SMB is Dead, Long Live SMB

Page 1 of 4 123 ... LastLast
    SMB is Dead, Long Live SMB

    SMB is Dead, Long Live SMB

    Posted: 26 Feb 2020

    Hello again, James Kehr here with another guest post. Titles are hard to do. They must convey the topic to the reader while being both interesting and informative, all at the same time. Doing this with a technical article makes life even harder. Now imagine my dilemma when starting an article about SMB1 behaviors in modern Windows. Think about that for a minute. Go ahead. The article will still be here.

    Today I'll explain why you still see a little SMB1 on your network even after you uninstalled SMB1 from Windows, and why it's a good thing.

    SMB1 is Dead!

    The end of SMB version 1 (SMB1) topic has been discussed in great detail by Ned Pyle, who runs the SMB show here at Microsoft. Go read this article if you have not.

    At first glance this seems like I’m beating a dead horse. If that’s what you thought, you’d be right. Unfortunately, this figuratively dead horse needs to be beaten1 some more.

    Please stop using SMB1. Please get rid of those ancient, legacy systems that only support SMB1. We constantly get cases from customers asking why modern Windows 10 doesn’t support SMB1 out-of-the-box so it will work with their old, insecure systems.

    Let’s go over this one last time.

    • The only versions of Windows that require SMB1 are end-of-support (EOS). By years! These are Windows Server 2003 (EOS July 2015), Windows 2000 Server (EOS July 2010), their client editions, and older.
    • Samba and Linux distros like Ubuntu have retired SMB1 as well. If you have a Linux/Unix-like distro that only supports SMB1, it’s time to upgrade.
    • Not only does Microsoft not support these EOS operating systems (OS’s), we do not support interoperability with them. Meaning, if the latest version of Windows 10 does no work with an EOS version of Windows over SMB, Microsoft will not support you.

    Why not? Let’s start by putting the age of Windows 2000 (W2000) and 2003 (W2003) into perspective.

    • EOS Windows versus Apple:
      • Windows 2000 was released 7 years before the first iPhone.
      • Windows 2003/XP was released 4 years before the first iPhone.
      • Apple computers were still running IBM PowerPC processors.
      • Asking for EOS Windows support is like asking Apple to support PowerPC Macs. I’m sure Apple support would get a good laugh out of the request, but I imagine that’s as far as the request would go.

    • … vs Android
      • Didn’t even exist.

    • … vs Linux
      • Kernel 2.2.14 was released the same year as Windows 2000.
      • Version 2.4 was the newest kernel when Windows Server 2003 launched.
      • Support for the last version of the version 2 kernel, 2.6.32, ended in 2016.
      • How fast do you think the “no” would come back from Linux distro support if you asked for support on kernel 2.2 or 2.4? Assuming your distro of choice even existed back then.

    By asking Microsoft to support EOS Windows, people are effectively asking us to support an OS that is so old that the modern smartphone didn’t even exist yet. Not counting Pocket PC or Windows Mobile here. An era when dial-up internet was still dominant and the world was still learning how high-speed Internet would impact computer security.

    Multi-core processors didn’t exist yet, outside of the mainframe space. Those didn’t come around until 2004 (AMD) and 2005 (Intel). X86 64-bit processors didn’t exist when W2000 was released and they were brand new for W2003. Running legacy OS’s is not just bad security, it’s scary security because you are running an OS built for a completely different era of computing.

    The real question here is: Why are you still running an OS or device that is so old it requires SMB1?

    The SMB1 Problem

    The biggest problem with SMB1 is that it was developed for the pre-Internet era. The first dialect came out in 1983 from IBM. Security and performance were designed for closed token ring networks and old fashion spinny disks. As EternalBlue and WannaCry would later prove, it is not a protocol that has aged well and it is no longer safe to use.

    Unlike most other deprecated protocols, however, SMB1 controls the keys to the kingdom: data, services, file systems, accounts, and more. This makes SMB1 exploits critically harmful.

