Hello again, James Kehr here with another guest post. Titles are hard to do. They must convey the topic to the reader while being both interesting and informative, all at the same time. Doing this with a technical article makes life even harder. Now imagine my dilemma when starting an article about SMB1 behaviors in modern Windows. Think about that for a minute. Go ahead. The article will still be here.
Today I'll explain why you still see a little SMB1 on your network even after you uninstalled SMB1 from Windows, and why it's a good thing.
SMB1 is Dead!
The end of SMB version 1 (SMB1) topic has been discussed in great detail by Ned Pyle, who runs the SMB show here at Microsoft. Go read this article if you have not.
At first glance this seems like I’m beating a dead horse. If that’s what you thought, you’d be right. Unfortunately, this figuratively dead horse needs to be beaten1 some more.
Please stop using SMB1. Please get rid of those ancient, legacy systems that only support SMB1. We constantly get cases from customers asking why modern Windows 10 doesn’t support SMB1 out-of-the-box so it will work with their old, insecure systems.
Let’s go over this one last time.
The only versions of Windows that require SMB1 are end-of-support (EOS). By years! These are Windows Server 2003 (EOS July 2015), Windows 2000 Server (EOS July 2010), their client editions, and older.
Samba and Linux distros like Ubuntu have retired SMB1 as well. If you have a Linux/Unix-like distro that only supports SMB1, it’s time to upgrade.
Not only does Microsoft not support these EOS operating systems (OS’s), we do not support interoperability with them. Meaning, if the latest version of Windows 10 does no work with an EOS version of Windows over SMB, Microsoft will not support you.
Why not? Let’s start by putting the age of Windows 2000 (W2000) and 2003 (W2003) into perspective.
EOS Windows versus Apple:
Windows 2000 was released 7 years before the first iPhone.
Windows 2003/XP was released 4 years before the first iPhone.
Apple computers were still running IBM PowerPC processors.
Asking for EOS Windows support is like asking Apple to support PowerPC Macs. I’m sure Apple support would get a good laugh out of the request, but I imagine that’s as far as the request would go.
… vs Android
Didn’t even exist.
… vs Linux
Kernel 2.2.14 was released the same year as Windows 2000.
Version 2.4 was the newest kernel when Windows Server 2003 launched.
Support for the last version of the version 2 kernel, 2.6.32, ended in 2016.
How fast do you think the “no” would come back from Linux distro support if you asked for support on kernel 2.2 or 2.4? Assuming your distro of choice even existed back then.
By asking Microsoft to support EOS Windows, people are effectively asking us to support an OS that is so old that the modern smartphone didn’t even exist yet. Not counting Pocket PC or Windows Mobile here. An era when dial-up internet was still dominant and the world was still learning how high-speed Internet would impact computer security.
Multi-core processors didn’t exist yet, outside of the mainframe space. Those didn’t come around until 2004 (AMD) and 2005 (Intel). X86 64-bit processors didn’t exist when W2000 was released and they were brand new for W2003. Running legacy OS’s is not just bad security, it’s scary security because you are running an OS built for a completely different era of computing.
The real question here is: Why are you still running an OS or device that is so old it requires SMB1?
The SMB1 Problem
The biggest problem with SMB1 is that it was developed for the pre-Internet era. The first dialect came out in 1983 from IBM. Security and performance were designed for closed token ring networks and old fashion spinny disks. As EternalBlue and WannaCry would later prove, it is not a protocol that has aged well and it is no longer safe to use.
Unlike most other deprecated protocols, however, SMB1 controls the keys to the kingdom: data, services, file systems, accounts, and more. This makes SMB1 exploits critically harmful.
When Microsoft decided to retire SMB1 for real, and stop asking nicely, we tore off that band-aid by removing it completely from Windows 10 Spring 2017 Update (Win10 1703), when Windows detected that SMB1 was not in use. No SMB1 dialect was sent during negotiation, no SMB1 was allowed at all. And that broke things.
It turned out that some devices which only know about SMB1 weren’t quite sure what to do when getting an SMB request with no SMB1 in it. This caused a lot of strange behavior on the Windows-side; namely, hanging or pausing until everything finally timed out. This manifested in Windows as an unresponsive Windows Explorer (the technical name for the yellow folder icon you click on to access your files). People don’t like that. I don’t like that.
We ended up making changes to mitigate this without actually enabling SMB1.
Windows 10 1709 (2017 Fall Update) and newer will send SMB1 dialects as part of the SMB negotiate. We do this to help interoperability with legacy devices. I.E. prevent Windows Explorer from pausing/hanging.
We will not actually allow an SMB1 connection when SMB1 is disabled. We only pretend to. The connection will end up getting closed when the server or client tries to use an SMB1 dialect.
In addition to preventing uncomfortably long waits for Windows users, it lets us bubble up messages about SMB1 only devices on your network. System admins can look in the Event Viewer > Applications and Services Logs > Microsoft > Windows > SMBServer-Operational log for event ID 1001, which is created when SMB1 is used.
Log Name: Microsoft-Windows-SMBServer/Operational
Source: Microsoft-Windows-SMBServer
Date: 9/17/2019 12:17:41 PM
Event ID: 1001
Task Category: (1001)
Level: Information
Keywords: (8)
User: N/A
Computer: DC01
Description:
A client attempted to access the server using SMB1 and was rejected because SMB1 file sharing support is disabled or has been uninstalled.
Guidance:
An administrator has disabled or uninstalled server support for SMB1. Clients running Windows XP / Windows Server 2003 R2 and earlier will not be able to access this server. Clients running Windows Vista / Windows Server 2008 and later no longer require SMB1. To determine which clients are attempting to access this server using SMB1, use the Windows PowerShell cmdlet Set-SmbServerConfiguration to enable SMB1 access auditing.
SMB1 auditing can be also be enabled to get more details about what is using SMB1 on your network.
Set-SmbServerConfiguration -AuditSmb1Access $true
Log Name: Microsoft-Windows-SMBServer/Audit
Source: Microsoft-Windows-SMBServer
Date: 12/13/2019 11:37:53 AM
Event ID: 3000
Task Category: None
Level: Information
Keywords:
User: N/A
Computer: DC01.Contoso.com
Description:
SMB1 access
Client Address: 192.168.1.214
Guidance:
This event indicates that a client attempted to access the server using SMB1. To stop auditing SMB1 access, use the Windows PowerShell cmdlet Set-SmbServerConfiguration.
The SMB Negotiate command is where the SMB dialect is …well… negotiated.
The SMB Client – the system requesting access to the remote file system – sends a list of all the dialects it supports. A dialect is a revision of the SMB protocol specification. Every revision of the SMB protocol has, so far, gotten a new dialect. Though SMB 3.1.1 was built to be more extensible so it may be a while before the next dialect is created.
The SMB Server – the system hosting the file system – then selects the newest dialect that both client and server support. When the server supports none of the client protocols it aborts the connection with a TCP RST (reset).
How does faux SMB1 support work with Negotiate? Delicately.
Here’s what it looks like when a Windows SMB Server rejects an SMB1 only connection from an SMB Client. This is the SMB1 only request, as seen by Wireshark.
Dislikes: 0
Originally Posted by slimslob
Posting Permissions
Thanks: 
Likes: 
Reply With Quote
Bookmarks