Microsoft says turn off Windows feature to protect Windows
If you can't fix it, and Microsoft can't, rip it out: that's Microsoft's advice for Windows' SMB2 bug.
There's no real reason for SMB2 (Server Message Block 2), a Microsoft network file and print-sharing protocol that ships with Windows Vista, Windows Server 2008 and Windows 7, to exist. All it does is duplicate the basic network file and print functionality that Windows has provided for over a decade. But SMB2 is in there, it is broken, and now it can be used to take over PCs.
Microsoft admits that the problem is real. Mark Wodrich and Jonathan Ness, part of the MSRC (Microsoft Security Response Center) engineering team, wrote that an experimental exploit is already out and that it can gain "complete control of the targeted system and can be launched by an unauthenticated user." Just what you didn't need.
There is a way to fix it. Well, sort of. You have to turn SMB2 off. You can do that the hard way, by editing the Windows registry, or the easy way, by clicking on this "Fix it" link from a Vista, Server 2008, or pre-RTM Windows 7 PC. But if you do, and you use SMB2 to connect to network drives or printers, you're also going to lose the ability to use any of them. That will go over big in many businesses.
You can still use network drives and the like with SMB, and, if you're using Server 2003 or earlier servers or Samba servers for sharing files and printers, you're already using the older, more reliable and secure protocol. Only people who've moved entirely to Microsoft's latest and greatest network sharing protocol are in trouble.
If that's you, you should be OK because, by default, Server 2008 should fall back to SMB if SMB2 isn't available. I'd try the fix first on test Vista and Windows 7 PCs before rolling out the fix to all the client PCs. You don't want to start Monday morning, after all, by locking everyone out of their files.
If you're not using SMB2, you should still run the Microsoft 'Fix.' SMB2 is on by default in all three versions of Windows that it is used on. Even if you don't use networking at all except to connect to the Internet, you should still turn off SMB2. Chances are your PC firewall--you are running one, right?--will stop any attack using SMB2, but why take a chance?
The ironic thing about all this is that the real reason that Microsoft moved to SMB2, according to Wikipedia, is that they wanted a protocol that they didn't have to share with Samba or anyone else. Too bad Microsoft couldn't get it right on their own.
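The "hard way" mentioned above, as an added example rather than the contents of Microsoft's Fix it package: a PowerShell script that reports whether the SMB2 server component is on, turns it off, and can turn it back on if the test PCs lose their shares. It assumes the Smb2 DWORD value under the LanmanServer service parameters, which is the setting Microsoft documents for this workaround and is not given in this article; the script file name is hypothetical.

```powershell
# Added example, not Microsoft's Fix it package. Run from an elevated prompt.
#   .\Set-Smb2Server.ps1            report the current state only
#   .\Set-Smb2Server.ps1 -Disable   set Smb2 = 0 and restart the Server service
#   .\Set-Smb2Server.ps1 -Enable    roll back: set Smb2 = 1 and restart
param([switch]$Disable, [switch]$Enable)

# Assumption: registry path and value name from Microsoft's documented workaround.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$name = 'Smb2'

function Get-Smb2State {
    # An absent value means the Windows default, which is SMB2 enabled.
    $p = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $p)   { return 'enabled (value absent, Windows default)' }
    if ($p.$name -eq 0) { return 'disabled' }
    return "enabled (Smb2 = $($p.$name))"
}

function Set-Smb2Value([int]$value) {
    # -Force overwrites an existing value and creates it when absent.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $value -Force | Out-Null
    # The Server service reads the setting at start; -Force is needed because
    # other services depend on it.
    Restart-Service -Name LanmanServer -Force
}

if ($Disable -and $Enable) { throw 'Choose either -Disable or -Enable, not both.' }

Write-Output "Before: SMB2 server component is $(Get-Smb2State)"
if ($Disable) { Set-Smb2Value 0 }
if ($Enable)  { Set-Smb2Value 1 }
if ($Disable -or $Enable) {
    Write-Output "After:  SMB2 server component is $(Get-Smb2State)"
    Get-Service -Name LanmanServer | Format-List Name, Status
}
```

Run it without switches across the test machines first to record which ones still have SMB2 enabled before changing anything.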
On my own computer network, which includes Vista, Windows 7, and Server 2008, I turn off Microsoft's recent network 'improvements' since they tend to get in the way of connecting with Samba-based servers and NAS (network attached storage) devices and even older versions of Windows. I have yet to see any problems coming from sticking with Windows' older networking protocols.
Microsoft assures users, as usual, that they'll issue a real fix real soon now. I'm not holding my breath. If all goes well you can expect to see a real fix by Patch Tuesday, the first Tuesday of the month, in October.
Wikipedia?
C'mon, sjvn!! I like to use Linux, like you. But, at least give reliable sources in your articles--citing Wikipedia for reliable info as to why MS is using SMB2??? It doesn't look too good for a journalist to do this--of course, maybe a columnist isn't a journalist?!?!?!?
--BuckyBoy
Talk about negative press - Jeesh Microsoft?
Where did all the good engineers go? Retired? Switched to Linux? My favorite part of this article was the "Only people who switched to Microsoft's latest and greatest are vulnerable" (paraphrased)
The appalling thing is these kinds of "issues" are becoming the Norm with Microsoft it seems:
1: Not fixing Supported OS's because "it's too hard"
2: Vista - Completely Awful - Learn how to navigate your computer's file explorer all over again because all the software bloat and "Security" dialogs didn't slow you down enough...
3: Latest and greatest OS roll can be compromised by unauthenticated users...
Please - stick to making cool Mice, Vibrating Joysticks, DirectX, and Office (which the new UI I didn't find as productive for MSAccess at all)
--Jason
Losing the plot.
Wow, this is the worst-researched article I've read in a long time. Windows 7 and Server 2008 R2 are not affected by this issue, contrary to your article, except for people still using the RC version of Windows 7 32-bit, and that it is really only an issue if you allow untrusted networks to connect to your computer through your firewall. It's a serious bug, but it will be fixed by Microsoft, just like any other. You claim Microsoft can't fix it, and yet you have absolutely no reason to believe that, nor do you back up your assertion with anything. The Wikipedia article you linked to only backs up your statement in one line, marked "citation needed", and then goes on to list the actual benefits of SMBv2, contradicting your thesis. Also, portraying SMBv1 as more secure because a nasty bug was found in SMBv2 is laughable. Do you have any idea how many bugs have been found in SMBv1 over the years?