Ned wasn’t kidding: The End of SMB1 - interopevents.com
TRANSCRIPT
Ned wasn’t kidding: The End of SMB1
Ned Pyle
Microsoft
SMB 3.1.1
The evolution of SMB
The 1980s: the primordial ooze
The 1990s: SMB1/”CIFS”
Mid 2000s: SMB2
Past 5 years: SMB3
SMB 1
DOS, Windows, LANMan(!)
Ubiquitously abused
Slow, unsafe $%^#
SMB 2
Windows Vista+ / Windows Server 2008+
User-optimized
Request compounds, large reads and writes
Folder & file property caching
Durable handles
Improved message signing - HMAC SHA-256
Large MTU support
SMB 3
SMB 3.0
SMB 3.02
SMB 3.1.1
Windows 8+ / Windows Server 2012+
Datacenter application-optimized
Software-defined fabric
Modern user
Security-oriented
Deprecated years ago
Removable since WS2012 R2/Win8.1
Disable-able since Vista/2008
Gone in WS2016 Nano
uninstalled by default
uninstalled by default
uninstalled if not used
Attacker → Blocked – no SMB1 server
Home and Pro editions
SMB1 Client
disabled by default
allowed client dialects
Find it - aka.ms/StillNeedsSMB1
Zap it - KB2696547
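The "find it, then zap it" sequence above as an added PowerShell example (not from Ned's deck): it checks whether the SMB1 server dialect is still on, turns on SMB1 access auditing so legacy clients can be identified first, and only then disables and removes the component. It assumes an elevated session and the built-in SmbShare and DISM cmdlets; the function names are my own.

```powershell
# Added example, not part of the original slides. Assumes an elevated session.
#Requires -RunAsAdministrator

function Get-Smb1Status {
    # "Find it": is the SMB1 server still enabled, and is anyone still negotiating it?
    $cfg     = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    # Sessions at a 1.x dialect are the clients that will break when SMB1 is removed.
    $smb1Sessions = Get-SmbSession -ErrorAction SilentlyContinue |
        Where-Object { $_.Dialect -like '1.*' } |
        Select-Object ClientComputerName, ClientUserName, Dialect
    [pscustomobject]@{
        ServerSmb1Enabled = $cfg.EnableSMB1Protocol
        Smb1Auditing      = $cfg.AuditSmb1Access
        FeatureState      = if ($feature) { $feature.State } else { 'NotPresent' }
        Smb1Sessions      = @($smb1Sessions)
    }
}

function Enable-Smb1Audit {
    # Before zapping, log every SMB1 connection for a while (event 3000 in the
    # Microsoft-Windows-SMBServer/Audit log) so the remaining legacy devices can be fixed.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

function Get-Smb1AuditClients {
    # Distinct client addresses that negotiated SMB1 since auditing was turned on.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Message } |
        Select-String -Pattern 'Client Address:\s*(\S+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value } |
        Sort-Object -Unique
}

function Disable-Smb1 {
    # "Zap it": switch the SMB1 server off (the KB2696547 method), then remove the
    # optional component so a stray registry change cannot bring it back.
    # On Windows Server use Remove-WindowsFeature FS-SMB1 instead of the DISM cmdlet.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

# Typical flow: inspect, audit for a while, confirm nothing still speaks SMB1, then remove it.
Get-Smb1Status | Format-List
```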
fuzzing, review, & pentests pay off
Set-SmbShare -LeasingMode
Full = default
Shared = grant read-caching lease, not write or handle-caching
None = no oplocks or leases
New to RS3
Should never be used
End-to-end SMB encryption: Privacy
AES-128-GCM & AES-128-CCM
SMB signing updated: Integrity
AES-CMAC
Pre-auth Integrity
Plus all SMB can make use of UNC Hardening
aka.ms/StopUsingSmb1
SMB1 vendor & product list - aka.ms/StillNeedsSmb1
SMB & Windows Server - aka.ms/windowsserver
SMB team blog - aka.ms/serverstorage
Old SMB blog - aka.ms/josesmb3
Spec team - blogs.msdn.microsoft.com/openspecification
Which side do you want to be on?
Thank you! Questions?