Microsoft has once again recommended that Exchange server administrators disable SMBv1 protocol support to protect themselves from cyber-attacks. The concern is primarily attacks by the malware families TrickBot, Emotet and WannaCry.
Recall that a large-scale outbreak of the last of these, WannaCry, began in May 2017. WannaCry demanded a ransom in bitcoin for decrypting data. The malware was active all over the world, but the greatest damage was recorded in Russia, where it hit computers of the Ministry of Internal Affairs, the Investigative Committee, the Ministry of Health, the Ministry of Emergency Situations, Megafon, Yota and other organizations.
SMBv1 is an old network protocol for sharing files, printers and serial ports; it also provides an authenticated mechanism for exchanging data between processes. The protocol is almost 30 years old and riddled with vulnerabilities, yet it is still in use.
Microsoft marked the protocol as deprecated (not recommended) in 2014, and since 2016 it has strongly recommended that it no longer be used. Later versions of the protocol implement numerous security mechanisms, including encryption, pre-authentication integrity checking and others aimed at preventing man-in-the-middle (MitM) attacks.
In 2017, the Shadow Brokers published a large number of exploits used for intelligence purposes by the US National Security Agency. Most of them targeted Windows, and some exploited precisely the weak spots of SMBv1. Among them are the notorious EternalBlue and EternalRomance, the exploits used by the malware behind the global WannaCry epidemic, as well as by Emotet, TrickBot, Retefe, NotPetya and Olympic Destroyer. These programs are still very common and cause a lot of problems.
On Windows 10 and Windows Server from version 1709 onward, SMBv1 is not installed at all; SMBv3 is used instead. But SMBv1 is still found in Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2.
In a dedicated publication, Microsoft explains in detail what the main problems with SMBv1 are and gives step-by-step instructions for disabling it in different operating systems.
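The following script is an added example, not taken from Microsoft's publication: it audits whether the SMBv1 server is enabled on the Windows Server versions named above and, with the -Disable switch, turns it off using the documented mechanism for each version. It assumes an elevated Windows PowerShell prompt on a server (the branch for 2016 and later uses Uninstall-WindowsFeature, which is not present on client editions of Windows).

```powershell
# Audit and (optionally) disable the SMBv1 server on Windows Server 2008 R2 / 2012 / 2012 R2 / 2016+.
# Run from an elevated PowerShell prompt. A reboot completes the change on 2008 R2
# and for the client-side driver change made by -IncludeClient.
param(
    [switch]$Disable,        # without this switch the script only reports the current state
    [switch]$IncludeClient   # also disable the SMBv1 client driver (mrxsmb10)
)

# Get-WmiObject works on every version in scope, including 2008 R2 with PowerShell 2.0.
# 6.1 = 2008 R2, 6.2 = 2012, 6.3 = 2012 R2, 10.0 = 2016 and later.
$osVersion = [version](Get-WmiObject Win32_OperatingSystem).Version
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# --- Audit: is the SMBv1 server enabled? ---
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Windows Server 2012 and later expose the setting through the SmbShare module
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    # Windows Server 2008 R2: the registry value SMB1 controls it (value absent = enabled)
    $value = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1Enabled = ($null -eq $value) -or ($value -ne 0)
}
Write-Host ("OS version {0}: SMBv1 server enabled = {1}" -f $osVersion, $smb1Enabled)

if (-not $Disable) { return }

# --- Disable the SMBv1 server with the mechanism appropriate to the OS version ---
if ($osVersion -ge [version]'10.0') {
    # Windows Server 2016 and later: remove the SMB1 feature entirely
    Uninstall-WindowsFeature -Name FS-SMB1
} elseif (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Windows Server 2012 / 2012 R2
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    # Windows Server 2008 R2: registry-only method
    Set-ItemProperty -Path $regPath -Name SMB1 -Type DWORD -Value 0 -Force
}

# --- Optionally disable the SMBv1 client driver so the host cannot initiate SMBv1 sessions either ---
if ($IncludeClient) {
    # Drop mrxsmb10 from the workstation service's dependencies, then prevent it from loading
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}
Write-Host 'SMBv1 disabled; reboot the server to complete the change.'
```

Run it once without switches to audit, then with -Disable (and -IncludeClient if no legacy devices depend on SMBv1 client access) after confirming that no remaining shares or printers require the old protocol.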
Why is it needed?
“There is no need to use the almost 30-year-old SMBv1 protocol if Exchange 2013/2016/2019 is installed on your system. SMBv1 is insecure, and you are losing the key protections offered by later versions of SMB,” says the Microsoft publication.
“Calls to abandon old protocols are heard regularly, and are just as regularly ignored,” said Alexei Vodyasov, an information security expert at SEC Consult Services. “Obviously, it will not be possible to completely clear out SMBv1 in the coming years; most likely, it will go away naturally, as the software in which it is still supported goes out of use. Attacks on SMBv1 are likely to accelerate the process, but hardly by much. Although, by and large, a massive campaign to get rid of this protocol would not hurt.”