SIMPOL Programming forum: SMB disabling in networks
September 11, 2009 at 7:03 am, Brian Johnson (Member):

Well, well…

Microsoft have just issued a security warning about the SMB2 protocol.

http://www.microsoft.com/technet/security/advisory/975497.mspx

This is the protocol that Vista uses by default.

The one where you can't turn off OpLocks.

The one where you have to actually turn off SMB2 so that Vista will revert to SMB1 which is one where you CAN turn off OpLocks.

If you have Vista use this:

*----------8<-----cut here-----8<----------*
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"UseOpportunisticLocking"=dword:00000000
"UseLockReadUnlock"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"EnableOplocks"=dword:00000000
"Smb2"=dword:00000000

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MRXSmb\Parameters]
"OplocksDisabled"=dword:00000001
*----------8<-----cut here-----8<----------*

--
Brian L Johnson
Cambridge Computing
September 14, 2009 at 1:57 pm, Michael (Keymaster):

Brian L Johnson wrote:
> Well, well…
>
> Microsoft have just issued a security warning about the SMB2
> protocol.
>
> http://www.microsoft.com/technet/security/advisory/975497.mspx
>
> This is the protocol that Vista uses by default.
>
> The one where you can't turn off OpLocks.
>
> The one where you have to actually turn off SMB2 so that Vista will
> revert to SMB1 which is one where you CAN turn off OpLocks.

Hi Brian,
Thanks for this. So if the file server is running Vista, you have to
turn off SMB2 in order to run SMB1? Interesting. And since SMB2 is on by
default and doesn't support turning off oplocks, this was no doubt the
culprit behind your recent problems with network locking.

Another stupid move by Microsoft, just like the oplocks thing itself.
Instead of turning off dangerous settings by default, they prefer to
turn them on. The average SME won't have any on staff network admin and
would be more likely to be using a light-weight home-brew solution based
on a desktop database where this sort of functionality is required.
Microsoft should leave these sorts of settings off and teach their MCSE
types how to turn them on and *why* and *when* to turn them on, instead of
putting everybody else's data at risk just so they can squeeze a little
better performance out.

Ciao, Neil
September 16, 2009 at 7:25 am, Brian Johnson (Member):

Neil Robinson wrote:
> Brian L Johnson wrote:
>> Well, well…
>>
>> Microsoft have just issued a security warning about the SMB2
>> protocol.
>>
>> http://www.microsoft.com/technet/security/advisory/975497.mspx
>>
>> This is the protocol that Vista uses by default.
>>
>> The one where you can't turn off OpLocks.
>>
>> The one where you have to actually turn off SMB2 so that Vista will
>> revert to SMB1 which is one where you CAN turn off OpLocks.
>
> Hi Brian,
>
> Thanks for this. So if the file server is running Vista, you have to
> turn off SMB2 in order to run SMB1? Interesting. And since SMB2 is on by
> default and doesn't support turning off oplocks, this was no doubt the
> culprit behind your recent problems with network locking.

Indeed. No matter how careful you are at turning off all the Lanman stuff,
none of it makes any difference under Vista because it doesn't apply. It
only applies *after* you've turned SMB2 off.

In a way, Microsoft's security problem is a blessing: now a lot more
people are aware that they should turn SMB2 off.

Caution: when the 'fix' is released, watch out for SMB2 being turned back
on again.

> Another stupid move by Microsoft, just like the oplocks thing itself.
> Instead of turning off dangerous settings by default, they prefer to
> turn them on. The average SME won't have any on staff network admin and
> would be more likely to be using a light-weight home-brew solution based
> on a desktop database where this sort of functionality is required.
> Microsoft should leave these sorts of settings off and teach their MCSE
> types how to turn them on and *why* and *when* to turn them on, instead of
> putting everybody else's data at risk just so they can squeeze a little
> better performance out.

Exactly.
--
-brianlj-
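The .reg file in Brian's first post writes the values once and gives no way to see whether they actually stuck, and his caution above (a patch may turn SMB2 back on) means the check has to be repeatable. The script below is an added example, not code from the thread or from SIMPOL: it audits the same five registry values, applies them with -Apply if they are missing or wrong, and re-audits afterwards. The key and value names are those from the .reg file; the -Apply switch, the function names and the report format are this example's own assumptions, and it assumes an elevated PowerShell on the Vista-era machine in question. The Smb2 value under LanmanServer\Parameters is the server-side switch named in Microsoft advisory 975497; it is absent by default, and SMB2 is enabled by default, so "missing" is treated as "enabled".

```powershell
# Added example (not from the original thread): audit and, with -Apply, set the
# SMB2/oplock registry values from Brian's .reg file, then re-check them.
# Assumptions: elevated PowerShell on the Vista-era host; the -Apply switch,
# function names and output format are this example's own. The Smb2 value is
# absent by default and SMB2 is enabled by default, so absent counts as enabled.
param([switch]$Apply)

# Desired state, taken from the .reg file in the first post.
$Settings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Name = 'Smb2';                    Want = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Name = 'EnableOplocks';           Want = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'UseOpportunisticLocking'; Want = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'UseLockReadUnlock';       Want = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\MRxSmb\Parameters';            Name = 'OplocksDisabled';         Want = 1 }
)

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns the DWORD value, or $null when the key or the value does not exist.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-SmbHardening {
    # Prints one line per setting and returns the entries that do not match.
    $drift = @()
    foreach ($s in $Settings) {
        $have = Get-RegDword $s.Path $s.Name
        $state = if ($null -eq $have) { 'MISSING' } elseif ($have -eq $s.Want) { 'ok' } else { 'DRIFT' }
        Write-Host ("{0,-8} {1}\{2} = {3} (want {4})" -f $state, $s.Path, $s.Name, $have, $s.Want)
        if ($state -ne 'ok') { $drift += ,$s }
    }
    # The thread's point: the oplock values do nothing while SMB2 is in use,
    # and a later update may flip Smb2 back to enabled without warning.
    $smb2 = Get-RegDword $Settings[0].Path 'Smb2'
    if ($smb2 -ne 0) {
        Write-Warning 'SMB2 is still enabled on this server; the oplock settings above do not apply until Smb2 = 0 and the Server service has been restarted.'
    }
    return ,$drift
}

function Set-SmbHardening([array]$Entries) {
    # Creates any missing key and writes each value as REG_DWORD; safe to re-run.
    foreach ($s in $Entries) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Want -PropertyType DWord -Force | Out-Null
    }
}

$drift = Test-SmbHardening
if ($Apply -and $drift.Count -gt 0) {
    Set-SmbHardening $drift
    Write-Host "`nRe-checking after apply:"
    $drift = Test-SmbHardening
    Write-Host 'Reboot (or at least restart the Server service) before the LanmanServer values take effect.'
}
# Non-zero exit code = number of settings still out of line; handy after Windows Update.
exit $drift.Count
```

Run it without arguments after every patch cycle: a non-zero exit code means something has drifted, which is exactly the "SMB2 turned back on again" case Brian warns about. Run it with -Apply to put the values back, then reboot so that both the Server and Workstation sides pick them up.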