Microsoft Is Disabling SMB1 File-Sharing Protocol in Windows 11 Home (zdnet.com) 105
joshuark shares a report: Microsoft's Windows 10 operating system already disables by default SMB (Server Message Block) version 1, the 30-year-old file-sharing protocol. Now the company is doing the same with Windows 11 Home Dev Channel test builds, announced officials on April 19. SMB1 is considered outdated and not secure. However, some users with very old equipment may be in for a surprise if their Windows 11 laptops can't connect to an old networked hard drive, as officials said in a blog post about the SMB1 phase out plan. "There is no edition of Windows 11 Insider that has any part of SMB1 enabled by default anymore. At the next major release of Windows 11, that will be the default behavior as well," said Ned Pyle, Principal Program Manager. "Like always, this doesn't affect in-place upgrades of machines where you were already using SMB1. SMB1 is not gone here, an admin can still intentionally reinstall it," Pyle added.
Obsolescence Now! (Score:2)
Why support SMB1 at all in W11?
Re:Obsolescence Now! (Score:5, Informative)
Re:Obsolescence Now! (Score:4, Insightful)
This is true, I wrote to the developer of an Android smb syncing app and he said that smb1 isn't really that insecure and that he won't be updating the app to support smb2. I only found out about this after I upgraded samba and the app stopped talking to my server. Is it true that smb1 vulns aren't a big deal for home users?
Comment removed (Score:5, Interesting)
Re: (Score:3)
There are remote code execution bugs:
https://docs.microsoft.com/en-... [microsoft.com]
Re: (Score:2)
Re: (Score:2)
But it wasn't the first, which implies there are more exploitable bugs to be found.
https://docs.microsoft.com/en-... [microsoft.com]
Since it's EOL for Samba and Microsoft, nobody is actively developing it. It's a massive attack surface with little to no benefit.
Re: (Score:3)
The main issue is that SMB1 password hashes are extremely weak and can be cracked in seconds. At the time it was developed the US had export controls on strong crypto, so Microsoft gave it really weak crypto and put everyone at risk.
Re: (Score:2)
To be fair, this huge risk that left everyone's backsides flapping in the breeze is very much to be blamed on the backward and senseless export regulations themselves, MS didn't have the ability to opt out of that particular nonsense.
Fortunately, the U.S. government finally came to understand that there are people in Europe and Asia that understand math and don't have to obey U.S. law.
Re:Obsolescence Now! (Score:5, Informative)
Well there can be no real argument that more recent protocols like SMBv2 would be more secure however, considering the common attack vectors for SMBv1 I can agree that probably its not much risk in your typical home environment.
The biggest issues are the weak authentication, and weak protection of secrets that can subsequently be used to access services protected by other controls and using more modern protocols. Lastly you have replay, and relay attacks.
The challenge in the enterprise world is that you don't really know who is on the network and even if you do you don't always know their motives. Controls like NAC started to close that whole but the whole BYOD movement has undone a lot of progress that was being made there. (which is pushing things back in the direction VDI which is deeply stupid but that is a different discussion entirely). Even in a perfect world you one phishing payload capable of evading your endpoint controls and command and control detection away from having someone who isnt supposed to be their on your low privilged network.
So having this weak protocol SMBv1 where I can start listing to authentication events passively and cracking hashing, or take the one machine I do control force it authenticate with something and pass replay that around the network to authenticate to other things means I can move around latterly until I find access to some account that lets me move up vertically.
Now lets think about the threat at home - There is probably one or two 'PCs' and a bunch of devices. NAS aside all the goodies most of your threat actors are going to be interested in, your financial account info etc are probably on the PC. Which is also going to be their initial foothold 99% of the time; via a phish or some kind of web-based drive-by. If they pwn your PC do you care if they can get to your Chrome-cast? Probably not much and neither does the attacker..
