Link to home
Start Free TrialLog in
Avatar of milhouse537
milhouse537

asked on

WannaCry/SMBv1 and Windows Server 2003

Hi, the client has Windows Server 2003 running on one server, it's the only server left on this old version. Everything else is 2012 R2. I am unable to do anything about it because the garbage ADP payroll software HandPunch will not run on anything newer.

Given the WannaCry malware issue this weekend, any way to disable SMBv1 on Server 2003? Can't find any guidance on this. It is not a DC, it's a virtualized server that exists solely for running the ADP software, so I'm hoping I can just disable SMBv1 and then go back to the client to talk about how crappy ADP software is.
Avatar of John
John
Flag of United Kingdom of Great Britain and Northern Ireland image
You could block smb at the firewall and rdp in to use ADP
Avatar of milhouse537
milhouse537

ASKER

An interesting idea that I never even thought of. RDP probably not needed in this case. I guess my question is then, does blocking SMB in the Windows firewall protect against the new malware infection? Microsoft's security announcement seemed to indicate that only removing SMBv1 was the option.
Avatar of milhouse537
milhouse537

ASKER

Actually cancel this request. I now see that it's possible to use the ADP software with Server 2008 R1 SP2. I'll just upgrade the OS to resolve this. Thanks.
Avatar of John
John
Flag of United Kingdom of Great Britain and Northern Ireland image
Either remove smb1, or block access to SMB ports (firewall) and the malware has no target.  simple short term fix until you can install on 2008.
Avatar of milhouse537
milhouse537

ASKER

Right, I'm trying to figure out how to remove SMBv1 on Server 2003. Not sure if that can be done, even.
ASKER CERTIFIED SOLUTION
Avatar of John
John
Flag of United Kingdom of Great Britain and Northern Ireland image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of John
John
Flag of United Kingdom of Great Britain and Northern Ireland image
As per this site, 2003 ONLY does SMB1.  

https://blogs.technet.microsoft.com/josebda/2015/04/21/the-deprecation-of-smb1-you-should-be-planning-to-get-rid-of-this-old-smb-dialect/

I would just do as above to block it at the firewall.  If you try to disable SMB, then it could end up being unwittingly enabled again while doing other maintenance.
Avatar of milhouse537
milhouse537

ASKER

Just in case anyone else has this issue, they just released this today. Applies to XP and Server 2003.

https://www.engadget.com/2017/05/13/microsoft-windowsxp-wannacrypt-nhs-patch/