
RM advice on disabling SMBv1 on networks
Published Date : 19 May 2017   Last Updated : 31 Jan 2020   Content Ref: TEC5705399  





Symptoms

SMBv1 and Ransomware

A few years ago (2017) a Ransomware exploit (refer to NWS5696059 in the Other Useful Articles section below) spread due to a vulnerability in the SMBv1 protocol. The Microsoft advice (repeated in our NWS article) was to patch all affected computers and servers immediately.

A number of customers have asked about disabling SMBv1 across their network, as this is now an outdated technology. This article sets out our reasoning for not releasing an update that does this for all customers.

NB. As schools move more and more of their computers to Windows 10, you will find that SMBv1 is disabled by default (see below for more information). You will need to review any legacy systems that still rely on SMBv1 and look for an alternative solution.



Cause

CC4, Windows 10 and SMBv1 disable PowerShell script

When we released the 1709 W10 build pack for Community Connect 4® (CC4), we included a PowerShell script in a GPO called 'Win10 Search'. This PowerShell script disables SMBv1 for Windows 10 devices (and was mainly provided to catch any in-place upgrades happening from earlier versions of Windows 10).

SMBv1 is now disabled by default in all versions of Windows 10 above 1709. As such, any SMBv1 connectivity needed by legacy servers or solutions on your CC4 network will not work from Windows 10 devices.


SMBv1 may be used by some legacy devices / applications

Ideally, we would like to disable SMBv1, but unfortunately a blanket ban on SMBv1 can cause issues. The number of systems potentially using SMBv1 in a school is so large that a mandate to turn it off, delivered by a patch or CC4 update, could cause problems in some schools' systems. CC4 itself has no requirement for SMBv1, but we cannot guarantee that the rest of your school's systems, including ones that could be critical to safeguarding, child safety and education, could make this move.



Procedure

MS17-010 - Response
  • Always have offsite backups / backups that are not accessible via a share (if the ransomware can see your backups, it will encrypt them first).
  • If using cloud storage services such as OneDrive or Google Drive, your documents are backed up in version control - though some viruses / ransomware can make it difficult to restore these or get the original filename back, and you may require assistance to recover them.
  • Patch - patch everything and make sure you got everything (refer to NWS5696059 in the Other Useful Articles section below for a link to a tool to scan your network to identify computers not patched).
  • Have up-to-date anti-virus - RMVP and now most anti-virus vendors' products are also blocking the SMBv1 manipulation that WannaCrypt is using. You still need to patch, but your AV is helping if it is up to date.

The advice for responding to MS17-010 (WannaCrypt) is to patch. Remember the Hyper-V physical servers, if you have them, as these are often found unpatched or waiting to install a patch from some time ago.

If you cannot patch a device, then disabling SMBv1 can be used (though resolution of why you cannot patch a device should be high on your to-do list). If you blanket ban SMBv1 on your network, you may cause issues.

The problem is that disabling SMBv1 could affect all those other, often forgotten, systems on the network - Signage, Cashless Catering, Visitor Entry Systems, BMS, CCTV, VLE - as well as potentially any older Mac OS X, iOS, Android, BYOD and guest devices, and potentially systems brought into your school by social services / council employees etc. Even older versions of Smoothwall (pre-Inverness release) use SMBv1 to contact your domain controllers, so user-based filtering rules will not work.

There will be other systems not listed - so patch now - and then plan a project to remove SMBv1 later when it can be done in a controlled manner.
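
One way to run that controlled removal on a Windows file server or domain controller, shown as an added example (it is not RM's 'Win10 Search' GPO script or any CC4 code): switch on SMB1 access auditing, leave it for a few weeks, list the clients that still connect over SMBv1, and only then disable the protocol. The function names and the 14-day window are hypothetical, and the script assumes the audit event text contains a "Client Address:" line.

```powershell
#Requires -RunAsAdministrator
# Added example: audit SMBv1 use on a server before disabling it.
# Function names and the default 14-day window are illustrative assumptions.

function Enable-Smb1Audit {
    # Show the current state, then start logging every SMBv1 connection attempt.
    Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, AuditSmb1Access
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

function Get-Smb1Client {
    param([int]$Days = 14)
    # SMB1 access is recorded as event ID 3000 in the SMBServer audit log.
    $filter = @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: the message carries a "Client Address: <ip>" line.
            if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] }
            else { 'unparsed' }
        } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Client'; e = { $_.Name } }, Count
}

function Disable-Smb1IfUnused {
    param([int]$Days = 14)
    $clients = @(Get-Smb1Client -Days $Days)
    if ($clients.Count -gt 0) {
        # Something (signage, catering, CCTV, an old filter...) still needs SMBv1.
        Write-Warning "$($clients.Count) client(s) used SMBv1 in the last $Days days:"
        $clients | Format-Table -AutoSize | Out-String | Write-Warning
        return
    }
    # No -Force here, so the cmdlet prompts before changing the server.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false
}

# Usage: run Enable-Smb1Audit once, wait through a normal working period
# (include events such as lettings or parents' evenings), then run:
#   Get-Smb1Client -Days 14
#   Disable-Smb1IfUnused -Days 14
```

Map each address it reports back to a device (DHCP leases or switch records) so the owner of that system can be contacted before SMBv1 is turned off.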

If you need a hand please do get in touch with RM Support or your normal support provider.



Other Useful Articles

RM advice following the WannaCry & Petya Ransomware outbreaks (NWS5696059)




Document Keywords: rm, SMBv1, ransomware, wannacrypt, wannacry

