SMB1 Is Dead? (Unfortunately Not Yet)

KB ID 0001461

Problem

I recently did a migration for an engineering company. About a week later I got an email from them saying, “We have a new Windows 10 PC, and it can’t connect to the ‘N’ Drive?” I asked them to send me a screenshot; the error was;

You can’t connect to the file share because it’s not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack.
Your system requires SMB2 or higher. For more info on resolving this issue, see: https://go.microsoft.com/fwlink/?linkid=852747

Some Googling told me that Windows 10 (build 1803) had removed SMB1, and like most people who see this for the first time, I used the PowerShell to turn it back on. The client was happy, end of problem, right?

Well, yes and no. ‘SMB1 is Bad‘, very bad in fact. Enabling SMB1 is a bit like removing the windows from your house because you’re too hot: yes, it solves the problem, but now anyone who wants to jump into your house can do so, at any time of the day!

OK What’s Changed?

With Windows 10 (Build 1803) SMB1 is completely disabled. If you try to connect to a device/share that is using it, you will see the same error my client did.

However, if you have an earlier build of Windows 10 and you simply let it update (including the 1803 July security update), it will continue to work.

I tried to replicate this on my test network. Like the client, I had a 2008 R2 file server, and connected to it from a new Windows 10 machine and an old(er) updated Windows 10 machine. Everything worked! In fact, to replicate the client’s error I had to manually disable SMB2 and force SMB1. That’s strange, I thought, so I checked the client’s server;

As you will discover (below), the DWORD highlighted disables SMB2 and forces the server to use SMB1. Now, the server does not ship like this, and I doubt very much anyone did this manually, so where did it come from? Well, as an educated guess, the software that runs on this server needs SMB1. (They have some older Linux machines and machinery that logs are collected from.)

Solution

As Microsoft says;

Warning: We do not recommend that you disable SMBv2 or SMBv3. Disable SMBv2 or SMBv3 only as a temporary troubleshooting measure. Do not leave SMBv2 or SMBv3 disabled.

So the steps I outline below are there so you can actually do some troubleshooting and see what’s wrong. The third law of engineering states ‘Just because you can do something, does not necessarily mean you should‘. That being said, I appreciate we operate in the real world. If your line-of-business software needs SMB1, you can’t shut down production while the vendor fixes their ‘poorly written, and relying on a 30 year old protocol‘ code. Or, what you are connecting to might not be a Windows machine at all! It might be an old appliance, with no firmware update to take it to SMB2/3, and no budget to replace it.

Windows 10 Enable SMB1

Use the following PowerShell;

[box]

Get-WindowsOptionalFeature -Online -FeatureName smb1protocol
Enable-WindowsOptionalFeature -Online -FeatureName smb1protocol

[/box]

Again this is a temporary fix! As soon as possible disable it again.

[box]

Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol

[/box]

Windows Server (Enabling/Disabling SMB1 & SMB2)

As with most things, SMB status is set in the registry (see above).

Enable or disable SMBv1 on the SMB server;

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled (No registry key is created)

Enable or disable SMBv2 on the SMB server;

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB2
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled (No registry key is created)

Note: You must restart the computer after you make these changes.

But things are much easier done with PowerShell, to see the settings;

[box]Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}[/box]

Note: In the output above, SMB1 is enabled and SMB2 is disabled.
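To see the effective state of both protocols in one go, here is an added PowerShell example (mine, not from the original article or Microsoft’s documentation) that reads the same LanmanServer\Parameters values, applies the documented defaults when a value is missing, and flags the combination found on the client’s server. It assumes PowerShell 3.0 or later.

```powershell
# Added example: report the effective SMB1/SMB2 server dialect state from the registry.
# A missing SMB1 or SMB2 value means the documented default (enabled); 0 means disabled.
function Get-SmbServerDialectState {
    $path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $props = Get-ItemProperty -Path $path
    $state = foreach ($name in 'SMB1', 'SMB2') {
        $value = $props.$name
        [pscustomobject]@{
            Protocol = $name
            # $null means the value was never created, so the default applies
            Enabled  = if ($null -eq $value) { $true } else { [int]$value -ne 0 }
            Source   = if ($null -eq $value) { 'default (no registry value)' } else { "registry value $value" }
        }
    }
    $smb1 = ($state | Where-Object { $_.Protocol -eq 'SMB1' }).Enabled
    $smb2 = ($state | Where-Object { $_.Protocol -eq 'SMB2' }).Enabled
    # Verdicts mirror the article: SMB2 only is the goal, SMB1 alongside SMB2 still allows
    # downgrade, SMB2 disabled is the state that broke the new Windows 10 client
    $verdict = if ($smb2 -and -not $smb1) { 'OK: SMB2/3 only' }
    elseif ($smb1 -and $smb2) { 'WARNING: SMB1 still enabled alongside SMB2, downgrade to SMB1 is possible' }
    elseif ($smb1 -and -not $smb2) { 'CRITICAL: SMB2 disabled, server is forced to SMB1 (new Windows 10 clients cannot connect)' }
    else { 'BROKEN: both SMB1 and SMB2 disabled, no client can connect' }
    [pscustomobject]@{ Settings = $state; Verdict = $verdict }
}

$result = Get-SmbServerDialectState
$result.Settings | Format-Table Protocol, Enabled, Source -AutoSize
$result.Verdict
```

Run it before and after the registry changes below to confirm the server is actually in the state you think it is, since a typo in the DWORD name silently leaves the default in place.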

WARNING: To test this properly, I’d suggest converting this server to a VM and testing on a copy, or cloning the server, (if it’s already virtualised), then you can try out some non-destructive testing, to make sure your applications still work. Ideally start by enabling SMB2 and disabling SMB1 to test.

[box]Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB2 -Type DWORD -Value 1 -Force
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 0 -Force[/box]

Remember to reboot!


If your application still works great, ‘you didn’t need SMB1 anyway‘, sit back, light your pipe, and admire your handiwork!

If not, try with both Protocols enabled. (To be fair, security-wise this is just as bad as having SMB1 only, as all the ‘good bits’ in SMB2 can still be bypassed by using SMB1!) But at least (from a user perspective) your new Windows machines will connect via SMB2.

Remember to reboot!


Related Articles, References, Credits, or External Links

NA

VMware vSphere: Adding NFS Storage

KB ID 0001408

Problem

If you have some NFS storage, and you want to use it as a Datastore in your VMware environment, this is the procedure to follow.

Pre-Requisites

I’m assuming you already have a network connection between your ESX servers and the NAS box (i.e. you have a VMkernel NIC on the same network). I’m also assuming you have the NFS set up correctly; in this example I’m using a Buffalo NAS box.

But you can also use a Windows NFS share, see the following article;

Solution

In Datastore View > Datastore > Add Datastore.

Next > NFS v3 > Next.

Enter your NFS mount details and IP address > Next > Select the Host(s) that will use the NFS storage > Next.

Finish

Related Articles, References, Credits, or External Links

Cisco Small Business (SG500) Link Aggregation (LAG) With LACP

KB ID 0001277 

Problem

At work a client was having trouble with a NAS drive (Buffalo Terastation). It was being used as a backup target and some of the servers were dropping connections. I knew the client had some Catalyst 3750s, so I suggested going and creating an EtherChannel to the two NICs in the NAS box, to try and cure the problem.

However when I went onsite, I noticed the 3750 didn’t have any spare Gigabit ports only FastEthernet ones. So I thought I’d create a port channel on one of their Cisco Small Business Switches (SG500-52P). I mean how difficult can that be?

Solution

SG500 LAG Configuration

Note: Configure the switch FIRST.

Before you start, the ports you want to use MUST NOT be a member of a VLAN, and this needs to be checked for EVERY VLAN, and saved each time: VLAN Management > Port to VLAN.

So the port should be a simple access port set as below, VLAN Management > Interface Settings.

Now you can create the Link Aggregate Group > Port Management > LAG Management > I set the global option to ‘IP/MAC Address’ > Then select the first free LAG > Edit.

Tick LACP BEFORE you add in the ports. If you don’t, it creates the LAG, but the LACP option is ‘greyed out’. (The only way to solve this, is remove all the ports, save the settings, add LACP, then add the ports back in again!)

At this point you need to add your LAG interface into the appropriate VLAN, or more likely set it as a Trunk.

Buffalo Terastation NAS Settings for LACP

For LACP to work both ends need to be configured, on the NAS box, bond the two networks cards together, then set the ‘Port Trunking’ mode to ‘Dynamic link aggregation’ > Accept.

Related Articles, References, Credits, or External Links

NA

Using Openfiler and vSphere ESX / ESXi 5

KB ID 0000380

Problem

Openfiler is a free NAS / SAN prebuilt Linux distribution, that can provide iSCSI storage to your VMware environment, it’s ideal for small setups (This video was made with all the devices running in VMware workstation 7, on my laptop. That’s two ESXi servers, a vCenter server, and the Openfiler iSCSI target server).

Solution

Related Articles, References, Credits, or External Links

Openfiler

Thanks to VMware for the free copy of VMware Workstation.


vSphere ESX – Configure Buffalo Terastation 5000 as an iSCSI Target

KB ID 0000899 

Problem

This little NAS box is a cheap way of adding a large amount of storage. Below I’m going to configure it as an iSCSI target, then connect my ESX5 host to it.

I’m not setting up any CHAP authentication, but I’ll show you where it’s configured, if you want to deploy yours a little more securely.

Also it’s considered good practice to separate your storage network traffic, from your actual network traffic (either physically or via VLANs). Here I’m also NOT doing that.

Solution

Initial Configuration of the TS5000

If you connect either of the NAS box’s NICs to your network they will pick up an IP address via DHCP (You will see it in your DHCP leases).

1. Connect to the NAS with a web browser, the default password is ‘password’.

2. To change the default password: Enter Easy Admin mode > Reset Password > Follow the instructions.

3. Team / trunk the NICs: You can give each NIC its own IP address, but I prefer to aggregate them > Network > Port Trunking > Configure port trunking.

4. Select ‘Link 1’.

5. Select All > Assign.

6. It may take a few seconds.

Configure iSCSI

7. First enable iSCSI > Drives > iSCSI > Click the switch to enable.

8. Configure iSCSI

9. Create Volume.

10. Give the volume a name, description, and specify the volume size > OK.

Note: If you wanted to configure authentication select enabled, and set accordingly.

11. Enter the numbers as requested > OK.

12. This can take a couple of minutes also.

Configure ESX For iSCSI

13. Connect to either your ESX host or vCenter > Select a host > Configuration > Networking > Add Networking > Create a new vSwitch > Add a VMkernel port group (called iSCSI or something sensible) > Assign a free NIC, and give it an IP address on the same range as the NAS box.

14. Storage Adaptors > If you do not see any, select ‘Add’ and add in a software iSCSI Adapter.

15. Right click your iSCSI Adapter > Network configuration > Bind it to the port group you created in step 13.

16. Then on either the Dynamic or the Static discovery tab, enter the IP address of the NAS box.

17. Storage > Add Storage > Disk/LUN > Select the iSCSI storage > Follow the instructions.

18. Repeat the process on your remaining ESX hosts. (Note: You will only need to create the VMFS volume(s) for the first one).

Related Articles, References, Credits, or External Links

Cisco Small Business (SG500) Link Aggregation (LAG) With LACP

Windows Server 2008 R2 – Configure RADIUS for Cisco ASA 5500 Authentication

KB ID 0000688

Problem

Last week I was configuring some 2008 R2 RADIUS authentication, for authenticating remote VPN clients to a Cisco ASA Firewall.

I will say that Kerberos Authentication is a LOT easier to configure, so you might want to check that first.

Solution

Step 1 Configure the ASA for AAA RADIUS Authentication

1. Connect to your ASDM > Configuration > Remote Access VPN > AAA Local Users > AAA Server Groups.

2. In the Server group section > Add.

3. Give the group a name and accept the defaults > OK.

4. Now (with the group selected) > In the bottom (Server) section > Add.

5. Specify the IP address, and a shared secret that the ASA will use with the 2008 R2 Server performing RADIUS > OK.

6. Apply.

Configure AAA RADIUS from command line;

[box]

aaa-server PNL-RADIUS protocol radius
aaa-server PNL-RADIUS (inside) host 172.16.254.223
  key 123456
  radius-common-pw 123456
  exit

[/box]

Step 2 Configure Windows 2012 Server to allow RADIUS

7. On the Windows 2008 Server > Launch Server Manager > Roles > Add Role.

8. If you get a welcome page > Next > Select Network Policy and Access Server > Next > Next.

9. Select ‘Network Policy Server’ > Next > Install.

10. Close, when complete.

11. Whilst still in Server Manager > Network Policy and Access Server > NPS (Local).

12. Register Server in Active Directory > OK > OK.

13. Expand RADIUS Clients and Servers > Right click RADIUS Clients > New.

14. Give the firewall a friendly name (take note of what this is, you will need it again) > Specify its IP > Enter the shared secret you set up above (number 5) > OK.

15. Expand policies > right click ‘Connection Request Policies’ > New > Give the policy a name > Next.

16. Add a condition > Set the condition to ‘Client Friendly Name’ > Add.

17. Specify the name you set up above (number 14) > OK > Next > Next > Next.

18. Change the attribute to User-Name > Next > Finish.

19. Now right click ‘Network Policies’ > New > Give the policy a name > Next.

20. Add a condition > User Groups > Add.

21. Add in the AD security group you want to allow access to > OK > Next > Next.

22. Select ‘Unencrypted Authentication PAP SPAP’ > Next > No > Next > Next > Finish.

Step 3 Test RADIUS Authentication

23. Back at the ASDM, in the same page you were in previously, select your server and then click ‘Test’.

24. Change the selection to Authentication > Enter your domain credentials > OK.

25. You are looking for a successful outcome.

Note: if it fails, check that there is physical connectivity between the two devices and that the shared secrets match. Also ensure UDP ports 1645 and 1646 are not being blocked.

To Test AAA RADIUS Authentication from Command Line

[box]

test aaa-server authentication PNL-RADIUS host 172.16.254.223 username petelong password password123

[/box]

26. Finally, save the firewall changes > File > Save running configuration to flash.
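If you want to see what the ASA’s ‘Test’ button actually sends over UDP 1645, here is an added PowerShell example (mine, not from the article or Cisco/Microsoft) that builds one RFC 2865 Access-Request with a PAP-encoded User-Password, sends it to NPS and checks the Response Authenticator. The server address, shared secret and username are taken from the ASA configuration above; the NAS-Identifier string is an assumption, and NPS will only answer if the machine you run it from is registered as a RADIUS client.

```powershell
# Added example: one RADIUS/PAP Access-Request and reply check (RFC 2865), for troubleshooting NPS.
function Test-RadiusPap {
    param(
        [string]$Server = '172.16.254.223', [int]$Port = 1645,
        [string]$Secret = '123456', [string]$UserName = 'petelong', [string]$Password = 'password123'
    )
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $enc = [System.Text.Encoding]::ASCII
    $secretBytes = $enc.GetBytes($Secret)
    # 16 random bytes: the Request Authenticator, which also seeds the password obfuscation
    $auth = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($auth)
    # PAP: zero-pad the password to a multiple of 16 bytes, then XOR each block with
    # MD5(secret + previous ciphertext block); for block 1 the "previous block" is the authenticator
    $pwBytes = $enc.GetBytes($Password)
    $padded  = New-Object byte[] ([int][math]::Ceiling([math]::Max($pwBytes.Length, 1) / 16) * 16)
    [Array]::Copy($pwBytes, $padded, $pwBytes.Length)
    $cipher = New-Object byte[] $padded.Length
    $prev = $auth
    for ($i = 0; $i -lt $padded.Length; $i += 16) {
        $b = $md5.ComputeHash([byte[]]($secretBytes + $prev))
        for ($j = 0; $j -lt 16; $j++) { $cipher[$i + $j] = $padded[$i + $j] -bxor $b[$j] }
        $prev = $cipher[$i..($i + 15)]
    }
    # Attributes are TLVs (type, total length, value): User-Name 1, User-Password 2, NAS-Identifier 32
    $nameBytes = $enc.GetBytes($UserName)
    $nasBytes  = $enc.GetBytes('pnl-radius-test')   # assumed NAS-Identifier, not from the article
    [byte[]]$attrs = @(1, ($nameBytes.Length + 2)) + $nameBytes +
                     @(2, ($cipher.Length + 2)) + $cipher +
                     @(32, ($nasBytes.Length + 2)) + $nasBytes
    $len = 20 + $attrs.Length
    # Header: Code 1 = Access-Request, Identifier, 16-bit big-endian length, 16-byte authenticator
    [byte[]]$packet = @(1, (Get-Random -Maximum 256), ($len -shr 8), ($len -band 0xFF)) + $auth + $attrs
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = 5000
    $udp.Connect($Server, $Port)
    [void]$udp.Send($packet, $packet.Length)
    $remote = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
    $reply = $udp.Receive([ref]$remote)
    $udp.Close()
    # Prove the reply came from a server holding the shared secret:
    # Response Authenticator = MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)
    $tail = if ($reply.Length -gt 20) { $reply[20..($reply.Length - 1)] } else { @() }
    $expected = $md5.ComputeHash([byte[]]($reply[0..3] + $auth + $tail + $secretBytes))
    $valid = [BitConverter]::ToString($expected) -eq [BitConverter]::ToString([byte[]]$reply[4..19])
    $code = switch ($reply[0]) { 2 { 'Access-Accept' } 3 { 'Access-Reject' } default { "code $_" } }
    New-Object PSObject -Property @{ Result = $code; ResponseAuthenticatorValid = $valid }
}
Test-RadiusPap
```

A timeout (no reply at all) points at connectivity, the firewall, or the client IP not being registered in NPS, while an Access-Reject with a valid Response Authenticator means the secret is right and the problem is in the policies.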

Related Articles, References, Credits, or External Links

Windows Server 2003 – Configure RADIUS for Cisco ASA 5500 Authentication

Windows Server 2012 – Configure RADIUS for Cisco ASA 5500 Authentication