SUMMARY
News has been circulating that certain ransomware and other malware are exploiting a Windows-specific vulnerability in the SMBv1 file-sharing protocol. This article discusses Unitrends' response to these issues.
ISSUE
Due to the recently highlighted threats of ransomware and other malware, many security outfits have been reporting that the SMBv1 protocol is vulnerable and should be disabled in network environments. Much of this information was circulated because of a Windows-specific defect; as of March 14, Microsoft has issued a patch for most versions of Windows that corrects the issue, rendering the earlier advice to disable the protocol itself obsolete. Some security scanning engines may continue to report SMBv1 as vulnerable in some environments. However, US-CERT is not currently making a recommendation to disable SMBv1.
Regarding the Unitrends appliance: our supported systems run on CentOS 6, a hardened Linux core, which is specifically not vulnerable to these defects. There is no concern about our platform in regard to this matter, and no requirement to disable SMBv1 or enforce SMBv2. Unitrends continues to leverage both SMBv1 and SMBv2 to ensure backward compatibility with the numerous client systems we protect. Other Linux/Unix systems in your environment should be similarly secure, though some legacy operating systems may themselves need to be patched, as Windows currently does.
Unitrends uses SMB connections in your network environment for numerous purposes. When SMB2 is enforced, applications that do not allow SMB2 connections will not function properly. While Unitrends fully supports SMB2, the following application features currently do not support SMB2:
- Microsoft Hyper-V Instant Recovery - Hyper-V requires data restored to SMB1 shares
- Microsoft SharePoint application protection - SharePoint exposes SMB1 shares for backups
- Oracle application protection - Oracle only supports SMB1 shares
If these functions are not required, then Unitrends can be configured to enforce SMB2 only.
RESOLUTION
Converting to SMB2-only is not required, as explained below, but Unitrends can be configured with SMB2 if desired.
How and why to configure SMB1 environments safely
According to this article from US-CERT dated May 19, 2017, disabling SMBv1 should not be required.
Other US-CERT articles contain less information, including their own best practice article, which may appear to contradict this advice but actually dates from March 16 and predates this updated guidance. That best practice article is incomplete and fails to note that its advice applies only to unpatched systems.
Patching Windows systems is sufficient to prevent these threats. General use of the SMBv1 protocol within your network is not itself a security risk once systems are patched. If you have disabled SMBv1 and thereby negatively impacted backup or recovery operations with the Unitrends appliance, please follow the instructions and recommendations below, which are mirrored in this article, and then re-enable the SMBv1 protocol on the affected client systems.
To safely protect NAS assets where a suitable SMBv1 patch may not exist from the NAS vendor (some NAS vendors use a Windows OS internally and may not yet have updated their software to patch their systems), it may be possible to use NFS mounts to the same data set, so that Unitrends protects the data over NFS instead of CIFS/SMB. NFS is typically found to be the faster protocol and is recommended over CIFS/SMB where available. Optionally, for some NAS platforms noted in our Admin Guide, the NDMP protocol can also be supported for an additional license fee.
The best protection from ransomware and 0-day outbreaks is a strong backup regimen that runs as frequently as your recovery point objective (RPO) requires.
With release 9.2, Unitrends is also leading the industry by including specific Ransomware detection features to alert you to rogue data activity. We also have references like this for further information on ransomware and recovery.
How to configure Unitrends for SMB2-only environments, where not using SharePoint, Oracle, Hyper-V IR
First, apply the security updates by running these commands from PuTTY or ssh:
wget https://sftp.kaseya.com/utilities/security_get.sh
sh security_get.sh apply
Then set the SMB2 security option:
security_option smb2
To disable smb2 enforcement, follow the steps in How to disable SMB2 enforcement.
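The security_option smb2 step above is Unitrends' own tool. As an added example (not Unitrends code), the following script shows how an administrator can verify that a Linux SMB server really refuses SMB1 by reading its configuration; it assumes the server is Samba, whose smb.conf uses the standard "server min protocol" option, and the two configurations embedded in it are constructed samples, one still permitting SMB1 and one enforcing SMB2.

```python
import re

# Constructed sample configurations (not taken from any Unitrends appliance):
# a Samba [global] section that still negotiates SMB1, and one that enforces SMB2.
WEAK_SMB_CONF = """
[global]
    workgroup = WORKGROUP
    server min protocol = NT1      ; NT1 is Samba's name for the SMB1 dialect
    server max protocol = SMB3
"""

HARDENED_SMB_CONF = """
[global]
    workgroup = WORKGROUP
    server min protocol = SMB2     # nothing older than SMB2 will be negotiated
    server max protocol = SMB3
"""

# Samba dialect names: the first group is SMB1, the second is SMB2 and newer.
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
SMB2_PLUS_DIALECTS = {"SMB2", "SMB2_02", "SMB2_10", "SMB3", "SMB3_00", "SMB3_02", "SMB3_11"}


def parse_global(conf: str) -> dict:
    """Return the key/value pairs of the [global] section of an smb.conf text."""
    settings, in_global = {}, False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("["):                 # section header
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            settings[re.sub(r"\s+", " ", key.strip().lower())] = value.strip().upper()
    return settings


def smb1_allowed(conf: str) -> bool:
    """True if the server would still accept an SMB1 client.

    Samba releases before 4.11 (including the Samba shipped with CentOS 6)
    default 'server min protocol' to NT1, so a missing key counts as SMB1 allowed.
    """
    minimum = parse_global(conf).get("server min protocol", "NT1")
    if minimum in SMB1_DIALECTS:
        return True
    if minimum in SMB2_PLUS_DIALECTS:
        return False
    raise ValueError(f"unrecognised SMB dialect: {minimum}")
```

Run smb1_allowed() over the contents of the server's live smb.conf to confirm enforcement after the change, and again after any upgrade that might reset the option.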
TASKS
Other recommendations for protection against ransomware and other threats, including those targeting the SMBv1 protocol, are as follows:
- Apply the Microsoft patch for the MS17-010 SMB vulnerability, dated March 14, 2017, to all applicable Windows systems.
- Enable strong spam filters to prevent phishing emails from reaching end users, and authenticate inbound email using technologies like Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.
- Scan all incoming and outgoing emails to detect threats, and filter executable files so they do not reach end users.
- Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
- Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
- Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
- Disable macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Office suite applications.
- Develop, institute, and practice employee education programs for identifying scams, malicious links, and attempted social engineering.
- Run regular penetration tests against the network, no less than once a year. Ideally, run these as often as possible and practical.
- Perform frequent backups of at-risk systems.
- Maintain 3 copies of all critical data, in at least 2 media formats, one of which is offsite at all times. A single backup of your data is not sufficient to protect against loss.
- Test your backups to ensure they work correctly upon use. Unitrends offers its Enterprise Plus customers features to directly automate such testing processes.