SMBv1 in Windows 10 1909

ubuysa

The BSOD Doctor
We all remember that SMBv1 contained the vulnerability which the WannaCrypt ransomware malware from a year or so ago exploited. At the time Microsoft issued several patches and recommended that SMBv1 be disabled since it's only now used by legacy applications. A Microsoft advisory explained in its title that Windows 10 1709 and later would not have SMBv1 installed by default.

Having just clean installed Windows 10 1909 and done my usual looking around, I have discovered that the above statement about SMBv1 is not entirely accurate, at least where Home and Pro versions are concerned. These versions still contain the SMBv1 client by default after a clean installation. If the SMBv1 client is not used for 15 days in total (excluding the computer being turned off), it automatically uninstalls itself.

On checking in Windows Features on my clean installed 1909 version I discovered that not only is SMBv1 installed, it's activated!

That means that for the first 15 days after a clean install of any current version of Windows 10 your system is vulnerable to the WannaCrypt ransomware attack - and any other malware that uses the long since discredited SMBv1 vulnerability.

Clearly Microsoft do this so that anyone with legacy applications that rely on SMBv1 will have them work seamlessly, but the price the rest of us pay for that convenience is the potential exposure of a well-known vulnerability for 15 (operational) days.

Thus, when clean installing any version of Windows 10 always go immediately into Windows Features and disable SMBv1.
 

Scott

Behold The Ford Mondeo
Moderator
That's really unusual. I can't remember which version it was I installed but I required SMBv1 in order to use Kodi effectively on my home network. It wouldn't work and I found out after a lot of head scratching that it was due to it being disabled by default. This was also a clean install. It happened with 2 separate systems too, my desktop and my laptop.... as when I built my new desktop at the start of the year it led to a little head scratching before I remembered.

Are there perhaps other factors that come into play?
 

ubuysa

The BSOD Doctor
> That's really unusual. I can't remember which version it was I installed but I required SMBv1 in order to use Kodi effectively on my home network. It wouldn't work and I found out after a lot of head scratching that it was due to it being disabled by default. This was also a clean install. It happened with 2 separate systems too, my desktop and my laptop.... as when I built my new desktop at the start of the year it led to a little head scratching before I remembered.
>
> Are there perhaps other factors that come into play?

I actually came at this from the other end. After finding SMBv1 active in my clean 1909 install I set about finding out why. That led me to the Microsoft doc I linked to which seemed to explain why.

Personally it seems dumb to me to have it active by default. Install it for legacy customers (for 15 days) but legacy customers should have to manually activate it, not the other way around.

TBH I was stunned when I came across it....

 

ubuysa

The BSOD Doctor
Further to this, there is a PowerShell command that will show you whether SMBv1 is enabled on your clean installed Windows 10 system. Open an elevated PowerShell session and enter the command Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol. What you want to see is a State of Disabled (see image).

If SMBv1 is enabled on your clean install (as it will be for 15 days) you can disable it from PowerShell via the command Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol. You will be asked to restart; this is required to fully disable SMBv1.

Clipboard01.jpg
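
The check and the disable step from the post above, combined into one script. This is an added example, not part of the original thread. It assumes an elevated session, and the -Remediate switch, the Get-Smb1State helper, and the extra checks on the SMB1Protocol-Client and SMB1Protocol-Server sub-features and on the SMB server setting are additions that go beyond the two commands in the post.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): audit SMBv1 on a Windows 10 install
# and, only when -Remediate is given, disable it.
param([switch]$Remediate)

# Parent feature named in the post, plus its client and server sub-features.
$featureNames = 'SMB1Protocol', 'SMB1Protocol-Client', 'SMB1Protocol-Server'

function Get-Smb1State {
    # Hypothetical helper: returns one object per feature with its current state.
    foreach ($name in $featureNames) {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Feature = $name
            State   = if ($feature) { [string]$feature.State } else { 'NotPresent' }
        }
    }
}

$states = Get-Smb1State
$states | Format-Table -AutoSize

# The SMB server service has its own SMBv1 switch; report it as well.
$serverSmb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
"SMB server accepts SMBv1: $serverSmb1"

# 'Enable*' matches both Enabled and EnablePending.
$enabled = $states | Where-Object { $_.State -like 'Enable*' }
if (-not $enabled) {
    'SMBv1 is not enabled on this system.'
    return
}

"SMBv1 still enabled: $($enabled.Feature -join ', ')"
if ($Remediate) {
    # Disabling the parent feature also disables the client and server parts.
    # -NoRestart suppresses the prompt so the reboot can be scheduled.
    $result = Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    if ($result.RestartNeeded) {
        'SMBv1 disabled. Restart the computer to complete the change.'
    }
} else {
    'Re-run with -Remediate to disable SMBv1.'
}
```

After the restart, running the script again without -Remediate should show the features as Disabled.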
 