Hello again, James Kehr here with another guest post. Titles are hard to do. They must convey the topic to the reader while being both interesting and informative, all at the same time. Doing this with a technical article makes life even harder. Now imagine my dilemma when starting an article about SMB1 behaviors in modern Windows. Think about that for a minute. Go ahead. The article will still be here.

Today I'll explain why you still see a little SMB1 on your network even after you uninstalled SMB1 from Windows, and why it's a good thing.

SMB1 is Dead!

The end of SMB version 1 (SMB1) topic has been discussed in great detail by Ned Pyle, who runs the SMB show here at Microsoft. Go read this article if you have not.

At first glance this seems like I’m beating a dead horse. If that’s what you thought, you’d be right. Unfortunately, this figuratively dead horse needs to be beaten1 some more.

Please stop using SMB1. Please get rid of those ancient, legacy systems that only support SMB1. We constantly get cases from customers asking why modern Windows 10 doesn’t support SMB1 out-of-the-box so it will work with their old, insecure systems.

Let’s go over this one last time.

The only versions of Windows that require SMB1 are end-of-support (EOS). By years ! These are Windows Server 2003 (EOS July 2015), Windows 2000 Server (EOS July 2010), their client editions, and older.

! These are Windows Server 2003 (EOS July 2015), Windows 2000 Server (EOS July 2010), their client editions, and older. Samba and Linux distros like Ubuntu have retired SMB1 as well. If you have a Linux/Unix-like distro that only supports SMB1, it’s time to upgrade.

Not only does Microsoft not support these EOS operating systems (OS’s), we do not support interoperability with them. Meaning, if the latest version of Windows 10 does no work with an EOS version of Windows over SMB, Microsoft will not support you.

Why not? Let’s start by putting the age of Windows 2000 (W2000) and 2003 (W2003) into perspective.

EOS Windows versus Apple: Windows 2000 was released 7 years before the first iPhone. Windows 2003/XP was released 4 years before the first iPhone. Apple computers were still running IBM PowerPC processors. Asking for EOS Windows support is like asking Apple to support PowerPC Macs. I’m sure Apple support would get a good laugh out of the request, but I imagine that’s as far as the request would go.



… vs Android Didn’t even exist.



… vs Linux Kernel 2.2.14 was released the same year as Windows 2000. Version 2.4 was the newest kernel when Windows Server 2003 launched. Support for the last version of the version 2 kernel, 2.6.32, ended in 2016. How fast do you think the “no” would come back from Linux distro support if you asked for support on kernel 2.2 or 2.4? Assuming your distro of choice even existed back then.



By asking Microsoft to support EOS Windows, people are effectively asking us to support an OS that is so old that the modern smartphone didn’t even exist yet. Not counting Pocket PC or Windows Mobile here. An era when dial-up internet was still dominant and the world was still learning how high-speed Internet would impact computer security.

Multi-core processors didn’t exist yet, outside of the mainframe space. Those didn’t come around until 2004 (AMD) and 2005 (Intel). X86 64-bit processors didn’t exist when W2000 was released and they were brand new for W2003. Running legacy OS’s is not just bad security, it’s scary security because you are running an OS built for a completely different era of computing.

The real question here is: Why are you still running an OS or device that is so old it requires SMB1?

The SMB1 Problem

The biggest problem with SMB1 is that it was developed for the pre-Internet era. The first dialect came out in 1983 from IBM. Security and performance were designed for closed token ring networks and old fashion spinny disks. As EternalBlue and WannaCry would later prove, it is not a protocol that has aged well and it is no longer safe to use.

Unlike most other deprecated protocols, however, SMB1 controls the keys to the kingdom: data, services, file systems, accounts, and more. This makes SMB1 exploits critically harmful.

When Microsoft decided to retire SMB1 for real, and stop asking nicely, we tore off that band-aid by removing it completely from Windows 10 Spring 2017 Update (Win10 1703), when Windows detected that SMB1 was not in use. No SMB1 dialect was sent during negotiation, no SMB1 was allowed at all. And that broke things.

