Disabling Server Message Block Version 1 (SMB v1) in Azure
Microsoft has always considered security to be priority #1. Whether it be in the cloud, on-premises, or across hybrid deployments, security is part of our DNA and we do whatever we can to help protect our customers and our platform. This is especially true when it comes to the Azure public cloud, where Microsoft has committed new energy, focus, and resources to make sure that we can protect, detect, and respond to threats better and faster than ever before.
Many of our customers have recently had to deal with the threat of ransomware attacks due to issues with the Server Message Block version 1 (SMB v1) protocol. While specific vulnerabilities were patched against the likes of WannaCrypt, the reality is that any Windows operating system with SMB v1 enabled is susceptible to this kind of attack. As such, we strongly believe that SMB v1 should be disabled – as it now has limited usefulness.
For this reason, the Azure security team has made the decision to disable SMB v1 by default on all Windows operating system images available in the Azure Marketplace for creating new Azure Virtual Machines, effective August 2017.
Note:
Disabling SMB v1 by default on new Azure Virtual Machines (VMs) that are created from Azure Marketplace Windows operating system images has no effect on existing VMs that are already running on Azure, or new Azure VMs based on customized images uploaded to Azure. Learn how to disable the SMB v1 protocol on already running virtual machines later in this article.
Which Windows Operating System Images will have SMB v1 ‘Disabled by Default’?
The following Windows operating system images now have SMB v1 disabled by default:
- HPC Pack 2012 R2 Compute Node with Excel on Windows Server 2012 R2
- HPC Pack 2012 R2 on Windows Server 2012 R2
- Windows Server 2008 R2 SP1*
- Windows Server 2012 Datacenter
- Windows Server 2012 R2 Datacenter
- Windows Server 2016 - Nano Server
- Windows Server 2016 Datacenter
- Windows Server 2016 Datacenter - with Containers
- [HUB] Windows Server 2008 R2 SP1*
- [HUB] Windows Server 2012 Datacenter
- [HUB] Windows Server 2012 R2 Datacenter
- [HUB] Windows Server 2016 Datacenter
- [smalldisk] Windows Server 2008 R2 SP1*
- [smalldisk] Windows Server 2012 Datacenter
- [smalldisk] Windows Server 2012 R2 Datacenter
- [smalldisk] Windows Server 2016 Datacenter
*Requires a reboot after installation completes
Note:
At this time, Windows Server 2016 Core continues to have SMB v1 enabled by default. We will update this blog when that situation changes
What about Linux ?
The service that enables the SMB protocol in Linux, Samba, is not installed by default on gallery images. If you choose to install Samba, CVE-2017-7494 provides information on vulnerabilities in Samba 3.5 and onward (current version at the time of writing is 4.6.7). Security updates are available. Advice in CVE-2017-7494 states that you should update as soon as possible.
Will Disabling SMB v1 have Adverse Effects?
SMB v1 has been superseded by SMB v2 and SMB v3 – both of which are significantly more secure than SMB v1. There are few modern use cases for SMB v1, however there is still a small number of applications and services that require this protocol. You can find a list of some of these services in the article SMB1 Product Clearinghouse.
Note:
While this list of products requiring SMB v1 is updated regularly, it should not be considered exhaustive. Always check with vendor documentation to determine if SMB v1 is required.
What about Virtual Machines Already Running in Azure?
We understand that having SMB v1 disabled on new VMs created from the Azure Marketplace images is just the first step. We are also strongly encouraging our customers and partners to disable SMB v1 in their environments – regardless of whether machines are running in Azure, in other public clouds, or on-premises.
After you have identified the virtual machines that have SMB v1 enabled, you can use the instructions in the article How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server to disable SMB v1. That article also has instructions on how to use PowerShell to determine if SMB v1 is enabled on a virtual machine.
In addition, we are planning to provide baseline settings in Azure Security Center that will check your environment for existing VMs with SMB v1 enabled, and alert customers to this. We will let you know when this is available in future updates on this blog. Finally, we will have information to share with you regarding SMB v1 and Azure Cloud Services (classic) VM services soon – make sure to follow the RSS for this blog so you know when that article is published.
Tom Shinder
Program Manager, Azure Security