
Is SMBv1 still needed? It's vulnerable to WannaCry attacks


bcslaam


As the topic says. Given the latest WannaCry attacks I have disabled smb v1 in Windows 10pro 1607, but now v12 clients won't install on other machine.

Do we still need to have smb v1/cifs enabled to use Retrospect Professional v12 (latest ver)?

BTW I haven't disabled smb 2 and 3. Only used the "graceful" way to disable the redundant smb v1 that's all over the net right now.


I suggest that bcslaam read this Ars Technica article, and especially the comments for it.  I am not a Windows user, but I gathered two facts.  

 

First, the Wanna Cry attacks seem to have worked almost exclusively on computers running Windows 7 that had not installed a patch Microsoft issued in March.  The attacks are not effective for either most computers running Windows 10, which includes a fix for the vulnerability that most users have installed, or for Windows XP, which is not subject to the vulnerability because of a bug in its version of SMB.  So, if all bcslaam's computers are running Windows 10, he/she shouldn't have to worry.

 

Second, contrary to what was originally reported, the Wanna Cry attacks seem not to have been seeded by malicious spam e-mails—but instead by a mechanism that scanned the Internet for open SMB 1 ports.  This wouldn't be effective for an installation if the SMB 1 port is blocked at the router.  

 

However, if you look at the "Edit" at the bottom of l27's first comment post on page 2 of  the Ars thread comments, he/she says "I am one of those companies that has to enable SMB 1 on windows 10 because of legacy software."  I hope that "legacy software" does not include Retrospect Windows 12.  IMHO bcslaam should file a Support Case with Retrospect Inc., to get them either to [a] deny that enabling SMB 1 is necessary to install V12 clients or [b] both publish a workaround for installing V12 clients without enabling SMB 1 and fix Retrospect Windows 12 ASAP so that enabling SMB 1 is no longer necessary.

 

P.S.: Changed last sentence in fourth paragraph; should include both workaround and permanent fix.

 

P.P.S.: Changed second sentence in first paragraph; there are apparently some computers running Windows 10 that haven't installed the necessary patch.


If you think this is a bug that should be fixed by Retrospect Inc., you will have to submit it as a Support Case.  For English speakers, that is done by going here http://www.retrospect.com/en/support/contact, and filling out the form (sorry, I don't know what the equivalent addresses are for non-English speakers, but they can figure it out from their appropriate Retrospect website address).  IMHO this is quite reasonable; obliging you to fill out the form provides Retrospect Inc. with useful details about your Retrospect installation that they would otherwise have to query you for.

 

As a result, Retrospect Inc. will pay no attention to your post in this forum.  On 12 December 2016, in response to a letter I snail-mailed to Mayoff,  I received an e-mail through a Mayoff account that was signed by JG Heithcock, CEO, Retrospect, Inc. http://www.retrospect.com/en/about#exec.  In it he says "From reading your letter, I think the main issue is that you view the forums as a good place to talk to us, Retrospect, Inc. But we view the audience of the forums as restricted to our customers [my emphasis]. The one caveat we have made on that is for feature requests, largely as we would like to see if other customers also agree on the desirability and feature set for these requests."

 

That means that the only audience for "Retrospect bug reports" in this forum will be other administrators of Retrospect.  Nevertheless, by posting in this forum you are providing a useful service to us administrator peasants.  Thank you.

 

Please be aware that the "description of your issue" in the Support Case form is IME limited to about 2000 characters by the Support Case software.  If you go over that limit your "description" will be broken up into a "description" plus one or more "additional notes".  The same is true for any additional notes you may later post yourself.  I suggest that, to avoid the appearance of choppiness in your Support Case, you create your case in a post in this forum and then copy it paragraph-by-paragraph to your Support Case. 

 

Note that, despite the new dialogs in the Retrospect Inc. Support Case system urging you to sign up for Annual Support and Maintenance, Mayoff has verbally assured me that you don't need to be signed up for ASM to report a bug—only to get personal assistance with coping with it.

 

If this post sounds formulaic, that's because I intend it to be.  I intend to post it in every new thread that definitely reports a Retrospect bug in this forum, unless the OP indicates that he/she has or will open a Support Case for the bug that the thread reports.  Of course, Mayoff could take 5 minutes of his time to post a slightly-more-polite version of this post as a  "sticky thread" that will always appear at the top of the forum.  I don't intend to hold my breath until that happens (insert appropriate smiley here).


As the topic says. Given the latest WannaCry attacks I have disabled smb v1 in Windows 10pro 1607, but now v12 clients won't install on other machine.

 

....

 

....

 

 

I presume that, when bcslaam says "now v12 clients wont install on other machine", he/she means when SMB V1 is disabled the Client software won't install on other machines using one of the procedures described in the "Updating Clients from the Backup Computer" section on pages 302 through 304 of the Retrospect Windows 12 User's Guide.

 

However let me point out that at the bottom of page 304 there is a section "Updating Clients from the Client Computer".  That in turn links to the section "Installing Clients" on pages 289 through 292.  Assuming bcslaam wants to install Client software on one Windows 10 machine at a time, he/she can use the procedure in the sub-section "Installing Windows Clients for Individual Log In" on page 290.  That procedure does not require any inter-machine communication during installation, so presumably disabling SMB V1 wouldn't stop it from working.  The procedure refers to a Retrospect CD, but he/she can substitute for that a USB thumb drive containing the Retrospect Client software downloaded from here.

 

I personally use the procedure described in the sub-section "Installing the Client Software on Mac OS Computers" to install Client software on my MacBook Pro, using a USB thumb drive.  If there is already older Client software on that machine, I first have to run the Uninstall app that is downloaded together with the Installer app.  I do not have a Windows computer, but it turns out the Windows equivalent of running the Uninstall app is running Add/Remove Programs from Settings->Control Panel.  Presumably the downloading from the Retrospect Inc. site does not involve SMB V1, but only HTTPS.

 

I realize the procedure described in the second and third paragraphs of this post will be a "pain in the butt" if bcslaam has multiple client machines, especially if the machines are in different physical locations.  Therefore I suggest that he/she consider blocking the SMB V1 port (port 445) at the Internet router, so he can go back to using the procedures described in the first paragraph.  However he should first make sure that no machine on his LAN is infected with WannaCry, since that malware can spread itself via SMB V1 to other machines on the LAN from one infected machine.

 

P.S.: Corrected third paragraph per third paragraph in post #6 in this thread.


Hi David

Thanks for your replies. I ended up re-enabling my win10pro machines with smb v1 (reluctantly) because of said patch. Apparently then, the problem I had with installing the clients might be due to not running the separate uninstall app but running windows uninstall from control panel. I eventually got it installed on one machine. Haven't done the other 3 yet. But for those I will run the uninstall app which I didn't see (will search harder for it)

I had so many problems with all my machines not being able to browse the network through windows explorer without smbv1 that I had to re-enable it. Also my printer share from a usb printer attached to xubuntu laptop wasn't visible without samba services. (Yet to test if that can be done with the "Samba direct" feature in Windows Features)

Without smb1 I could type the IP address in directly on the address bar but that doesn't help my sound and video software when importing media from the network using the standard dialog box.

Do you know of a way to bring back explorer local lan browsing without smb v1? I have tried enabling Samba Direct and NFS to no avail.

 

Question still remains if Retrospect v12 can run without smb v1. I will investigate further or email support.


As I said in the second sentence of the first paragraph of post #2 in this thread, I am not a Windows user.  Therefore I cannot advise bcslaam on any solutions for problems he/she is having trying to run with SMB V1 disabled on his Windows 10 Pro machines.  If any Retrospect administrator can give him/her answers, I'm sure he/she would appreciate it.

 

However, from the Ars Technica article and its comments I linked to in post #2, it seems as if the easier solution for bcslaam is to simply block the SMB V1 port(s?) on every Internet-facing router on his/her LAN—see the fourth paragraph in post #4.  He/she should then conduct a mandatory meeting of every staff member at his installation, for a briefing on how to recognize a "phishing" e-mail and avoid opening its payload.  No doubt some malware developer (from North Korea?) will eventually figure out a way of downloading an attack over the more modern versions of SMB, so IMHO the ports for those versions too (if there are any such ports) should be blocked on every Internet-facing router.

 

It turns out I made an incorrect extrapolation from Retrospect Mac to Retrospect Windows in my third paragraph of post #4, which I've now fixed.  Under the "Uninstalling a Client and Its Software" section on page 305 of the Retrospect Windows 12 User's Guide, the "Windows" sub-section says to use Add/Remove Programs from Settings->Control Panel—so there evidently is no Retrospect Client Uninstaller app for Windows.   However the "Mac OS X" section directly below that says to choose Uninstall from the Retrospect Client Installer app; I extrapolated from my Retrospect Mac experience that is the equivalent of that.

 

Directly below that, starting at the bottom of page 305 in the UG, is the "Advanced Networking" section and its "Access Methods" sub-section.  The "Multicast" sub-sub-section in that sub-section describes Retrospect's default method of accessing client computers.  That method uses Retrospect's proprietary Piton protocol over TCP/IP, which sounds to me as if it doesn't depend on any version of Samba (SMB) since it communicates over Retrospect-Inc.-reserved well-known port 497 instead of port 445.   If bcslaam has internal routers in his/her LAN, he/she will have to read the "Subnet Broadcast" sub-sub-section directly below that on page 306 and configure his/her Live Network window accordingly; however that access method also uses the Piton protocol.


Since it would not be my place to file a Support Case for this problem, I just phoned Retrospect Inc. Support and spoke to Mayoff.  He says there is no part of Retrospect that uses SMB V1.  In his opinion, bcslaam must have messed up something else when he/she disabled SMB V1 on his/her Windows Pro 10 computer.  Did you—bcslaam—disable it on your "backup server" machine, your client machines, or both?  Did you disable port 445 on internal software firewalls and/or routers, and possibly mistakenly disable port 497 along with it?  (The last sentence is my thought, not Mayoff's; I wanted to keep the phone call as short as possible because I know Mayoff is busy handling calls from administrators who are entitled to at least 30 days of ASM, so I didn't ask for suggestions from him.)

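The questions raised in the last post (where SMB V1 is disabled, and whether a block on port 445 also caught port 497) can be answered with a short audit on each Windows 10 machine. This is an added example, not part of any post in the thread and not Retrospect Inc. code; the client host names are hypothetical placeholders, and the script assumes an elevated PowerShell session.

```powershell
# Added example: audit SMB V1 state and the ports discussed in the thread.
param(
    # Hypothetical client names (assumption); replace with your own Retrospect clients.
    [string[]]$Clients = @('client1.example.lan', 'client2.example.lan')
)

# 1. Which SMB dialects does this machine's file server accept?
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, EnableSMB2Protocol

# 2. Is the SMB V1 Windows feature still installed? (needs elevation)
Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' |
    Select-Object FeatureName, State

# 3. Enabled local firewall rules that block 445 (SMB) or 497 (the port the
#    thread gives for Retrospect's Piton protocol). Only exact port entries
#    are matched; rules written as port ranges are not expanded here.
$ports = '445', '497'
Get-NetFirewallRule -Enabled True -Action Block | ForEach-Object {
    $rule   = $_
    $filter = $rule | Get-NetFirewallPortFilter
    $hits   = @($filter.LocalPort) + @($filter.RemotePort) |
              Where-Object { $_ -in $ports } | Select-Object -Unique
    if ($hits) {
        [pscustomobject]@{
            Rule      = $rule.DisplayName
            Direction = $rule.Direction
            Protocol  = $filter.Protocol
            Ports     = $hits -join ','
        }
    }
}

# 4. From the backup machine, check TCP reachability of each client on both
#    ports. 497 closed while the client service is running points at a
#    firewall or router block rather than at SMB V1.
foreach ($client in $Clients) {
    foreach ($port in 497, 445) {
        $result = Test-NetConnection -ComputerName $client -Port $port `
                    -WarningAction SilentlyContinue
        [pscustomobject]@{
            Client  = $client
            Port    = $port
            TcpOpen = $result.TcpTestSucceeded
        }
    }
}
```

Step 4 only exercises TCP between hosts on the LAN; it says nothing about whether port 445 is blocked at the Internet-facing router, which has to be checked on the router itself.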