Can they use SMBv1 as vector to get your PC.. Maybe...I mean there may exist some escalation paths via making smb connections to local-host. Potentially that *could* allow them to get from code limited privilege code execution they already have to knowing a secret. However again, they already have your user account data. Does it really matter if they can get system or not? I care about the /Users/DarkOx; the contents of C:\Windows can be re-installed anytime and it won't get your into my bank account.
What if they are on your wifi? Again its going to be tough, unlike that corporate environment, with 10s to 100s of PCs on a subnet making SMB connections constantly, you might be waiting awhile before you can catch something passively or with something like responder. If you are already in my house I have bigger concerns any, getting on the WIFI is pretty unlikely even if you are still using WPA2-AES kit unless the password is crap. Fortunately for the world most of the WEP only and TKIP only equipment has failed or been replaced. If someone is using a crappy WIFI password they are probably also using a crapy password on the PC - so once again SMB won't be the vector.
TL:DR - yes you should upgrade, and Microsoft is probably doing the right thing here nudging a now very long depricated protocol out of use. However I also don't think if you are still runing some SMBv1 stuff at home you are really destorying your security posture should you decided to re-enable SMBv1 or make occasional use of some use-space smbclient like thing to talk to an old NAS or move some files to an old PC or something. Its really not the massive attack surface it presents in the enterprise space.
Re: (Score:2)
I can't imagine any vulnerability in SMB1 that's any bigger than anything in any non-encrypted file transfer protocol that's also in common use.
Pointing at something else insecure doesn't excuse picking something insecure and enabling it by default.
You may recall that SMBv1 vulnerabilities were largely used for Eternalblue, Wannacry and NotPetya, none of these relied on simply the lack of encryption. SMBv1 has been responsible for several remote code execution vulnerabilities, not just by Microsoft, but by the open source community as well, and this was due to how the SMBv1 protocol was handled and designed, not just bad programming. Closing off th
Re: (Score:3)
SMB1 was not installed by default on Windows Server 2016 and from Windows 10 build 1706. If this Android app only supports SMB1 then it hasn't been working out the box for many years. Users would have been forced to follow instructions for installing SMB1 on Windows 10 just to get it to work.
Sounds like a shit app, TBH. There are loads of other apps for Android that support SMB2 and SMB3.
Re: (Score:2)
Windows not having SMB1 running by default for years has no bearing on an Android app. Android apps don't run on Windows (unless you are using an emulator) so if SMB1 isn't running on Windows the app can still run fine as long as the version of Android you are using is still using SMB1.
Re:Obsolescence Now! (Score:4, Informative)
It's mostly the ability to have unencrypted transfers and weak password hashes.
Which for home use is probably no big deal - I would expect most home users to basically have no password or weak passwords on the shares because it's stuff like media and such. The devices aren't all that old - some are basically current media players that can get their files off a NAS, but they only do SMB1. The average home user will probably make it a password less share, a simple password or whatever and the content is TV shows or movies.
The big deal really is that SMB1 is still around, because SMB2 has been around since Windows Vista and expanded upon in Windows 7. (SMB3 was part of Windows 8).
Likely the reason for that is Samba - version 3.2 went to GPLv3, yet SMB2 support happened 3 years later in 3.6. Few people want to deal with GPLv3 in embedded devices, so all these devices basically were stuck with SMB1 as that is what Samba supported under GPLv2.
Which would be an interesting case of it's not Microsoft wanting to deprecate SMB1, it's open-source software licensing causing people to still require the ancient protocol. Unless you're Apple or Synology or QNAP or whatever, who can develop your own SMB2+ implementation.
These media boxes are basically turnkey devices so the manufacturers just use what they can - including old versions of Samba because you want Windows networking.
Re: (Score:2)
That is a lazy-ass incompetent app developer -- android apps should ABSOLUTELY be supporting SMBv2, it's been out for well over a decade* and they're not keeping up with the times.