It turned out that some devices which only know about SMB1 weren’t quite sure what to do when getting an SMB request with no SMB1 in it. This caused a lot of strange behavior on the Windows-side; namely, hanging or pausing until everything finally timed out. This manifested in Windows as an unresponsive Windows Explorer (the technical name for the yellow folder icon you click on to access your files). People don’t like that. I don’t like that.

We ended up making changes to mitigate this without actually enabling SMB1.

Windows 10 1709 (2017 Fall Update) and newer will send SMB1 dialects as part of the SMB negotiate. We do this to help interoperability with legacy devices. I.E. prevent Windows Explorer from pausing/hanging.

We will not actually allow an SMB1 connection when SMB1 is disabled. We only pretend to. The connection will end up getting closed when the server or client tries to use an SMB1 dialect.

In addition to preventing uncomfortably long waits for Windows users, it lets us bubble up messages about SMB1 only devices on your network. System admins can look in the Event Viewer > Applications and Services Logs > Microsoft > Windows > SMBServer-Operational log for event ID 1001, which is created when SMB1 is used.

Log Name: Microsoft-Windows-SMBServer/Operational

Source: Microsoft-Windows-SMBServer

Date: 9/17/2019 12:17:41 PM

Event ID: 1001

Task Category: (1001)

Level: Information

Keywords: (8)

User: N/A

Computer: DC01

Description:

A client attempted to access the server using SMB1 and was rejected because SMB1 file sharing support is disabled or has been uninstalled.

Guidance:

An administrator has disabled or uninstalled server support for SMB1. Clients running Windows XP / Windows Server 2003 R2 and earlier will not be able to access this server. Clients running Windows Vista / Windows Server 2008 and later no longer require SMB1. To determine which clients are attempting to access this server using SMB1, use the Windows PowerShell cmdlet Set-SmbServerConfiguration to enable SMB1 access auditing.

SMB1 auditing can be also be enabled to get more details about what is using SMB1 on your network.

Set-SmbServerConfiguration -AuditSmb1Access $true

Log Name: Microsoft-Windows-SMBServer/Audit

Source: Microsoft-Windows-SMBServer

Date: 12/13/2019 11:37:53 AM

Event ID: 3000

Task Category: None

Level: Information

Keywords:

User: N/A

Computer: DC01.Contoso.com

Description:

SMB1 access

Client Address: 192.168.1.214

Guidance:

This event indicates that a client attempted to access the server using SMB1. To stop auditing SMB1 access, use the Windows PowerShell cmdlet Set-SmbServerConfiguration.

Negotiation

The SMB Negotiate command is where the SMB dialect is …well… negotiated.

The SMB Client – the system requesting access to the remote file system – sends a list of all the dialects it supports. A dialect is a revision of the SMB protocol specification. Every revision of the SMB protocol has, so far, gotten a new dialect. Though SMB 3.1.1 was built to be more extensible so it may be a while before the next dialect is created.

The SMB Server – the system hosting the file system – then selects the newest dialect that both client and server support. When the server supports none of the client protocols it aborts the connection with a TCP RST (reset).

How does faux SMB1 support work with Negotiate? Delicately.

Here’s what it looks like when a Windows SMB Server rejects an SMB1 only connection from an SMB Client. This is the SMB1 only request, as seen by Wireshark.

No. Time Source Destination Protocol Length Info 24 6.892775 192.168.1.214 192.168.1.215 SMB 191 Negotiate Protocol Request

…

SMB (Server Message Block Protocol)

SMB Header

Negotiate Protocol Request (0x72)

Word Count (WCT): 0

Byte Count (BCC): 98

Requested Dialects

Dialect: PC NETWORK PROGRAM 1.0 <<<<<< These are all the old SMB1 dialects

Dialect: LANMAN1.0

Dialect: Windows for Workgroups 3.1a

Dialect: LM1.2X002

Dialect: LANMAN2.1

Dialect: NT LM 0.12

This is Windows saying “NOPE!” to SMB1 in the form of an immediate TCP reset. Get thee gone, SMB1!

