Microsoft plans to drop SMB1 binaries from Windows 11

Microsoft has taken another step toward the final eradication of the venerable SMB1 protocol with plans to disable it by default in all editions of Windows 11. As is the company's wont, Dev Channel Windows Insiders will first have the protocol not installed for all editions. This will then be the default for the next major …

  1. Neil Barnes Silver badge

    That NAS under the stairs

    Can't help feeling that there are still an awful lot of them out there, and quite likely some with no practical hope of being updated themselves.

    <looks under stairs>... yup, there's one!

    1. Doctor Syntax Silver badge

      Re: That NAS under the stairs

      Same here. Debian & Devuan stopped talking to it with SMB some time ago but it also has an FTP server so it's still reachable. What's more the Brother all-in-one scans to it so it's still in use.

    2. Paul Crawford Silver badge

      Re: That NAS under the stairs

      I think I have an old Thecus that is SMB1 only, but it also has NFS which is what I normally use on the odd occasion it is fired up to get old files off it.

    3. DJV Silver badge
      Happy

      @Neil Barnes

      I love the fact that you needed to go and check!

    4. Ace2 Silver badge

      Re: That NAS under the stairs

      How much data would we be talking about? For most cases I’d guess that moving it off onto something modern would be almost painless. You can buy a smartphone with more storage than a desktop had in 2006.

      Plus the electricity savings would be enormous.

      All of the data I’ve accumulated over the last 25 years occupies only a few hundred GB. YMMV of course.

      1. Ken Hagan Gold badge

        Re: That NAS under the stairs

        A raspberry pi with a big SD card would probably suffice, but as Ned Pyle is reported in the fine article, the affected users are probably the least able to set that up.

      2. Arkeo

        Re: That NAS under the stairs

        Well, mine isn't from 2006 but from 2015. It's a 4-way Buffalo Link Station in RAID 10. It's my secondary backup, so I only fire it up once a month (primary backup is a WD MyBook in RAID 1, once a week typically, but connected locally). 6-way, those *were* indeed expensive, just the cases, no drives. I see no reason to upgrade it since it works perfectly and suits my needs--plus I'm not Bezos, there *are* people who thanks to the pandemic actually lost money (and didn't go to space just for fun).

        MS should start fixing the massive memory leaks introduced with W11 and the new useless Start menu rather than creating even more problems--if that's even on their list of priorities...

      3. Pascal Monett Silver badge

        Yup, mileage varies.

        My Synology is now equipped with four 8TB drives, managed in RAID 5.

        It's occupied by about 55%.

        I don't think even the most recent, most expensive smartphone is going to be able to handle that, especially not in RAID 5.

      4. Blitterbug
        Meh

        ...only a few hundred GB

        I've two SMB1 8 year-old 4TB NAS boxes, both 80% full, so...

      5. Blackjack Silver badge

        Re: That NAS under the stairs

        If I count the data I moved to DVDs because they are more durable and last longer than hard disks... I have like 4000 GBs of data, maybe more. That includes legal backups of games that alone take like 1000 GB of that. Then again I have been hoarding digital data since like 2008, I started with CD backups, then DVDs, then USB sticks, then external hard disks and now I am back to using DVDs for some stuff as again they last longer. Some of the stuff is ridiculous, like backups of old shareware CDs that came with PC magazines. Others is stuff I keep going back to use; like point and click games. And I have not for example, downloaded my entire GOG library of games yet since my Internet is slow.

        1. herman

          Re: That NAS under the stairs

          OK so your DVDs last longer, but what are you going to read them with one day - a microscope, pencil and paper? You can do RS Code with a pencil, but it is very tedious.

    5. bombastic bob Silver badge
      Devil

      Re: That NAS under the stairs

      Samba has supported SMB versions greater than one for quite a while now. If the NAS was designed before 2008 then maybe it would have SMB 1 only on it. But as hard drive sizes have improved so much since back then, I wonder why anyone would be using the old ones still... (my hard drives that are as old as that have all gone titsup long ago)

      Vista was the version that introduced SMB v2 (along with server 2008). So XP and earlier have V1. I would guess that if you use '9x for old games or XP for any reason, you _might_ have trouble if SMBv1 stops being supported at all...

      /me has an old XP-based book-sized Lenovo that does 3D printing occasionally

      1. martinusher Silver badge

        Re: That NAS under the stairs

        >I wonder why anyone would be using the old ones still...

        Because a) it works and b) it's not worth the time and trouble 'upgrading' to a protocol that may be incompatible with some devices and may itself have Heaven Only Knows what quirks and vulnerabilities.

        I must confess to having 'an old NAS'. It holds my music collection. It's so old it supports NFS and RCP. These are the sorts of protocols that don't belong on the public internet unless they're tunneled but as the systems and their players are a closed entity I don't need to change anything -- should some joker get onto the NAS and screw it up I'll just rebuild it from an offline copy (it's not happened in a decade or more).

        1. Paul Hovnanian Silver badge

          Re: That NAS under the stairs

          "I wonder why anyone would be using the old ones still..."

          Because someone sheet-rocked it into a cavity in the wall and everyone forgot where it was.

          1. David 132 Silver badge
            Coat

            Re: That NAS under the stairs

            Ah, the NASk of Amontillado?

            1. cosmodrome

              Re: That NAS under the stairs

              "Nemo me accessit impune".

          2. Pirate Dave Silver badge
            Pirate

            Re: That NAS under the stairs

            AFAIK, Netware 3.12 from that story didn't support SMB1... ;)

      2. ilmari

        Re: That NAS under the stairs

        Many current routers have USB3 ports and advertise hard drive support through smb1. I've seen a lot of people use this feature to plug in usb flash or hard drive for inexpensive backup destination.

        The reason routers never upgraded and are sold with smb1 even today is because the branch of samba with smb3 support is way too bloated to fit in a router. Smb2 results in half the performance of smb1, so most often it gets disabled even though the router's software could otherwise support it.

    6. Anonymous Coward

      Re: That NAS under the stairs

      Could you use a pi to mount the smb1 share on one network interface then share it as smb3 on another (both wired ofc)? If it's only smb1 it's more than likely 100mb/s so not much cost involved.

      I just checked and yes it is very doable.
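The gateway arrangement this comment describes, sketched as an added configuration example that is not part of the original thread. Interface names (`eth0`, `eth1`), the NAS address, the share name, the mount point, the credentials file path and the `archive` account are all hypothetical placeholders.

```ini
; Added example: Raspberry Pi bridging an SMB1-only NAS to SMB3 clients.
; Assumed layout (hypothetical): legacy NAS 192.168.50.2 is cabled to eth1
; on its own segment; the normal LAN is on eth0.
;
; Step 1 - mount the legacy share over SMB1 on the isolated side.
; /etc/fstab entry (one line). SMB1 is confined to the eth1 cable, the mount
; is read-only, and nothing on it can be executed on the Pi:
;
;   //192.168.50.2/archive /mnt/oldnas cifs vers=1.0,credentials=/etc/samba/oldnas.cred,ro,nosuid,nodev,noexec,_netdev 0 0
;
; Step 2 - keep the Pi from routing between the two segments, so LAN hosts
; can never reach the NAS's SMB1 service directly. /etc/sysctl.conf:
;
;   net.ipv4.ip_forward = 0
;
; Step 3 - /etc/samba/smb.conf on the Pi: re-export the mount to the LAN,
; refusing anything older than SMB3.

[global]
    ; Listen only on loopback and the LAN-facing interface, never on eth1.
    interfaces = lo eth0
    bind interfaces only = yes

    ; Reject SMB1 and SMB2 negotiation from LAN clients.
    server min protocol = SMB3

    ; Require signed, encrypted sessions (encryption needs SMB3 clients).
    server signing = mandatory
    smb encrypt = required

    ; No NetBIOS name service, direct-hosted SMB on TCP 445 only.
    disable netbios = yes
    smb ports = 445

    ; Failed logons are rejected rather than mapped to a guest account.
    map to guest = Never

[archive]
    path = /mnt/oldnas
    read only = yes
    guest ok = no
    valid users = archive
```

The Pi's kernel CIFS client must still include SMB1 support for the `vers=1.0` mount to succeed, and `testparm` will report any parameter the installed Samba version does not accept.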

      1. herman

        Re: That NAS under the stairs

        I would use SMB1 to the old NAS and SFTP to the real world.

    7. Wayland

      Re: That NAS under the stairs

      "Windows 10 Home and Pro still had the client just in case. It would, however, be uninstalled automatically in unmanaged environments if not used for 15 days (excluding time during which the computer is off)."

      Oh so that's why my client's Windows 10 PC stopped being able to connect to the server under the stairs. He only used it for archiving. ClearOS 5.

    8. Plest Silver badge
      Happy

      Re: That NAS under the stairs

      Yep, two old ReadyNAS boxes I bought in 2008 still running upstairs with 10TB of crap on them, I can't access them anymore from any PCs over SMB, only via SFTP for onsite backups.

  2. katrinab Silver badge
    Meh

    SMB2 has been available in Samba since August 2011. It was added to FreeBSD Ports in October 2011, and as far as I can see, on Debian, it first arrived with Wheezy in May 2013. If you are using FreeNAS (now TrueNAS), I guess it would lag FreeBSD by a bit, but not 11 years.

    So surely everyone has had plenty of time to upgrade their NASes?

    1. Anonymous Coward

      If it ain't broken...

      My NAS is not exposed to the internet so why bother?

      1. A.P. Veening Silver badge

        My NAS is not exposed to the internet so why bother?

        Because your home network is?

        Once somebody gets access to your home network, that NAS is an easy target.

        1. Anonymous Coward

          an easy target for what, exactly? Stealing all my old forgotten photos from the 2000's? Looking at the resumes I faxed out in 2012? Deleting my UnrealTournament 2004 installer?

          Just because "somebody" can get to the files over SMB1 doesn't mean they've commandeered the OS to zombie it. (Well, assuming you aren't running it on a Windows 2000/2003 box, in which case, they might be able to)

          1. doublelayer Silver badge

            The average attacker might not do anything other than encrypt it and drop a ransom note, but someone who wanted to could attach malware to any executable files and hope that you'll eventually execute them. There are also code execution vulnerabilities in SMB1 that could be tried, but it would depend whose implementation and which OS they're using. Everyone has some services that really don't matter if an attacker gets access, but many people have things they think are like that but turn out to be more sensitive. I secure everything I have because I don't want to find out at short notice the problems I didn't anticipate.

            1. Anonymous Coward

              There are no more inherent code insecurities in SMB1 than there are in SMB3 or CIFS or NFS. SMB is a protocol, not code. If a vendor did a very poor job implementing it (*cough*Microsoft*cough*) and left it vulnerable to buffer overflows, etc, that's a totally different argument altogether.

        2. Anonymous Coward

          If someone gets access to my internal network the NAS is fucked even if it's on SMBxx.

    2. Franco

      Some older NAS boxes don't support it and never will because the vendors want you to upgrade. Used to have a Netgear ReadyNAS and the Duo firmware didn't support anything other than SMB1.

      The second issue is that almost every contract I work at, there's still a few Server 2003 boxes lurking around with a legacy app that is still required but can't be moved to anything newer for whatever reason (vendor gone under or it's got to be kept for a few more years unused for compliance reasons).

    3. bombastic bob Silver badge
      Devil

      I was thinking that SMB v2 support was available earlier than that...

      and then I found release notes for SMB 3.6 which confirms 2011

      https://www.samba.org/samba/history/samba-3.6.0.html

      1. katrinab Silver badge

        It was available on Windows long before that. Samba 4 (December 2012) was the point where they caught up with Microsoft in functionality and feature parity.

    4. Wayland

      Brother Printer Scanner

      I have an old Brother Scanner which scans to a network folder. I won't since I installed TrueNAS because SMB1 is off.

    5. dajames

      So surely everyone has had plenty of time to upgrade their NASes?

      It doesn't take long to upgrade a NAS if it's still supported. If your NAS runs a proprietary application on top of a proprietary fork of a Linux distribution for a CPU that's no longer supported ... it may take a little longer.

      If, say, you had a SPARC-based Netgear ReadyNAS box (rather than one of the newer ARM-based ones).

      It would be nice if the manufacturers of such boxes would Open-Source at least the OS parts, so that people would have a chance to keep older still-working hardware out of landfill.

  3. cjcox

    Very old.

    Mind you, very old meaning 7+ years old. Just so you know what "very old" means.

    Microsoft created the beast, gave us the neighborhood, praised its holy name as lord god of os features.

    And now they admit they were absolute morons. Typical Microsoft.

    1. Anonymous Coward

      Re: Very old.

      Where do you get 7 years from? SMB 2.0 came out in 2006.

      1. cjcox

        Re: Very old.

        You're not thinking Microsoft. The protocol is old, but the devices still relying on it aren't that old, and that's the point. Experts (that is, people outside of Microsoft) hacked SMB1 eons ago, but it didn't stop appliances from continuing to rely on it.

        So, you say, Microsoft is smart... ok then, then they knew 15+ years ago that it was hack city, just like the rest of us. So, it took them 15+ years to close this down? Whatever....

        1. Anonymous Coward

          Re: Very old.

          MS knew the issues with it and fixed most of them in subsequent versions. They have been trying to wean people off it since then. Read some of Ned Pyle's articles from years ago on why you should not be using it. It has been left as an option precisely because there were still devices that used it. Even when it is removed by default you can still add it back with some effort, but you really shouldn't.

          If vendors have been making devices that only support SMB 1 in the last 10 years, then that is negligence on their part as they will have been advised that there were security issues and that the replacement protocol has been around since 2006. I have certainly been disabling SMB1 for at least that long. If a client had a device that required it and there was no firmware update available to add SMB2, then I advised them that it should be top of their list for replacement. 10 years is at least 2 or 3 hardware update cycles for most businesses, so there should be very little requirement for SMB1 now.

    2. martinusher Silver badge

      Re: Very old.

      SMB predates Microsoft, it's that old. I first came across it with PC-NET, the first IBM small scale networking technology, it certainly was around in 1985. I think it's yet another Xerox original.

      1. cosmodrome

        Re: Very old.

        Novell, IIRC. The whole "Microsoft network" (aka NetBEUI) stuff was bought from Novell for NT sometime back in nineteen-tobacko, if I'm not all wrong.

      2. theOtherJT Silver badge

        Re: Very old.

        https://en.wikipedia.org/wiki/Server_Message_Block

        According to wikipedia it was an MS protocol they implemented in LAN Manager in 1987... but wiki has been known to be wrong.

        1. martinusher Silver badge

          Re: Very old.

          I worked on this stuff in the mid-80s. IBM's first PC networking attempt, PC-NET, used full length adapter cards that modulated the data so it could be transmitted over standard TV coaxial cable. The interface to the network was through BIOS extensions on the adapter card, their NETBEUI. MS-NET, Microsoft's version of the same, was more general. File sharing across a network was enabled with MS-DOS 3.0 and the BIOS extensions could be managed as 'terminate and stay resident' programs, allowing you to substitute whatever adapters you could access (consumer adapters used 50 ohm coaxial cable to interconnect systems). There were all sorts of problems with this technology; it definitely worked but its performance wasn't that good. Novell produced a working version of this type of networking which led rapidly to its universal adoption by business oriented PCs.

  4. BJC

    Problems ahead for old Sonos units

    I believe that the original Sonos boxes can only connect to servers with SMB1, so that's going to be an issue for anyone trying to get them to connect to a new Windows box. I ran into the same problem when a NAS upgrade disabled SMB1 by default. As ever, it was only later that I tried streaming music to the Sonos and didn't immediately tie the failure to the previous NAS upgrade. Of course, Sonos sell upgrades for their boxes but that can be a tidy sum for a multi-room system.

    I use the Sonos units to stream the music from a NAS and then out of an optical output to the proper hi-fi. Gives a nice interface on a variety of phones and tablets in the household. The hi-fi is fine - and likely will be for years - but the Sonos units not so much. I'd love to switch away from SMB1 but unless Sonos release a feature upgrade that isn't an option. I haven't checked the dates, but I'm pretty sure there were later versions of SMB available when the Sonos first shipped, or within their lifetime, so there's an argument that they could/should have added support.

    1. Mr D Spenser

      Re: Problems ahead for old Sonos units

      I have the same issue. For Sonos, the killing off of SMB1 is a godsend. By the magic of doing nothing they shift people away from the non-profitable practice of playing locally stored music to the profitable practice of having to use either a paid service that they get a cut from or their own ad laden streaming service.

      1. Jeremy Allison

        Re: Problems ahead for old Sonos units

        SONOS v2 includes SMB2+ support. It's only the old SONOS v1 boxes that only do SMB1.

        Don't get me wrong, I'm not incredibly happy with this as I have many SONOS v1 boxes and no way am I giving them any more money, but they have added SMB2+ support (finally), if only for the latest releases.

        I'll probably go the SMB2+ mount on a Raspberry PI re-exported via SMB1 to my old SONOS kit.

    2. Wayland

      Re: Problems ahead for old Sonos units

      Same problem on a Brother Printer Scanner after replacing ClearOS 7.7 with TrueNAS Core. Won't scan to the file server.

  5. Fuzz

    Can't believe this has taken so long. It's insecure and hasn't been needed by most people for nearly 10 years on the other hand .net 3.5 which is still supported and still used a lot in enterprise has required a separate install since windows 8.

    1. david 12 Silver badge

      "It's insecure" is a myth perpetuated by the ignorant. It's prolix, and after being moved to tcp/ip, and having had encryption and authentication added, it has high latency, which is an issue because it's prolix. Because it's prolix, and because the modern implementation has such high latency, it's been replaced by SMB2, which is less prolix, and has lower latency.

      That means that the SMB1 servers and clients are falling out of support. The o/s version on my SMB1 NAS has been out of support many years: even on my ancient hardware, it's moved from 3.x to 5.x.

      "Server falling out of support" is insecure, not "SMB1" is insecure.

      And, as demonstrated here, most of those SMB1 servers are appliances, and are the reason why MS has been slow to discontinue SMB1.

    2. Lusty

      Insecure isn't relevant for the people still running SMB 1. The vast majority are running it on a private network at home and serving pictures of their cats. A few will be running it in factory networks which aren't even routable from the other networks in the business, let alone somewhere an attacker would be coming from.

      This is the problem with security folks, they think every installation is being designed for fort knox.

      1. doublelayer Silver badge

        And as one of those security folks, this is the problem with non-security folks. They assume they're safe because this box they're looking at isn't very important. They don't think about all the methods an attacker would use, including getting a beachhead in something unimportant and infrequently managed so they can attack the network from within. Since you're posting here, I think it's more likely that you really know what you mean when you say the box is on a network that never will be available to the internet, but many people also say that and find that someone did connect a cable, long ago, forgot about it, and someone has found it and used it to install malware or extract data.

        I've worked with those people before. One colleague I've had was of the opinion that no security mattered because, as long as it could defeat the average five-year-old (basically as long as there was a password on any administrative or root accounts), we would be fine. His frequent explanation of this was that, as hard as we worked, we would never get a system the Russian government (for some reason, it was always them in the example) couldn't break into. This despite having several networks compromised with malware, including ransomware, during his tenure. When malware is involved, it doesn't matter that your system is more secure than someone's. It doesn't matter that it doesn't contain particularly interesting data compared to others. While being interesting can make you a bigger target, there are enough attackers attacking indiscriminately that you will always be targetable. If you set up a server with SSH access, even if the disks are otherwise blank and the machine has never sent out a packet, bots will find it and attempt to gain access within hours. Lots of other protocols are also attacked in that manner.

        1. Anonymous Coward

          "They don't think about all the methods an attacker would use, including getting a beachhead in something unimportant and infrequently managed so they can attack the network from within. "

          The network that contains a lightbulb and a fridge. You are literally the problem. Yes, home networks are connected to the Internet, no that doesn't make the threat a problem either. It's literally just some cat pictures and holiday photos. Meanwhile you're preventing progress in a thousand projects by insisting on a change control to open port 80 on a SaaS web service that only has port 80 open and no other services running.

          Crack on though, we all need a wall around our gardens with an open gate in front of the only (locked) door. You're bringing real value to your employer.

  6. captain veg Silver badge

    WinHelp

    So this is the same fate that met Windows .hlp files -- the (sub)system is insecure in ways which we can't be bothered to fix, so you will have to do without it.

    The .hlp files were "replaced" by .chm. Anyone remember them?

    Current Microsoft "help" seems to be to launch a browser with a search query. Hey, why bother making documentation when you can just outsource the gig to random strangers, most of whom have the same problem and no solution?

    I can believe that current implementations of SMB1 are insecure. I can be persuaded that it is difficult to make them secure.

    I baulk at impossible.

    -A.

    1. Wayland

      Re: WinHelp

      HLP files were perfectly serviceable tech but they just abandoned them like a chained up bicycle after someone stole the wheels.

    2. Richard 12 Silver badge

      Re: WinHelp

      Many protocols are simply insecure by design.

      The specified security is either laughably easy to break, or not even there at all. So even when implemented perfectly, it's easy for an attacker to read, write or change things that they definitely shouldn't.

    3. philstubbington

      Re: WinHelp

      You’ve not discovered https://docs.microsoft.com/en-gb/ then?

      Microsoft have a huge amount of freely available documentation and learning materials online.

      1. Pascal Monett Silver badge

        The fact remains that a URL is not much help when your desktop is screwed to the point where it cannot connect to the Internet.

        Once upon a time, documentation was a local affair, and it was more or less useful following how much work was put into it.

        Nowadays, it's just a throwaway thought and you've got to scour the Web's technical forums and pray that enough people have had your problem so that somebody might have been good enough to post something somewhere that is actually a solution.

        But actual help from the original vendor ? Or some technical specifications that are up-to-date ?

        Rarer than hen's teeth, these days.

        1. Anonymous Coward

          Once upon a time, documentation was a local affair,

          and out of date before the electrons were dry ...

          This matters in a day and age where many versions of what's installed bear fuck all resemblance to the documentation - looks very hard at Android.

    4. David 132 Silver badge

      Re: WinHelp

      > Current Microsoft "help" seems to be to launch a browser

      ..any browser you want, as long as it's Edge...

      > with a search query.

      ...to any search engine you want, as long as it's Bing.

      Grrrr.

    5. veti Silver badge

      Re: WinHelp

      I worked with (as in, created documents in the formats of) both ".hlp" and ".chm".

      And good riddance to the both of them. One of the happier days of my career was when I finally got the go-ahead to maintain all the documentation online only.

  7. Anonymous Coward

    NAS box HA!

    "Something for that NAS that has lurked beneath the stairs for a decade or so, or the one weird bit of hardware on the factory floor."

    Or for the Windows 2000 domain your company is still running on and the Windows 2003 File Server that is still in use.

    Yes really. Yes I've told them... Pays the mortgage though eh.....

    1. J. Cook Silver badge

      Re: NAS box HA!

      And for that one weird bit of hardware on the factory floor? Put it on its own network, either air-gapped, or on its own vlan that has a firewalled gateway out to anything else that's locked down tighter than a waterfowl's anatomy...

  8. DaemonProcess

    ID theft

    NCSC recommend stopping SMB2 where possible, also. Unfortunately it shares Windows internals with SMBv3 so cannot be disabled in your registry without also clobbering SMBv3. I don't know if NFSv4 is any better, but a lot of devices won't support it out without re-configuration.

    Now that 1gbit broadband is becoming more common, a lot of these home NASs will be replaced by Cloud storage. The only thing stopping me at the moment is the pathetic 1.2mbit/second uplink speed.

    Your home NAS may also contain photos / scans of your passport, driving licence, utility bills and bank statements someone in your house once needed to apply for something.

    Yes it needs to be secure, encrypted and protected from all access. I use a mirrored pair of USB drives on a raspberry pi with nft protection.

    Preferably behind a 2nd firewall because you shouldn't trust the broadband provider's router/firewall to be right up-to-date with patches. I just discovered my Sky Q router has a 2nd non-visible set of firewall rules that we cannot see - for example try blocking 10.123.234.1 both ways and then point your browser at it - yep it still works and sends you out to the internet. There's no way of knowing if that is a second chain or forward/pre-routing rule, or what else they have hidden from us. I don't even know if my rules to stop UPNP are worthless now, because it don't have anything that uses it.

    1. Down not across

      Re: ID theft

      Now that 1gbit broadband is becoming more common, a lot of these home NASs will be replaced by Cloud storage. The only thing stopping me at the moment is the pathetic 1.2mbit/second uplink speed.

      That is rather optimistic.

      I think you would find that it's a minority that will be able to get 1Gbit/s broadband, and of those majority quite possibly won't see the need nor want to pay for the additional cost.

      I don't see that changing very fast either.

    2. Anonymous Coward

      Re: ID theft

      "Now that 1gbit broadband is becoming more common, a lot of these home NASs will be replaced by Cloud storage. "

      Why? One would think that someone tech-savvy enough to know how to set up and use a NAS at home would also be tech-savvy enough to be very, very leery of moving all of their digital stuff out to the "cloud" and losing control of it. Not to mention, well, let's face it - those of us running a NAS at home are already more than a little paranoid about our data. Sure, a NAS disk could blow out, but nobody can take it away from you without a warrant. Your "cloud storage" could evaporate at the drop of a hat, entirely on someone else's whim.

    3. that one in the corner Silver badge

      Re: ID theft

      Paint me confused: you are concerned over ID theft and urge the use of extra layers of router to protect your encrypted NAS, but are also looking forwards to the day when you can just gleefully hand everything over to sit on someone else's computer? Just as soon as you get a fast enough upload speed so you don't keep them waiting in suspense.

  9. IGotOut Silver badge

    I love the comments

    People complain about MS being bloated and insecure.

    MS try to remove insecure bloat and people complain.

    1. Anonymous Coward

      Re: I love the comments

      "MS try to remove insecure bloat and people complain."

      If only they'd set their removal sights on Teams (the poster child for bloated), it'd have been crickets.

  10. Colonel Mad

    SMB

    Server Message Block
