SMB on Windows 7

 

Recently there has been a major world-wide attack by the creators of the ransomware known as WannaCrypt, and it has had a major effect on numerous computer systems. There seems to be a wide diversity of opinion about which versions of Windows were affected, but it was exclusively Windows computers that were infected.

WannaCrypt has been very successful in propagating because, although it can be picked up by a computer through an email attachment, it is also a worm: as well as attacking the individual computer, it can propagate across networks on its own.

WannaCrypt propagates using a vulnerability in SMBv1, the first version of the Server Message Block (SMB) protocol, which Microsoft used to provide file and printer sharing in Windows 2000 and Windows XP.

SMBv1 lives on in later versions of Windows, including Windows 7, Windows 8 and Windows 10, because Microsoft insist on making every new version of Windows backward compatible with every previous version.

Microsoft have issued patches for SMB to try to remove the vulnerability - even for Windows XP - so a fully patched computer should be immune to the worm. I haven't seen any comment as to whether a patched computer can still be infected by WannaCrypt via an email attachment.

However, since SMBv1 is such an old protocol, not many people require it now, and if you are interested in hardening your computer then it is a good idea to disable it, especially if you are going to run Server and Workstation to interconnect with other computers running Windows 7 or later (which all support SMBv2).

SMBv1 has been known to be buggy for a long time, so there may well be other vulnerabilities in it that either haven't been found, or have been found but not made public.

 

Versions of SMB

SMB continues to evolve with each new version of Windows:

However, as noted above, many of these versions of Windows also contain all earlier versions of SMB.

 

SMB in Windows 7

I have previously advised that various services that run by default in Windows 7 should be disabled - and the list included the two services known as Server and Workstation.

Their full names are LanmanServer and LanmanWorkstation.

They are used by the Microsoft file and printer sharing service.

Server and Workstation both rely on SMB, and in Windows 7 they are both configured to use either SMBv1 or SMBv2, depending on which version the opposite end of the connection requires - part of the setup of an SMB file share connection between two computers is to negotiate the best protocol version that both ends support.

If your Windows 7 computer is never going to try and connect to another computer running an earlier version of Windows, then you can safely disable SMBv1.

 

LanmanServer

It is quite straightforward to disable SMBv1 in LanmanServer; it can be done through a single registry entry.

Go to


       HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Add a DWORD value with the name "SMB1" and set its value to 0. (If the value is absent, SMBv1 is enabled, which is the default.)

Note that you can also do this through PowerShell if that is your preference (all on one line):


       Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 0 -Force

 

LanmanWorkstation

Not quite so straightforward: to disable SMBv1 in Workstation you have to use the command line tool sc.exe, and you need to run the command prompt as an administrator.

You need to enter two lines, and of course press Return after each one.

The first line rewrites the Workstation service's dependency list so that it no longer depends on the SMBv1 driver (mrxsmb10) and therefore stops using SMBv1; the second line prevents the SMBv1 driver from starting at all.


       sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

       sc.exe config mrxsmb10 start= disabled

Note that in both these lines there is no space before the equals sign and exactly one space after it - this is the syntax sc.exe requires, and it will reject the command otherwise.

After making any of the above changes a reboot is required to make the changes effective.

mrxsmb10.sys and mrxsmb20.sys are file system drivers; they live in C:\Windows\System32\drivers, and you can check their status using the query function within sc.exe, for example "sc.exe query mrxsmb10".
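To confirm that the LanmanServer and LanmanWorkstation changes above have actually taken effect, the following PowerShell script (an added example, not part of the original page) reads the same registry locations that the registry edit and the two sc.exe commands write to and reports whether SMBv1 is fully disabled. It assumes PowerShell 2.0 or later as shipped with Windows 7, and it only reads; it changes nothing.

```powershell
# Added example: audit the SMBv1 state on Windows 7. Read-only; run elevated.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Test-Smb1Disabled {
    $r = @{}

    # LanmanServer side: SMB1 = 0 under ...\LanmanServer\Parameters means the
    # server will not offer SMBv1. A missing value means SMBv1 is still on (default).
    $srv = Get-ItemProperty -Path "$svc\LanmanServer\Parameters" -Name SMB1 -ErrorAction SilentlyContinue
    $r.ServerSmb1Disabled = ($null -ne $srv -and $srv.SMB1 -eq 0)

    # LanmanWorkstation side: after "sc.exe config lanmanworkstation depend=
    # bowser/mrxsmb20/nsi" the DependOnService list must not contain mrxsmb10.
    $wks = Get-ItemProperty -Path "$svc\LanmanWorkstation" -Name DependOnService -ErrorAction SilentlyContinue
    $deps = @()
    if ($null -ne $wks) { $deps = @($wks.DependOnService) }
    $r.WorkstationDependsOnSmb1 = ($deps -contains 'mrxsmb10')

    # SMBv1 driver: "sc.exe config mrxsmb10 start= disabled" sets Start = 4
    # (SERVICE_DISABLED). Default for this driver is 3 (on demand).
    $drv = Get-ItemProperty -Path "$svc\mrxsmb10" -Name Start -ErrorAction SilentlyContinue
    $r.Mrxsmb10Start = if ($null -ne $drv) { $drv.Start } else { 'not present' }
    $r.Mrxsmb10Disabled = ($null -eq $drv -or $drv.Start -eq 4)

    # Is the driver still loaded? It stays loaded until the reboot the text
    # calls for, so this flag distinguishes "configured" from "effective".
    $run = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='mrxsmb10'" -ErrorAction SilentlyContinue
    $r.Mrxsmb10Running = ($null -ne $run -and $run.State -eq 'Running')

    $r.Smb1FullyDisabled = ($r.ServerSmb1Disabled -and
                            (-not $r.WorkstationDependsOnSmb1) -and
                            $r.Mrxsmb10Disabled -and
                            (-not $r.Mrxsmb10Running))
    return New-Object PSObject -Property $r
}

Test-Smb1Disabled | Format-List
```

If Smb1FullyDisabled is False but the three configuration flags are as expected and only Mrxsmb10Running is True, the reboot has not yet happened.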

If you want a belt-and-braces approach to getting rid of SMBv1, you could also try deleting mrxsmb10.sys after you have done all the above reconfiguration - don't delete it until you have done the reconfiguration, otherwise you may leave the system in an unusable state.

Deleting it is not a trivial exercise, as it is a system file owned by TrustedInstaller, and even administrators only have read and execute rights on it.

 

Disclaimer

The usual disclaimer applies - this all works on my computers, but I can give no guarantee that it will work on your computer(s), and you make these changes to your computer(s) entirely at your own risk.


© 2024   Ron Turner
