How can users tell if Windows SMB v1 is on their systems?

US-CERT recently reminded users not to use an outdated version of Windows Server Message Block, such as Windows SMB v1. How can someone tell if it's enabled on their systems? What should be done if Windows SMB v1 is on their systems?

The Server Message Block, or SMB, protocol is a file sharing protocol that allows operating systems and applications to read and write data to a system. It also allows a system to request services from a server.

The latest versions of the Windows operating system support SMB v2 and SMB v3, and Microsoft is attempting to depreciate the use of SMB v1 within its software.

There have been numerous vulnerabilities tied to the use of Windows SMB v1, including remote code execution and denial-of-service exploits. These two vulnerabilities can leave a system crippled, or allow attackers to compromise a system using this vulnerable protocol.

Throughout the years, Microsoft has patched its operating system for similar vulnerabilities in Windows SMB v1, and has introduced new versions of the protocol to eliminate the use of this first version of SMB.

Windows 2003 was the last Windows operating system that was only using SMB v1, and it is now no longer supported by Microsoft. All the versions of Windows that have come after Windows 2003 are able to support SMB v2 or SMB v3, but normally, these systems are not the issue. Many times, it's the storage devices, printers or applications running in the network that need Windows SMB v1 enabled, but even then, it's possible that they're able to use a newer version of SMB.

Attackers are easily able to exploit these vulnerabilities in a network if it's enabled because, even when the system uses SMB v2 or v3, if the attacker can downgrade the communication to SMB v1, he can exploit the system. This is where the man-in-the-middle attack of a Windows SMB v1-enabled system can become an issue, even if it's not being used.

In newer versions of its operating system, Microsoft has enabled the ability to remove SMB v1 as an optional component, and allows an audit feature to determine if there is actual use of SMB v1 on the system. The auditing command is: Set-SmbServerConfiguration --AuditSmb1Sccess $True. If there's something using the protocol, it will show up in the logs, and admins will be able to investigate it further. If the audit shows printers, storage devices and applications that require SMB v1, then it may be time to consider upgrades.

If you audit a system, and you're sure you can disable the protocol without causing any damage, you can run the following command to disable the protocol: Set-SmbServerConfiguration -- EnableSMB1Protocol $false. This can also be done within Windows Server Manager.

It's also highly recommended to validate that all versions of the SMB protocol are blocked from ever being exposed publically to the internet. This is done by making sure TCP port 445, UDP port 137-138 and TCP port 139 aren't accessible from the outside.

Locking down your firewalls, determining if a system even needs Windows SMB v1 and updating your Windows operating system to the latest version of SMB will protect you from the concerns released by US-CERT.

Ask the expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)