Time for a health check for IBM i users as vulnerabilities identified in Microsoft SMBv1
Managing IT security is a preoccupation for all of us. We employ all manner of techniques, software and monitoring to keep our companies’ IT infrastructure up and running, protecting business performance. But with malware instances on the rise and technology becoming ever more sophisticated, it’s imperative to keep ahead of the latest developments to keep your business security tightly under wraps.
One such instance this year has been the cryptovirus attacking a vulnerability in the Windows-managed Server Message Block version one (SMBv1), which made the headlines when the National Security Agency was affected, among other high profile organisations. As a result of that vulnerability, from today Microsoft will be providing updates to disable SMBv1, meaning that users will need to migrate to SMBv2 instead to ensure long-term system security and close down the vulnerability associated with version one.
So, why is that important for IBM i users? It’s because the SMB is the mechanism that enables users to map their network drive to a file share on the IBM i. Most organisations will have at least one Windows based system connected to their IBM i, meaning that their Netserver will be affected as SMBv1 is disabled. At this point, users will no longer be able to map a network drive to any file share on the IBM i, making contingency planning during the transition a must.
It’s not all bad news. Any organisations operating an IBM i 7.3 will be unaffected, as this was introduced with SMBv2 as standard. Equally, any companies using IBM i 7.2 that are fully up to date with their patches should be unaffected. The real action is for those companies running with 7.1 or earlier, who must make a decision as to their preferred route. It is possible to continue with an unsupported SMBv1, but from a security perspective it is risky.
In our view, turning off SMBv1 isn’t just recommended, it’s essential. Affected customers should start planning for upgrades to 7.2, or above, as well as considering their options for moving workload into the cloud.
We can work with IBM i users to help them disable SMBv1 and keep systems protected. The process itself is uncomplicated, being performed via a single powershell line. The complexity creeps in where the number of servers is large, because the update will need to be undertaken individually on every server. There are some intricacies that must be taken into account during any disablement process, which again we will work on directly with affected customers to avoid disruption. For instance, any companies using EMC storage devices that are more than four years old will find that they no longer work properly once SMBv1 is disabled, so it’s a process that must be managed carefully and expertly.
There is a simple check that can be performed to confirm whether or not your organisation will be affected. In a Windows 10 Control Panel, users can simply uncheck the “SMB/ CIFS V1” box to turn off SMBv1. Then try to use a network drive on the IBM i – if it works normally, you already have SMBv2 and there’s no problem.
To discuss your particular case in more detail, contact the Blue Chip Service Desk on 08444 825 400.