Platypus69
May 15, 2017 Luminary
SMB 1.0 (Given Wanna Cry)
Out of curiosity, in the latest 6.7.1 firmware, is SMB 1.0 disabled?
Can we control SMB so that it ONLY uses 3.0 or 2.0-3.0 for example?
- May 24, 2017
The Wanna Cry issue used an attack vector to attack Windows machines that hadn't had a security update installed. Our NAS units don't run Windows.
The latest RAIDiator 4.1.x and RAIDiator-arm use samba 3.5.x. The latest RAIDiator-x86 4.2.x uses samba 3.6.x.
Experimental SMB2 support was added in samba 3.5.x, but really you should be using a newer version of samba to use it. 3.6 isn't much newer. I'd be wanting to use newer than that. To my knowledge we don't have any plans to update samba on these old OSes.
I think SMB2 support is turned off by default on all those models.
OS6 currently uses samba 4.4.x, a much newer samba series.
I've passed on the feature request to be able to disable SMB1 support from the GUI for OS6 devices.
Platypus69
May 15, 2017 Luminary
Therein lies the problem...
There was no need for Microsoft to have installed SMB 1.0 for modern versions of Windows. And have it enabled.
Especially for new installs. And for non-corporate users.
Yet they did so for "backward compatibility".
A better story, to have reduced the surface area of attack, was to get people that need it to install it explicitly.
I was surprised that SMB 1.0 was still part of Windows 10 which was freshly installed a couple of months ago.
So my question was related to whether SMB 1.0 is supported on my RN316 and whether I can turn it off.
All my clients use SMB 3.0, so there is no need for SMB 1.0. It's such an ancient version of the protocol.
WannaCry is an argument against "maintaining backward compatibility forever", or having old protocols enabled by default.
I would rather only support SMB 3.0. And then be forced to upgrade clients to a later version of SMB 1.0, if I desire.
Thus the question. I could not find any configuration for the SMB version anywhere.
As opposed to stepping down protocol versions....
Same example can be made with browsers that try TLS 1.2 then TLS 1.1 then TLS 1.0 then SSL 3.0 then SSL 2.0 then SSL 1.0.
Time to move on...
ctechs
May 15, 2017 Apprentice
You can configure samba to only allow SMB3 connections. I don't THINK there is a way to do this in the GUI at this point. Adding the following to /etc/frontview/samba/smb.conf.overrides would seem to achieve what you're after:
min protocol = SMB3
There is also an app called SMB Plus that lets you do other things to tighten down SMB security if you are so inclined.
- ctechs May 15, 2017 Apprentice
Actually, for current versions of Samba the syntax looks like it should be:
server min protocol = SMB3
- Retired_Member May 15, 2017
Installing SMB plus will force SMB3 to be used as default to my knowledge.
- Platypus69 May 16, 2017 Luminary
Thanks all.
Am using latest version of SMB Plus (1.0.6).
It says:
ReadyNAS supports SMB protocol 3.0 by default. Some Windows applications will not work with SMB 3. For example, Microsoft System Image Backup for Windows 8/Server 2012 will not work with anything higher than SMB 2.0. Adjust the maximum protocol version ReadyNAS will support by changing the setting below.
New SMB connections will adopt the new settings. Establish connections will remain connected as the previous setting. To force existing connections to change settings, the ReadyNAS or the client should be restarted.
So it would be good if there was also a Minimum Protocol Version option.
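The thread suggests setting `min protocol` / `server min protocol` in an overrides file; the following is an added example, not part of any post here and not NETGEAR or Samba code, that reads smb.conf-style text in load order and reports whether the effective global minimum still admits SMB1. It assumes later files win, that an included file starts in `[global]`, and that the built-in default is `LANMAN1` (an assumed value for the Samba 4.4 series); the sample config text is constructed.

```python
import re

# Dialects that belong to the SMB1 family; any other value Samba accepts
# for this parameter (SMB2, SMB2_02, SMB2_10, SMB3, SMB3_00, ...) is newer.
SMB1_FAMILY = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
# "min protocol" is a synonym of "server min protocol"; Samba ignores
# case and spaces in parameter names, so compare the squeezed form.
MIN_KEYS = {"minprotocol", "serverminprotocol"}


def effective_min_protocol(texts, default="LANMAN1"):
    """Return the last global min-protocol value set across config texts.

    texts: config file contents in load order (assumption: later files win).
    default: assumed built-in default for the Samba 4.4 series.
    """
    value = default
    for text in texts:
        section = "global"  # assumption: an included file starts in [global]
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":  # blank line or comment
                continue
            header = re.fullmatch(r"\[(.+)\]", line)
            if header:
                section = header.group(1).strip().lower()
                continue
            name, sep, val = line.partition("=")
            key = re.sub(r"\s+", "", name).lower()
            # The protocol floor is a global parameter; a copy placed in a
            # share section does not change it.
            if sep and section == "global" and key in MIN_KEYS:
                value = val.strip().upper()
    return value


def allows_smb1(texts, default="LANMAN1"):
    """True if the effective minimum protocol is an SMB1-family dialect."""
    return effective_min_protocol(texts, default) in SMB1_FAMILY


# Constructed sample input, not taken from a real ReadyNAS.
MAIN = "[global]\n  workgroup = WORKGROUP\n[share]\n  min protocol = SMB3\n"
OVERRIDE = "# local hardening\nServer Min Protocol = smb3\n"

if __name__ == "__main__":
    print("main only allows SMB1:", allows_smb1([MAIN]))
    print("with override allows SMB1:", allows_smb1([MAIN, OVERRIDE]))
```

On the NAS itself, `testparm -s` shows the configuration Samba actually loaded and is the authoritative check.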