Need SMB1

al4629740 asked:
I just had an issue with getting a network share to be written to from a network scanner, and the problem was because the scanner needed the SMB1 protocol enabled on all the Windows 10 machines. What's the big deal with SMB1? If this is enabled, what is the security issue, and what can be done to address it if SMB1 is enabled?

Dr. Klahn, Principal Software Engineer
If SMB V1 is enabled, network security is severely crippled.  This is why Microsoft disabled SMB V1 by default in Windows 10.  Microsoft has released some patches but the fact that they disabled SMB V1 says that it is doubtful that they covered all possibilities.

There are four known exploits, all of which were supposedly stolen from the NSA:  EternalBlue (used by WannaCry and Emotet), EternalRomance (NotPetya, Bad Rabbit, and TrickBot), and EternalChampion. EternalSynergy had not been seen in the field as of last year.  If four exploits exist there is a high probability there are more.

I strongly advise against enabling SMB V1 on a network used for business, and if your firm has a network security department they will land on you with both feet if they discover that SMB V1 has been enabled.  Much better to update the scanner software, or if this is not possible, scrap the scanner and replace it with something that is compliant with straight TCP/IP or a recent, more secure version of SMB.  The fanciest scanner that I know of is less than $5,000 and this is much less than the cost @ $100/hour to rebuild even a small workgroup with one server.

Finally:  In situations where there is a high risk of unpleasant outcome, CYA first.  If SMB V1 is enabled on your say-so and an incident occurs traceable to an SMB V1 vulnerability, every finger will point directly at you and this will do nothing for your promotability or future salary increases.  And if your company tries to claim a computer incident -- any incident -- on their insurance policy and the insurance company discovers that SMB V1 was enabled, the phrase "contributory negligence" will come up and the results will be unpleasant.
SMB 1 was superseded well over a decade ago, when Windows Vista was released. If your scanner does not support SMB 2, then it is probably past the end of its design life.

Have you explored a firmware update for the scanner? Many archaic devices have added SMB2 support with newer firmware.

Here is a good overview of the problems that SMB1 might introduce:
Pete Long, Technical Consultant

I've had this problem with a few clients now; as soon as I hear the word 'Scanner', I bring it up, and stress that the client check their scanners/MFPs to ensure they support SMB 2.02 or above.

Thankfully most expensive MFPs are hired and can be swapped out for newer models. The solution to this problem is to replace your scanners, NOT to try and re-enable SMB1 on the servers!

The only time I would say enable SMB1 is if all your servers and clients are running OLD OSs and only 1 or 2 new Windows 10 machines are affected; then I'd enable it on THEM. Otherwise don't even consider it.


Top Expert 2016

issue with getting a network share to be written to from a network scanner

If the goal is to write the scan results to a share, I wonder why the scanner requires SMB1 enabled by (all the) Windows 10 clients. Can you explain the use case?

Distinguished Expert 2018

If your scanner can be configured to use something other than SMB1, switch to that. Alternatively, replace the scanner.

If this is enabled, what is the security issue and what can be done to address it if SMB1 is enabled?
How to address the security issues? That's exactly why SMB1 is disabled by default. It's that big a risk, and others have already answered to what the issues are.
Distinguished Expert 2018
As Mal Osborne says, you should look for a firmware upgrade and see if it can do without SMBv1 afterwards.
Else, short of duping the scanner, you could use the firewall and limit access to the SMB port to the IP of the scanner. That wouldn't be perfectly secure, but at least a start, in case the only device that you are allowing to use your share(s) is the scanner.
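The two practical suggestions in this thread (Dr. Klahn's point that SMB1 is off by default on Windows 10 and should stay off, and the fallback above of firewalling TCP/445 down to the scanner's IP) are collected in the PowerShell below. This is an added example, not code from any of the posters; it is written for a Windows 10 host acting as the SMB server for the share, must run in an elevated prompt, and the scanner address 192.0.2.10 is an assumed placeholder.

```powershell
# Added example (not from the original thread): audit SMB1 on a Windows 10 host
# that serves the scan share, and if SMB1 must stay on until the scanner is
# replaced, restrict inbound SMB (TCP 445) to the scanner's address only.
#Requires -RunAsAdministrator
$ScannerIP = '192.0.2.10'   # assumption: replace with the real MFP/scanner IP

# 1. Is SMB1 installed or enabled at all? Both the optional feature and the
#    server-side switch matter; either one being on is a finding.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
$server  = Get-SmbServerConfiguration
"SMB1 feature state : {0}" -f $feature.State
"SMB1 server enabled: {0}" -f $server.EnableSMB1Protocol

# 2. Which clients are negotiating SMB1 right now? Any dialect below 2.0 is SMB1.
Get-SmbSession |
    Where-Object { [version]$_.Dialect -lt [version]'2.0' } |
    Select-Object ClientComputerName, ClientUserName, Dialect

# 3. Turn on SMB1 access auditing so the event log records every SMB1 client
#    (log Microsoft-Windows-SMBServer/Audit, event ID 3000). This is how you
#    prove the scanner is the only thing still depending on SMB1.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force
Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -ErrorAction SilentlyContinue |
    Where-Object Id -eq 3000 |
    Select-Object -First 20 TimeCreated, Message

# 4a. Preferred fix, once the scanner is replaced or updated: remove SMB1
#     entirely, which restores the Windows 10 default.
# Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 4b. Interim mitigation: accept inbound SMB only from the scanner. Disable the
#     broad built-in SMB-In rules, then add one narrow allow rule. Windows
#     Firewall's default inbound policy drops everything else to TCP/445.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Where-Object DisplayName -like '*SMB-In*' |
    Set-NetFirewallRule -Enabled False
New-NetFirewallRule -DisplayName 'SMB in from scanner only' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $ScannerIP -Action Allow -Profile Any
```

Step 4b only narrows who can reach the share; the SMB1 server code is still exposed to whatever sits at the scanner's address (or spoofs it on the local segment), so it is a stopgap to buy time for a firmware update or replacement, not a fix. Re-run steps 1 to 3 after the scanner is gone to confirm nothing else was quietly relying on SMB1 before you remove it.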