* https://en.wikipedia.org/wiki/... [wikipedia.org]
Recommend you find another app that does support it. And/or shell out some $$ to support someone writing an app that supports SMBv2.
Re:Obsolescence Now! (Score:5, Interesting)
because hundreds of thousands of devices only support SMB1, it may be insecure and obsolete but that doesn't magically make all the NAS type devices that rely on it disappear.
And so your answer is to continue to support hundreds of thousands of insecure devices, and simply wait for the inevitable data to magically disappear instead, because it was cracked like the fragile egg it is?
Sure, that 1972 Pinto is still street legal. Doesn't mean you're rushing to put your first born in it. And it would be different if we were merely catering to Obsolescence here. We're not. We're catering to Dangerous too.
And if you're still manufacturing devices that rely on SMB1 exclusively today, well your eulogy has been written. Security was screaming at you five years ago to secure your shit after they played the Wanna Cry song. That's four years too many.
Re: (Score:3)
>And if you're still manufacturing devices that rely on SMB1 exclusively today, well your eulogy has been written.
A sizable percentage (majority?) of users will give out their passwords in exchange for a chocolate bar - I don't think an security is high on their list of purchase considerations.
Meanwhile, if data security is important to you, and you're not either a security expert yourself, nor have one on your payroll, then you probably shouldn't have your data on any internet-facing hardware in the fir
Re: (Score:2)
Meanwhile, if data security is important to you, and you're not either a security expert yourself, nor have one on your payroll, then you probably shouldn't have your data on any internet-facing hardware in the first place.
Actually, if you don't have backups, your data isn't truly secure anyway. In my own experience, drive failure is far more likely to kill your data than hackers. Unless you're subscribed to the ransomware of the month club, I guess.
Re: (Score:2)
A fair point - though I suppose it depends on what you mean by security. Depending on the data, losing it may be far preferable to having someone else find it (or modify it). You know - banking details, nuclear secrets, the codebase of your popular app, etc.
Personally I'd make a distinction between safe ="you won't lose it" and secure ="they won't get it". Though that's me, and there's obviously a fair bit of overlap.
Re: (Score:2)
I don't really see a big problem with SMB1, as long as it's inside LAN or VPN. And if you are using SMB over WAN, well, knowing that the service for Windows had so many exploitable bugs over the years, you're stupid.
Re: (Score:2)
I don't really see a big problem with SMB1, as long as it's inside LAN or VPN.
"Hi, my name's Decade Ago. I take it you haven't met my frenemy Insider Threat yet? Weird. Everyone tells me this guy's like everywhere now..."
Re: (Score:2)
Well, if someone's inside my house connected to my LAN I have much bigger problems to worry about than whether all my LAN traffic is encrypted.
Re: (Score:2)
While it may seem silly and outdated to include a trivial amount of code within a zero-day vuln to scan for SMB1 in the year 2022, we are still sitting here talking about brand-new vulnerable hardware.
It's not always a person, intruding.
Re: (Score:2)
It depends on what's the device that is hacked first. For example, if the PC gets hacked, people, who have a NAS, would have the network shares mounted already and accessible by the user (and the hacker).
Re: (Score:2)
well, knowing that the service for Windows had so many exploitable bugs over the years, you're stupid.
I was right with you there, but given you restricted view to just "the service for Windows" you can join all the people you just called stupid.
https://cve.mitre.org/cgi-bin/... [mitre.org]
Re: (Score:2)
I did not say that the samba was bug-free.
Also, I would use NFS between Linux machines instead of SMB (over VPN or inside LAN).
However, the Windows service is notoriously buggy - how many RCE bugs did it have over the years, I think the Blaster worm was one of the first famous worms to exploit it, but every version of Windows had more than one RCE bug in that service. It looks to me like the service is so complicated that Microsoft can never get it right.
Re: (Score:2)
It would be hard to manufacture a device today that was limited to SMB1.
