SMB disabling in networks

Viewing 3 posts - 1 through 3 (of 3 total)
  • #274

    Well, well…

    Microsoft have just issued a security warning about the SMB2 protocol.

    http://www.microsoft.com/technet/security/advisory/975497.mspx

    This is the protocol that Vista uses by default.

    The one where you can't turn off OpLocks.

    The one where you have to actually turn off SMB2 so that Vista will
    revert to SMB1 which is one where you CAN turn off OpLocks.

    If you have Vista use this:

    *----------8<-----cut here-----8<----------*
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
    "UseOpportunisticLocking"=dword:00000000
    "UseLockReadUnlock"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
    "EnableOplocks"=dword:00000000
    "Smb2"=dword:00000000

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MRXSmb\Parameters]
    "OplocksDisabled"=dword:00000001
    *----------8<-----cut here-----8<----------*

    --
    Brian L Johnson
    Cambridge Computing

    #2352
    Michael
    Keymaster

    Brian L Johnson wrote:
    > Well, well…
    >
    > Microsoft have just issued a security warning about the SMB2
    > protocol.
    >
    > http://www.microsoft.com/technet/security/advisory/975497.mspx
    >
    > This is the protocol that Vista uses by default.
    >
    > The one where you can't turn off OpLocks.
    >
    > The one where you have to actually turn off SMB2 so that Vista will
    > revert to SMB1 which is one where you CAN turn off OpLocks.

    Hi Brian,

    Thanks for this. So if the file server is running Vista, you have to
    turn off SMB2 in order to run SMB1? Interesting. And since SMB2 is on by
    default and doesn't support turning off oplocks, this was no doubt the
    culprit behind your recent problems with network locking.

    Another stupid move by Microsoft, just like the oplocks thing itself.
    Instead of turning off dangerous settings by default, they prefer to
    turn them on. The average SME won't have any on staff network admin and
    would be more likely to be using a light-weight home-brew solution based
    on a desktop database where this sort of functionality is required.
    Microsoft should leave these sorts of settings off and teach their MSCE
    types how to turn them on and *why* and *when* to turn them on, instead of
    putting everybody else's data at risk just so they can squeeze a little
    better performance out.

    Ciao, Neil

    #1756

    Neil Robinson wrote:

    > Brian L Johnson wrote:
    >> Well, well…
    >>
    >> Microsoft have just issued a security warning about the SMB2
    >> protocol.
    >>
    >> http://www.microsoft.com/technet/security/advisory/975497.mspx
    >>
    >> This is the protocol that Vista uses by default.
    >>
    >> The one where you can't turn off OpLocks.
    >>
    >> The one where you have to actually turn off SMB2 so that Vista will
    >> revert to SMB1 which is one where you CAN turn off OpLocks.
    >
    > Hi Brian,
    >
    > Thanks for this. So if the file server is running Vista, you have to
    > turn off SMB2 in order to run SMB1? Interesting. And since SMB2 is on by
    > default and doesn't support turning off oplocks, this was no doubt the
    > culprit behind your recent problems with network locking.

    Indeed. No matter how careful you are at turning off all the Lanman stuff,
    none of it makes any difference under Vista because it doesn't apply. It
    only applies *after* you've turned SMB2 off.

    In a way, Microsoft's security problem with it is a blessing: now a lot more
    people are aware that they should turn SMB2 off.

    Caution: when the 'fix' is released, watch out for SMB2 being turned back
    on again.

    > Another stupid move by Microsoft, just like the oplocks thing itself.
    > Instead of turning off dangerous settings by default, they prefer to
    > turn them on. The average SME won't have any on staff network admin and
    > would be more likely to be using a light-weight home-brew solution based
    > on a desktop database where this sort of functionality is required.
    > Microsoft should leave these sorts of settings off and teach their MSCE
    > types how to them on and *why* and *when* to turn them on, instead of
    > putting everybody else's data at risk just so they can squeeze a little
    > better performance out.

    Exactly.


    -brianlj-
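An added audit script (not from the thread or from SIMPOL) that reads the registry values Brian's .reg file sets and reports whether they match, flagging the point made in the last two posts: the Lanman oplock settings do nothing while Smb2 is anything other than 0, and the fix may switch SMB2 back on. The paths and value names come from Brian's file; the short descriptions in the table are my own labels.

```powershell
# Added audit script: checks the five values Brian's .reg file sets.
# Run from an elevated PowerShell prompt; reboot after any change.
$lanmanServer = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$lanmanWks    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$mrxSmb       = 'HKLM:\SYSTEM\CurrentControlSet\Services\MRXSmb\Parameters'

$checks = @(
    @{ Path = $lanmanServer; Name = 'Smb2';                    Expected = 0; Label = 'SMB2 server protocol' },
    @{ Path = $lanmanServer; Name = 'EnableOplocks';           Expected = 0; Label = 'server oplocks (SMB1)' },
    @{ Path = $lanmanWks;    Name = 'UseOpportunisticLocking'; Expected = 0; Label = 'workstation oplocks' },
    @{ Path = $lanmanWks;    Name = 'UseLockReadUnlock';       Expected = 0; Label = 'workstation lock/read/unlock' },
    @{ Path = $mrxSmb;       Name = 'OplocksDisabled';         Expected = 1; Label = 'redirector oplocks disabled' }
)

function Get-RegDword($Path, $Name) {
    # $null when the key or value is absent, i.e. the Windows default applies.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

foreach ($c in $checks) {
    $actual = Get-RegDword $c.Path $c.Name
    $shown  = if ($null -eq $actual) { 'absent (default)' } else { $actual }
    $status = if ($actual -eq $c.Expected) { 'OK   ' } else { 'CHECK' }
    Write-Output ("{0} {1,-24} = {2,-16} {3}" -f $status, $c.Name, $shown, $c.Label)
}

# The thread's key point: the Lanman/MRXSmb oplock settings only take effect
# once SMB2 is off. An absent Smb2 value means the default, which is SMB2 on.
$smb2 = Get-RegDword $lanmanServer 'Smb2'
if ($smb2 -ne 0) {
    Write-Warning 'SMB2 is enabled: the oplock settings above are not in effect. Set Smb2=0 and reboot.'
}
# Re-run this after installing the Microsoft fix to catch SMB2 being turned back on.
```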
