharing and for accessing my router-connected USB drive. 17 years since SMB 2 was released and vendors took how long to utilize it??

      🍻

      Just because you don't know where you are going doesn't mean any road will get you there.
      • #2584261

        Most vendors skipped SMB2 because there wasn’t a free implementation of it and they didn’t want to pay to licence a version; even now we have free SAMBA implementations of various SMB releases, lots of hardware vendors haven’t bothered to offer updates for older devices because they already have your money. If your router or USB drive still require SMB1 for connecting, I recommend you start planning to replace them: the security issues with SMB1 are inherent to the protocol and will keep getting exploited.

    • #2584412

       

      Great article but very confusing to us non-techs as to what to do next.  I have two questions:

      1. On my home PC (Win 10 Pro 64-bit on a 9-year old Dell Optiplex 7010 Mini-Tower), I don’t need to select a user name or enter a password to log on.
        The only way I can communicate with my HP Printer (OfficeJet Pro 9015) over my  Workgroup network is by having both SMB 1 enabled and higher-level SMB turned off.
        I concluded that I could not use a higher level of SMB unless I set my PC to require the selection of a user name and the entry of a password to log on, but I have never been sure that my conclusion is correct.  (Is it?)
        So, what must I do going forward if I want to stick to my PC and HP OJP 9015?
      2. I actually have a bunch of used Dell Optiplex 7010 Mini-Towers running Win 10 Pro 64-bit (from my company), and I was thinking about using one of them as a file server for my wife’s mini-office.  If I try to do that (which I don’t know how to do anyway), must I plan to use SMB 3.x (which one?) and will I be able to do that?
      3. If my wife’s mini-office also has some Apple computers that need to connect to that server, what will work?

      Thanks.

    • #2584557

      Home networks don’t need to worry about SMB. If you get a malware infection that has an SMB worm you won’t lose much because you have offline backups (don’t you?).

      Offices need to keep up with best security practice so SMB 1 should be removed. SMB 2 will then be used by both machine types.

      Does the office have any scanners / older equipment that you connect over the network?

      cheers, Paul
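
    An added example, not part of any post in this thread: before removing SMB1 from a Windows PC or file server as discussed above, this PowerShell function (run from an elevated prompt) reports whether the SMB1 feature is installed, what the local SMB server accepts, and which connections still negotiate SMB1. It uses the built-in `Get-WindowsOptionalFeature`, `Get-SmbServerConfiguration`, `Get-SmbConnection`, `Set-SmbServerConfiguration` and `Get-WinEvent` cmdlets; the function name `Get-Smb1Exposure` and the `-EnableAudit` switch are this example's own.

    ```powershell
    # Added example: inventory SMB1 exposure on one Windows machine before removing it.
    # Run elevated. The function name and its switch are hypothetical, not a built-in cmdlet.
    function Get-Smb1Exposure {
        [CmdletBinding()]
        param(
            # Also turn on server-side SMB1 access auditing (this changes configuration).
            [switch]$EnableAudit
        )

        # 1. Is the optional SMB1 feature installed at all?
        $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

        # 2. What does the SMB server side (this machine sharing files) accept?
        $server = Get-SmbServerConfiguration

        # 3. Which outbound connections (NAS, router USB share, ...) negotiated SMB1?
        #    Get-SmbConnection reports the dialect per connection; SMB1 has major version 1.
        $legacy = @(Get-SmbConnection |
            Where-Object { "$($_.Dialect)" -like '1.*' } |
            Select-Object ServerName, ShareName, Dialect)

        if ($EnableAudit) {
            Set-SmbServerConfiguration -AuditSmb1Access $true -Force
        }

        # 4. With auditing on, event ID 3000 records each client that still used SMB1.
        $auditHits = @()
        if ($server.AuditSmb1Access -or $EnableAudit) {
            $auditHits = @(Get-WinEvent -FilterHashtable @{
                    LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000
                } -MaxEvents 50 -ErrorAction SilentlyContinue |
                Select-Object TimeCreated, Message)
        }

        [pscustomobject]@{
            Smb1FeatureState    = $feature.State
            ServerAcceptsSmb1   = $server.EnableSMB1Protocol
            ServerAcceptsSmb2Up = $server.EnableSMB2Protocol
            Smb1AuditEnabled    = [bool]($server.AuditSmb1Access -or $EnableAudit)
            OutboundSmb1Shares  = $legacy
            RecentSmb1Clients   = $auditHits
        }
    }

    Get-Smb1Exposure | Format-List
    ```

    Run it while the NAS, printer or scanner shares are in use, since `Get-SmbConnection` only lists connections that are currently open. Devices that appear under `OutboundSmb1Shares` or `RecentSmb1Clients` are the ones to segregate or plan to replace.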