Most of these devices use SoCs. All the in-production SoCs are supported by Linux versions newer than 2010 when SMB2 support was added to Samba. Maybe someone has a pile of ancient SoCs they want to get rid of by building NAS boxes or something.
See you don't just compile Linux for your target SoC and it works. It needs drivers and configuration options, known as Board Support Package or BSP. That comes from the manufacturer of the SoC,
Re: (Score:2)
We use lathes that cost 6 figures that still ship with windows XP embedded. XP only supports SMB1.
Some our lathes are still running MS DOS (and are perfectly reliable) and we have a "bridge" XP Virtual machine running SMB1 over TCP/IP for our windows 10/11 workstations to deposit job files, which get picked from the XP VM via SMB over IPS/SPX by the older lathes.
The new lathes pick up jobs from the bridge file server as well, but use TCP/IP not IPX/SPX.
Re: (Score:2)
The problem is GPLv3. Samba went GPLv3 in version 3.2 in 2008, and supported SMB2 in version 3.6, released in 2011.
So you might be fine with GPLv3, but manufacturers aren't, so they're left with ancient versions of Samba. Even Apple got caught out in this - Apple used Samba for Windows networking support until it transitioned to GPLv3. At that point, Apple wrote their own SMB support, and it was
Re: (Score:3)
No, Synology and QNAP are active bug reporters to the Samba project. I fix bugs for them both on a regular basis. Funnily enough, the Apple client engineers are also very active Samba bug reporters :-).
Re: (Score:3)
Cheap personal NAS boxes that still use the same hardware and firmware from a decade and a half ago. Many of them still don't support the newer SMB protocols or even modern browsers.
Re: (Score:2)
Cheap personal NAS boxes that still use the same hardware and firmware from a decade and a half ago. Many of them still don't support the newer SMB protocols or even modern browsers.
When we say a decade ago in computing terms, just imagine a century ago in car terms.
Sure, you could try and put a Model T on a freeway. You may not be considered sane if you did so. Same goes for continuing to use or rely on hardware or vendors who clearly don't give a flying fuck about security.
The "newer" protocols needed here, are years old. And if you can't even support a modern browser, your hardware probably belongs in a training lab or the trash.
Re: (Score:2)
Re: (Score:2)
The problem is that at least 2 years ago, they were still on the market in all of their obsolete glory. People still buy them and then cry when they don't work. The real fault lies with Linksys and Buffalo for foisting that worthless crap on the market.
Re: (Score:2)
Check out the 1 start reviews on This obsolete piece of trash. [amazon.ca] This crap is still being actively sold on the market.
Re: (Score:2)
Sure, you could try and put a Model T on a freeway
Actually, you probably can't. It appears [hotcars.com] that the top speed of Model T was 42 MPH. Most freeways (in the U.S.) have a minimum speed of 45 mph.
Re: (Score:2)
Sure, you could try and put a Model T on a freeway
Actually, you probably can't. It appears [hotcars.com] that the top speed of Model T was 42 MPH. Most freeways (in the U.S.) have a minimum speed of 45 mph.
Rush hour in California nobody will know if your car can make it to 30 mph or not.
Re: (Score:2)
And yet, if it's inside your LAN, is there a problem? I mean even telnet would be OK inside LAN or over VPN.
I would not use SMB directly over WAN, no matter what version.
Re: (Score:2)
When we say a decade ago in computing terms, just imagine a century ago in car terms.
No, I don't think I shall. These are devices that are still available at retail. Would you dare to buy a 2021 car?
I'm not arguing that removing the old protocol isn't the right thing to do -- it is. In any situation like this, in order for things to get better, some people are pushing and others are getting pushed. But you can't seriously argue that people buying these things are "insane", or that they're not entitled to be annoyed at MS (the one doing the pushing).
Re: (Score:2)
People buying these older devices have no idea they are supporting old protocols..
The box says "windows networking support"..
