Ransomware exploits SMB1 : should we disable SMB1?

UnitedOffice
I'm New!
Posts: 8
Joined: Mon May 15, 2017 11:16 am

Re: Ransomware exploits SMB1 : should we disable SMB1?

Postby UnitedOffice » Wed May 17, 2017 7:22 pm

Ok, so I've worked out that the board does not allow one to simply attach an image from the desktop...

So I've found something close online. Let's say my Synology is called 'NAS'. Below is what I DO want to see, but can only achieve if I enable SMB1/CIFS on the PC (note that the Diskstation is set to SMB2&3 only, not SMB1 which is odd, given that the PC requires SMB1/CIFS enabled and the Diskstation then confirms 'Connected Users ... CIFS'):

Image

How do you do the above - without SMB1/CIFS enabled on the PC? (weirdly, SMB1 is NOT enabled on the Diskstation, but this has no impact here either way).


For clarity, this is what I am seeing instead due to the removal of SMB1/CIFS from the PC:
Image
Notice the NAS has vanished from the left pane, so it is no longer possible to simply navigate its folders and files as if they were local.
killswitch
I'm New!
Posts: 1
Joined: Wed May 17, 2017 11:40 pm

Re: Ransomware exploits SMB1 : should we disable SMB1?

Postby killswitch » Wed May 17, 2017 11:55 pm

If you remove the feature SMBv1/CIFS, it also removes the computer browser protocol.
You should disable SMBv1 via powershell.


https://support.microsoft.com/en-us/hel ... erver-2012

https://blogs.technet.microsoft.com/fil ... sing-smb1/
UnitedOffice
I'm New!
Posts: 8
Joined: Mon May 15, 2017 11:16 am

Re: Ransomware exploits SMB1 : should we disable SMB1?

Postby UnitedOffice » Thu May 18, 2017 8:11 am

Thanks for the reply. Does that advice apply also to Windows 7?
I ask because of course in Windows 7 there is no SMB1/CIFS check box in 'add/remove Windows features' dialog, so I used the sc.exe method (also given in your links).
Anyway, I will give it a go, and if it works I will curse Microsoft for failing to make this less than subtle distinction in their guidance (as per your links).
Thanks again, I'll update later.
UnitedOffice
I'm New!
Posts: 8
Joined: Mon May 15, 2017 11:16 am

Re: Ransomware exploits SMB1 : should we disable SMB1?

Postby UnitedOffice » Thu May 18, 2017 11:04 am

killswitch wrote:If you remove the feature SMBv1/CIFS, it also removes the computer browser protocol.
You should disable SMBv1 via powershell.


https://support.microsoft.com/en-us/hel ... erver-2012

https://blogs.technet.microsoft.com/fil ... sing-smb1/


OK, I've tried what you suggested, unfortunately without success. Here is what I did:

On a Win10 (1607) laptop I first re-enabled SMBv1/CIFS via:
Control Panel>Programs and Features
>Turn Windows features on or off
>SMB1.0/CIFS File Sharing Support check box [checked - i.e. feature ENABLED]

I verified that I was able to see the Diskstation in the left pane of Windows Explorer under Network, and navigate the Diskstation files.
I verified that DSM showed me as a connected user in the Resource Monitor, connected as CIFS (even though the Diskstation is set to SMB2/3 ONLY)

Then I did as you suggest:
Powershell (Desktop app) run as Administrator
Disable-WindowsOptionalFeature -Online -FeatureName SMB1protocol
The only difference I noticed compared to the example shown in your link is that after the command had completed the display showed RestartNeeded : True [instead of False]
Image

So I did a restart.
No longer able to see the Diskstation listed under Network in the left pane of Windows Explorer, no longer able to browse files on the Diskstation.

What was the basis of your advice? Is this something you have done? I have tried to be as specific as possible in outlining the steps I took above in case you can see where I deviated.

Note that when I looked again at Windows Features etc after having used Powershell to disable SMB1 I noticed that the checkbox had been cleared. In other words, it seems as if the Powershell method achieves exactly the same outcome as simply clearing the checkbox oneself.
siege00
I'm New!
Posts: 2
Joined: Thu May 18, 2017 4:20 pm

Re: Ransomware exploits SMB1 : should we disable SMB1?

Postby siege00 » Thu May 18, 2017 4:30 pm

UnitedOffice wrote:
killswitch wrote:If you remove the feature SMBv1/CIFS, it also removes the computer browser protocol.
You should disable SMBv1 via powershell.


https://support.microsoft.com/en-us/hel ... erver-2012

https://blogs.technet.microsoft.com/fil ... sing-smb1/


OK, I've tried what you suggested, unfortunately without success. Here is what I did:

On a Win10 (1607) laptop I first re-enabled SMBv1/CIFS via:
Control Panel>Programs and Features
>Turn Windows features on or off
>SMB1.0/CIFS File Sharing Support check box [checked - i.e. feature ENABLED]

I verified that I was able to see the Diskstation in the left pane of Windows Explorer under Network, and navigate the Diskstation files.
I verified that DSM showed me as a connected user in the Resource Monitor, connected as CIFS (even though the Diskstation is set to SMB2/3 ONLY)

Then I did as you suggest:
Powershell (Desktop app) run as Administrator
Disable-WindowsOptionalFeature -Online -FeatureName SMB1protocol
The only difference I noticed compared to the example shown in your link is that after the command had completed the display showed RestartNeeded : True [instead of False]
Image

So I did a restart.
No longer able to see the Diskstation listed under Network in the left pane of Windows Explorer, no longer able to browse files on the Diskstation.

What was the basis of your advice? Is this something you have done? I have tried to be as specific as possible in outlining the steps I took above in case you can see where I deviated.

Note that when I looked again at Windows Features etc after having used Powershell to disable SMB1 I noticed that the checkbox had been cleared. In other words, it seems as if the Powershell method achieves exactly the same outcome as simply clearing the checkbox oneself.


I ran into the same issue you are having, same environment (Win 10 connecting to Synology NAS). Unchecking SMB1/CIFS in Windows features disabled my ability to hit the NAS via UNC (i.e. \\nas.onmynetwork\share). I went into the Synology web interface, control panel, file services. Select SMB/AFP/NFS if it's not already selected, make sure the SMB service checkbox is ticked, then click on Advanced Settings in the SMB section. Inside the advanced settings (which are likely set to SMBv1 only), for minimum SMB protocol I selected SMB2, and Max SMB protocol I selected SMB3. Make note that the "Max" dropdown is above the "Min" dropdown, which is contrary to what I expected it to be and I almost reversed the entries. Click Apply and network services on the Synology restarted.

At that point I was able to UNC to the Synology, so in theory, it should show up in the network section of Windows Explorer.

Hope this helps.
eaz
Seasoned
Posts: 567
Joined: Sun Mar 04, 2007 9:04 pm

Re: Ransomware exploits SMB1 : should we disable SMB1?

Postby eaz » Thu May 18, 2017 5:16 pm

Most people would just make a drive for each share:

Like P: for photo and M: for music. They are then permanently visible under Computer.


This makes navigation easy. Why not set it up like that?
Please share if a reply was useful or how the issue was solved, it helps other DS users.

DS415+ (2*4TB HD raid1 + 2*480GB SSD raid1), DS212+ (2*WD red 2TB), previous DS411J, DS106
UnitedOffice
I'm New!
Posts: 8
Joined: Mon May 15, 2017 11:16 am

Re: Ransomware exploits SMB1 : should we disable SMB1?

Postby UnitedOffice » Thu May 18, 2017 8:13 pm

@siege00
Thanks for the reply. As you will see from my earlier post I have already set the min/max SMB settings in the Synology as you suggest. Indeed, one of the things I don't understand is why, if the Synology is set to maximum SMB3, minimum SMB2, why does the SMB1/CIFS setting in the PC work with it at all? And why does the Synology report the connections as CIFS? Note that ES File Explorer (android) will not talk to the Synology set to SMB2 minimum. ES File Explorer does require SMB1 in the NAS. So the plot thickens.

You say that with those settings one "should" see the Synology in the Network listing (see my earlier post with pictures). "Should" indeed - could you confirm if you actually do?

@eaz
It may have to come to using mapped drive letters, but that will leave me scratching this itch! But also, multiple drive letters just is not as simple and friendly as just seeing the damn Synology in the Network list, able to navigate its drives at will. And if I ever change the directory listing in the NAS then I have to go back to each PC and adjust.

It is not just a Synology problem - I see the same issue with my old white-light WD NAS

Thanks for all the input, appreciated.
siege00
I'm New!
Posts: 2
Joined: Thu May 18, 2017 4:20 pm

Re: Ransomware exploits SMB1 : should we disable SMB1?

Postby siege00 » Fri May 19, 2017 9:04 am

UnitedOffice wrote:@siege00
Thanks for the reply. As you will see from my earlier post I have already set the min/max SMB settings in the Synology as you suggest. Indeed, one of the things I don't understand is why, if the Synology is set to maximum SMB3, minimum SMB2, why does the SMB1/CIFS setting in the PC work with it at all? And why does the Synology report the connections as CIFS? Note that ES File Explorer (android) will not talk to the Synology set to SMB2 minimum. ES File Explorer does require SMB1 in the NAS. So the plot thickens.

You say that with those settings one "should" see the Synology in the Network listing (see my earlier post with pictures). "Should" indeed - could you confirm if you actually do?

@eaz
It may have to come to using mapped drive letters, but that will leave me scratching this itch! But also, multiple drive letters just is not as simple and friendly as just seeing the damn Synology in the Network list, able to navigate its drives at will. And if I ever change the directory listing in the NAS then I have to go back to each PC and adjust.

It is not just a Synology problem - I see the same issue with my old white-light WD NAS

Thanks for all the input, appreciated.


It does show up as CIFS, and after I connect, it does show up in the network list in Explorer. My guess is that the identified protocol is just displayed basically instead of in detail, maybe using the same module to log the info. As to how you can connect with SMB1 enabled, I would guess that Windows goes up to the connection level available after failing with SMB1 (this is only a guess) but it does similar things with RDP and NTLM IIRC. Try connecting via UNC, then actually browsing folders, not just viewing the root folder, and see if it appears in Network. You can also try right-clicking it, if it appears, and pinning to Quick Access for convenience. It may stay there between reboots, but I'm not sure.
lolotlse
I'm New!
Posts: 7
Joined: Wed May 17, 2017 5:17 pm

Re: Ransomware exploits SMB1 : should we disable SMB1?

Postby lolotlse » Fri May 19, 2017 6:58 pm

Enable SMB2 & SMB3 on the client.
You can use sc.exe to register the service so that it supports SMB2 & 3 on clients.
If you leave depend= bowser/mrxsmb10/mrxsmb20/nsi, you cannot use SMB, because the services cannot start: your client does not support SMB1, and mrxsmb10 is the service for SMB1. If it does not exist or is marked as deactivated, this prevents the start, and SMB2 or 3 cannot start because of this dependency. You must configure your clients like this. I hope this thread can help someone.

In cmd with admin privileges:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
sc.exe config mrxsmb20 start= auto

Reboot PCs
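
A read-only check for the two points raised above (which SMB dialect a session actually negotiated, and whether the sc.exe settings took effect), added here as an example and not written by any poster in this thread. It assumes an elevated Windows PowerShell 3.0 or later prompt; the Get-DriverStart helper and the report labels are names made up for this example.

```powershell
# Added example: read-only audit of the SMB1 client state on a Windows PC.
# Run elevated; nothing is changed.
$svcRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$startNames = @{ 0 = 'boot'; 1 = 'system'; 2 = 'auto'; 3 = 'demand'; 4 = 'disabled' }

function Get-DriverStart([string]$Name) {
    # Start type of a redirector driver; 'absent' if the service key is gone,
    # which is the case once the SMB1 feature has been removed.
    $key = Join-Path $svcRoot $Name
    if (-not (Test-Path $key)) { return 'absent' }
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    if ($null -eq $start) { return 'unknown' }
    return $startNames[[int]$start]
}

# Services the Workstation service waits for (what "sc.exe config ... depend=" sets).
$wks  = Get-ItemProperty -Path (Join-Path $svcRoot 'LanmanWorkstation') -ErrorAction SilentlyContinue
$deps = @($wks.DependOnService)

$report = [ordered]@{
    'mrxsmb10 (SMB1 driver)'       = Get-DriverStart 'mrxsmb10'
    'mrxsmb20 (SMB2/3 driver)'     = Get-DriverStart 'mrxsmb20'
    'LanmanWorkstation depends on' = $deps -join '/'
    'Still depends on mrxsmb10'    = ($deps -contains 'mrxsmb10')
}

# The optional-feature cmdlet is missing on Windows 7, so probe for it first.
if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
    $f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $report['SMB1Protocol feature'] = if ($f) { "$($f.State)" } else { 'not found' }
}

$report.GetEnumerator() | ForEach-Object { '{0,-30} {1}' -f $_.Key, $_.Value }

# Dialect is what was negotiated with each server, whatever label the NAS
# shows for the session. Open a share on the NAS before running this part.
if (Get-Command Get-SmbConnection -ErrorAction SilentlyContinue) {
    Get-SmbConnection | Sort-Object ServerName, ShareName |
        Select-Object ServerName, ShareName, Dialect,
            @{ Name = 'SMB1'; Expression = { "$($_.Dialect)" -like '1.*' } } |
        Format-Table -AutoSize
}
```

A row with SMB1 = True after connecting to the NAS means that session was negotiated with SMB1.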
BBloke
Novice
Posts: 40
Joined: Wed Jun 11, 2014 12:30 am

Re: Ransomware exploits SMB1 : should we disable SMB1?

Postby BBloke » Fri May 19, 2017 8:08 pm

I feel your pain and dilemma. I have the same here.

If I switch to SMB2/SMB3 I can no longer use file manager on android to get to my NAS box. Whilst DS File works. I can no longer use network browser in linux mint to "smb://" view the nas shares.

Whilst I have Win 10 and a Win 7 machine which are up to date I guess the issue is if WannaCry was to get executed on a patched machine it shouldn't do anything? Therefore rendering whether SMB1 is active or not.

Of course I can map network drives on the PC but I have not found a way to get connected to the NAS on Linux Mint via SMB2. There's the kicker for me.

Whilst disabling a 30 year old protocol is a good thing it does seem as though it's not the right thing to do whilst OS's are not geared up to use the newer protocols! So frustrating.

On a positive you can get ES File Explorer for Android to work with SMB2 if you install Audible. It's ok but there's no date info!
DS414 - 4 x 2TB WD Reds (SHR)
bouvrie
Trainee
Posts: 15
Joined: Tue Feb 02, 2010 12:58 pm

Re: Ransomware exploits SMB1 : should we disable SMB1?

Postby bouvrie » Mon May 22, 2017 5:00 pm

BBloke wrote:On a positive you can get ES File Explorer for Android to work with SMB2 if you install Audible.
huh?
BBloke
Novice
Posts: 40
Joined: Wed Jun 11, 2014 12:30 am

Re: Ransomware exploits SMB1 : should we disable SMB1?

Postby BBloke » Fri Jun 23, 2017 3:39 pm

bouvrie wrote:
BBloke wrote:On a positive you can get ES File Explorer for Android to work with SMB2 if you install Audible.
huh?


Android App ES File Explorer can use SMB 2. You have to activate it by installing Audible app. Strange requirement but it is what it is.
DS414 - 4 x 2TB WD Reds (SHR)
