Microsoft has long been warning developers in the sternest terms not to use SMBv1 unless it is absolutely necessary. It says in a September 2016 blog, “SMB1 isn’t safe. The nasty bit is that no matter how you secure all these things if your clients use SMB1, then a man-in-the-middle can tell your client to ignore all the above. All they need to do is block SMB2+ on themselves and answer to your server’s name or IP. Your client will happily derp away on SMB1 and share all its darkest secrets unless you required encryption on that share to prevent SMB1 in the first place. This is not theoretical – we’ve seen it. We believe this so strongly that when we introduced Scaleout File Server, we explicitly prevented SMB1 access to those shares!”
It all boils down to cyber criminals working out how to exploit a decades-old vulnerability designed for a world that no longer exists. If that is not a good argument for drawing a line in the sand on legacy support for Windows and devices then I don’t know what is. Damned if you do and damned if you don’t.
in its latest blog on build 16226 Microsoft states:
Windows 10 and SMB1: As part of a multi-year security plan, we are removing the SMB1 networking protocol from Windows by default. This build has this change, however, the change only affects clean installations of Windows, not upgrades. We are making this change to reduce the attack surface of the OS. Here are some more details to take note of:
- All Home and Professional editions now have the SMB1 server component uninstalled by default. The SMB1 client remains installed. This means you can connect to devices from Windows 10 using SMB1, but nothing can connect to Windows 10 using SMB1. We still recommend you uninstall SMB1 if you are not using it. In a later feature update of Windows 10, we may uninstall SMB1 client if we detect that you are not using it.
- All Enterprise and Education editions have SMB1 totally uninstalled by default.
- The removal of SMB1 means the removal of the legacy Computer Browser service. The Computer Browser depends exclusively on SMB1 and cannot function without it.