Remote Log File Archives broken after SMBv1 disabled

After disabling SMB version 1 on our Windows servers per US-CERT best practices, UTM log file archiving is broken.
Anyone have a workaround or extra information about this?

SMBv1 disabled on Windows 2008R2 and Windows 2012R2 servers via:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled
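
An added example (not from this thread or from Sophos) of the check a file-server admin would want before flipping that registry value: list the sessions still negotiating an SMB1 dialect, so a client such as the UTM log-archive job is found before it silently breaks, then apply the same SMB1=0 value and read it back. It assumes an elevated PowerShell on Server 2012 R2 or later (the SmbShare module); on 2008 R2 only the registry function applies.

```powershell
# Added example, not code from the thread. Assumes elevated PowerShell and the
# SmbShare module (Windows Server 2012 and later). Registry path is the one the
# original post used.
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Clients {
    # Returns every current session whose negotiated dialect is below 2.0,
    # i.e. an SMB1 client. Anything listed here (for example a UTM writing log
    # archives to this server) loses access the moment SMB1 is turned off.
    Get-SmbSession |
        Where-Object { [version]$_.Dialect -lt [version]'2.0' } |
        Select-Object ClientComputerName, ClientUserName, Dialect, NumOpens
}

function Disable-Smb1Server {
    # Same change the original post describes: LanmanServer\Parameters\SMB1 = 0.
    # Takes effect after the server is restarted.
    New-ItemProperty -Path $LanmanParams -Name SMB1 -PropertyType DWORD `
        -Value 0 -Force | Out-Null
    # Read the value back instead of assuming the write succeeded.
    return ((Get-ItemProperty -Path $LanmanParams -Name SMB1).SMB1 -eq 0)
}

$smb1Clients = Get-Smb1Clients
if ($smb1Clients) {
    Write-Warning 'Active SMB1 sessions found; these clients will break if SMB1 is disabled:'
    $smb1Clients | Format-Table -AutoSize
}
elseif (Disable-Smb1Server) {
    Write-Output 'SMB1 set to 0 in the registry; restart the server to apply.'
}
```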

  • The last I know, SMBv1 has to be enabled.  Please let us know what Sophos Support has to say about this.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Internal testing indicates SMBv1 has to be enabled for the remote log archiving process to work. We're not going to pursue this with Sophos support as the SMBv1 risk appears to have been a bit overblown. We've re-enabled SMBv1 server services on the file server handling our archived logs.

    Regards,
    Thomas

  • We're looking at disabling SMB1 on our DCs but when we tested this it broke our UTM AD SSO. We're still running UTM v 9.4 at the moment. Can anyone confirm that UTM still needs SMB1 for its authentication?

    Obviously we need to take this seriously because of the "wanna..." ransomware attacks

  • I can confirm both issues, based on my testing:

    1. Disabling SMB1 on the file server broke the remote log archiving (UTM 9.413-4).
    2. Disabling SMB1 on DCs (2008 R2) broke SSO AD authentication in Firefox (curiously, no problem with IE for the moment, only Firefox).
  • Thanks. Yeah, we're also running UTM 9.413-4 but it broke for us in IE. Think we're running 2012 DCs though.
