Windows Server Message Block (SMB) Vulnerabilities

By Dan P

If your company is among the 79% of desktop users who employ Windows operating systems, then this article may provide valuable information which if implemented, could prevent an unscrupulous person from carrying out an attack which could compromise your organisation’s network.

The result of an attack could be anywhere from gaining a foothold to total compromise of your network, allowing the criminal the ability to lock down all of your resources. In such cases, the criminals often demand a sum of money for unlocking your data, often referred to as ransomware.

This infamous vulnerability became known by a few names, Eternal Blue being the prominent one which was largely made famous due to the WannaCry ransomware attack.  On 14 March 2017, Microsoft released a security bulletin to patch against this vulnerability, MS17 010, this would soon become another name for this widely abused issue. In addition to this well-known SMB vulnerability, we will take this opportunity to apply other SMB settings which will further enhance your security by preventing a different attack vector.

SMB harbours various responsibilities on a network, some of which are; the access and sharing of files, performing remote administration and sending data to printers. It is a response-request protocol which is found in every Windows environment and plays a vital role in everyday tasks.

There are various versions of SMB found in a Windows environment, they vary depending on the specific operating system in use. SMBv1 entails a vulnerability in the way which it handles certain requests, this can be exploited by an attacker sending a specially crafted message to the server. A number of publicly available exploits exist which can be used to take advantage of this situation. An attacker does not have to be sophisticated, have access to state level tools or an extravagant budget to carry out this attack.

Luckily for the us, there are some simple configurations which will prevent an attacker from taking advantage of this weakness. Ensure that you do not disable SMB v2 or v3, as briefly mentioned, SMB plays an important role within a Windows environment and certain tasks won’t be possible should SMB as whole be disabled.

 

How To Disable SMBv1

To check/ disable SMBv1 on Windows 8 and Windows 10, navigate to; Control Panel > Programs > Turn Windows Features On or Off.

Ensure SMB 1.0 check box is unmarked.

For Windows 7,

Type ‘regedit’ in the windows search bar

 

Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters

Right click on white area of the right panel and select ‘New’ ‘DWORD 32-bit Value’

Name the new value SMB1 then right click ‘Modify’, enter ‘0’ in the Value Data field.

Restart your machine to ensure the key has taken effect.

 

Whilst this article is the focus of SMB, I feel that the large elephant in the room would go undiscussed if I was not to mention that Windows 7 is no longer supported. The SMB setting has been mentioned here to support the 250 million Windows 7 users. Go ahead and disable SMBv1 however, ensure you upgrade to a supported version of Windows as soon as possible. It is definitely worth considering the lifespan of the operating system which you upgrade to, for example; Windows 10 1809 will reach end of service on 12 May 2020.

 

Let’s Double Up On Security

This next remediation will at the very least provide an extra layer of protection on your network. Security is a continuous and holistic approach which requires ones finger to be on the pulse in regards to threat landscape. Staying on the subject of SMB, we will now discuss a related vulnerability which can be used by an attacker to gain a foothold on your network.

A malicious person who has access to the network is able to freely intercept Windows New Technology Local Area Network Manager (NTLM)v2 hashes as they are passed between client and server. If users employ common passwords, these hashes can be ‘cracked’. A more preferred and often quicker method is to relay these hashes which enables the attacker to authenticate as a genuine user.

SMB Signing….

when enabled, ensures that communications over SMB are digitally signed. Digitally signing the packets enables the recipient to confirm their integrity. This security mechanism in the SMB  protocol helps prevent “man in the  middle” attacks. Although SMB signing can be found on all Windows systems, it is only enabled on Domain Controller’s by default.

By enforcing SMB signing, NTLMv2 hashes can still be captured, however they cannot be relayed successfully; ultimately preventing an attacker from using a simple technique to gain a foothold on your network. The capture of these hashes still presents a security issue which we will deal with in a later article.

Forcing message singing on SMBv2 will produce a notable difference in performance; high Central processing Unit (CPU) and reduced speeds are often seen. Each network will behave differently, the exact impact can only be calculated by trial and error. Ensure all settings are recorded prior to implementation. The issue of performance is somewhat alleviated where SMBv3.11 is used which was introduced on Windows 10 and Windows Server 2016.

There are a number of different settings required to ensure success, Microsoft has produced through guidance on how to make these changes. Click on the link below to view the documentation.

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always

 

For further advice on how you can secure your systems please get in touch and speak with one of the team.

 

Share this article