SMB Vulnerability Best Practices
In response to public reporting of a potential Server Message Block (SMB) vulnerability last month, the United States Computer Emergency Readiness Team (US-CERT) is recommending that organizations disable older versions of the Windows SMB protocol and use firewall rules to provide added protection.
SMB is widely used in Microsoft operating systems to provide access to files and other resources on a remote server. Version 1 of the protocol was used on older operating systems. US-CERT says administrators should disable SMB v1 and block all SMB traffic at network boundaries as a precaution. By default, this service is universally available on Windows systems and could allow a remote attacker to obtain sensitive information. While incoming SMB traffic (ingress) is most likely already blocked at the firewall, administrators should also explicitly forbid SMB traffic from internal hosts to the Internet (egress).
According to US-CERT, users and administrators should take these steps:
- Disable SMB v1, and
- Block all versions of SMB at the network boundary by denying TCP port 445, along with related protocols on UDP ports 137-138 and TCP port 139, on all boundary devices, for traffic both into and out of the internal network.
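The two steps above can be checked from a Windows host with the script below. It is an added example, not part of the US-CERT guidance or the original page. The `-EgressTestHost` value is a placeholder for an external host you control, and `-Remediate` is a switch introduced here for illustration.

```powershell
# Added example: audit (and optionally disable) SMB v1 on the local host,
# then test whether outbound SMB is blocked at the network boundary.
# Run from an elevated PowerShell session.
param(
    # Placeholder (assumption): an external host you control, outside the boundary.
    [string]$EgressTestHost = 'smb-egress-test.example.com',
    # Hypothetical switch for this example: without it the script only reports.
    [switch]$Remediate
)

# 1. SMB v1 server setting: controls whether this host answers SMB v1 requests.
$server = Get-SmbServerConfiguration
Write-Output "SMB v1 server enabled: $($server.EnableSMB1Protocol)"
if ($server.EnableSMB1Protocol -and $Remediate) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# 2. SMB v1 optional feature (the installed client and server components).
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Write-Output "SMB1Protocol feature state: $($feature.State)"
if ($feature.State -eq 'Enabled' -and $Remediate) {
    # -NoRestart defers the reboot; removal completes after the next restart.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

# 3. Egress check for the TCP ports named in the guidance (445 and 139).
#    UDP 137-138 cannot be confirmed with a connect test; review the
#    boundary device rules directly for those ports.
foreach ($port in 445, 139) {
    $result = Test-NetConnection -ComputerName $EgressTestHost -Port $port `
        -WarningAction SilentlyContinue
    if ($result.TcpTestSucceeded) {
        Write-Warning "Outbound TCP $port reached $EgressTestHost; the egress block is missing."
    } else {
        Write-Output "Outbound TCP $port did not connect (blocked or host unreachable)."
    }
}
```

A failed connection in step 3 only shows the traffic did not get through; confirm on the boundary device that an explicit deny rule is the reason.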
If you feel as though your organization is not prepared to handle this type of vulnerability, then it’s time for a serious conversation with our security experts.