Sergey Nivens - Fotolia
After a series of high-profile attacks exploiting Microsoft's Server Message Block protocol, the software giant is reportedly planning to disable SMBv1 by default.
According to a report from Bleeping Computer, Microsoft has already built internal versions of Windows 10 Enterprise and Windows Server 2016 that have version 1 of the Server Message Block protocol disabled by default, though the software giant said it is still in the early stages of deciding a course of action. Microsoft claimed the decision to disable SMBv1 by default was made five years ago, but the change may finally be implemented in the next major Windows updates this fall.
Microsoft had sent out a security advisory in September recommending users disable SMBv1 when possible; US-CERT followed suit with a similar advisory in January.
Nick Bilogorskiy, senior director of threat operations at Cyphort Inc., based in Santa Clara, Calif., said it is "excellent that Microsoft decided to finally take action and disable SMBv1 by default."
"Disabling by default is a welcome move, because running SMBv1 is no longer necessary for modern enterprise users, and [it] opens up a significant security vulnerability," Bilogorskiy told SearchSecurity. "This is where backward compatibility comes in conflict with security; while SMBv1 is enabled, the attacker can force a downgrade to that protocol, bypassing all security improvements of later versions."
The news comes on the heels of the highly publicized WannaCry ransomware attacks that used a leaked National Security Agency cyberweapon to exploit SMBv1 and infect hundreds of thousands of systems worldwide.
However, Ned Pyle, principal program manager in the Microsoft Windows Server high availability and storage group, told Bleeping Computer the plans to disable SMBv1 have been in the works at Microsoft for the past five years.
Pyle said the security issues of SMBv1 were the main factor in deciding to disable the protocol, but the fact that SMBv2 was released nine years ago was also a factor. Pyle also said Microsoft would prefer everyone use SMBv3 -- released in 2012 -- as the standard.
Pyle has been less diplomatic about his desire for users to disable SMBv1 on Twitter.
It's there, whether you ignore it or not pic.twitter.com/BIUq7oIJQb— Ned Pyle (@NerdPyle) June 5, 2017
Pyle claimed the ubiquity of SMBv1 made taking action more difficult, but confirmed when Windows 10 Redstone 3 is released, SMBv1 will be disabled by default.
Microsoft and security experts still urge users on older systems to patch the vulnerability, and Bilogorskiy said it was "unfortunate" that it took Microsoft five years after deciding to finally disable SMBv1.
"Microsoft operates at its own pace. I used to work at Microsoft in 2002, and I remember how gradually things moved there and how risk-averse they were as a company. Any change must be approved at many levels and full QA [quality assurance] cycle is quite long," Bilogorskiy said. "Microsoft suffers from corporate inertia, [and] they have more than 120,000 employees. Compared to an average startup, they have a lot more to lose, a much larger risk profile in terms of existing customers and revenue."
Learn how the WannaCry ransomware worm exposed enterprise security shortcomings
Find out about how cognitive hacking and bad data can affect enterprises
Get info on how to prevent privilege creep in software development