News

Microsoft Explains the Fate of SMB1

• By Kurt Mackie
• 02/27/2020

Microsoft has not completely scrubbed Windows of Server Message Block 1 (SMB1), the company said this week, counter to its previously stated plans.

SMB1 is a deprecated and insecure Windows component still used by many systems and products that was targeted by the infamous "WannaCry" malware back in 2017. WannaCry is a wiper that destroys access to files, posing as ransomware. The malware hit organizations around the globe, disabling systems used by hospitals, pharmaceutical companies, shipping firms and more.

Microsoft had claimed back then that it planned to remove SMB1, starting with the Windows 10 fall 2017 feature update and Windows Server 2016 operating systems, but that's not exactly what happened.

Microsoft instead ended up adding a "mitigation" that lets legacy devices and applications dependent on SMB1, such as Windows Explorer, continue to function without hanging. If SMB1 is disabled in a system, then the connection will get disabled, according to this mitigation scheme.

Here's Microsoft's explanation of the SMB1 mitigation, per the announcement by James Kehr, a Windows escalation engineer at Microsoft:

• Windows 10 1709 (2017 Fall Update) and newer will send SMB1 dialects as part of the SMB negotiate. We do this to help interoperability with legacy devices. I.E. prevent Windows Explorer from pausing/hanging.
• We will not actually allow an SMB1 connection when SMB1 is disabled. We only pretend to. The connection will end up getting closed when the server or client tries to use an SMB1 dialect.

An "SMB dialect" is sort like a version. Kehr defined it as "a revision of the SMB protocol specification."

Kehr was clear that organizations should "stop using SMB1," as well as the legacy software and devices that depend on it. He included some tips on how IT pros can search for SMB1 use.

Microsoft rewrote the protocol with SMB2. The current SMB3 protocol "still uses the MS-SMB2 protocol spec," so it's not that different of a product, Kehr explained.

Newer SMB products feature "full AES encryption of data payloads to prevent man-in-the-middle (MITM) snooping and attacks." They support "seamless failover between clustered file servers." Additionally, the "throughput between RDMA capable servers" was improved, Kehr indicated.