
If you need NetServer you need the latest from IBM i.

NetServer (the IBM i service that allows you to map a network drive) and QNTC (the ability to read and write to a Windows share directly from your IBM i) have been around so long now that it’s hard to imagine life without them. Many of you will use them as part of your normal daily business processes; it’s a fabulously convenient way to get data on and off your IBM i.

Those of you running older versions of IBM i (anything less than v7.2) will soon be reminded of those bad old pre-NetServer days, as starting from the end of the year Microsoft will start to roll out updates that disable them.

In fact, some of you may have already lost access to it by order of the security teams at your workplace. If you were unsure as to why, and perhaps thought there was nothing you could do about it, then read on: there is hope.

SMBv1 is dead, long live SMBv2
What am I prattling on about? (Generally, this is the question I get asked the most in my life.) Well, unless you have been hiding under a rock for most of this year, you will have heard of the crypto viruses from the “Wanna” and “Petya” strains. They use a known vulnerability in the Server Message Block (SMB) version 1 protocol.

This vulnerability was made famous, or perhaps even infamous, by America’s most prolific “online backup service”, the NSA (National Security Agency), who are generally believed to have created the EternalBlue SMB exploit, which plays a big part in the way these nasty crypto viruses manage to propagate.

The bottom line is that, to avoid this family of exploits, we need to stop using SMBv1 and switch to SMBv2 instead. I am sure some of you will have already had conversations with your network sysadmins about disabling SMBv1 for exactly this reason.

Your IBM i is immune. So, what’s all the fuss about?
Many of you would be forgiven for thinking, my IBM i server “is as hard as nails” and laughs in the face of such viruses, and yes, of course you would be right, but that is not the point.

The point is that almost all of you will have at least one Windows-based operating system connecting to your IBM i, and these little suckers are SMBv1 crypto magnets. What is making this more urgent is that from the end of this year Microsoft are going to start disabling the SMBv1 protocol by default. This will start with an update to Windows 10, and it would not be a surprise if the same were to happen to Windows 8.x and 7 and then the Server versions.

ProSarcasticTip: Those of you running older Windows operating systems like XP or 2003 need not worry, as you clearly gave up worrying about security a long time ago 😉

Has the penny dropped?
Has the penny dropped yet? If the Windows clients don’t support SMBv1, it does not matter if your IBM i is immune: unless your IBM i server supports SMBv2, your NetServer cannot serve any nets, as there will not be any clients that it can serve them to!

What do you need to do about it?
Well, if you are running IBM i 7.3, the answer is of course nothing; SMBv2 support has been in 7.3 from the get-go. If you are running 7.2 and you are up to date with your patches, then again there is nothing for you to do, as IBM released PTFs SI64984, MF63692, MF63693, and MF63694 a couple of months ago to give you SMBv2 support for both NetServer and QNTC.

However, if you are running IBM i 7.1 or older, then you need to start planning. You could plan to force your networks to carry on supporting SMBv1; this is technically possible using Group Policies, but it really is a bad idea.

If you have some spare resource, you could spin up another IBM i partition at 7.2 or 7.3 to act as a proxy, have this talk to your network via SMBv2, and then pass the files on to your older IBM i server over a separate private connection.

Or you can do the best thing, which is to get yourself upgraded to IBM i 7.3. There are so many other benefits that you will be glad you did.

How can you test if the lack of SMBv1 is going to be a problem?
This is not too hard; you can go to any Windows 10 PC today and turn off SMBv1 support surprisingly easily. Simply go to “Turn Windows Features on or off” in the Control Panel and uncheck the SMB/CIFS V1 entry.

The sample below shows a typical Windows 10 screenshot of this.

Once you have disabled SMBv1 support (note you will probably need a reboot of the PC in question to complete this), try to use a network drive on your IBM i server. If you can still connect, then you are using SMBv2 and you do not have a problem.

ProTip: if you do not have a mapped network drive set up, just try running the following command on your PC: \\YourServersIPaddress (e.g. \\10.1.1.1), and this will trigger an SMBv2 connection.

ProTip2: Reversing the process is just as simple, so do not worry about this being a one-way process.
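
The same test can be driven from an elevated PowerShell prompt on the Windows 10 PC, which also shows the SMB dialect that was actually negotiated with the IBM i. This is an added example, not part of the original post; `$IbmiHost` and `$Share` are placeholders for your own NetServer address and share name, and it assumes the logged-on user is allowed to open that share.

```powershell
# Added example: placeholders below are assumptions, replace with your own values.
$IbmiHost = '10.1.1.1'      # IBM i NetServer name or IP address (placeholder)
$Share    = 'YourShare'     # a NetServer share you can read (placeholder)

# 1. Is the SMB 1.0/CIFS feature still enabled on this PC?
#    (This is the checkbox in "Turn Windows Features on or off".)
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Write-Host "SMB1Protocol feature state: $($smb1.State)"

# To switch it off from the command line instead of the Control Panel
# (a reboot is still needed before the change takes effect):
#   Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
# To reverse the test afterwards:
#   Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# 2. Touch the share so that Windows negotiates a session with the IBM i.
$reachable = Test-Path "\\$IbmiHost\$Share"
Write-Host "Share \\$IbmiHost\$Share reachable: $reachable"

# 3. Inspect the dialect Windows negotiated for that session.
$sessions = Get-SmbConnection -ServerName $IbmiHost -ErrorAction SilentlyContinue

if (-not $sessions) {
    # With SMBv1 disabled on the PC, no session means the server
    # offered nothing the client was willing to speak.
    Write-Warning "No SMB session to $IbmiHost. Check the IBM i release and PTF level."
}
else {
    foreach ($s in $sessions) {
        $line = "{0}\{1} negotiated dialect {2}" -f $s.ServerName, $s.ShareName, $s.Dialect
        if ([version]$s.Dialect -lt [version]'2.0') {
            # Still on SMBv1: this connection will break once SMBv1 is removed.
            Write-Warning "$line  (SMBv1, will stop working)"
        }
        else {
            Write-Host "$line  (SMBv2 or later, OK)"
        }
    }
}
```

Running step 3 before SMBv1 is disabled is also useful: a dialect below 2.0 against your IBM i tells you in advance which servers will lose their mapped drives.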

Nice to see you
Please come and join us at our next event back in my home town of Wolverhampton on Thursday 2nd November. We have the latest news on how the GDPR regulations will start affecting you next year as well as news on Open Source and RPG development.

More details and a booking form are available at our website www.i-ug.co.uk


Comments

One response to “Wanna Use SMB v2”

  1. On 7.2, if you have applied PTFs and it still is not working, look here https://www-01.ibm.com/support/docview.wss?uid=nas8N1022198 to understand what is going on.