    When Microsoft decided to retire SMB1 for real, and stop asking nicely, we tore off that band-aid by removing it completely from Windows 10 Spring 2017 Update (Win10 1703), when Windows detected that SMB1 was not in use. No SMB1 dialect was sent during negotiation, no SMB1 was allowed at all. And that broke things.

    It turned out that some devices which only know about SMB1 weren’t quite sure what to do when getting an SMB request with no SMB1 in it. This caused a lot of strange behavior on the Windows-side; namely, hanging or pausing until everything finally timed out. This manifested in Windows as an unresponsive Windows Explorer (the technical name for the yellow folder icon you click on to access your files). People don’t like that. I don’t like that.

    We ended up making changes to mitigate this without actually enabling SMB1.

    • Windows 10 1709 (2017 Fall Update) and newer will send SMB1 dialects as part of the SMB negotiate. We do this to help interoperability with legacy devices. I.E. prevent Windows Explorer from pausing/hanging.
    • We will not actually allow an SMB1 connection when SMB1 is disabled. We only pretend to. The connection will end up getting closed when the server or client tries to use an SMB1 dialect.

    In addition to preventing uncomfortably long waits for Windows users, it lets us bubble up messages about SMB1 only devices on your network. System admins can look in the Event Viewer > Applications and Services Logs > Microsoft > Windows > SMBServer-Operational log for event ID 1001, which is created when SMB1 is used.

    Log Name: Microsoft-Windows-SMBServer/Operational
    Source: Microsoft-Windows-SMBServer
    Date: 9/17/2019 12:17:41 PM
    Event ID: 1001
    Task Category: (1001)
    Level: Information
    Keywords: (8)
    User: N/A
    Computer: DC01
    A client attempted to access the server using SMB1 and was rejected because SMB1 file sharing support is disabled or has been uninstalled.

    An administrator has disabled or uninstalled server support for SMB1. Clients running Windows XP / Windows Server 2003 R2 and earlier will not be able to access this server. Clients running Windows Vista / Windows Server 2008 and later no longer require SMB1. To determine which clients are attempting to access this server using SMB1, use the Windows PowerShell cmdlet Set-SmbServerConfiguration to enable SMB1 access auditing.

    SMB1 auditing can be also be enabled to get more details about what is using SMB1 on your network.

    Set-SmbServerConfiguration -AuditSmb1Access $true

    Log Name: Microsoft-Windows-SMBServer/Audit
    Source: Microsoft-Windows-SMBServer
    Date: 12/13/2019 11:37:53 AM
    Event ID: 3000
    Task Category: None
    Level: Information
    User: N/A
    SMB1 access

    Client Address:

    This event indicates that a client attempted to access the server using SMB1. To stop auditing SMB1 access, use the Windows PowerShell cmdlet Set-SmbServerConfiguration.

    The SMB Negotiate command is where the SMB dialect is …well… negotiated.

    The SMB Client – the system requesting access to the remote file system – sends a list of all the dialects it supports. A dialect is a revision of the SMB protocol specification. Every revision of the SMB protocol has, so far, gotten a new dialect. Though SMB 3.1.1 was built to be more extensible so it may be a while before the next dialect is created.

    The SMB Server – the system hosting the file system – then selects the newest dialect that both client and server support. When the server supports none of the client protocols it aborts the connection with a TCP RST (reset).

    How does faux SMB1 support work with Negotiate? Delicately.

    Here’s what it looks like when a Windows SMB Server rejects an SMB1 only connection from an SMB Client. This is the SMB1 only request, as seen by Wireshark.

