Newsletter Archives

  • SMB security changes in Windows 11 might affect your NAS, too

    WINDOWS 11

    Mary BranscombeBy Mary Branscombe

    It’s going to get harder and harder to connect to your NAS as a guest with SMB. That’s a good thing for security, but it could be a problem if your hardware is older.

    The Server Message Block (SMB) network file-sharing protocol lets Windows applications read and write files stored on servers in your network, including Network Attached Storage (NAS) systems. SMB underpins a lot of Windows network technologies, such as Storage Spaces Direct and even network printing. The print spooler is essentially just a file, after all.

    Read the full story in our Plus Newsletter (20.35.0, 2023-08-28).

  • MS-DEFCON 2: Are you still on Windows 10 21H2?

    alert banner

    ISSUE 20.23.1 • 2023-06-08

    By Susan Bradley

    We’re nearly halfway through the 2023 patching year, almost to the end of the road for Windows 10 21H2.

    But before we delve into that: Patch Tuesday is just around the corner, so it’s time to get conservative and defer patches. Accordingly, I’m raising the MS-DEFCON level to 2.

    Microsoft is indicating that it will “force” 21H2 machines to 22H2, but I have news for them — if you don’t have 22H2 and you are not using one of the methods to hold off on feature releases (Group Policy, registry key, etc.), chances are you have some sort of issue that is blocking the install. Some of the blocks may be driver-related, and some may be the result of underlying corruption in the code that handles patching.

    Anyone can read the full MS-DEFCON Alert (20.23.1, 2023-06-08).

  • Win10 1709 and later are supposed to uninstall SMBv1 if it isn’t used — but 1803 doesn’t work that way

    Many of you have read about the evils of SMBv1, one of the great Windows malware attack vectors of all time.

    Microsoft fixed much of the problem back with Win10 1709. Here’s the story, with lots of specifics:

    In Windows 10 Fall Creators Update and Windows Server, version 1709 (RS3) and later versions, the Server Message Block version 1 (SMBv1) network protocol is no longer installed by default…

    Windows 10 Home and Windows 10 Professional still contain the SMBv1 client by default after a clean installation. If the SMBv1 client is not used for 15 days in total (excluding the computer being turned off), it automatically uninstalls itself.

    But there’s a catch. Per Ned Pyle, the “uninstall if not used” feature in 1709 doesn’t happen if you do a fresh install of 1803. It also doesn’t happen if you upgrade directly from 1703 to 1803.

    Pyle also says that the latest beta versions of Win10 1809 (or whatever it’ll be called) have the same problem.

    Oh boy.

    Thx @sb

  • Patch lady – Scanners and SMBv1

    So if your older scanner suddenly doesn’t work consider this:  In 1709 if you did an in place upgrade, you retain the SMBv1 in your networking configuration.  However because this is deemed very unsafe (and it is a risk to keep it enabled), Microsoft does a check to see if you are still using it.  “In-place upgrades and Insider flights of Windows 10 Home and Windows 10 Professional do not automatically remove SMB1 initially. If the SMBv1 client or server is not used for 15 days in total (excluding the time during which the computer is off), they each automatically uninstall themselves.”

    So 15 days after SMBv1 on the client is not used, the system will send a dism command to disable SMBv1

    If suddenly your clients (if you are a consultant), or you (if it’s your computer) won’t scan to computer or scan to share, and you are using an older multi function device, go into your Windows 10 1709 and see if you can spot this in your event log in the setup section:

    Event 8

    Initiating changes to turn off update SMB1Protocol-Client of package SMB1-Package. Client id: DISM Package Manager Provider.

    If so, see if your printer/scanner manufacturer has a firmware update to support SMBv2 or SMBv3.  If not, you may need to either purchase a new device, or decide to lower your defenses.  Remember SMBv1 is often used in attacks to gain more rights and more toe-holds into a system and thus distribute ransomware.

    Bottom line if suddenly you can’t scan to a folder, check to see if that device only supports SMBv1 and then decide if you want to risk enabling it.

  • List of problematic SMBv1-only hardware, from NedPyle

    No doubt you’ve been following the SMBv1 controversy, where an ancient protocol is exposing lots of machines to WannaCry-class malware. You or your company may well have started disabling it.

    Microsoft’s Ned Pyle (@NerdPyle on Twitter) has compiled a lengthy list of hardware that only works with SMBv1. It’s a sobering list.

  • Turn off SMBv1 on Windows, but be aware of the consequences

    Good series of articles from Barb Bowman, taking normal everyday users through the steps to disable SMBv1, the Windows system utility that put the “cry” in WannaCry.

    The first article explains how to turn it off.

    The second article gives workarounds for common problems with disabling the ancient protocol.