There is a security_option for SMB2 available.
An Unitrends system may be configured to use SMB1 or SMB2.
Beginning in release 10.4.8, the SMB 2.0 security option is enabled by default on Unitrends appliances.
- Steps for enabling SMB2
- Steps for disabling SMB2
- Using SMB2 with file recovery from Windows VMs
- Using SMB2 with Hyper-V Instant Recovery
- Using SMB2 with Windows Replicas on Hyper-V
- Using SMB2 with Sharepoint
- Using SMB2 with Unitrends Agent Push
- Using SMB2 with Oracle on Windows
- Using SMB2 with Oracle on Solaris
- Using SMB2 with Windows RDP sessions
- Access the samba share without the Unitrends agent
- Navigate to Configure, select your Unitrends appliance then click Edit.
- Under the Advanced tab, select the Support Toolbox.
- Click the Samba SMB2 option button to enable SMB2.
Alternatively, SMB2 can be enabled from command line by issuing the following command:
To disable from SMB2 and enable SMB1, run the following commands:
After disabling SMBv2, the Unitrends Samba Service must be restarted. From the screen seen above, select the samba on/off toggle to disable then re-enable samba. or, type the following command:
systemctl restart smb.service
To use a CIFS share for the recovery, SMB 2.0 must be enabled on the target Windows asset.
Note: Backup appliance running a pre-10.4.8 release – If the appliance is configured to use SMB 2.0, the following must be enabled on the target Windows asset: Insecure Guest Login and SMB 2.0.
To run a Windows replica on Hyper-V, SMB 2.0 must be enabled on the Hyper-V server.
Note: Backup appliance running a pre-10.4.8 release – If the appliance is configured to use SMB 2.0, the the following must be enabled on the Hyper-V server: Insecure Guest Login and SMB 2.0.
Release with Unitrends release v.10.4.2, enables Windows Replicas to a Hyper-V host utilizing SMB2 following these steps:
- On the Unitrends appliance, first disable smb1 then enable smb2 with the new 10.4.2 configuration:
security_option smb1 security_option smb2
- On the Hyper-V host, enable "Insecure Guest Logons"
- Open Local Group Policy Editor
- Navigate into Administrative Templates - Network - Lanman Workstation
- Enable the setting "Enable insecure guest logons"
To perform backup and recovery operations, SMB 2.0 must be enabled on each node in the farm.
- Backup appliances running pre-10.4.8 releases – If the appliance is configured to use SMB 2.0, the following must be enabled on each node in the farm: Insecure Guest Login and SMB 2.0.
- SharePoint 2007 on Windows 2003 and prior is not supported on SMB 2.0 appliances. (To configure your appliance to use SMB 1.0, contact Unitrends Support.)
- SharePoint may require custom client configuration for use with SMB 2.0. If SharePoint backups do not run successfully, see this Microsoft article for client configuration details: SharePoint Ports, Proxies and Protocols...An overview of farm communications.
SMBv2/v3 on SMB Client processes for Windows
sc.exe qc lanmanworkstation
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi sc.exe config mrxsmb20 start= disabled
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi sc.exe config mrxsmb20 start= auto
To push install the Windows agent, SMB 2.0 must be enabled on the Windows asset.
- If SMB 2.0 is enabled on your Unitrends appliance, agent push is NOT supported for the following: Windows 2003 R2, Windows XP, Windows Vista. Agent push to these operating systems is supported on appliances where SMB 1.0 is enabled. (To configure your appliance to use SMB 1.0, contact Unitrends Support.)
- Backup appliance running a pre-10.4.8 release – If the appliance is configured to use SMB 2.0, the following must be enabled on the Windows asset: Insecure Guest Login and SMB 2.0.
SMB 2.0 must be enabled on the Windows server so that the Unitrends agent can access the appliance's SMB 2.0 Samba share when performing backup and recovery operations.
Note: If the backup appliance is running a pre-10.4.8 release and is configured to use the SMB 2.0, the following must be enabled on the Windows server: SMB 2.0 and Insecure Guest Login
Log On and Log Off procedures are executed to provide secure credential management and access to SMB2 shares. When using a RDP session, it is recommended to Log Off at the conclusion of the session. If the RDP session is closed, the Log Off procedure does not execute. Subsequently, the following Log On procedure will not execute and SMB2 shares will not be accessible.
To prevent unsuccessful log-off operations, the command below may be used to save user credentials. This action is required only once as long as the session is used at least once every 30 days.
cmdkey /add:<appliance_ip> /user:samba /pass:samba
To access the samba share from a Windows system where the Unitrends agent not already installed, run the following command. Use the IP address of your Unitends appliances instead of 'appliance_ip'.
net use appliance_ip /user:samba /pass:samba
The Unitrends agent must have access to the appliance's SMB 2.0 Samba share to perform backup and recovery operations. These requirements apply:
A Samba client must be enabled. See KB 1303 for details.
A Samba key must be added for the backup appliance. To add the key, issue this command (the default password is samba):
smbadm add-key -u samba@<applianceIP>Example:
smbadm add-key -u firstname.lastname@example.org
*Mounting external CIFS shares with SMB2-only access from the Unitrends system is not yet supported via CentOS6 on the Unitrends system.
The introduction of WannaCry illuminated a security flaw in the SMB1 protocol. While Microsoft security patches have been made available to Windows systems, many have chosen to upgrade their environment to use only the SMB2 protocol.
Furthermore, Microsoft is increasingly requiring their customers to configure environments with SMB1 disabled in favor of SMB2.
While Unitrends is not directly at risk, Unitrends supports both SMB1 and SMB2 environments.
Many customers will have already configured their Windows environment for SMB2-only before contacting Unitrends, but below is an article from Microsoft describing methods to disable SMB1 and enable SMB2 on various Windows systems. Usually the registry entries are the key component.