And when they connect from windows, it works without complaints - at least until recently. The user had no way to know if SMBv1, v2 or v3 was being used and still doesn't because transparent backwards compatibility is provided.
MS should start adding warnings whenever a connection fails back to an older protocol, as manufacturers will not update their devices until users start demandin
That's OK (Score:2)
Re: That's OK (Score:2, Funny)
Re: (Score:3)
Re: (Score:3)
BeOS?
Whew, thought they were coming for my OS/2.
Yo Grark
Re: That's OK (Score:2)
Re: (Score:3)
Nah man, just because most supercomputers, cloud computing centers, and almost the entire internet are based on Linux, doesn't mean anybody *really* uses it /sarcasm
Re: (Score:2)
they use it because it is CHEAPER (Score:2)
They don't use Linix because it is better or easier, they use it because it is CHEAPER
Re: That's OK (Score:2)
Re: (Score:3)
I use OS/390.
Re: (Score:2)
Most of my stuff that matters is running Windows XP.
I'm sure you're probably kidding, but that was the last version of Windows where I could actually get home file sharing to not be a nightmare of epic proportions to get working. If I had the patience to sit down and fuck with the permissions and user accounts for a few hours, I'm sure I could get it working.
With USB 3 speeds being what they are, it's usually just faster to use a portable SSD to move files between computers anyway.
Re: (Score:2)
Yeah. Honestly even back in the XP days it was often easier to just run a stripped-down SFTP server than try to get the "simple" built-in file sharing system to work properly.
Seriously, how is it that ancient Unix software is more secure and easier to use than the vast majority of "convenient" modern alternatives, and yet still gets so little love?
Re: (Score:2)
I'm sure you're probably kidding, but that was the last version of Windows where I could actually get home file sharing to not be a nightmare
Yes, I was joking, though I agree that basic network filesharing was pretty quick to enable in XP!
Re: That's OK (Score:2)
Heh! It was XP Home taking away filesharing permissions which I had got used to on Win2000 which annoyed me enough to start using Linux.
They had a working system and chose to use some of their finite resources to remove functionality instead of correcting actual faults. I was shocked that actual paid-for software was inferior to software given away by philanthropists with beards.
Of course, that gap has grown wider over the years.
Never worked well anyway (Score:3)
Sometimes it can be really hard in a home environment to do a share from PC to PC and get the computers talking to each other. It can be hard to get security working after that. There has to be a better way.
Re:Never worked well anyway (Score:4, Informative)
FileZilla server. Seriously. When you just need to access one computer's files from another and don't feel like going 12 rounds with Windows permission settings, it gets the job done.
Re: (Score:2)
When you just need to access one computer's files from another and don't feel like going 12 rounds with Windows permission settings, it gets the job done.
If you're going through permission settings then you've punked yourself. Sharing is trivial ... unless you're an expert and are trying to do things the way we did them back in the days of Windows XP.
Re: (Score:2)
The key to getting Windows file sharing working is that Windows marks some networks private and some public. You need the network to be private for file sharing to work (and RDP and the like). Unfortunately Microsoft makes changing a network from public to private difficult, and different in every version of Windows.
Re: (Score:2)
Put cygwin on the wintendo and use ssh. Or even just use putty and use pscp from the windows side, but I find it nicer to have cygwin so I can pipe tar | ssh, and also so I can have an sshd.
Re: (Score:2)
Or just use a recent version of windows which already has ssh by default...
Re: (Score:2)
Sometimes it can be really hard in a home environment to do a share from PC to PC and get the computers talking to each other. It can be hard to get security working after that. There has to be a better way.
I find the only people who really have trouble sharing files are those who try to shoehorn the "old way" of doing something into their device or those who ignore what settings do in the tooltips which pop up and just bash a button to make a message go away.