    No. Time Source Destination Protocol Length Info
    24 6.892775 SMB 191 Negotiate Protocol Request

    SMB (Server Message Block Protocol)
    SMB Header
    Negotiate Protocol Request (0x72)
    Word Count (WCT): 0
    Byte Count (BCC): 98
    Requested Dialects
    Dialect: PC NETWORK PROGRAM 1.0 <<<<<< These are all the old SMB1 dialects
    Dialect: LANMAN1.0
    Dialect: Windows for Workgroups 3.1a
    Dialect: LM1.2X002
    Dialect: LANMAN2.1
    Dialect: NT LM 0.12

    This is Windows saying “NOPE!” to SMB1 in the form of an immediate TCP reset. Get thee gone, SMB1!

    25 6.893143 TCP 54 445 → 49769 [RST, ACK] Seq=1 Ack=138 Win=0 Len=0

    Now let’s look at the Windows SMB1 discovery packet. In this test I have disabled SMB2 support on a Windows Server. The SMB Client is a standard Win10 1909 client.

    No. Time Source Destination Protocol Info
    4 15:50:48.03 SMB Negotiate Protocol Request

    SMB (Server Message Block Protocol)
    SMB Header
    Negotiate Protocol Request (0x72)
    Word Count (WCT): 0
    Byte Count (BCC): 34
    Requested Dialects
    Dialect: NT LM 0.12
    Dialect: SMB 2.002
    Dialect: SMB 2.???

    There are three Dialects listed in the Negotiate Protocol Request frame:

    • NT LM 0.12 – This is the final SMB1 dialect created, also known as the CIFS dialect.
    • SMB 2.002 – This is the first SMB2 dialect released with Windows Vista.
    • SMB 2.??? – This is the wildcard SMB2 dialect. Which I won’t go into here.

    NT LM 0.12 (CIFS) is a red herring. This is the newer mechanism in Win10 to flush out SMB1 only devices. My test server, which only has SMB1 enabled, does what it’s supposed to do and tries to catch the red herring.

    No. Time Source Destination Protocol Info
    5 15:50:48.04 SMB Negotiate Protocol Response

    SMB (Server Message Block Protocol)
    SMB Header
    Negotiate Protocol Response (0x72)
    Word Count (WCT): 17
    Selected Index: 0: NT LM 0.12 <<<<<<<< The server took the bait.

    Can you guess what happens next? If you guessed that the Win10 SMB Client sent the SMB Server a big fat “NOPE!” in the form of a TCP RST, you would be correct.

    No. Time Source Destination Protocol Info
    6 15:50:48.04 TCP 53994 → 445 [RST, ACK] Seq=74 Ack=132 Win=0 Len=0

    “Why not just fix SMB1?” you may ask. We did! It’s called SMB2.

    Devs and marketing teams like bigger version numbers. Devs because it allows them to track changes. Marketing teams because bigger numbers mean you have something new to sell. The number of changes made between SMB1 and SMB2 was staggering. The entire protocol was redesigned from the ground up. New commands, WAN optimizations galore, tightened security, more features…it was the stuff of marketer’s dreams.

    Instead of adding yet another dialect to SMB, it was decided that a new major version of SMB was needed. This was a justified move given that the entire protocol spec was essentially rewritten. Only concepts from the original SMB and CIFS protocols were adopted. And thus, MS-SMB2 was born.

    SMB2 has now become SMB3. This is more of a marketing move since SMB3 still uses the MS-SMB2 protocol spec. There were just enough changes between SMB 2.1 and SMB 3.0 to justify a new major version. On an interesting historical note, SMB3 was originally SMB 2.2 until the marketing team got involved.

    Now, on top of the fancy protocol redesign, Microsoft has added several cool new features, and continues to do so. Things like SMB Encryption allows full AES encryption of data payloads to prevent man-in-the-middle (MITM) snooping and attacks. Continuous Availability provides seamless failover between clustered file servers. SMB Direct allows multiple hundreds of Gbps of throughput between RDMA capable servers while only sipping CPU cycles. The list goes on and new features are added all the time to adapt SMB to the ever-changing network landscape, like SMB over QUIC and SMB compression arriving in future builds of Windows. Or, now, if you’re reading this far enough in the future.

