How Unitrends supports SMBv2

Information
000005920
There is a security_option for SMB2 available.
Unitrends Backup; Recovery Series; Unitrends Free
RS/UB 10.3; RS/UB 10.2; RS/UB 10.1; RS/UB 10.0; RS/UB 9.2; RS/UB 9.1; RS/UEB 9.0
Details
Unitrends provides regular security patches to address vulnerabilities, as discussed in "Unitrends Response to certain security vulnerabilities (CVEs) - Reference Article".

As part of these security patches, the Unitrends system can be configured to allow only SMB2 access to its Samba shares. However, certain applications may not be fully functional when using SMB2.

Mounting external CIFS shares with SMB2-only access from the Unitrends system is not yet supported via CentOS6 on the Unitrends system.
To enforce SMB2 only, follow the steps below.
If you have unitrends-security-10.2.0 or later, the smb2 option is already available. Check the installed version with:
rpm -q unitrends-security
If the installed version is prior to release 10.2, apply the security updates by running these commands from PuTTY or ssh:
wget ftp://ftp.unitrends.com/utilities/security_get.sh
sh security_get.sh apply

Then set the SMB2 security option:
security_option smb2
This smb2 option also sets the Unitrends Samba shares to user security with a default user 'root' and default password 'unitrends1'. To change the Samba user and/or password, use this command:
security_option smbuser <username> <password>

To revert from SMB2-only, run the following commands:
security_option smborig
security_chk
security_option dbhost
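
The following check is an added example, not Unitrends code and not part of the original article. It audits a Samba configuration file for the two settings the article attributes to the smb2 option (SMB2-only access and user security). It assumes these appear as the standard Samba [global] parameters "min protocol"/"server min protocol" and "security"; the article does not show what security_option actually writes, and the function names and sample files are hypothetical.

```sh
#!/bin/sh
# Added example, not Unitrends code. Parameter names are Samba's own.

# Print "<min protocol> <security>" as set in the [global] section of file $1.
# Samba ignores case and spaces in parameter names, and "min protocol" is a
# synonym of "server min protocol". Settings in other sections do not count.
smb_settings() {
    awk '
        /^[ \t]*[#;]/ { next }                 # comment line
        /^[ \t]*\[/ {                          # section header
            s = tolower($0); gsub(/[ \t\r]/, "", s)
            in_global = (s == "[global]"); next
        }
        in_global && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == "minprotocol" || key == "serverminprotocol") proto = toupper(val)
            if (key == "security") sec = tolower(val)
        }
        END {
            if (proto == "") proto = "UNSET"   # assumption: unset means SMB1 allowed
            if (sec == "") sec = "unset"
            print proto, sec
        }
    ' "$1"
}

# Return 0 only when SMB1 dialects are refused and security is "user".
smb2_only() {
    set -- $(smb_settings "$1")
    case "$1" in
        SMB2*|SMB3*) ;;
        *) echo "FAIL: min protocol $1, SMB1 can still be negotiated"; return 1 ;;
    esac
    [ "$2" = "user" ] || { echo "FAIL: security is $2, expected user"; return 1; }
    echo "OK: min protocol $1, security $2"
}

# Constructed sample configs (not copied from an appliance).
tmp=$(mktemp -d)
printf '[global]\n  Min Protocol = SMB2\n  security = user\n' > "$tmp/smb2.conf"
printf '[global]\n  security = share\n[backups]\n  min protocol = SMB2\n' > "$tmp/orig.conf"
smb2_only "$tmp/smb2.conf"          # passes
smb2_only "$tmp/orig.conf" || true  # fails: the global floor is unset
```

To audit a live system, pass the path of its Samba configuration file (commonly /etc/samba/smb.conf, an assumption here) or a saved copy of `testparm -s` output.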


Notes about certain application features with SMB2 restrictions.

SharePoint 
SharePoint 2007 with Windows 2003 and prior cannot support SMBv2.
Any later versions of SharePoint on a later Windows release may support SMBv2, but may need custom client configurations in order for Unitrends Backups to be performed.  See https://blogs.msdn.microsoft.com/uksharepoint/2009/01/05/sharepoint-ports-proxies-and-protocols-an-overview-of-farm-communications/
Otherwise SharePoint backups to Unitrends will not be successful when the UB appliance is configured for SMBv2. 

Solaris / Oracle
The Solaris network/smb/client works with the Unitrends SMBv2 configuration on Solaris 11.1 or later.  The additional step needed to make this transparent is:    

smbadm add-key -u root@192.168.111.22

where 192.168.111.22 is the UB IP address.  Enter the default password of unitrends1 unless modified.

Hyper-V Instant Recovery

As noted in our article "SMBv1 environment vulnerabilities in response to ransomware reports" and also by the security_options script when running `security_option smb2`, Hyper-V Instant Recovery is NOT compatible with SMB2. This feature will not work when SMB2 is enabled. This is a Microsoft limitation that we cannot work around at this time.

The same limitation applies to Windows Replicas created on a Hyper-V host server as the Hyper-V host must use SMBv1 to connect to the Unitrends Appliance to acquire boot media used to create the replica.  

Agent Push
If the Windows client is later than 2003 and supports SMBv2, then Agent Push support for SMBv2 will be included as part of Release 10.2.

Windows 2019 - Windows 2019 ships with SMBv1 disabled by default. It is recommended to enable SMBv2 mode on Unitrends appliances to support Agent Push with 2019.  If this is not possible due to legacy systems in your environment, SMBv1 can be re-enabled by following the instructions here.

The introduction of WannaCry illuminated a security flaw in the SMB1 protocol.  While Microsoft security patches have been made available to Windows systems, many have chosen to upgrade their environment to use only the SMB2 protocol.

Furthermore, Microsoft is increasingly requiring their customers to configure environments with SMB1 disabled in favor of SMB2. 

While Unitrends is not directly at risk, Unitrends supports both SMB1 and SMB2 environments.

Many customers will have already configured their Windows environment for SMB2-only before contacting Unitrends, but below is an article from Microsoft describing methods to disable SMB1 and enable SMB2 on various Windows systems.  Usually the registry entries are the key component.
https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and
 
Meta
Luke Stokes
Michael Ciraco