Two great examples:
From the Windows 7 days I overheard a coworker trying to tell a computer illiterate person how to enable accounts, manually turn on network discovery, and navigate advanced sharing settings to share the user's profile folder to get at t
Re:How is this news? (Score:5, Funny)
Windows 10 has been not installing SMBv1 since 1709
Indeed that is very old news. I didn't even know Microsoft already existed back then.
Re: (Score:2)
Windows then ran on Giovanni Poleni's Calculating Clock (1709) [wikipedia.org].
is this news? (Score:2)
Re: (Score:2)
Unless you enabled it, in which case when you upgrade it will remain enabled.
Maybe MS thinks people aren't talking about Windows 11 enough, and Slashdot is a good place to do that?
"Disabling by Default" (Score:4, Insightful)
Is a good thing. Forcing (cheap) NAS manufacturers to provide scary instructions to reenable obsolete/insecure protocols will hopefully influence them to either improve their product or suffer from bad reviews.
Re: (Score:3)
This sucks (Score:5, Funny)
Are they seriously dropping support for connecting Microsoft Network Client for DOS to a Windows 11 share? What next, tell me my paid license for Microsoft Workgroup Add-On for DOS is meaningless for serving files from a DOS box to Windows 11, I'll just have to hang onto Windows 10 where it actually still works. It was $89 for crying out loud. There is no excuse for leaving people out in the cold who haven't bought any new software in decades.
Re: (Score:2)
If you actually read the summary you will see that SMB1 isn't being removed just that it will no longer be enabled by default. Just like Windows 10 you will need to manually enable SMB1 if you should need it.
This applies whether you were being sarcastic or not. 8^)
RIP (Score:2, Interesting)
RIP Super Mario Brothers 1
Microsoft created the problem for themselves (Score:2)
We all know that Linux (embeded devices) only implement the easiest version of the protocol, no extra work, unless they have to.
I think the article is focusing on the wrong POV (Score:2)
SMB1 has already been disabled for years in Win10 (they even state that in article). The real news was that apparently the Win11 did NOT?!? lol
This is overdue (Score:1)
Re: (Score:2)
It's long past time to kill off SMBv1. Devices that do not support more modern versions of SMB are overdue for replacement anyway. If disabling SMBv1 means your NAS doesn't work anymore, the correct answer is to replace the NAS. Microsoft is totally justified in disabling this unsafe protocol.
Like SMBv2 is any safer.
Re: (Score:2)
SMB3 actually *is* safer, due to the cryptographic protection meaning you can't MITM downgrade it.
What difference does it make? (Score:2)
If I have the latest version of windows can I connect to a password protected SMB share and have the connection actually be secure? Or can it be trivially downgraded or compromised via offline dictionary attack on the **LM or Kerberos auth?
The last time I looked into this the answer was no. Has anything changed?
Re: (Score:2)
SMB3 can't be downgraded or compromised by dictionary attack.
Re: (Score:2)
If you're performing a MITM attack you can downgrade the connection to SMBv2 or SMBv1 which lacks many of the protections present in SMBv3.
If you have SMBv1 disabled obviously you can only downgrade to SMBv2, so some attacks can still be performed but it's not as bad as V1.
The problem here is that users aren't warned when the downgrade occurs, or if they access a server which genuinely only supports the older protocol. If you start warning users that they are using an older less secure protocol, this will t
Re: (Score:2)
No, you can't downgrade SMB3.1.1 to any lower protocol with a MITM attack. That was one of the fixes in SMB3.1.1.
Google "Pre-authentication integrity in SMB 3.1.1"
https://interopevents.blob.cor... [windows.net]
Warnings... (Score:2)
There are a LOT of protocols where the newer versions are better and more secure, but the older versions are still supported for backwards compatibility. This applies not just to SMBv1, but also to SMBv2 (ie SMBv2 is better than SMBv1 but ideally you should be using SMBv3), TLS/SSL, IPv6, HTTP etc.
The problem is that most software will try to use the latest protocols by default, but will silently degrade to the older ones without warning the user. As soon as a protocol is superseded, new software versions s