  1. #221
    Service Manager 5,000+ Posts
    White Privilege, clear cut.

    BillyCarpenter's Avatar
    Join Date
    Aug 2020
    Location
    Long Beach, Mississippi
    Posts
    6,169
    Rep Power
    216

    Re: White Privilege, clear cut.

    Quote Originally Posted by slimslob View Post
    Being retired for a few years I haven't worked with Server 2019. As for Windows 10 the biggest problem I see with SMB1 is that enabling it is only a temporary fix. The next time a security update installs it will disable SMB1.


    That is true. I've posted an article many times about SMB1 being dead and this is one reason why. The reason I turned on SMB1 is because the Kyocera MFP I was trying to get to scan didn't have the latest firmware and I didn't have the new firmware with me at the time. I wanted to make sure it was gonna work as I wasn't quite sure what the problem was. I went back yesterday and upgraded the firmware and turned SMB1 off.

  2. #222
    Service Manager 5,000+ Posts
    White Privilege, clear cut.

    BillyCarpenter's Avatar
    Join Date
    Aug 2020
    Location
    Long Beach, Mississippi
    Posts
    6,169
    Rep Power
    216

    Re: White Privilege, clear cut.

    SMB1 is Dead


    Hello again, James Kehr here with another guest post. Titles are hard to do. They must convey the topic to the reader while being both interesting and informative, all at the same time. Doing this with a technical article makes life even harder. Now imagine my dilemma when starting an article about SMB1 behaviors in modern Windows. Think about that for a minute. Go ahead. The article will still be here.


    Today I'll explain why you still see a little SMB1 on your network even after you uninstalled SMB1 from Windows, and why it's a good thing.


    SMB1 is Dead!


    The end of SMB version 1 (SMB1) topic has been discussed in great detail by Ned Pyle, who runs the SMB show here at Microsoft. Go read this article if you have not.


    At first glance this seems like I'm beating a dead horse. If that's what you thought, you'd be right. Unfortunately, this figuratively dead horse needs to be beaten some more.


    Please stop using SMB1. Please get rid of those ancient, legacy systems that only support SMB1. We constantly get cases from customers asking why modern Windows 10 doesn't support SMB1 out-of-the-box so it will work with their old, insecure systems.


    Let's go over this one last time.


    The only versions of Windows that require SMB1 are end-of-support (EOS). By years! These are Windows Server 2003 (EOS July 2015), Windows 2000 Server (EOS July 2010), their client editions, and older.
    Samba and Linux distros like Ubuntu have retired SMB1 as well. If you have a Linux/Unix-like distro that only supports SMB1, it's time to upgrade.
    Not only does Microsoft not support these EOS operating systems (OS's), we do not support interoperability with them. Meaning, if the latest version of Windows 10 does not work with an EOS version of Windows over SMB, Microsoft will not support you.


    Why not? Let's start by putting the age of Windows 2000 (W2000) and 2003 (W2003) into perspective.


    EOS Windows versus Apple:
    Windows 2000 was released 7 years before the first iPhone.
    Windows 2003/XP was released 4 years before the first iPhone.
    Apple computers were still running IBM PowerPC processors.
    Asking for EOS Windows support is like asking Apple to support PowerPC Macs. I'm sure Apple support would get a good laugh out of the request, but I imagine that's as far as the request would go.


    … vs Android
    Didn't even exist.


    … vs Linux
    Kernel 2.2.14 was released the same year as Windows 2000.
    Version 2.4 was the newest kernel when Windows Server 2003 launched.
    Support for the last version of the version 2 kernel, 2.6.32, ended in 2016.
    How fast do you think the "no" would come back from Linux distro support if you asked for support on kernel 2.2 or 2.4? Assuming your distro of choice even existed back then.


    By asking Microsoft to support EOS Windows, people are effectively asking us to support an OS that is so old that the modern smartphone didn't even exist yet. Not counting Pocket PC or Windows Mobile here. An era when dial-up internet was still dominant and the world was still learning how high-speed Internet would impact computer security.


    Multi-core processors didn't exist yet, outside of the mainframe space. Those didn't come around until 2004 (AMD) and 2005 (Intel). X86 64-bit processors didn't exist when W2000 was released and they were brand new for W2003. Running legacy OS's is not just bad security, it's scary security because you are running an OS built for a completely different era of computing.


    The real question here is: Why are you still running an OS or device that is so old it requires SMB1?


    The SMB1 Problem


    The biggest problem with SMB1 is that it was developed for the pre-Internet era. The first dialect came out in 1983 from IBM. Security and performance were designed for closed token ring networks and old fashion spinny disks. As EternalBlue and WannaCry would later prove, it is not a protocol that has aged well and it is no longer safe to use.


    Unlike most other deprecated protocols, however, SMB1 controls the keys to the kingdom: data, services, file systems, accounts, and more. This makes SMB1 exploits critically harmful.


    When Microsoft decided to retire SMB1 for real, and stop asking nicely, we tore off that band-aid by removing it completely from Windows 10 Spring 2017 Update (Win10 1703), when Windows detected that SMB1 was not in use. No SMB1 dialect was sent during negotiation, no SMB1 was allowed at all. And that broke things.


    It turned out that some devices which only know about SMB1 weren't quite sure what to do when getting an SMB request with no SMB1 in it. This caused a lot of strange behavior on the Windows-side; namely, hanging or pausing until everything finally timed out. This manifested in Windows as an unresponsive Windows Explorer (the technical name for the yellow folder icon you click on to access your files). People don't like that. I don't like that.


    We ended up making changes to mitigate this without actually enabling SMB1.


    Windows 10 1709 (2017 Fall Update) and newer will send SMB1 dialects as part of the SMB negotiate. We do this to help interoperability with legacy devices. I.E. prevent Windows Explorer from pausing/hanging.
    We will not actually allow an SMB1 connection when SMB1 is disabled. We only pretend to. The connection will end up getting closed when the server or client tries to use an SMB1 dialect.


    In addition to preventing uncomfortably long waits for Windows users, it lets us bubble up messages about SMB1 only devices on your network. System admins can look in the Event Viewer > Applications and Services Logs > Microsoft > Windows > SMBServer-Operational log for event ID 1001, which is created when SMB1 is used.


    Log Name: Microsoft-Windows-SMBServer/Operational
    Source: Microsoft-Windows-SMBServer
    Date: 9/17/2019 12:17:41 PM
    Event ID: 1001
    Task Category: (1001)
    Level: Information
    Keywords: (8)
    User: N/A
    Computer: DC01
    Description:
    A client attempted to access the server using SMB1 and was rejected because SMB1 file sharing support is disabled or has been uninstalled.


    Guidance:
    An administrator has disabled or uninstalled server support for SMB1. Clients running Windows XP / Windows Server 2003 R2 and earlier will not be able to access this server. Clients running Windows Vista / Windows Server 2008 and later no longer require SMB1. To determine which clients are attempting to access this server using SMB1, use the Windows PowerShell cmdlet Set-SmbServerConfiguration to enable SMB1 access auditing.


    SMB1 auditing can also be enabled to get more details about what is using SMB1 on your network.


    Set-SmbServerConfiguration -AuditSmb1Access $true


    Log Name: Microsoft-Windows-SMBServer/Audit
    Source: Microsoft-Windows-SMBServer
    Date: 12/13/2019 11:37:53 AM
    Event ID: 3000
    Task Category: None
    Level: Information
    Keywords:
    User: N/A
    Computer: DC01.Contoso.com
    Description:
    SMB1 access


    Client Address: 192.168.1.214


    Guidance:
    This event indicates that a client attempted to access the server using SMB1. To stop auditing SMB1 access, use the Windows PowerShell cmdlet Set-SmbServerConfiguration.


    The SMB Negotiate command is where the SMB dialect is …well… negotiated.


    The SMB Client – the system requesting access to the remote file system – sends a list of all the dialects it supports. A dialect is a revision of the SMB protocol specification. Every revision of the SMB protocol has, so far, gotten a new dialect. Though SMB 3.1.1 was built to be more extensible so it may be a while before the next dialect is created.


    The SMB Server – the system hosting the file system – then selects the newest dialect that both client and server support. When the server supports none of the client protocols it aborts the connection with a TCP RST (reset).


    How does faux SMB1 support work with Negotiate? Delicately.


    Here's what it looks like when a Windows SMB Server rejects an SMB1 only connection from an SMB Client. This is the SMB1 only request, as seen by Wireshark.
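
Added example (not part of the quoted article or of any post in this thread): a PowerShell sketch of the audit workflow the article describes, turning on SMB1 access auditing and then summarising event ID 3000 by client address so the remaining SMB1-only devices can be found and upgraded. The 30-day window and the variable names are assumptions; the client address is parsed from the event message text in the form shown in the sample event above.

```powershell
# Added example: inventory SMB1 clients from the SMBServer audit log.
# Run in an elevated PowerShell session on the file server.

# 1. Show the current state: whether SMB1 is enabled and whether auditing is on.
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, AuditSmb1Access

# 2. Enable SMB1 access auditing (the cmdlet the article shows).
#    -Force suppresses the confirmation prompt.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# 3. Collect event ID 3000 from the audit log for the look-back window.
$since  = (Get-Date).AddDays(-30)   # assumption: 30-day look-back
$filter = @{
    LogName   = 'Microsoft-Windows-SMBServer/Audit'
    Id        = 3000
    StartTime = $since
}
# Get-WinEvent reports an error when nothing matches; treat that as "no events".
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# 4. Pull "Client Address: <address>" out of each message and tally per client.
$events |
    ForEach-Object {
        if ($_.Message -match 'Client Address:\s*(\S+)') {
            [pscustomobject]@{
                Client = $Matches[1]
                Time   = $_.TimeCreated
            }
        }
    } |
    Group-Object -Property Client |
    ForEach-Object {
        $sorted = @($_.Group | Sort-Object -Property Time)
        [pscustomobject]@{
            Client    = $_.Name
            Attempts  = $_.Count
            FirstSeen = $sorted[0].Time
            LastSeen  = $sorted[-1].Time
        }
    } |
    Sort-Object -Property Attempts -Descending |
    Format-Table -AutoSize
```

Each address in the output is a device that still offers only SMB1, such as an MFP on old firmware; once the list stays empty for the whole window, nothing on the network depends on SMB1.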



  3. #223
    Printer firmware is !&$! 50+ Posts
    Join Date
    Mar 2021
    Location
    London
    Posts
    60
    Rep Power
    7

    Re: White Privilege, clear cut.

    Quote Originally Posted by bsm2 View Post
    Wrong SMB1 is a Known Security threat Case Closed
    Notably, SMB1 was used as an attack channel for both the WannaCry and NotPetya mass ransomware attacks in 2017. SMBv1 is so insecure that most security experts now recommend that administrators disable it entirely via a group policy update. Dec 17, 2018
    Mate, USB Ports are a known security threat. Also, there was a patch fixing the Wannacry vulnerability.

  4. #224
    IT Manager 10,000+ Posts bsm2's Avatar
    Join Date
    Feb 2008
    Location
    Don't be a Billy
    Posts
    11,214
    Rep Power
    151

    Re: White Privilege, clear cut.

    Quote Originally Posted by Crowfeather View Post
    Mate, USB Ports are a known security threat. Also, there was a patch fixing the Wannacry vulnerability.
    Mate case closed for 3 years on Smb1
    The Answer is still NO

  5. #225
    Printer firmware is !&$! 50+ Posts
    Join Date
    Mar 2021
    Location
    London
    Posts
    60
    Rep Power
    7

    Re: White Privilege, clear cut.

    Quote Originally Posted by bsm2 View Post
    Mate case closed for 3 years on Smb1
    The Answer is still NO
    I think you misunderstand how much legacy equipment still requires this feature, and how breaking it can be for certain customers to have it removed. If you hadn't realized there are many industries that rely on 20 + year old tech.

    Try again in 30 years' time. Certainly enabling SMB1 on a server is not some crazy backwards horrible security mistake.


    Besides, an insecure file access protocol is merely a gateway, once you've already compromised your network or devices in some way. It is an accelerant of the problem, not the actual cause. The question should always be, how to avoid it at the source, damage limitation can come after that. There are multiple alternatives for malware to proliferate beyond SMB1 anyway.

  6. #226
    IT Manager 10,000+ Posts bsm2's Avatar
    Join Date
    Feb 2008
    Location
    Don't be a Billy
    Posts
    11,214
    Rep Power
    151

    Re: White Privilege, clear cut.


  7. #227
    IT Manager 10,000+ Posts bsm2's Avatar
    Join Date
    Feb 2008
    Location
    Don't be a Billy
    Posts
    11,214
    Rep Power
    151

    Re: White Privilege, clear cut.

    Yep the real terrorists


  8. #228
    Service Manager 1,000+ Posts
    Join Date
    Mar 2017
    Posts
    1,101
    Rep Power
    54

    Re: White Privilege, clear cut.

    Like it or not, security threats afforded by lax/indifferent dealers are a good way to get the crap sued out of you..We have Bizhub Secure here at KM..If a customer purchases this option and we don't set it up, or make a 1/2 ass attempt, once the hole has been found to be the copier or our software you better hide. Just like every other make of connected devices there are exploits that can be used as a back door to do any level of bad stuff..Take this stuff seriously..SMB, Email, Webdav..every one of these protocols has updated security features. Bypassing these could get you in a whole lot of trouble..For Bizhub Secure, we generate a 20 char random password (or have customer create one themselves). The code is not used anywhere else, and KM techs do not make a note of it..We turn on HDD lock, encryption and overwrite modes..there are a ton of other settings including authentication, changing the admin password, closing unused ports, enabling audit logs, etc..You better have a signed sheet saying "my company does not want this" on file..1st time HIPAA laws are broken and it can be traced back to the copier you must be able to say "hey, this is on you, we told you to turn on authentication"..E

  9. #229
    Printer firmware is !&$! 50+ Posts
    Join Date
    Mar 2021
    Location
    London
    Posts
    60
    Rep Power
    7

    Re: White Privilege, clear cut.

    Quote Originally Posted by emujo2 View Post
    Like it or not, security threats afforded by lax/indifferent dealers are a good way to get the crap sued out of you..We have Bizhub Secure here at KM..If a customer purchases this option and we don't set it up, or make a 1/2 ass attempt, once the hole has been found to be the copier or our software you better hide. Just like every other make of connected devices there are exploits that can be used as a back door to do any level of bad stuff..Take this stuff seriously..SMB, Email, Webdav..every one of these protocols has updated security features. Bypassing these could get you in a whole lot of trouble..For Bizhub Secure, we generate a 20 char random password (or have customer create one themselves). The code is not used anywhere else, and KM techs do not make a note of it..We turn on HDD lock, encryption and overwrite modes..there are a ton of other settings including authentication, changing the admin password, closing unused ports, enabling audit logs, etc..You better have a signed sheet saying "my company does not want this" on file..1st time HIPAA laws are broken and it can be traced back to the copier you must be able to say "hey, this is on you, we told you to turn on authentication"..E
    If you are doing that, and requested to do this, then this is a customer that obviously values high level security for a particular reason (E.G Medical company). Obviously, if you are not doing what you're paid to do then you are going to get done for non-performance and also negligence since you assumed a duty of care to the customer.


    If you want to avoid liability just ask the customer if you can enable SMB1 for the purposes of scanning to server or shared folder, and indicate that (if in the case the printer is not capable without this being enabled), that not enabling this will mean they cannot make use of this function.

    At the end of the day, the customer's security is not your responsibility. Their IT is not your responsibility. So don't make it your responsibility.




    Also as a note the responsibility of a manufacturer is different to that of a Dealer or service provider.
    Last edited by Crowfeather; 07-20-2021 at 10:38 PM.

  10. #230
    IT Manager 10,000+ Posts bsm2's Avatar
    Join Date
    Feb 2008
    Location
    Don't be a Billy
    Posts
    11,214
    Rep Power
    151

    Re: White Privilege, clear cut.

    Quote Originally Posted by Crowfeather View Post
    If you are doing that, and requested to do this, then this is a customer that obviously values high level security for a particular reason (E.G Medical company). Obviously, if you are not doing what you're paid to do then you are going to get done for non-performance and also negligence since you assumed a duty of care to the customer.


    If you want to avoid liability just ask the customer if you can enable SMB1 for the purposes of scanning to server or shared folder, and indicate that (if in the case the printer is not capable without this being enabled), that not enabling this will mean they cannot make use of this function.

    At the end of the day, the customer's security is not your responsibility. Their IT is not your responsibility. So don't make it your responsibility.




    Also as a note the responsibility of a manufacturer is different to that of a Dealer or service provider.

    At the end of the day, the customer's security is not your responsibility. Their IT is not your responsibility. So don't make it your responsibility.


    That's exactly how your company gets sued.
    Good luck with that in court.

    Smb1 OFF Period.
    Upgrade your copier with firmware if available or buy a new box.
