Help me convince a customer how dangerous SMB1 is
Posted by Agentum@reddit | sysadmin | 152 comments
Greetings fellow admins,
so for almost 10y I have over and over again tried to get a customer to migrate the legacy stuff so we can disable smb1. We offered help, deployed new systems, created sandbox environments and so on. Nothing ever got done because they actually have to do something themselves.
~300 users, just refreshed hardware and almost all server vms to 2022. Mostly onprem/hybrid environment.
Still they have "critical" applications running on 2003, some 2008 and now 2012 also still around.
We (MSP) have segmented the network, deployed ESR, airgapped Backup, lots of email hardening and more good stuff.
Still I need to keep smb1 around on the dcs, file and db servers for those 2k3 machines.
Everything is documented and I told em over and over again, so one could argue job done, their decision.
For my part that's not how I choose to do my job, and also when they burn down we have to restore. So I will keep trying.
I was thinking of cloning DCs, DBs to a sandbox, dropping a Kali VM in there and metasploit/script kiddy the systems. Not sure if that makes sense, I have limited time to invest into this "project".
For the next meeting I would like to have like a 10m demo of stuff going boom! in some dramatic way.
What would you do?
ZAFJB@reddit
No you don't. Segment them off with their own DCs, isolate their networks.
Or even consider not using DCs at all and just work with local accounts on their isolated network.
Designer_Delivery922@reddit
Tell your customer that there is no legal protection for them if they choose to stick with technology that is end of life and exploitable.
MDKagent007@reddit
SMB1 (Server Message Block version 1) is considered highly dangerous due to its severe security vulnerabilities.
Here’s a summary of the main risks:
Known Vulnerabilities: SMB1 is vulnerable to several critical exploits, such as the infamous EternalBlue exploit used in the WannaCry ransomware attack. These vulnerabilities allow attackers to execute arbitrary code, leading to data theft, system compromise, or complete control over affected systems.
Lack of Security Features: SMB1 lacks modern security features found in later versions, such as encryption and improved authentication methods. This makes it easier for attackers to intercept, modify, or manipulate SMB traffic.
Obsolete Protocol: SMB1 is outdated and has been deprecated by Microsoft. It’s no longer maintained or updated, meaning any new vulnerabilities discovered will not be patched, leaving systems using it permanently at risk.
Network Worm Propagation: Because of its vulnerabilities, SMB1 can facilitate the spread of malware across networks quickly. This was a key factor in the rapid spread of several high-profile ransomware attacks.
Disabled by Default: Modern operating systems like Windows 10 and Windows Server 2016 and later versions have SMB1 disabled by default due to these security concerns.
To mitigate the risks, it is highly recommended to disable SMB1 on all systems and use more secure versions like SMB2 or SMB3. Keeping systems updated and following best security practices is also crucial to protect against potential threats associated with SMB1.
Fresh_Dog4602@reddit
thanks for the chatgpt answer. you ARE on the sysadmin reddit. The issue here is not that people don't know smbv1 is obsolete, EOL or otherwise unsafe
MDKagent007@reddit
I responded directly to the subject title. If you disagree, you can simply ignore it rather than resorting to acting like a troll.
Valencia_Mariana@reddit
You are trolling by copying and pasting a chatgpt answer. If the op wanted an LLM response, I'm sure he could have done that himself. If you don't know the subject matter, don't respond.
Fresh_Dog4602@reddit
And yet your answer even failed to do that. I'm not trolling. Every admin already has to wade through tons of shit posts done by people copy pasting shit to get either MVP status or copy pasting chat gpt shit to boost their own online presence.
If you think that posting non-relevant chatgpt answers in the sysadmin subreddit is somehow "contributing", maybe you should go to linkedin or the microsoft forums.
MDKagent007@reddit
so in other words you are the reddit police, got it
PedroAsani@reddit
You sweet summer child.
Plane parts are still made on machines controlled by win 3.11, nt4 and nt 3.51.
Air gap everything you can, firewall and segment the rest. When they get hacked, you have a paper trail for what you did, what you warned them about.
tehreal@reddit
Can you give me an example of a specific machine that is still using 3.11? I work in plane parts and our oldest stuff is XP. Not on the network though.
PedroAsani@reddit
Not a specific part, because I don't work in plane parts, just sysadmin. But I know the reason they still use them is that it is written into the contract that they will use the same process, machines and equipment for the life of the part which can be 60+ years.
No room in the language for improvements, upgrades or anything of the sort. So you end up trawling ebay for replacement motherboards when something craps out.
Jrunnah@reddit
We just need the computer. Vendor: "Buy a new CNC machine." But we just need the computer "Buy a new CNC machine again"
eldridgep@reddit
I'm going to guess those are Boeing parts? 😉
PedroAsani@reddit
I cannot confirm or deny such an accuracy.
QuiteFatty@reddit
"I can't confirm your true statement."
jdanton14@reddit
I may have taught an azure training class at this company, and several senior architects may have been unable to figure out how to reboot a windows vm. My jaw kind of dropped when that happened.
mahsab@reddit
And how exactly are they going to hack that? 0days all the way straight through your firewall, switches, old machines, new machines?
pdp10@reddit
The majority of compromises today require at least one piece of bad human judgement. I wouldn't expect legacy system compromises to be any different.
Mindestiny@reddit
And also like... what's the real risk? OP spends a lot of time beating the SMB1 = bad drum but like... This is on DCs and the like. Nobody should be doing anything on those servers that is putting them at direct risk for an SMB vulnerability to be exploited, and they better not be directly touching the internet.
Now if someone is already on the network to the point of being able to scan your internal DCs and file servers for SMB vulnerabilities... you're already in a shit heap of trouble because they're on your network.
PedroAsani@reddit
WannaCry would be the most famous example of real world risk. Most hackers and ransomers aren't original: they use pre-packaged kits that look for well-known exploits.
Mindestiny@reddit
But again, a wannacry infection should be impossible on these servers, because
A) the endpoints touching these servers are patched against wannacry
B) the servers themselves are not internet facing and no one should be doing anything like browsing the web or installing random exes on these servers.
Someone would have to specifically be on the network already and then target these servers with wannacry. Which, again, if someone has that level of access to your internal network an SMB vulnerability is the least of your worries.
PedroAsani@reddit
Because you always secure as many attack vectors as you can, to minimize the possibility of intrusion. You are effectively saying "there's no point locking the safe, if the burglars get in it's too late"
Mindestiny@reddit
No, I'm saying that OP is making a mountain out of a molehill, because the vulnerable servers in question are already protected by a defense in depth strategy that precludes this attack from being likely.
To use your analogy, this is closer to OP being upset that the client isn't concerned about keeping the closet door locked, because accessing the closet is business critical, when the actual doors to the home are deadbolted from hell to breakfast anyway. It's a known and accepted risk that is already mitigated through other means.
Stonewalled9999@reddit
Have you seen asphalt plants? DOS 5 on 486 SBC
ZPrimed@reddit
At least that shit probably doesn't have viable networking anymore and isn't wormable.
Fresh_Dog4602@reddit
*Novell NetWare enters the chat* you rang?
Stonewalled9999@reddit
No but my 14.4 USR sportster did
ZPrimed@reddit
Yeah and what else on your network is running IPX these days?
Netware eventually supported IP but I don't think during the dos5 days
Fresh_Dog4602@reddit
it was a yolk
Rich-Parfait-6439@reddit
When I did msp work, we made them sign a waiver if something happened to their network because of this security vulnerability then all repair time is billable. You also make them aware (in writing) there might be a chance Microsoft could end support and make a change to break it leaving them in a huge pickle. It’s not a lie but sometime putting that fear in the back of the mind, they may allow you to help them move forward.
techvet83@reddit
Have them read the Ned Pyle post at Stop using SMB1 - Microsoft Community Hub. I believe Ned's still the high priest of SMB at Microsoft.
tmontney@reddit
That's the article I was about to link. No question about it when Microsoft tells you to stop using it.
jdanton14@reddit
The tl;dr of Ned’s piece, is “we’ve put in all this cool shit to improve the security and performance of SMB, but if you light up SMB 1.0 anyone can bypass it all”
Fresh_Dog4602@reddit
this is management you're talking about, why shove them a tech article in their face? that won't work
tmontney@reddit
On top of it being a strong Microsoft recommendation, you inform them that WannaCry used this as their primary attack vector, hitting hundreds of thousands of computers costing billions in damage.
Fresh_Dog4602@reddit
Stop trying to think like some techy who wants to get his point across and start talking a language management understands. None of this needs to involve putting in effort in some damn POC.
techvet83@reddit
You may very well be right that they'll ignore it, but there's no harm in trying.
DarthPneumono@reddit
Sure there is: bore management with technobabble, and they're less likely to listen to your actual argument. You can't just try 100 things and hope one works; your audience will start ignoring you.
Fresh_Dog4602@reddit
exactly, this is not like an RPG situation where you reload a save file and try the other option.
AtomicRibbits@reddit
Eternal Blue is exactly how dangerous SMB1 is. Eternal Blue often fails too, but when it fails, it doesn't forget to blue screen the VM in question. So in case they don't get in, they fuck your host up instead. If any of that is at all hooked up to the internet, you can describe how much it would cost to fix such a fuckup.
If they have a solid mitigation such as airgapping on the hosts in question, it can help mitigate it.
roger_27@reddit
Super Mario Bros 1 is quite easy and a good time would be had by all
Zealousideal_Mix_567@reddit
Wait long enough and they'll figure it out. Lol
bitslammer@reddit
They don't care because you're there to rescue them. Tell them if they don't you are not going to be able to support them and if they don't budge walk away.
UntrustedProcess@reddit
So long as "they" accept the risk, it should not matter to a MSP. If things go sideways due to customer decisions, those are billable hours.
MasterIntegrator@reddit
This. Get an RA and add Incident Response Fees with a non-binding estimate of likely response cost. Also if they say "insurance will pay" the fuck they will. Read the terms. SMB1 is a known EOL method. Not covered. Then at the end of the year hit them with an unsupported legacy fee per month to help cover the shit show that will happen soon.
BespokeChaos@reddit
Exactly!
WANGblizzard@reddit
I preached this so hard at an old MSP, speaking to shrugs on shrugs.
spin81@reddit
This is the correct response right here.
Wendals87@reddit
This is the right answer
I work for an MSP and we implement what they ask but only after giving advice on why it's a bad idea
Everything has approval from them so if shit hits the fan it's "we told you so. What cost centre should this be billed to?"
HoggleSnarf@reddit
This was our position. Anything pre-2016 was their problem and anything that was on 2016 should be rolled forward to 2019 as a minimum.
We only had a few clients who were insistent on keeping their old 2003-2012 installations when we drew a hard line, and it meant there was a paper trail to cover us when the non-compliant customers inevitably had to invoke DR when they got hit.
If I were OP I'd be spending more time fine-tuning the DR plan and making sure these servers aren't considered BAU. These types of clients generally do not learn until the worst happens, and the internal person blocking major security fixes is moved on.
General_Importance17@reddit
BAU?
HoggleSnarf@reddit
Business as usual. I got a bit liberal with my acronyms, sorry
Jumpstart_55@reddit
AKA BOHICA
BespokeChaos@reddit
Do what we do. Tell them it's not warrantied for safety from cybersecurity threats and if they insist on using them, you cannot guarantee their safety and will not be held responsible, and have them sign a contract stating such.
VirtualPlate8451@reddit
Once had an IT person at a co-managed MSP customer set up a time to go over her cyber insurance questionnaire. Under "Do you have a DR plan" she had answered Yes.
This was news to me so I ask her when she put that together. She chuckles and says “my DR plan is to call you”.
ZPrimed@reddit
That's when you casually mention that your fee to ignore insurance fraud is 10x your normal billable
mtgguy999@reddit
I mean the questionnaire didn't ask if they had a good DR plan. If they ask such an open-ended question and don't ask any follow up on what the plan is, it's kinda on them.
ZPrimed@reddit
Usually when insurance talks about a "plan" they mean a formally documented thing. AFAIK lying to an insurance company by failing to tell them your "plan" is "call the MSP" could be interpreted as fraud
Fresh_Dog4602@reddit
Yup. A DR plan needs to - normally - be written into your company policies (assuming they have some kind of ISO certification). Just having your phone number doesn't absolve them of their responsibilities.
bitslammer@reddit
Great way to lose coverage or get nailed for fraud.
theleviathan-x@reddit
This. What's your contract with them like? Start adding in costs for maintaining legacy systems. Like big costs, that either make it worth it to support or give them enough reason to move off it.
Fresh_Dog4602@reddit
i wouldn't even bother with working out something specific like that. The only support you should promise is the backup and restore service. Like what exactly are you going to "support" on a protocol that's full of holes? By promising actual support at a higher fee you're making yourself liable again :D
markth_wi@reddit
I find myself in a similar situation: document, provide a path towards a more secure operating situation and make sure the senior staff are aware when you leave that you're doing so because there are good choices you felt were important enough to leave over.
Good manufacturing practices are important for some folks.
NoradIV@reddit
Why do they keep these systems around?
Your post feels like you want them to stop using these things and not providing them with realistic alternatives. I mean, a running business is more important than a business that is safe on paper.
It's as if I told you that all food you have is unhealthy and you should stop eating altogether.
Legacy stuff is part of the business and is unfortunately a real problem.
Creative-Dust5701@reddit
Because that's what happens with multimillion dollar manufacturing and scientific systems: because they are building only a few, they base the system around windows, and when the machines go out of production, support stops, so the only upgrade to a better OS is by buying a new machine.
Fresh_Dog4602@reddit
Yup
Vangoon79@reddit
Super Mario Bros #1 is super dangerous. You're going to die. A lot.
mtgguy999@reddit
We run our systems on Sonic #1 because speed is important to us
robotbeatrally@reddit
beat me to it
dns_hurts_my_pns@reddit
Gotta learn to use pipes. Who knew piping would benefit in both scripting and goomba stomping? Sysadmin double-edge sword right there
Mayki8513@reddit
Stop stressing yourself out, do your due diligence and present the information and let them make their own decision 🤷
DeadbeatHoneyBadger@reddit
Capture a ntlm hash using responder and then use Impacket to move laterally as any account you captured.
https://github.com/lgandx/Responder https://github.com/fortra/impacket
Classic-Shake6517@reddit
I would do what you are planning to. It's not that much effort. You could also just set up something simpler and enable SMBv1 vs trying to 1:1 their environment in such a short amount of time. A relay attack should be pretty easy to pull off and you can chain it to get execution on a remote endpoint via psexec or crackmapexec/netexec.
You can find the steps you need to do everything on hacktricks titled 139,445 - Pentesting SMB. I would focus less on the metasploit modules and more on the impacket/psexec/cme stuff. You may need to use the info in hacktricks as a jumping off point to find more detailed resources, there's no shortage especially for SMB.
It's important not to ignore controls you have in place for their protection/monitoring and how they apply to the scenario you are setting up. It's a good opportunity to discuss any other gaps in coverage or visibility related to the demonstration.
What they should do is get an actual pentest. If they are giving this much pushback on changing SMBv1 with how egregiously insecure it is, I doubt they are in the mindset to look at a pentest as a valuable investment. If you can demonstrate an account takeover you might have a better chance at getting buy-in for something like that.
hunterkll@reddit
Also, if all the patches have actually been applied, there really aren't any known SMB1 vulnerabilities currently in modern systems, at least. And by "modern" I mean ~2008/R2 and up .... 2003 I'd have to research on.
Classic-Shake6517@reddit
Microsoft has taken steps to improve the protocol and newer versions are more secure. Even when someone is running SMBv2 with signing enabled (but not enforced), a hash can be obtained and then relayed or cracked. SMB traffic can be manipulated to remove the parts you don't want in an SMBv1 handshake (more or less), which is why it's so dangerous. This article explains it pretty well:
https://www.calcomsoftware.com/why-ntlmv1-will-always-be-vulnerable-to-ntlm-relay-attacks/
One way to attack it works by running a server that will respond to broadcast traffic like LLMNR, NBT-NS, WPAD, etc. It responds to the request with a 401 or equivalent which coerces authentication, and then a tool like NTLMRelayx can relay the hash to another service. You can read more about it here:
https://trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022
There are other interesting attacks that use SMB over QUIC to perform a similar attack on Windows 11, which is some pretty cool research.
https://trustedsec.com/blog/making-smb-accessible-with-ntlmquic
It's worth checking out if you are curious and interested in going down a rabbit hole.
Fresh_Dog4602@reddit
wrong approach as many others also have pointed out
CeeMX@reddit
Just expose it publicly to the internet, the 10min timeframe might be enough to get them convinced to implement that yesterday
slazer2au@reddit
This isn't a technical problem to fix, this is contractual one.
Chat with your legal team and the customer's account manager and get a waiver written up saying "you have gone against our advice to disable insecure protocols in your environment. In the event of an incident involving this protocol, support will be best effort and no SLA" and get the customer to sign it.
A smart customer will realise this is a big problem that needs fixing; otherwise they sign away and you wait for the fire to start.
elephantLYFE-games@reddit
LOL, we have a legacy software and it only works with SMB1.
FuriousRageSE@reddit
With industrial automations, there are many many systems still running windows 95 :D
Zyvok@reddit
Back in like 2013 I did some work for a machining company where the system that ran the machine was a DOS system. It died and obviously we didn't replace it with another DOS machine, but I was able to get the software running in DOSBox with the help of the retired developer, whose phone number actually still worked.
bgatesIT@reddit
we have a tobacco maker that's kinda older, still runs XP, has its own internal network that links all the pieces, that shit's never touching our network, or the internet. It used to be on the network I hear, until one day it took over DHCP for the entire place (probably 10 years ago)
ianpmurphy@reddit
This isn't a problem when you don't have a network. I still have stuff running NT4 in industrial machines. They're standalone and we have copies of the disks. If they fail, swap the disk for the backup and make another disk.
dukandricka@reddit
This story is awesome. I hope that tobacco maker turns out to be the true index case/patient zero for computers becoming sentient, just so in 50 years humans can be like "...that bloody tobacco maker started it all".
champion_of_cheddar@reddit
I'm actively trying to resurrect a PC running windows NT........some one kill me please.
Stonewalled9999@reddit
You need the NT w/sp3 cd I can send you an iso if you need I have one on my desk
elephantLYFE-games@reddit
Sure are!
ianpmurphy@reddit
I have the same. Firewall it off, remove the systems from the domains, restrict what it can communicate with to a minimum. No access from users desktops, use a dedicated terminal server on the same isolated vlan.
QuiteFatty@reddit
lol ditto. Just enabled it on a device 5 min ago
Helpjuice@reddit
Go the professional route instead, as an MSP you should be showing them how out of compliance they are for the industry and how many regulations they are actively violating. You should have a dashboard available to them in real-time providing the real life metrics on how many systems have critical, high, medium, and low vulnerabilities, show all the systems that are end of life, which systems map to KEV, and show them all hardware and software that is currently end of life and no longer supported or abandoned.
Along with this should be shown a compliance and regulatory dashboard that maps regulations to their violations and SLAs breached. This way when something does happen they cannot say they did not know, they have real-time reporting on it, get emails about it, and your company briefs them about it and what they should be doing.
It might also be about that time to review their risk vs reward of keeping them on as an actual client and review if their contract should be terminated for non-compliance and failing to do their part to bring their organization up to compliance. As if your other customers find out this how your MSP does business you will more than likely have other issues to worry about.
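An added example, not from any poster in this thread, covering the defensive side of two comments above: Classic-Shake6517's point that signing enabled but not required still leaves relay open, and Helpjuice's real-time inventory of end-of-life systems. It audits the SMB1 and signing state of a DC or file server, turns on SMB1 access auditing so the legacy clients still negotiating SMB1 get named before the protocol is switched off, and only remediates when none remain. It assumes Windows Server 2016 or later with the built-in SmbShare and ServerManager modules; the function name, the -Remediate switch and the "Client Address:" regex are this example's own assumptions.

```powershell
# Added example (not from any poster in this thread). Run in an elevated
# PowerShell session on each DC / file server that still has SMB1 enabled.
# -Remediate is this example's own switch: use it only once the audit log
# shows no remaining SMB1 clients.
function Get-LegacySmbReport {
    param([switch]$Remediate)

    $cfg = Get-SmbServerConfiguration

    # Get-WindowsFeature exists on Server SKUs only; FS-SMB1 is the SMB1 binary.
    $smb1Feature = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue

    # Weak state the thread warns about: SMB1 on, or signing merely enabled but
    # not required (NTLM relay stays possible even over SMB2). Hardened target:
    # SMB1 disabled and uninstalled, RequireSecuritySignature = $true.
    $report = [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        SMB1Enabled         = $cfg.EnableSMB1Protocol
        SMB1BinaryInstalled = [bool]$smb1Feature.Installed
        SigningRequired     = $cfg.RequireSecuritySignature
        SMB1AuditingEnabled = $cfg.AuditSmb1Access
        NeedsAttention      = ($cfg.EnableSMB1Protocol -or -not $cfg.RequireSecuritySignature)
    }

    # While SMB1 stays on, have the server log every SMB1 session (event 3000
    # in the Microsoft-Windows-SMBServer/Audit log) so the legacy talkers are
    # named rather than guessed at.
    if ($cfg.EnableSMB1Protocol -and -not $cfg.AuditSmb1Access) {
        Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    }

    # Tally the SMB1 clients seen so far. The event text carries a
    # "Client Address:" line; the regex assumes that wording.
    $smb1Clients = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000
        } -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] }
        } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'ClientAddress'; e = { $_.Name } }, Count

    if ($Remediate) {
        if ($smb1Clients) {
            Write-Warning "SMB1 clients still seen; not disabling SMB1:"
            $smb1Clients | Format-Table -AutoSize | Out-String | Write-Warning
        } else {
            # Disable the protocol and require signing, then remove the binary
            # so a stray GPO or installer cannot simply re-enable it.
            # Uninstalling the feature needs a reboot to take full effect.
            Set-SmbServerConfiguration -EnableSMB1Protocol $false `
                -RequireSecuritySignature $true -Force
            if ($smb1Feature -and $smb1Feature.Installed) {
                Uninstall-WindowsFeature -Name FS-SMB1
            }
        }
    }

    [pscustomobject]@{ Config = $report; Smb1Clients = $smb1Clients }
}

# Report only; add -Remediate once Smb1Clients comes back empty.
Get-LegacySmbReport
```

The Smb1Clients list is the migration backlog for the OP's 2003 boxes; the Config object is the per-server row a compliance dashboard would show.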
ianpmurphy@reddit
Simple enough. Write a short note indicating that, while smb1 remains enabled, all security issues are the clients responsibility as their systems are wide open. Their systems are unsupportable. Get them to sign it.
DaNoahLP@reddit
Super Mario Bros 1 itself isn't really dangerous but the edges of this controller are. I recommend playing the All Stars version on SNES.
Cormacolinde@reddit
It's not just SMB1, 2003 isn't even supported as a domain client post-November 2022 kerberos changes.
Create a new domain running October 2022 patches on 2019 servers, and wall them off with the old servers.
Create a “buffer” server those old servers can talk to which can talk to your inside systems.
Slackeee_@reddit
Go to their legal department and let them sign a contract that sets you free from any and all potential repercussions that could follow them running a deprecated and insecure system. Then just do as they tell you.
ElevenNotes@reddit
Show them their passwords. That's what I do. Get the hashes, crack them, here are your passwords or redirect attack works too. After that they all change their mind. I did this once to a CIO, wrote half his password on a stickynote and put it on his screen. Sometimes you need to force people.
Fresh_Dog4602@reddit
you're still not solving the issue. you perhaps made more enemies by this.
ElevenNotes@reddit
That's not a bad thing you know?
Fresh_Dog4602@reddit
Sure, if you never want to have any OT/ ICS customer. Go ahead. More room for the other MSP's
ElevenNotes@reddit
I'm not an MSP, but thanks.
VA_Network_Nerd@reddit
Increase their prices by 10x while SMBv1 is still enabled in the environment and demand an addendum to the contract relieving your company of any liability in the event of a Crypto Locker attack, and the SLA for recovery from such an event is unlimited. If it takes you a year to recover their environment after the attack, it's penalty-free.
Essentially make it clear that you will drop them as a customer if they don't work with you to fix this.
Fresh_Dog4602@reddit
if you don't want industrial customers then this is the way forward indeed
reegz@reddit
At that point you can't push that it's a security issue. They're "accepting the risk". What you can do is make them aware of the availability issue of running those machines.
We're at the point where if they're relying on those machines parts and service for them will be difficult to find and expensive. You cannot guarantee any sort of restoration time. If it's part of a critical business process they need to be made aware of those availability issues.
Also, one day it could just stop working or you have to make decisions that hold everything else back. For example, you're limited in the domain functionality level and there will come a time where you can't do something because of this choice. You cannot tell them when or what it will be, but they're on borrowed time.
Update your contract with them accordingly, upcharge as necessary, many MSP's won't touch that because if it goes wrong you're to blame. So if they drop you because of price increase, boohoo.
Fresh_Dog4602@reddit
most MSP's just don't know how to handle this. This is not a technical issue. You can see that with all the people here in this thread getting their panties in a twist because "boohoo, smbv1, read this microsoft article" :p
NuAngel@reddit
Let Steve Gibson explain why it took all the way until ~2017 before SMBv1 was disabled by default. Maybe they'll listen to someone their own age / someone with blinking lights behind them.
https://www.youtube.com/watch?v=DC3RsyrCYfw&t=4328s
But, as others have said, if you're just contracted help, you can put in there that any work relating to SMBv1 vulnerabilities are not covered as part of the contract.
Fresh_Dog4602@reddit
why do that? They're EOL and EOS. Why would you write something as specific as smbv1 into a contract.
NuAngel@reddit
Exactly because it's EOS/EOL.
If the customer is going to demand it despite you recommending against it, as this customer is (probably because of some unique requirement - as others have mentioned, they may have manufacturing equipment that still uses SMBv1 - hundreds of thousands of dollars for a machine that happen to use a PC, but they can't just upgrade windows because the software only runs on some random German build of Windows XP Embedded!)... Well, then, with a contract you did your part cautioning them against it! Then you can either decline the labor of bailing them out, or, if you want the work, you're still willing to save their butts for quadruple the rate when they get hit with ransomware!
Fresh_Dog4602@reddit
Sure. I'm defo not against that solution. A lot of people in this thread seem to not be able to grasp that sometimes customers can't upgrade... of course that comes at a cost.
stueh@reddit
I work at an MSP, and we have a general clause in our contracts that if something is past end of life, we won't touch it. We only enact that when they're taking the piss. Also there's a thing where, if we find something you want us to do/work on too risky, we just plain won't do it (yes, you can say it's the customer's choice and you can only inform them and it's their risk, but the reality is that sort of customer will still blame us when it goes wrong. Not worth it.)
So, it's really simple if the big bosses get on board with it. A big ol letter explaining why their decision is dangerous and fucked, stating if they don't commit to a project starting by X days to remediate the issue, you will never ever touch it or anything related to it. If the DCs have SMB1 enabled, you don't touch DCs. You'll still do all the other stuff, though.
Or, just accept it. They made their choice after being clearly informed of the risks. Keep all records of emails, phone calls, and meetings for when they inevitably get rolled and lawyers get involved.
Can't save everyone, man, and sandboxing to prove how insecure it is is just over the top. Give them the documentation, articles from MS, whatever, and dotpoint it to make it simple to understand. "You will get hit by ransomware with this, and how much will X days of downtime cost you? Add that to $X for us to restore your entire environment from backups and sweep it." etc.
LuffyReborn@reddit
Ok lets go with some unconventional approach.
Make them pick one of the episodes of these TV shows and tell them:
If you want ransomware but without the happy ending then keep smb v1 alive. There is also an episode of the good doctor that goes about the same.
1. Mr. Robot (Season 1, Episode 2 - "eps1.1_ones-and-zer0es.mpeg")
2. CSI: Cyber (Season 1, Episode 1 - "Kidnapping 2.0")
3. The Blacklist (Season 8, Episode 15 - "The Russian Knot")
4. Hawaii Five-0 (Season 7, Episode 21 - "Ua Malo’o Ka Wai")
5. Grey’s Anatomy (Season 14, Episode 8 - "Out of Nowhere")
6. NCIS: Los Angeles (Season 10, Episode 3 - "The Prince")
7. Scorpion (Season 4, Episode 13 - "The Bunker Games")
8. FBI (Season 1, Episode 14 - "Exposed")
APIPAMinusOneHundred@reddit
At every MSP where I've worked, support for anything past its EOL is considered 'best effort' only and is 100% billable. I'd also add a rider to their contract stating that you bear zero responsibility for incidents arising from those systems, and point it out clearly to them.
Lowley_Worm@reddit
Just wait, their insurance company may convince them for you.
mahsab@reddit
What insurance lol
Fresh_Dog4602@reddit
exactly what i was thinking
hunterkll@reddit
OP - You aren't going to pop the DCs, not if they're current on patches.
Same with the 2008/R2 and 2012/R2 systems.
2003's where you *might* have your only luck.
There aren't any current open SMBv1 vulnerabilities.
It's just considered a legacy and insecure/weak protocol at an intrinsic level, but there's no easy-pop stuff like eternal blue/wannacry
LForbesIam@reddit
Sounds familiar. Ironically Microsoft “disabled” SMB v1 mapped drive support with a KB. Now they have to be a DFS share otherwise it won’t map.
bbqwatermelon@reddit
You don't have to convince anybody, you just have to document that it was brought to their attention. The buck stops with them.
andyinoc@reddit
If I were the MSP I would make them sign a waiver and have them acknowledge the risks of smbv1. If anything happens/will happen just bill the hell out of them - it’s inevitable. You can’t fix stupid.
Soccerlous@reddit
I’m surprised as an MSP you are still supporting this stuff. 2003 server? Get the fuck out.
Should be written into the contract: when Microsoft stops support, so does the MSP. Still want to run it after that date? Fine, but MSP staff don't touch it. They should be on their own.
YellowOnline@reddit
Well, if I disabled SMB1, my customer's NT4 server wouldn't work properly anymore.
Jumpstart_55@reddit
🔥🚩💪
grouchy-woodcock@reddit
You have 2 options:
Due-Log8609@reddit
Bro, I've given up trying to convince my BOSS to care about this shit.
Yoyomark2@reddit
Found this two-part video the other day about WannaCry and SMB1; it goes into detail: https://youtu.be/9KfY1hlibZ0?si=WJLOzkj7wV0fMICq
Fresh_Dog4602@reddit
Management doesn't care :p
noncon21@reddit
Spin up a Kali VM (after you get their permission, of course), use Responder to collect some creds, crack them offline or relay the hashes, log in to a few devices and give them a reality check.
Fresh_Dog4602@reddit
Wrong approach. This is not something that is solved just by flipping some switch.
Fresh_Dog4602@reddit
Seems like half the comments in this thread don't understand the customer though. Yes, everyone with half a brain working in IT knows SMBv1 is bad. Your customer probably also knows that.
Did you ask the customer why, with all the information presented to them, they still insist on using SMBv1?
All these fancy explanations of how SMBv1 is bad aren't going to work if that SMBv1 is needed to keep the company selling their... whatever it is they're selling, and keeping on yapping about it is not helping them either :) .
UMustBeNooHere@reddit
Make it a requirement of their support contract. Don’t fix it, we drop you.
Fresh_Dog4602@reddit
Maybe it's a factory and their million-dollar infra is worth more than 20 times your company, and they'll just find another MSSP.
UMustBeNooHere@reddit
And that's..... fine? From a security standpoint, MSPs can be held responsible for breaches. I work for an MSP and we have dropped a few clients for things like this.
Fresh_Dog4602@reddit
Sounds like a missed opportunity for you guys in dealing with this :)
unccvince@reddit
Dejoin the hosts from the DC, set up local admin accounts, VLAN the things, set up a one-way SMB share for them, and you should be fine.
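The isolation steps above assume you already know which hosts still actually talk SMB1 to the DCs and file servers. As an added example (not from the thread or any commenter), this PowerShell turns on the built-in SMB1 audit log on a Server 2016+ DC or file server and summarises which client addresses have used SMB1; the "Client Address:" message format it parses and the 30-day window are assumptions.

```powershell
# Added example, not from the thread: report SMB1 state on this server and
# list which client addresses still connect over SMB1, using the SMB server's
# own audit log (event ID 3000 in Microsoft-Windows-SMBServer/Audit).
# Assumes an elevated PowerShell session on Windows Server 2016 or later.

function Get-Smb1Status {
    $cfg = Get-SmbServerConfiguration
    $feature = $null
    # Get-WindowsFeature only exists on Server SKUs (ServerManager module)
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $feature = (Get-WindowsFeature -Name FS-SMB1).InstallState
    }
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Smb1Enabled      = $cfg.EnableSMB1Protocol
        Smb1Audited      = $cfg.AuditSmb1Access
        Smb1FeatureState = $feature
    }
}

function Enable-Smb1Audit {
    # Logging only: protocol behaviour is unchanged, so this is safe on
    # servers that still have to serve SMB1 to the legacy 2003 hosts.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

function Get-Smb1Clients {
    param([int]$Days = 30)   # assumption: 30 days is enough to catch monthly jobs
    $filter = @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: the audit message contains "Client Address: <ip>"
            if ($_.Message -match 'Client Address:\s*(\S+)') {
                $Matches[1].TrimEnd('.')
            }
        } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'ClientAddress'; e = { $_.Name } }, Count
}

Get-Smb1Status
if (-not (Get-SmbServerConfiguration).AuditSmb1Access) { Enable-Smb1Audit }
Get-Smb1Clients -Days 30 | Format-Table -AutoSize
```

Run it on each DC and file server; the client list is the actual scope of the legacy dependency, which is a much easier thing to put in front of the customer than a generic "SMB1 is bad".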
BigBobFro@reddit
Create a segregated domain forest with a uni-directional trust (it trusts us, but we don't trust it). Migrate all these trash systems there and let them die there.
stromm@reddit
At some point, the MSP just has to tell them "while we have enjoyed you as a client, the reputation and safety of our company is more important to us than continuation of this contract unless you upgrade critically vulnerable software and hardware within the next six months".
thortgot@reddit
Server 2003 is a much bigger problem than SMB1. They likely have dependencies on completely incompatible applications (which is why they haven't moved).
Have you given them a reasonable approach to migrating?
Fresh_Dog4602@reddit
Do they have cyber insurance with some insurance company? Sometimes it's nice to point out those requirements in case something goes wrong.
softwaremaniac@reddit
I learned a long time ago that stressing over clients is not something that should be done. If they want to comply, good; if not, give them a waiver and call it a day. If something happens, point them to the clause that absolves you of any responsibility. There are much better clients you could focus on than talking to a brick wall client like this.
systonia_@reddit
You don't convince people with tech talk. They don't understand and they do not care.
What they care about is when you tell them that in case of a hack, they will see 0 Cents of their (Cyber)Insurance, as running this old stuff is negligent.
countsachot@reddit
Usually for a system that antiquated, we ask to have a disclaimer signed waiving liability. That might wake them up.
patmorgan235@reddit
Fire them. If they're not willing to do the basics for security, you don't want to be called in on the weekend to rebuild because they got ransomwared.
Master-IT-All@reddit
You should bill additional for supporting out-of-date products. Your problem is that you're doing apples-and-oranges comparisons right now. You see security, they see money. Once you make that security problem a money problem, you can approach them with, "Hey, if you upgrade this system it will cost X; over this period Y it works out to Z per month, that's a lot less than $$$ which I am charging you per month to support this product."
Money is the only universal business metric.
stuartsmiles01@reddit
Should it be on the domain?
What does it take to remove it?
When will these activities be complete?
Can we get this resolved today?
Let's block logins till it's fixed?
That's so much better now.
Mogster2K@reddit
Isn't this the exact reason hospitals got hit with WannaCry ransomware?
Mister_Brevity@reddit
You don’t need to convince them of shit. Write out a proposal to get rid of smb1, list out the potential repercussions and if they deny the proposal, tell them they need to sign a different document absolving your MSP of responsibility for the consequences if they wish to remain a customer.
illicITparameters@reddit
Force them to sign a waiver acknowledging the massive security hole that is SMBv1 and that your company will not be held responsible if those vulnerabilities are exploited (obviously have a lawyer draft it), and then stop giving a shit.
justmirsk@reddit
For customers like this, we run our pentesting platform and typically compromise the entire domain within a few hours when SMBv1 is enabled. As others have said, you can't force them to do anything, it is up to them as a business if they want to accept this risk or not. Having the data from something like a pentest showing how quickly the entire environment can be compromised would likely get them to rethink their stance.
Security-Ninja@reddit
Dear customer: Here’s the risk register. Please sign and accept all liability.
Job done.
UntrustedProcess@reddit
Does the org have a risk register? Add it there as a critical risk along with explanations on what impacts are possible in their environment, and have senior management sign off on the residual risk after any possible compensating controls are put into place. The register can be as simple as a spreadsheet, but start tracking all these things there. There are some places with A LOT of risk tolerance. But that's usually because they practice "Risk Ignorance" versus "Risk Acceptance". Get it documented in a register and make that front and center. And perception of what is acceptable will start to change.
Mehere_64@reddit
Speak with the customer explaining the security risks. Explain that you will not be responsible for those risks and in the event something happens you get paid time and material to fix the problem. Get this in writing and signed.
BornAgainSysadmin@reddit
Either suck it up and deal with the fact they won't pay to change out legacy systems or fire them as a client.
Oh! Or charge them more for extended security support or whatever buzzwords you want to use. Call it an old shit service fee. Still using old, outdated insecure shit, there's a tax for that.
Affectionate-Cat-975@reddit
You keep enabling them by putting in security measures. If they really understood/cared then they would either trust you and accept your proposal or invest in understanding. They don't care nor do they want to care. So the real question is, how do you make it important to them... From the sounds of it, the only way to really make them care is to cost justify it.
Chipperchoi@reddit
What can you do other than provide info in writing and document that you informed them?
Had a client in manufacturing that was in the same boat. Some of the machinery on the factory floor ran ancient OSes that they couldn't upgrade. Could cost a million plus to replace, so they were not replacing until the machinery died. Nothing we could do.