Early versions of Server Message Block are still present on many Windows networks and devices, leaving them open to attack. Here's how to detect and disable them.

Server Message Block (SMB) is a foundational service that has been used for many years. This internet standard protocol enables Windows to share files, printers and serial ports. SMB is used over the internet on top of the TCP/IP protocol.

SMB v1 has been in use since Windows 95, and in 2019, it's still often found and abused in networks. If you have SMB v1 enabled in your network, it can be used in blended attacks that might include ransomware and other malware. In a 2016 blog post, Ned Pyle lists the protections you lose when using SMB v1:

Pre-authentication Integrity (SMB 3.1.1+). Protects against security downgrade attacks.
Secure Dialect Negotiation (SMB 3.0, 3.02). Protects against security downgrade attacks.
Encryption (SMB 3.0+). Prevents inspection of data on the wire, MiTM attacks. In SMB 3.1.1 encryption performance is even better than signing!
Insecure guest auth blocking (SMB 3.0+ on Windows 10+). Protects against MiTM attacks.
Better message signing (SMB 2.02+). HMAC SHA-256 replaces MD5 as the hashing algorithm in SMB 2.02, SMB 2.1 and AES-CMAC replaces that in SMB 3.0+. Signing performance increases in SMB2 and 3.

As Pyle points out, “The nasty bit is that no matter how you secure all these things, if your clients use SMB1, then a man-in-the-middle can tell your client to ignore all the above.”

How to detect and disable SMB v1

You can use various means to disable SMB v1 in your network. For example, you can use group policy to disable it with a registry key as noted in a 2017 blog post. In addition, you can follow the guidance in KB2696547 to detect if SMB v1 is still in use in your network and to gracefully disable it. On Windows 10, you can use PowerShell to determine if SMB v1 is enabled on your computer.
For example, on my Windows 10 system the command Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol reports the state of the SMB1Protocol feature.

Determining support for SMB v1

You might find that older copiers and printers or older network-accessible storage still depend on SMB v1 to function. You need to determine if the risk of SMB v1 is acceptable, or you can contact the vendors of the affected devices to determine if you can get a firmware update to support SMB v2 and SMB v3 on these older devices. There is even a list of products that demand SMB v1. If you are having issues disabling SMB v1 at home, check out the guidance on the Barbs Connected World blog.

Next, as recommended by US-CERT, you can block SMB v1 at the firewall and at the internet boundary. Most firewalls do this by default, but check whether yours automatically blocks all SMB versions at the network boundary. It would do so by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139.

Take the time now to review your SMB v1 status and tighten up your Server Message Block.
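The detection steps described above, carried a little further as an added PowerShell example (not code from the original article or from KB2696547): it reports the SMB v1 feature and server state, turns on SMB v1 access auditing, and summarizes the audit events so you can see which clients still connect with SMB v1 before you disable it. It assumes an elevated prompt on Windows 10 or later; the variable names and the $DisableAfterReview switch are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): inventory and audit SMB v1 on the local machine.
# $DisableAfterReview and the other variable names are this example's own.
$DisableAfterReview = $false   # set to $true only once the audit log stays quiet

# 1. Feature state, using the command the article shows.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

# 2. SMB server settings: is SMB v1 accepted, and is SMB v1 access being audited?
$server = Get-SmbServerConfiguration

[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    Smb1FeatureState  = $feature.State
    ServerAcceptsSmb1 = $server.EnableSMB1Protocol
    ServerAcceptsSmb2 = $server.EnableSMB2Protocol
    Smb1AuditEnabled  = $server.AuditSmb1Access
} | Format-List

# 3. Turn on auditing so every SMB v1 connection to this server is logged.
if (-not $server.AuditSmb1Access) {
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

# 4. Summarize SMB v1 access events (ID 3000 in the SMBServer audit log).
#    Each distinct message corresponds to one client still speaking SMB v1.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-SMBServer/Audit'
    Id      = 3000
} -ErrorAction SilentlyContinue

if ($events) {
    $lastSeen = { ($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated }
    $events | Group-Object -Property Message |
        Sort-Object -Property Count -Descending |
        Select-Object Count,
            @{ Name = 'LastSeen'; Expression = $lastSeen },
            @{ Name = 'Event';    Expression = { $_.Name } } |
        Format-List
} else {
    Write-Output 'No SMB v1 access events logged yet; leave auditing on for a full business cycle.'
}

# 5. Disable SMB v1 on the server side and remove the feature (takes effect after restart).
if ($DisableAfterReview) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}
```

Clients that appear in step 4 are the copiers, printers and storage devices to raise with their vendors before step 5 is switched on.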