    There really is no reason to keep SMB1 around anymore. Managers like to cite cost as the reason, but, when you think about the potential cost of a data breach, is it really worth the risk? Why would anyone want to keep around a system that can only use network protocols known to be exploitable and control the keys to the kingdom? Hopefully, the answer to these questions are, no and heck no.

    SMB is dead, long live SMB!

    1 – No animals were harmed during the creation of this article. Some electrons were deeply offended, but that’s about it.


    How to Enable or Disable SMB1 File Sharing Protocol in Windows

    Brink's Avatar Posted By: Brink
    26 Feb 2020

  1. Posts : 4,201
    Windows 10 Pro x64 Latest RP

    SMB1 is way past it's sell by date, no doubt about it, unfortunately it is still used in devices that I have that I only bought last year, and in others that I bought in the last few years It's still the only way to use the USB3 port on my Netgear Nighthawk Router that I use as an Ad Hoc data store with a 4TB Drive, It's also used with two Samsung TVs and other Media devices.

    I will happily get rid of my devices when suitable replacements that do not require SMB1 are made available, I will do this immediately, as long as Microsoft pay for the replacements, if not it will have to wait until the devices I have and use every day are end of life.

    |In reality it's not the windows users that microsoft should be issuing their edicts to, but Samsung. Sony, Netgear and other major developers who still use the old protocol
      My Computers

  2. Posts : 5,899
    Win 11 Pro (x64) 22H2

    Barman58 said:
    |In reality it's not the windows users that microsoft should be issuing their edicts to, but Samsung. Sony, Netgear and other major developers who still use the old protocol

    However, by killing off SMB1 Microsoft is now "forcing" vendors hands.
      My Computers

  3. Posts : 4,201
    Windows 10 Pro x64 Latest RP

    Totally agree with that but the only way that is likely to work is a total switch off which would hurt everyone, including Microsoft, and more importantly, us users
      My Computers

  4. Posts : 5,899
    Win 11 Pro (x64) 22H2

    No arguments here on that
      My Computers

  5. TV2
    Posts : 2,221
    W10 Pro 22H2

    Great read. 'Splains a lot of things.

    Here's the thing: If I am out shopping for a new TV or router, where do I look in the specs to find out what protocol the device uses? I don't recall ever seeing that in a spec.

    My Trendnet TEW-827DRU router offers File Sharing Server options of iTunes Server, DNLA, and Samba (SMB).
    But nowhere in the specs on the website do you find this information, or which version of SMB it uses.

    As usual, the consumer is stuck in the middle.
      My Computers

  6. Posts : 4,201
    Windows 10 Pro x64 Latest RP

    Independent reviews will sometimes have details, as will some PDF or online user guide/manual

    I've got into the habit of always reading/watching reviews and downloading the manual Before I even place an order, it's often surprising what the fancy high gloss colour brochure leaves out
      My Computers

  7. TV2
    Posts : 2,221
    W10 Pro 22H2

    Everything geeky and important!
      My Computers

  8. Posts : 1,656
    Windows 10 Pro x64

    Barman58 said:
    It's still the only way to use the USB3 port on my Netgear Nighthawk Router that I use as an Ad Hoc data store with a 4TB Drive, It's also used with two Samsung TVs and other Media devices.

    Nigel, I don't understand how SMB1 is a risk to an external storage drive connected to the router via USB. Surely if the router is sufficiently protected from outside attack then so is the connected storage? Am I missing something?
      My Computers

  9. Posts : 4,201
    Windows 10 Pro x64 Latest RP

    Not at all, Microsoft are the issue, yes there is a risk, a very small one, but only if you are not running the Router's built in protection - The hardware Firewall for a start, SMB is used for the router to communicate with the network and the devices on it, the USB connection is a standard setup in the router hardware.

    The TVs and media players use the SMBv1 for communications needed for DLNA or DNLA whatever it's called
      My Computers


  Related Discussions
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 18:56.
Find Us

Windows 10 Forums