Security

Microsoft recommends Exchange admins to disable the SMBv1 protocol

Microsoft is recommending administrators to disable the SMBv1 network communication protocol on Exchange servers to prevent malware attacks.

Microsoft is urging administrators to disable the SMBv1 protocol on Exchange servers as a countermeasure against malware threats like TrickBot and Emotet.

“To make sure that your Exchange organization is better protected against the latest threats (for example Emotet, TrickBot or WannaCry to name a few) we recommend disabling SMBv1 if it’s enabled on your Exchange (2013/2016/2019) server.” reads an advisory published by the Microsoft Tech Community.

The SMBv1 protocol is a network communication protocol for providing shared access to files, printers, and serial ports between nodes on a network. It also provides an authenticated inter-process communication mechanism.

Since 2016, Microsoft is urging admins to stop using SMBv1, later versions of the protocol implemented security enhancements, such as encryption, pre-authentication integrity checks to prevent man-in-the-middle (MiTM) attacks, and insecure guest authentication blocking.

Now the Exchange is remarking the need to disable the SMBv1on exchange servers.

“There is no need to run the nearly 30-year-old SMBv1 protocol when Exchange 2013/2016/2019 is installed on your system. SMBv1 isn’t safe and you lose key protections offered by later SMB protocol versions. If you want to learn more about SMBv1 and why you should stop using it, I’d recommend reading this blog post published and updated by Ned Pyle.” continues Microsoft

“Microsoft publicly deprecated the SMBv1 protocol in 2014 and so we stopped installing it by default when using Windows Server 2016 1709 (RS3). Please see this KB for more information.

In 2017, the Shadow Brokers hacking group released a collection of NSA exploits and hacking tools targeting Microsoft’s Windows OS, some of them were developed to exploit the SMBv1 protocol to execute commands on vulnerable servers with administrative privileges.

Two of the most popular exploits today implemented in several malware strains are EternalBlue and EternalRomance. The list of malware including the exploits is long and includes Emotet, TrickBot, WannaCry, Retefe, NotPetya, and the Olympic Destroyer.

SMBv1 is no longer installed by default since Windows 10 version 1709 and Windows Server version 1709, while latest versions of the operating systems are using SMBv3.

To check if SMBv1 is enabled on a Windows server, users can execute the following PowerShell commands depending on their Windows Server version.

Windows Server 2008 R2: By default, SMBv1 is enabled in Windows Server 2008 R2. Therefore, if the following command does not return an SMB1 value or an SMB1 value of 1, then it is enabled. If it returns an SMB1 value of 0, it is disabled.

Get-Item HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}

Windows Server 2012: If the command returns false, SMBv1 is not enabled.

Get-SmbServerConfiguration | Select EnableSMB1Protocol

Windows Server 2012 R2 or higher: If the command returns false, SMBv1 is not enabled.

(Get-WindowsFeature FS-SMB1).Installed
Get-SmbServerConfiguration | Select EnableSMB1Protocol

If SMBv1 is enabled on admins’ server, they can disable it using the following commands.

Windows Server 2008 R2:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 0 –Force

Windows Server 2012:

Set-SmbServerConfiguration -EnableSMB1Protocol $false -force

Windows Server 2012 R2 or higher:

Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
Set-SmbServerConfiguration -EnableSMB1Protocol $false
[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Microsoft Exchange, SMBv1)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

1 hour ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

15 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

22 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

This website uses cookies.