Is smbv1 enabled by default? If so, how can it be disabled?
Why do you want to disable it?
Which NS version are you referring to?
Maybe the question regards WannaCry ransomware? Just thinking…
How do they relate? Please explain!
You are asking me? If yes, I think the NS7 is safe (done some testing).
Situation @my company
- I had one QNAP server where my users store all files
- I have got a NS7 server which is holding my MSSQL database backups
Regarding security advice about the WannaCry malware/ransomware, I had to patch all my Microsoft systems with their security patches, but there is another thing which security experts said: that we should disable the SMBv1 protocol. I tested this on my Win machine and the problem was that I could not connect to QNAP shares (it has by default only SMBv1 authentication enabled), but my NS7 server (which has no AD, only pure file sharing) was able to accept my credentials and I was able to connect to NS7 shares (with the SMBv1 protocol disabled on my Win7 machine).
I presume that even if NS7 uses only pure Samba4 file sharing, Samba is using NTLMv2 or greater to authenticate users to allow mapping shares from it.
On my QNAP NAS I have to enable the option to authenticate users by NTLMv2 (which I haven’t tested yet).
So in my opinion the NS7 is secure.
Correct me if I am wrong.
For better security.
Currently v6.9, will be going to v7 when I get the chance (no ETA as yet).
It is a bit of a knee-jerk reaction to limit anything like that abusing SMBv1.
We should read Samba and CentOS/RHEL documentation to get the correct answer. Also the output of testparm -v could provide some help.
IIRC smb1 is enabled in v6 and v7 by default. Many legacy clients do not support latest protocols so before disabling older ones, a detailed network inventory must be done.
Just for the record I’ve enabled the deprecated NTLM auth protocol in NS7 DC to support legacy scanners during ns6/sme8 upgrade procedure:
Is the deprecated NTLM auth protocol something which can be “easily” enabled/disabled with some very basic login behind a button in the GUI?
I haven’t looked into this, hence the question.
No buttons ATM: as usual we try to keep all parameters at upstream default value. Since Badlock, Samba cut off the NTLM proto by default. Here I re-enable it to provide backward compatibility during sme8/ns6 upgrade to ns7. However it should be turned off when all clients are fixed, as this PR explains:
https://github.com/NethServer/docs/pull/220/files
As said about smb1: it should be enabled on ns7 too. If you want to turn it off you need a custom template.
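An added check and fix, not code from this thread or from NethServer: it reads `testparm -v` output (a constructed sample is embedded) to tell whether the server still accepts SMBv1 dialects and NTLMv1 auth, and rewrites the [global] section to require SMB2. On NS7, where smb.conf is template-generated, the two hardened lines would go into a custom template fragment under /etc/e-smith/templates-custom/etc/samba/smb.conf/ (fragment name is yours to choose) rather than into the file directly.

```shell
#!/bin/sh
# Added example (not from the thread or NethServer): audit SMB1 / NTLMv1
# exposure from `testparm -v` output and emit a hardened [global] section.
# Real use: testparm -sv 2>/dev/null | smb1_allowed

# Constructed `testparm -v` excerpt with the pre-Samba-4.11 defaults (SMB1 on).
SAMPLE_TESTPARM='[global]
    workgroup = WORKGROUP
    server min protocol = LANMAN1
    server max protocol = SMB3
    ntlm auth = Yes'

# Read smb.conf / testparm text on stdin; print one parameter's value, lowercased.
smb_param() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1 | tr '[:upper:]' '[:lower:]'
}

# yes: minimum dialect is an SMB1 dialect, so SMB1 clients are accepted.
# no: minimum is SMB2/SMB3. unknown: parameter absent (re-run testparm with -v).
smb1_allowed() {
    case "$(smb_param 'server min protocol')" in
        core|coreplus|lanman1|lanman2|nt1) echo yes ;;
        smb2*|smb3*)                       echo no ;;
        *)                                 echo unknown ;;
    esac
}

# yes if NTLMv1 responses are still accepted (the deprecated NTLM auth discussed
# above); no if only NTLMv2 or stronger is allowed. Covers old yes/no and the
# Samba >= 4.7 enumerated values.
ntlmv1_allowed() {
    case "$(smb_param 'ntlm auth')" in
        yes|ntlmv1-permitted)                             echo yes ;;
        no|ntlmv2-only|mschapv2-and-ntlmv2-only|disabled) echo no ;;
        *)                                                echo unknown ;;
    esac
}

# Rewrite config on stdin: right after [global] force SMB2 as the minimum dialect
# and NTLMv2-only auth ("ntlm auth = no" works on every Samba 4.x), and drop any
# later copies of those two parameters so the hardened values win.
harden_global() {
    awk '
        /^\[global\]/ { print; print "    server min protocol = SMB2"; print "    ntlm auth = no"; next }
        /^[[:space:]]*(server min protocol|ntlm auth)[[:space:]]*=/ { next }
        { print }'
}
```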
Then I would vote to either disable it completely, or make a button for it on the Samba pages.
v1 is a HUUUGE risk that we should really not want enabled, especially not by default!
We pity those in the Windows world that still use Windows 2003, yet we enable the same protocols by default. From a security point of view, we have a HUGE problem. And for me, this would be a reason to put NethServer aside, if I wasn’t able to manually fix things.
A question regarding WannaCry and SMBv1.
Does WannaCry spread because of an intrinsic SMBv1 flaw or because of an implementation flaw in Windows products?
So, if it’s the second hypothesis, maybe the SMBv1 implementation in Samba isn’t affected if the two products don’t share the same code…
From what I understood it is the Windows implementation having problems … then resolved with the patch of March.
I’ll do some other search… but some sources talk also of a possible problem with SMBv2.
I’ve seen conflicting reports about the exploit. Is it targeting SMBv1 or SMBv2?
The vulnerability exploited by the EternalBlue tool lies in the SMBv1 implementation. However, to exploit it, the tool also uses SMBv2. This means that it uses both SMBv1 and SMBv2 packets during the attack. Disabling SMBv1 or SMBv2 prevents the infection; however, while disabling SMBv1 (an old protocol) has no significant impact on modern systems, disabling SMBv2 can cause problems. This is why it is highly recommended to disable SMBv1 for the current attack and for the future.
only windows
Wannacry is windows specific:
https://www.symantec.com/security_response/writeup.jsp?docid=2017-051310-3522-99&tabid=2
WORM MODULE
The worm module is the component responsible for the propagation of the threat. It uses the Microsoft Windows SMB Server Remote Code Execution Vulnerability (CVE-2017-0144) and the Microsoft Windows SMB Server Remote Code Execution Vulnerability (CVE-2017-0145) to spread.
The vulnerabilities impact all versions of the Windows operating system running SMBv1. Patches were released by Microsoft on March 14, 2017.
But by now every decent AV manufacturer has a good protection against it already.
What you need to know about the WannaCry Ransomware
Since 80% of ransomware comes through phishing mails, I would rather focus on generally decreasing the attack surface of my environment, instead of just focusing on SMBv1:
Hardening Your Environment Against Ransomware
https://www.symantec.com/connect/articles/hardening-your-environment-against-ransomware
If you got hit by ransomware, you might like these tools for decryption:
https://www.nomoreransom.org/decryption-tools.html
or
https://www.symantec.com/connect/articles/recovering-ransomlocked-files-using-built-windows-tools
Same information but from different sources: