Microsoft recommends Exchange admins to disable the SMBv1 protocol

Microsoft is recommending administrators to disable the SMBv1 network communication protocol on Exchange servers to prevent malware attacks.

Microsoft is urging administrators to disable the SMBv1 protocol on Exchange servers as a countermeasure against malware threats like TrickBot and Emotet.

“To make sure that your Exchange organization is better protected against the latest threats (for example Emotet, TrickBot or WannaCry to name a few) we recommend disabling SMBv1 if it’s enabled on your Exchange (2013/2016/2019) server.” reads an advisory published by the Microsoft Tech Community.

The SMBv1 protocol is a network communication protocol for providing shared access to files, printers, and serial ports between nodes on a network. It also provides an authenticated inter-process communication mechanism.

Since 2016, Microsoft is urging admins to stop using SMBv1, later versions of the protocol implemented security enhancements, such as encryption, pre-authentication integrity checks to prevent man-in-the-middle (MiTM) attacks, and insecure guest authentication blocking.

Now the Exchange is remarking the need to disable the SMBv1on exchange servers.

“There is no need to run the nearly 30-year-old SMBv1 protocol when Exchange 2013/2016/2019 is installed on your system. SMBv1 isn’t safe and you lose key protections offered by later SMB protocol versions. If you want to learn more about SMBv1 and why you should stop using it, I’d recommend reading this blog post published and updated by Ned Pyle.” continues Microsoft

“Microsoft publicly deprecated the SMBv1 protocol in 2014 and so we stopped installing it by default when using Windows Server 2016 1709 (RS3). Please see this KB for more information.“

In 2017, the Shadow Brokers hacking group released a collection of NSA exploits and hacking tools targeting Microsoft’s Windows OS, some of them were developed to exploit the SMBv1 protocol to execute commands on vulnerable servers with administrative privileges.

Two of the most popular exploits today implemented in several malware strains are EternalBlue and EternalRomance. The list of malware including the exploits is long and includes Emotet, TrickBot, WannaCry, Retefe, NotPetya, and the Olympic Destroyer.

SMBv1 is no longer installed by default since Windows 10 version 1709 and Windows Server version 1709, while latest versions of the operating systems are using SMBv3.

To check if SMBv1 is enabled on a Windows server, users can execute the following PowerShell commands depending on their Windows Server version.

Windows Server 2008 R2: By default, SMBv1 is enabled in Windows Server 2008 R2. Therefore, if the following command does not return an SMB1 value or an SMB1 value of 1, then it is enabled. If it returns an SMB1 value of 0, it is disabled.

Get-Item HKLM:SYSTEMCurrentControlSetServicesLanmanServerParameters | ForEach-Object {Get-ItemProperty $_.pspath}

Windows Server 2012: If the command returns false, SMBv1 is not enabled.

Get-SmbServerConfiguration | Select EnableSMB1Protocol

Windows Server 2012 R2 or higher: If the command returns false, SMBv1 is not enabled.

(Get-WindowsFeature FS-SMB1).Installed
Get-SmbServerConfiguration | Select EnableSMB1Protocol

If SMBv1 is enabled on admins’ server, they can disable it using the following commands.

Windows Server 2008 R2:

Set-ItemProperty -Path "HKLM:SYSTEMCurrentControlSetServicesLanmanServerParameters" -Name SMB1 -Type DWORD -Value 0 –Force

Windows Server 2012:

Set-SmbServerConfiguration -EnableSMB1Protocol $false -force

Windows Server 2012 R2 or higher:

Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
Set-SmbServerConfiguration -EnableSMB1Protocol $false

Pierluigi Paganini

(SecurityAffairs – Microsoft Exchange, SMBv1)

Share On