back to article Kill it with fire: US-CERT urges admins to firewall off Windows SMB

The US computer emergency readiness team is recommending organisations ditch old versions of the Windows SMB protocol and firewall off access to file servers – after a potential zero-day exploit was released by the Shadow Brokers hacking group. The call from the US security clearing house does not name the Shadow Brokers as …

  1. bombastic bob Silver badge
    Devil

    Samba can disable SMB1 as well

    Apparently you can block SMB1 with Samba by adding an entry similar to the following in the '[global]' section:

    min protocol = SMB2

    - or -

    server min protocol = SMB2

    - and -

    client min protocol = SMB2

    source

    https://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html

    Apparently, this also prevents any XP, 2k, or Win '9x machines from using your Samba server.

    NOW: in all snarkiness, does it _REALLY_ surprise anyone that the "fix" for this is to (effectively) MAKE XP GO AWAY ??? Yeah, WHY am I *NOT* Surprised???

    1. Ken Hagan Gold badge

      Re: Samba can disable SMB1 as well

      But, but ... XP has already gone away, unless you are the NHS or a similar organisation which has paid loads of cash to MS, in which case I'm sure this vulnerability will be patched.

      Yes, that'll definitely happen. To suggest otherwise would imply that MS were simply laughing all the way to the bank and the NHS management were a bunch of fools pissing someone else's money down the drain.

    2. Solarflare

      Re: Samba can disable SMB1 as well

      XP is what, over 15 years old now? Why *shouldn't* it go away? People can argue over Win 7 vs Win 10 or the merits of ditching Microsoft altogether, but the loyalty that XP still seems to have (especially seen as though XP was a pain in the arse) baffles me.

      1. Paul Crawford Silver badge

        Re: Samba can disable SMB1 as well

        the loyalty lock-in that XP still seems to have

        Fixed it for you...

      2. Doctor Syntax Silver badge

        Re: Samba can disable SMB1 as well

        " but the loyalty that XP still seems to have (especially seen as though XP was a pain in the arse) baffles me."

        Time to do some hard thinking.

        Imagine you have some extremely expensive piece of kit, say a million or so of your favoured currency units. When bought it had a projected life of 20 years. A replacement would cost at least 50% more than the original, isn't in your budget and not likely to be within the next few years.

        This very expensive item is working hard. You can't afford not to have it. But it's controlled by software written for XP. It's proprietary code and you don't have source. The company that wrote it is long gone. There's a regulatory requirement that the entire installation have a specific certification which the original installation has.

        Do you

        (a) kill the PC because it's running XP, scrap the kit which is no longer able to work because you can't run the S/W, close down the service you were providing with it and sit on you backside doing nothing for several years until you can afford to replace it?

        (b) reverse engineer the S/W kill the PC, get the program rewritten for a different OS and in the meantime close down the service you were providing and sit on your backside soing nothing whilst the program is rewritten and recertified at considerable expense over the course of a year or so?

        (c) protect the PC from the net and carry on?

        Are you still baffled?

        1. Hans 1

          Re: Samba can disable SMB1 as well

          (d) NEVER BUY EXPENSIVE HARDWARE with proprietary OS

          There, fixed.

          That would be a sound "corporate policy", however, whenever I hear "corporate policy", it is always used as an excuse for lack of common sense.

          1. Anonymous Coward
            Anonymous Coward

            Re: Samba can disable SMB1 as well

            "(d) NEVER BUY EXPENSIVE HARDWARE with proprietary OS"

            Then don't go into the electronics assembly business. If your job was to buy a chipshooter, you're not going to find one running Linux. I'm guessing the same goes for metal fab, automated welding, high-speed printing, and a host of other industries as well. There's a lot of equipment out there that requires a conventional PC to run. The market for said equipment isn't big enough to justify A) developing their own OS from the ground up or B) developing a Windows version, a Mac version, and a Linux version of the software. You want to dig in an decide that Windows is unacceptable for your production equipment, that's fine, but Option 2 is to liquidate the facility and close the doors.

            1. Mike 16 Silver badge

              Re: Samba can disable SMB1 as well

              I once had to deal with a manufacturing automation system that would only work with Win2K at the "head of the line" and DOS on the individual machines. No, not that long ago.

              But it is a rare company with a factory worth automating that also has tech-savvy people making purchasing decisions, so it's moot.

              Of course it can get _way_ more "traditional":

              http://www.pcworld.com/article/249951/computers/if-it-aint-broke-dont-fix-it-ancient-computers-in-use-today.html

              Scroll down to Sparkler Filters.

        2. Anonymous Coward
          Anonymous Coward

          Re: Samba can disable SMB1 as well

          Very valid summary of the situation many are in.

          But it doesn't acknowledge the negligence of the people buy/implementing these systems to not plan for a very well documented support end date.

          Microsoft have a very clear support policy, and publish end of support dates when software is released.

          If your putting in a system that complicated, that's expected to last 20-30 years you need to look at things like escrow for source code, and factoring in recertification costs during procurement.

          It's piss poor planning

        3. truetalk

          Re: Samba can disable SMB1 as well

          Excellent comment. Most people are just thinking in terms of a bog standard PC. You Sir, have nailed it right on the head.

          If it was up to me I would insist that all critical bits of medical equipment do not run Windows. Preferably Linux. Once upon a time the expensive kit always ran on unix. Even now 20 year old unix system is vastly more reliable than a modern Windows version and requires next to no work to maintain it.

          Having to keep the system constantly patched and running the latest antivirus / malware detection. Unbelievable.

