Have to use SMB 1.0? Windows 10 April 2018 Update says NO

The Windows 10 April 2018 Update has been out for over a month now, and the rumbling of user dissatisfaction continues. This time it's networking problems for users still clinging to the venerable SMB1 protocol. Users have taken to support forums, including Microsoft's own, complaining that the latest version of Windows 10 is …

Silver badge

smb 1

Got told off the other day by IT, had uninstalled anti-virus to upgrade to 1803^H4^H5.

They asked me to reinstall asap, but I could not reach file server, since I had disabled SMBv1 forcefully... and it was running the obsolete protocol...

8
9
Anonymous Coward

Re: smb 1

You might need to have a word with the head of your IT dept. as if a file server is being used in a work environment that doesn't support at least SMBv2 then something needs to change ASAP

Even if you disable SMBv1 on Windows 10, it will either use SMBv2 or if possible then SMBv3

28
0
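Added example, not part of any comment in this thread: one way to see which protocol family a device actually answers with before SMB1 is switched off is to classify its NEGOTIATE response from a packet capture. The sketch assumes each response was captured on TCP 445 from a client that offers SMB2/3 as well as SMB1; the host names and sample frames are constructed, and the function names are illustrative.

```python
import struct

# DialectRevision values carried in an SMB2 NEGOTIATE response (MS-SMB2).
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0",
            0x0302: "3.0.2", 0x0311: "3.1.1", 0x02FF: "2.x wildcard"}

def classify_negotiate_response(frame: bytes) -> dict:
    """Classify one server NEGOTIATE response captured on TCP 445.

    frame = 4-byte transport prefix (0x00 + 24-bit big-endian length) + SMB message.
    """
    if len(frame) < 4 or frame[0] != 0:
        raise ValueError("not a direct-TCP SMB frame")
    msg = frame[4:4 + int.from_bytes(frame[1:4], "big")]
    if len(msg) < 5:
        raise ValueError("message too short")
    if msg[:4] == b"\xffSMB":                       # SMB1 magic
        if msg[4] != 0x72:                          # 0x72 = SMB_COM_NEGOTIATE
            raise ValueError("SMB1 message is not a negotiate response")
        return {"family": "SMB1", "dialect": None, "signing_required": None}
    if msg[:4] == b"\xfeSMB":                       # SMB2/3 magic
        if len(msg) < 70:
            raise ValueError("truncated SMB2 negotiate response")
        (command,) = struct.unpack_from("<H", msg, 12)    # 0x0000 = NEGOTIATE
        if command != 0:
            raise ValueError("SMB2 message is not a negotiate response")
        # Body after the 64-byte header: StructureSize, SecurityMode, DialectRevision.
        _, sec_mode, dialect = struct.unpack_from("<HHH", msg, 64)
        return {"family": "SMB2+", "dialect": DIALECTS.get(dialect, hex(dialect)),
                "signing_required": bool(sec_mode & 0x0002)}
    raise ValueError("unknown protocol magic")

def smb1_only_hosts(observed: dict) -> list:
    """Hosts that answered with SMB1 even though SMB2+ was on offer."""
    return sorted(h for h, f in observed.items()
                  if classify_negotiate_response(f)["family"] == "SMB1")

def _frame(msg: bytes) -> bytes:
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

def _smb2_response(dialect: int, sec_mode: int) -> bytes:
    header = b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, b"")
    return _frame(header + struct.pack("<HHH", 65, sec_mode, dialect) + bytes(59))

# Constructed sample frames (not captured traffic); host names are placeholders.
_SMB1 = _frame(b"\xffSMB\x72" + bytes(27) + b"\x11\x05\x00" + bytes(34))
SAMPLES = {"nas.example": _SMB1, "printer.example": _SMB1,
           "win10.example": _smb2_response(0x0311, 0x0003),
           "samba.example": _smb2_response(0x0210, 0x0001)}

if __name__ == "__main__":
    print("SMB1-only:", smb1_only_hosts(SAMPLES))
```

Hosts listed as SMB1-only are the ones that would stop being reachable once SMBv1 is disabled on the clients or servers that talk to them.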
Silver badge
Trollface

Re: smb 1

SOLUTION: dump Win-10-nic, install XP. problem solved. heh.

21
30
Silver badge

Re: smb 1

List of broken stuff here:

https://blogs.technet.microsoft.com/filecab/2017/06/01/smb1-product-clearinghouse/

2
0

Re: smb 1

Indeed! Our Win98 workgroup runs sweet-as, though I can never work out where all those pop-ups telling me the Registry is corrupt and to call Microsoft on an Indian phone number come from...

16
2
Silver badge

Re: smb 1

"You might need to have a word with the head of your IT dept. as if a file server is being used in a work environment that doesn't support at least SMBv2 then something needs to change ASAP"

Probably including users being able to uninstall their own antivirus if they feel like it, too.

11
0

Re: smb 1

"Even if you disable SMBv1 on Windows 10, it will either use SMBv2 or if possible then SMBv3"

As Microsoft note on one of their support pages, disabling a particular version of SMB in an environment with mixed versions of Windows is a right kerfuffle -- and this really is the URL:

https://support.microsoft.com/en-gb/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and

Replacing old NAS devices sounds like a good idea most of the time.

I recall working with a £x00,000 NAS device which had been written according to the CIFS/SMB standards of the time. We were dumping files generated on Windows XP systems for an OS upgrade. The official spec for SMB 2.0 -- as interpreted by the NAS vendor -- was that some extended file attributes were optional, so the vendor did not support them for SMB 2.0 file transfers. If a file with certain extended attributes was transferred to the NAS from a Windows 2008 R2 server, the file was rejected. However the file was deemed valid when transferred by SMB 1.0.

The NAS vendor suggested a very long timescale for a fix. So we turned off SMB 2.x on the intermediary Windows servers and progressed at a s-l-o-w-e-r pace.

No doubt that bug/misunderstanding is fixed, but there'll be different bugs or the need to go back in time which require SMB 1.0.

2
0

Re: smb 1

I have to have SMBv1 enabled on the file server, our (relatively new) printers only use SMBv1. At least that's what tech support tells me. A firmware update still didn't enable SMBv2.

2
0
Anonymous Coward

Was wondering why my NAS wasn't working. Never mind, I'll just go upgrade to the latest firmware. Oh, there isn't any and they're not planning the upgrade? For this device still in shops? Fk off.

73
3
Gold badge

Depending on how pissed off you are, you might want to argue that the device is not fit for purpose. MS have spent about half a decade pleading with everyone to stop using it ASAP. There's no way this device is fit for purpose even now, let alone for however many years a consumer product is supposed to receive support. (Looks like 6 in the UK: https://www.which.co.uk/consumer-rights/advice/what-do-i-do-if-i-have-a-faulty-product)

Failing that, name the vendor here and we can all tell as many of our friends as possible to steer clear of the brand forever.

50
2

D-Link is one, I own their DNS-323. I am avoiding D-Link from now onwards.

14
1
Silver badge

"D-Link is one, I own their DNS-323. I am avoiding D-Link from now onwards."

That's Gemini which is actually nice hardware, but the software originally skirted GPL by not releasing working kernel sources for it. The original software was actually Debian based by the way. There was a ghastly "original kernel grafted onto a generic Debian distro" load for it a while back, but that died due to lack of maintenance.

That has now been fixed, so after a very long hiatus it should work with the latest kernels. I believe 4.17 works out of the box, there are backport patches for openwrt and Debian. As a result there will be firmware for it in the next releases (finally). I am waiting for the next LEDE release to pull mine out of the dusty drawer and put it to use - the hardware in it is actually quite good.

5
1
Gold badge

And whilst I'm thinking about this, if Ned Pyle really wants to see the end of SMB1 he should push for MS and people like CERT to issue official statements that any device that defaults to SMB1 is, in their considered expert view, not safe to connect to a network in 2018 and therefore not fit for purpose. *That*, from them, would greatly assist anyone who wants to pick a fight with vendors on this point. They could go to their Trading Standards people and say "Expert opinion is on my side here.".

27
0

Hows about Sonos. Set it up for my dad he has loads of music on his PC but Sonos only connects via SMBv1

7
0
Mushroom

ASUS are another one.

Currently shipping "top of the line" ASUS routers are being shipped with firmware that includes Samba 3.0.33, which is a decade old for crying out loud, riddled with security bugs, and supports only SMB1 (which is being deprecated everywhere, fast). And ASUS have no plans to update their current (let alone legacy) products to a modern, (more) secure version of Samba, such as Samba 4.

You can use third-party firmware alternatives for the ASUS routers that do include a more recent version of Samba 3, which would at least get you SMB2 support, but apparently the devices don't have enough flash storage to allow Samba 4 to be included.

So please, give ASUS routers a very wide berth as ASUS don't give a fsck about basic security, or their users. Alternatively, disable the outdated and insecure ASUS Samba server entirely, and use something else (Raspberry Pi3+?) for your Samba file sharing.

17
0
Silver badge

"Was wondering why my NAS wasn't working. Never mind, I'll just go upgrade to the latest firmware. Oh, there isn't any and they're not planning the upgrade? For this device still in shops? Fk off."

SMB2 came out in 2006. I am amazed that anyone would buy a NAS in the last decade that didn't support it.

2
1
Silver badge

"but Sonos only connects via SMBv1"

I too have Sonos, so does Jeremy Allison.

0
0

Replace it with a product that actually cares a bit about security of your data.

5
0

My experience has been that the people selling such rubbish are severely clue-deficient, and take the labelling on trust, which as often as not never mentions SMB version support. SMB is SMB is SMB.

So it's a combination of piss-poor documentation from the manufacturer, and low-paid sales staff.

For most of this century the well-informed salesman has been a dying breed, but at least I can download the manuals. But does that help?

Last week I was working on an old Dell workstation, it is good kit and I got a good deal. But the manual (and Dell support) are inadequate on how to fit anything in the front-of-case drive bays. Problem sorted, but it doesn't impress.

4
1
Anonymous Coward

ASUS are another one

ASUS also sends all your data to TrendMicro:

https://www.ctrl.blog/entry/review-asuswrt

2
0
Silver badge

"I'll just go upgrade to the latest firmware. Oh, there isn't any and they're not planning the upgrade? For this device still in shops? "

"Unfit for purpose" springs to mind as a stick to beat the retailer with.

3
0
Silver badge

"So please, give ASUS routers a very wide berth as ASUS don't give a fsck about basic security, or their users. "

About 20 years ago, ASUS responded to a plethora of customer complaints about problems with their TNT2 video cards by shutting down their entire customer forum system. This caused me to set a policy of "never deal with ASUS"

More recent interactions caused by a vendor who sold us rebadged ASUS servers showed that the attitude hasn't changed (when the stuff arrived I expressed my misgivings and was overruled, things quickly turned to shit from there on the support front as the vendor was left high and dry by ASUS.)

5
0
Silver badge

Can you ssh in and furtle smb.conf?

0
0
Silver badge

"And whilst I'm thinking about this, if Ned Pyle really wants to see the end of SMB1 he should push for MS and people like CERT to issue official statements that any device that defaults to SMB1 is, in their considered expert view, not safe to connect to a network in 2018 and therefore not fit for purpose."

Think more or less everyone now has issued such statements. Repeatedly. For most of the last 5 years.

0
0
Silver badge

Given that the protocol has been deprecated for nearly 2 decades, it is astonishing how many products still use it as standard / don't support SMBv2 or SMBv3!

At a previous employer, we had it the other way round, we disabled SMBv1 on all servers, only for the Minolta scanners to stop working, because the scan-to-folder option only supported SMBv1, and they were new (less than 2 years old) printers!

3
0
Silver badge

"he should push for MS and people like CERT to issue official statements that any device that defaults to SMB1 is [...] not safe to connect to a network"

Well, Ned works for Microsoft, and regularly tells people in his official capacity to stop using SMBv1 (eg), and US-CERT say the same. That's about as emphatic as warnings get.

2
0
Anonymous Coward

...erm...

If you read Ned's blog, who works for MSFT, he just about says that:

"Hi folks, Ned here again and today’s topic is short and sweet:

Stop using SMB1. Stop using SMB1. STOP USING SMB1!

In September of 2016, MS16-114, a security update that prevents denial of service and remote code execution. If you need this security patch, you already have a much bigger problem: you are still running SMB1.

The original SMB1 protocol is nearly 30 years old, and like much of the software made in the 80’s, it was designed for a world that no longer exists. A world without malicious actors, without vast sets of important data, without near-universal computer usage. Frankly, its naivete is staggering when viewed through modern eyes. I blame the West Coast hippy lifestyle :).

If you don’t care about the why and just want to get to the how, I recommend you review:

How to remove SMB1

The SMB1 clearinghouse

SMB1 is being removed from Windows and Windows Server

Otherwise, let me explain why this protocol needs to hit the landfill.

SMB1 isn’t safe"

1
0

"Oh, there isn't any and they're not planning the upgrade? For this device still in shops? Fk off."

Add Netgear to the list. We bought had some of their switches foisted on us recently by sales. Turns out you can't remove the vlan 1 untag on all the ports or something daft along those lines.

Last firmware update was 2013 and they are still being sold.

Never again.

1
0

Some small Kyocera lasers are also SMB1. Took me an age to work around that problem on 2008 with RDP on Windows 10 clients.

0
0
Silver badge

"This time it's networking problems for users still clinging to the venerable SMB1 protocol."

Surely you mean Vulnerable SMB1 protocol ??

28
3
WTF?

Fix it, don't disable it

Why not just patch the vulnerability rather than disabling it?

I suspect Microsoft's engineers are just being lazy.

SMB1 is widely used by legacy NAS devices and most Android clients.

2
35
Silver badge

Re: Fix it, don't disable it

"Why not just patch the vulnerability rather than disabling it?"

You can't. It is fecked up by design. That is what v2 fixes amidst other things.

33
2
Silver badge
Terminator

Re: Fix it, don't disable it

"Why not just patch the vulnerability rather than disabling it?"

Because, THAT is NOT how "The Borg" operates. They are in control. Your distinctiveness will be added to the collective. And you will be assimilated.

5
43
Trollface

Re: Fix it, don't disable it

Bob, have you tried vacuuming out your keyboard? The constant toggling of caps lock is driving us nuts. Otherwise I'm going to have to take up a collection to get you a new keyboard.

35
2
Silver badge
Facepalm

Re: Fix it, don't disable it

It's called "being expressive" by use of punctuation, capitalization, etc.. I think it is MUCH better than "monotone" and puts the emphasis where _I_ want it. (NOT putting emphasis on the right words changes its meaning, JUST a bit)

facepalm icon for various reasons.

4
34
Holmes

Re: Fix it, don't disable it

Why not use the tools that come with the silver badge next to your name? Things like bold, italics, and underlining can add just as much emphasis in the same places and make your posts easier to read at the same time. You have earned the privileges and no one will think less of you for using them.

On the other hand, by insisting on using caps to accomplish your goals you are coming across like a guy that thinks the volume of the message makes it a better argument. People will discount what you have to say because of it. Or worse, just ignore you.

32
0

Re: Fix it, don't disable it

Rather than using excessive caps, why not let the force of your words alone provide the weight you're looking for?

You may as well be using emoji to make a strong point.

14
1
J27

Re: Fix it, don't disable it

That patch wouldn't be backwards compatible, so there isn't any point.

6
0
J27

Re: Fix it, don't disable it

I don't think you understand what quotation marks are for. Using them for emphasis just makes you look stupid.

4
0
Silver badge

Re: Fix it, don't disable it

"Why not just patch the vulnerability rather than disabling it?"

Microsoft HAVE patched all the SMBv1 OS security vulnerabilities to date in supported OSs - and in quite a few that were no longer supported.

There is however an unpatched denial of service issue called SMBLoris:

http://securityaffairs.co/wordpress/61530/hacking/smbloris-smbv1-flaw.html

“The case offers no serious security implications and we do not plan to address it with a security update,” a Microsoft spokesperson told Threatpost. “For enterprise customers who may be concerned, we recommend they consider blocking access from the internet to SMBv1.”

4
0
Coat

Re: Fix it, don't disable it

I don't think it was "fecked up by design" - i.e. the original intention in the design being to feck it up.

"The design was fecked-up" is perhaps what you meant.

Then again, that's pretty standard for any networking protocol designed at the same time, when security was, well, not considered at all. SMTP probably stands out most of all :-) (although that does of course predate SMB by some considerable margin)

9
0
Silver badge

Re: Fix it, don't disable it

"SMB1 is widely used by legacy NAS devices and most Android clients."

Given that SMBv1 was deprecated nearly 20 years ago, maybe you should be using a somewhat newer NAS or Android device - although I wasn't aware that Android was around 20 years ago...

2
0
Anonymous Coward

I like SMB1, one of the better NES titles.

16
0
Silver badge

Our Princess is in another castle!

0
0

typical

damned if you do, damned if you don't

11
0

so, just activate it again?

SMB1 is disabled as a Feature in 1803 but only for new installs, not for upgrades. Just reactivate it and it works...

2
0

Re: so, just activate it again?

No it doesn't for a lot of stuff.

See some of the links etc.

1
0
Silver badge

"...running naked down the street while singing a variety of ribald rugby songs..."

I don't get how this is supposed to be A Bad Thing. =-)p

15
1
Silver badge

Re: "...running naked down the street while singing a variety of ribald rugby songs..."

I played at prop forward for many a year.

And now I'm fuck ugly with cauliflower ear.

They moved me to hooker 'coz my propping had sunk

But no-one pays money for a fat ugly c*nt.

...

1
0
Silver badge
Facepalm

Arf, arf, arf!

Must be some real BOFH bellends about if business systems are still on SMB1

7
8