25 6.893143 192.168.1.215 192.168.1.214 TCP 54 445 → 49769 [RST, ACK] Seq=1 Ack=138 Win=0 Len=0

Now let’s look at the Windows SMB1 discovery packet. In this test I have disabled SMB2 support on a Windows Server. The SMB Client is a standard Win10 1909 client.

No. Time Source Destination Protocol Info 4 15:50:48.03 192.168.1.211 192.168.1.109 SMB Negotiate Protocol Request

…

SMB (Server Message Block Protocol)

SMB Header

Negotiate Protocol Request (0x72)

Word Count (WCT): 0

Byte Count (BCC): 34

Requested Dialects

Dialect: NT LM 0.12

Dialect: SMB 2.002

Dialect: SMB 2.???

There are three Dialects listed in the Negotiate Protocol Request frame:

NT LM 0.12 – This is the final SMB1 dialect created, also known as the CIFS dialect.

SMB 2.002 – This is the first SMB2 dialect released with Windows Vista.

SMB 2.??? – This is the wildcard SMB2 dialect. Which I won’t go into here.

NT LM 0.12 (CIFS) is a red herring. This is the newer mechanism in Win10 to flush out SMB1 only devices. My test server, which only has SMB1 enabled, does what it’s supposed to do and tries to catch the red herring.

No. Time Source Destination Protocol Info 5 15:50:48.04 192.168.1.109 192.168.1.211 SMB Negotiate Protocol Response

…

SMB (Server Message Block Protocol)

SMB Header

Negotiate Protocol Response (0x72)

Word Count (WCT): 17

Selected Index: 0: NT LM 0.12 <<<<<<<< The server took the bait.

…

Can you guess what happens next? If you guessed that the Win10 SMB Client sent the SMB Server a big fat “NOPE!” in the form of a TCP RST, you would be correct.

No. Time Source Destination Protocol Info 6 15:50:48.04 192.168.1.211 192.168.1.109 TCP 53994 → 445 [RST, ACK] Seq=74 Ack=132 Win=0 Len=0

“Why not just fix SMB1?” you may ask. We did! It’s called SMB2.

Long Live SMB2

Devs and marketing teams like bigger version numbers. Devs because it allows them to track changes. Marketing teams because bigger numbers mean you have something new to sell. The number of changes made between SMB1 and SMB2 was staggering. The entire protocol was redesigned from the ground up. New commands, WAN optimizations galore, tightened security, more features…it was the stuff of marketer’s dreams.

Instead of adding yet another dialect to SMB, it was decided that a new major version of SMB was needed. This was a justified move given that the entire protocol spec was essentially rewritten. Only concepts from the original SMB and CIFS protocols were adopted. And thus, MS-SMB2 was born.

SMB2 has now become SMB3. This is more of a marketing move since SMB3 still uses the MS-SMB2 protocol spec. There were just enough changes between SMB 2.1 and SMB 3.0 to justify a new major version. On an interesting historical note, SMB3 was originally SMB 2.2 until the marketing team got involved.

Now, on top of the fancy protocol redesign, Microsoft has added several cool new features, and continues to do so. Things like SMB Encryption allows full AES encryption of data payloads to prevent man-in-the-middle (MITM) snooping and attacks. Continuous Availability provides seamless failover between clustered file servers. SMB Direct allows multiple hundreds of Gbps of throughput between RDMA capable servers while only sipping CPU cycles. The list goes on and new features are added all the time to adapt SMB to the ever-changing network landscape, like SMB over QUIC and SMB compression arriving in future builds of Windows. Or, now, if you’re reading this far enough in the future.

There really is no reason to keep SMB1 around anymore. Managers like to cite cost as the reason, but, when you think about the potential cost of a data breach, is it really worth the risk? Why would anyone want to keep around a system that can only use network protocols known to be exploitable and control the keys to the kingdom? Hopefully, the answer to these questions are, no and heck no.

SMB is dead, long live SMB!

1 – No animals were harmed during the creation of this article. Some electrons were deeply offended, but that’s about it.