I was looking into the network traffic at our company while performing a security audit and I found that we still have a server running SMBv1 on the network.

The server is a Windows 2003 Domain Controller and is also used as the file server for the company. As far as I can tell, SMBv1 is being used to handle the login functions from users' machines so that they can access the file server. When I create a firewall rule on the server to block all SMBv1 traffic, it makes it so that no one can log on to the file server.

I have advised that we upgrade the domain controller and file server to a newer, more secure platform; however, I know that this is not going to happen for some time. In the meantime, I was wondering if there was a way that I could disable SMBv1 on the server and use a different, more secure protocol instead to handle the login functions. Is this an option, or do I just have to wait for the hardware to be upgraded?

Jack
If you are having trouble changing a computer's name (due to SMB1) in an environment where only one of the domain controllers is Windows 2003: if you turn off the Windows 2003 server (or change a computer's name while 2003 is rebooting), you'll avoid that SMBv1 block warning. – Lonnie Best Sep 28 '18 at 09:27

1 Answer


The real fix

First of all, I would strongly recommend focusing only on convincing the decision makers that it is very irresponsible to continue the use of Windows Server 2003 in production environments. The easiest way to do so is to point out their responsibility and liability and the potential risks. Make that clear and ask them if they really want to accept those risks; probably not! They likely just don't understand the risks.

Additionally, convince them with plenty of different reasons, most importantly:

Microsoft ended support for the Windows Server 2003 operating system on July 14, 2015. After that date, this product will no longer receive: Security patches that help protect PCs from harmful viruses, spyware, and other malicious software.

Also, if I'm not mistaken, ransomware like WannaCry and Petya exploited SMBv1. It got plenty of media attention to underline your statement.

Upgrading or migrating should get serious priority and (time) budget in order to fix the underlying issue here.


The best of the worst

Or, "the unrealistic and terrible workaround". If you are sure you tried everything in your power to convince them why it's a terrible idea to continue the use of Windows Server 2003: this goes against all my principles and hurts me to say, but... make the best of the worst. I think you might be technically able to install and enable SMBv2 or even SMBv3, after which you can disable SMBv1 (probably server-side as well as client-side).

But this is a path you really don't want to go down. As far as I know, there is no official support for SMBv2 and v3 in Windows Server 2003 since it's end-of-life. But if you do manage somehow (first of all, respect for your technical skills), you now have a new SMB version in place and can disable SMBv1 as well as possibly block SMBv1 traffic in the firewall. You probably need some kind of advanced firewall since I think SMB is using the same network ports for v1, v2 and v3. So basic firewall rules are probably not gonna get you anywhere.

But again, you probably have more or other issues to worry about than disabling SMBv1 when you run Windows Server 2003.

Lastly, if the server was only used as a fileserver, you could maybe look into SMB alternatives like NFS. But that's not ideal for Windows servers (and clients).

Bob Ortiz
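
As an added illustration (not part of the answer above and not the answerer's code): since the SMB versions share the same port, a payload-aware filter or audit script has to read the protocol ID that follows the 4-byte transport header on TCP 445. The Python example below does that and also reads the dialect list of an SMB1 negotiate request, which shows whether a client could move to SMB2 once the server offers it. It assumes each payload starts on a message boundary; the function names are hypothetical and the sample payloads are constructed.

```python
# Protocol ID that follows the 4-byte transport header on TCP 445.
MAGIC = {b"\xffSMB": "SMB1", b"\xfeSMB": "SMB2/3",
         b"\xfdSMB": "SMB3 encrypted", b"\xfcSMB": "SMB3 compressed"}
SMB1_HDR = 32          # fixed SMB1 header length
SMB1_NEGOTIATE = 0x72  # SMB_COM_NEGOTIATE command code

def smb1_dialects(msg):
    """Dialects in an SMB1 negotiate: 0x02 byte + NUL-terminated name each."""
    pos = SMB1_HDR + 1 + 2 * msg[SMB1_HDR]  # skip WordCount and its words
    byte_count = int.from_bytes(msg[pos:pos + 2], "little")
    data = msg[pos + 2:pos + 2 + byte_count]
    return [d[1:].decode("ascii", "replace")
            for d in data.split(b"\x00") if d[:1] == b"\x02"]

def classify(payload):
    """Classify a TCP payload that starts on an SMB message boundary."""
    if len(payload) < 8 or payload[0] != 0:
        return "not SMB"
    msg = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    proto = MAGIC.get(msg[:4], "not SMB")
    if proto != "SMB1":
        return proto
    is_request = len(msg) >= SMB1_HDR + 3 and not msg[9] & 0x80  # 0x80 = reply
    if not (is_request and msg[4] == SMB1_NEGOTIATE):
        return "SMB1 traffic"
    dialects = smb1_dialects(msg)
    # An SMB1-framed negotiate that lists "SMB 2.xxx" can move to SMB2+.
    if any(d.startswith("SMB 2") for d in dialects):
        return "SMB1 negotiate, client also offers SMB2"
    return "SMB1 negotiate, SMB1 only" if dialects else "SMB1 negotiate, unparsed"

def frame(msg):  # Direct TCP framing: zero byte + 24-bit big-endian length
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

def smb1_negotiate(dialects):
    """Constructed SMB1 negotiate request, other header fields zeroed."""
    body = b"".join(b"\x02" + d.encode() + b"\x00" for d in dialects)
    hdr = b"\xffSMB" + bytes([SMB1_NEGOTIATE]) + bytes(27)
    return frame(hdr + b"\x00" + len(body).to_bytes(2, "little") + body)

def demo():
    """Verdicts for three constructed payloads (not captured traffic)."""
    samples = [smb1_negotiate(["NT LM 0.12"]),
               smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"]),
               frame(b"\xfeSMB" + bytes(60))]
    return [classify(p) for p in samples]

if __name__ == "__main__":
    print(demo())
```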