          1. Anonymous Coward
            Anonymous Coward

            Re: Samba can disable SMB1 as well

            So you're saying 20 year old *nix never needs patching and the current version is 100% compatible with the 20 year old hardware?

      3. MJI Silver badge

        Re: XP Still in use

        Because it can run a lot of software.

        Unlike lots of other versions of Windows.

        There is still a lot of DOS software out in the real world.

        There is still a lot of 16 bit Windows software out there.

        It can also run WIN32

        What else do you need?

        Funny really but XP is also the ONLY OS that can run both our last generation of software and our current generation. (My WINE attempts failed)

        1. LDS Silver badge

          Because it can run a lot of software.

          Never heard of VMs? I heard they could run a lot of old software...

          1. Anonymous Coward
            Anonymous Coward

            Re: Because it can run a lot of software.

            True, but also consider that many old apps and processes need access to the hardware that a VM can't provide for. Couple this with a manufacturer that cannot produce a proper Linux version because their management thinks it too costly or unnecessary, or a threat to their IP. Either way you slice it, you lock your systems down to some old rev of crap that will never, ever get updated. Now, you want to provide more products or services, but spend $0 money on the development, and security is an afterthought if not just; "don't put it on the net." That's why we can't have nice things.

            I make my money moving shitty old apps to newer pastures. Or keep the old garbage barge from sinking. I don't care, the pay is the same. But I would never recommend to a customer that they should lock-in and never bother to update or upgrade, or move to open systems where this kind of crap has been dealt with already. You can slide an old OS into a VM template, providing there are no weird hardware dependencies. Migrate services and other apps to multiple VMs, or a big VM on a bigger machine. The problem then becomes the staleness of the OS and the need to migrate from older, EOL OSes to the new, and the ability or need to scale. Along with refreshing individual bits of the framework, without upsetting the apple cart. This is sure a lot more fun than chasing the Tuesday Patch Wagon.

            This current shop I'm at is heavy into Windows and wrapping up things in expensive, support contractable, chunks of tech with excessive security, but they also have discovered the beauty and elegance and supportability of what you can do with a nice, low-cost, Linux farm. The proof is in the cost. The licensing on all the big-box apps starts to make less sense when you can build what you need out of open source wares. I see it at more and more shops now.

        2. John Brown (no body) Silver badge

          Re: XP Still in use

          "There is still a lot of DOS software out in the real world."

          Yep, hardware diagnostics too. It's the only way to be sure your tests are hitting the hardware. I've never trusted Windows based hardware diagnostics for two reasons. 1. Windows may not boot with a hardware fault. 2. Windows might be shoving an iffy API between your diags and the hardware and maybe it's Windows causing the issue in the first place. The HDD manufactures still supply DOS based diag tools. AV vendors supply DOS or Linux based boot images for "raw" scanning so Windows doesn't even get booted.

    3. LDS Silver badge

      Re: Samba can disable SMB1 as well

      As long as the vuln is unconfirmed, is hard to tell if it is a protocol flaw, or an implementation flaw. In the latter case, Samba may be affected or not.

      SMB ports open outside a LAN has always been a bad practice - while XP, 2000 and 9x machine - if still in use for a good reason - should be heavily firewalled anyway, and special care applied to data they need or produce.

      I'm not surprised at all that old, no longer maintained OS became non secure.

    4. phuzz Silver badge

      Re: Samba can disable SMB1 as well

      Just to confirm, to disable SMB1 in Samba, you need at least Samba v3.6, and then put the following into the [global] section:

      server min protocol = SMB2

      ('min protocol' is depreciated, and 'client min protocol' is for which version will be used when accessing other servers).

      Updated one of our servers this morning, it's working fine.

    5. Sandtitz Silver badge
      Unhappy

      Re: Samba can disable SMB1 as well

      "Apparently, this also prevents any XP, 2k, or Win '9x machines from using your Samba server."

      While that may not be concern for many, in Small and Medium Businesses ("SMB") there are plenty of smaller MFPs which support direct scanning to a network folder - what a surprise that even some rather recent HP models only work with SMB1...

    6. CrazyOldCatMan

      Re: Samba can disable SMB1 as well

      Apparently, this also prevents any XP, 2k, or Win '9x machines from using your Samba server.

      We have an ancient Sparc box (Fire V880) running the version of solaris that was current when it was new. Needless to say - it doesn't do Samba 2. And can't cope with AD at a capability level above 2003..

      The sooner that box has a fatal accident the happier I'll be. Sadly, being build of cast iron that's not going to be any time soon. Maybe rapid toggling of the power can do something..

  2. Alister
    Facepalm

    Why would anybody with an ounce of sense allow SMB through boundary firewalls anyway?

    If anything outside the network needs SMB access, it should be over a VPN, not by opening ports.

  3. Mage Silver badge
    FAIL

    Only now?

    I've been blocking SMB with a firewall ever since I started installing networks with Internet access, well over 20 years ago.

  4. Anonymous Coward
    Anonymous Coward

    It was an inside job!

    Don't you see!? SMB?! Shadow Malware Brokers!? I mean, it's right there, it's been there. For years! Or was it four years? I don't know. Don't get me started or i'LL TURN ON MY CAPLOCKS. NEVER MIND, TOO LATE!!1!

    +++ATH0

  5. Anonymous Coward
    Anonymous Coward

    Regarding the "XP SMB1 workaround submitted by a reader"

    I'm not having much luck finding it. If anyone can point me there, I'd appreciate. I need it for 2003, a pair of boxes that will be going away in about 2 months.

    Also, kudos to the Reg, I've forwarded the updates from here and my team has appreciated it. Especially when they see some of your other articles (newbies)....

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021