Another Interesting SMB Vulnerability

Discussion in 'other security issues & news' started by itman, May 22, 2017.

  1. itman

    itman Registered Member

    Joined: Jun 22, 2010 | Posts: 8,593 | Location: U.S.A.
    I don't know if Microsoft ever did anything about this one.
    https://medium.com/@ValdikSS/deanon...uring-microsoft-and-vpn-accounts-f7e53fe73834
     
  2. itman

    itman Registered Member

    Noteworthy is the author's recommendation to limit outbound SMB port traffic to the local network. Currently, and as far as I am aware, all AV firewalls, including the Windows one, allow unrestricted outbound access to those ports.

    Most importantly, if such a restriction were in widespread use, the current WannaCry worm propagation would never have occurred.
     
  3. Minimalist

    Minimalist Registered Member

    Joined: Jan 6, 2014 | Posts: 14,883 | Location: Slovenia, EU
    If it was limited to the local network (as advised by the author), it would still reach all computers on the local network. On some networks, that could be thousands of machines.
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined: Mar 30, 2006 | Posts: 5,694 | Location: USA
    Interesting, this is something I wondered about in the past. Thanks for the post. I'm going to read more into this as soon as I finish this database assignment I'm working on.
     
  5. itman

    itman Registered Member

    If you refer to the FireEye analysis of WannaCry here: https://www.wilderssecurity.com/thr...ut-of-date-systems.393974/page-6#post-2677761 , all the outbound traffic on port 445 was to external IP addresses.

    Internal inbound port 445 traffic within the local network has always been considered safe and is essential for local network sharing via SMB.
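
Added example, not part of the thread or the linked article: a small audit that reports outbound SMB connections to non-local addresses, the traffic the restriction discussed in posts 2 and 5 would block. It assumes log lines in the Windows Firewall log field order; `LOCAL_NETS`, the function names and the sample lines are constructed for illustration.

```python
import ipaddress

# Assumption: "local network" means these ranges; adjust to the site's own addressing.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8", "fe80::/10", "fc00::/7", "::1/128")]
SMB_PORTS = {139, 445}

def is_local(addr):
    """True if addr falls inside one of the ranges treated as local."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in LOCAL_NETS)

def external_smb(log_lines):
    """Return (action, src, dst, port) for outbound SMB to non-local hosts."""
    hits = []
    for line in log_lines:
        f = line.split()
        if line.startswith("#") or len(f) < 17:
            continue  # header, blank or truncated record
        action, proto, src, dst, dport, path = f[2], f[3], f[4], f[5], f[7], f[16]
        if proto != "TCP" or path != "SEND" or not dport.isdigit():
            continue  # only outbound TCP is of interest here
        try:
            local = is_local(dst)
        except ValueError:
            continue  # destination field is not an IP address
        if int(dport) in SMB_PORTS and not local:
            hits.append((action, src, dst, int(dport)))
    return hits

# Constructed sample records (documentation addresses stand in for external hosts).
SAMPLE = [
    "#Fields: date time action protocol src-ip dst-ip src-port dst-port size "
    "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path",
    "2017-05-22 10:01:02 ALLOW TCP 192.168.1.10 192.168.1.20 49811 445 0 - 0 0 0 - - - SEND",
    "2017-05-22 10:01:03 ALLOW TCP 192.168.1.10 203.0.113.5 49812 445 0 - 0 0 0 - - - SEND",
    "2017-05-22 10:01:04 ALLOW TCP 192.168.1.10 198.51.100.7 49813 443 0 - 0 0 0 - - - SEND",
    "2017-05-22 10:01:05 ALLOW TCP 192.168.1.30 192.168.1.10 50122 445 0 - 0 0 0 - - - RECEIVE",
    "2017-05-22 10:01:06 DROP TCP 192.168.1.10 198.51.100.9 49814 445 0 - 0 0 0 - - - SEND",
]

if __name__ == "__main__":
    for action, src, dst, port in external_smb(SAMPLE):
        print(f"{action:5} {src} -> {dst}:{port}")
```

An `ALLOW` hit means the host's firewall currently permits SMB to leave the local network; a `DROP` hit shows an outbound restriction already in effect.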
     
  6. Minimalist

    Minimalist Registered Member

    Yes, as long as there is no exploit against SMB (as in this case against SMB v.1). If malware gets into the network and is exploiting an unpatched SMB vulnerability, allowed inbound 445 (on an individual system) will allow malware to spread inside that network.
     
  7. itman

    itman Registered Member

    Yes. And the only way to stop it within the network if you use Windows is by applying a patch against it. Or by disabling file and device sharing, which is not an acceptable solution for most commercial concerns.
     
    Last edited: May 22, 2017