Posted on October 4, 2017 · Posted in Windows 10, Windows Server 2016

How to Disable SMB 1.0 in Windows 10 / Server 2016

By default, SMB 1.0 support is still enabled in Windows 10 and Windows Server 2016. In most cases, it is needed only for legacy systems, such as the no longer supported Windows XP, Windows Server 2003 and older OSs. If there are no such clients left on your network, it’s better to disable SMB 1.x or remove the SMB1 driver completely. This protects your network against the many vulnerabilities inherent in this outdated protocol (as demonstrated once again by the recent WannaCry and NotPetya attacks), and all clients will use newer, more efficient, secure and functional SMB versions when accessing SMB shares.

In one of the previous articles, we showed the table of client- and server-side SMB version compatibility. According to the table, old client versions (XP, Server 2003 and some *nix clients) can access file resources only using SMB 1.0. If there are no such clients in the network, you can completely disable SMB 1.0 on the side of file servers (including AD domain controllers) and client stations.

Auditing Access to the File Server over SMB v1.0

Before disabling or completely removing the SMB 1.0 driver on the SMB file server, it’s worth making sure that no outdated clients on your network still use it. To do this, enable auditing of file server access over SMB v1.0 using the following PowerShell command:

Set-SmbServerConfiguration -AuditSmb1Access $true

After some time, examine the events in the log Applications and Services -> Microsoft -> Windows -> SMBServer -> Audit and see if any clients accessed the file server over SMB1.

Tip. You can display the list of events from this log using this command:

Get-WinEvent -LogName Microsoft-Windows-SMBServer/Audit

In our example, the log shows that the client 192.168.1.10 accessed the file server over SMB1. It is evidenced by the events with the EventID 3000 from SMBServer and the following description:

SMB1 access
Client Address: 192.168.1.10
Guidance:
This event indicates that a client attempted to access the server using SMB1. To stop auditing SMB1 access, use the Windows PowerShell cmdlet Set-SmbServerConfiguration.


In our case we’ll ignore this information, but you should bear in mind that later this client won’t be able to connect to this SMB server.
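
The following added example (not part of the original article) summarizes the Event ID 3000 records per client address, so you can see which hosts still depend on SMB1 before you disable it. The function name Get-Smb1ClientSummary and the sample events are assumptions constructed for illustration; the regular expression relies on the "Client Address:" line of the event description shown above.

```powershell
# Added example: per-client summary of SMB1 audit events (Event ID 3000).
# Get-Smb1ClientSummary is a hypothetical helper, not a built-in cmdlet.
function Get-Smb1ClientSummary {
    param(
        # Objects exposing TimeCreated and Message, e.g. Get-WinEvent output.
        [Parameter(Mandatory)]
        [AllowEmptyCollection()]
        [object[]]$Events
    )
    # @() keeps the result an array even when nothing matches.
    $hits = @(foreach ($e in $Events) {
        # The event description carries a "Client Address: <ip>" line.
        if ($e.Message -match 'Client Address:\s*(\S+)') {
            [pscustomobject]@{ Client = $Matches[1]; Time = $e.TimeCreated }
        }
    })
    $hits | Group-Object -Property Client | ForEach-Object {
        $times = @($_.Group.Time | Sort-Object)
        [pscustomobject]@{
            Client    = $_.Name
            Hits      = $_.Count
            FirstSeen = $times[0]
            LastSeen  = $times[-1]
        }
    } | Sort-Object -Property Hits -Descending
}

# Constructed sample events (not real log data) so the example runs offline.
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2017-10-02T09:15:00'
                       Message     = "SMB1 access`nClient Address: 192.168.1.10" }
    [pscustomobject]@{ TimeCreated = [datetime]'2017-10-02T14:40:00'
                       Message     = "SMB1 access`nClient Address: 192.168.1.23" }
    [pscustomobject]@{ TimeCreated = [datetime]'2017-10-03T08:05:00'
                       Message     = "SMB1 access`nClient Address: 192.168.1.10" }
)
Get-Smb1ClientSummary -Events $sample | Format-Table -AutoSize

# On a file server with auditing enabled, feed it the real log instead:
# $live = @(Get-WinEvent -FilterHashtable @{
#     LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000
# } -ErrorAction SilentlyContinue)
# Get-Smb1ClientSummary -Events $live
```

An empty result from the live query after a representative audit period (including month-end jobs, scanners and backup tasks) is the signal that the server side can be disabled without cutting off a client.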

Disabling SMB 1.0 on the Server Side

SMB 1.0 can be disabled both on the client-side and on the server-side. On the server side, SMB 1.0 provides access to SMB file shares over the network, and on the client side, it is needed to access these resources.

Using the following PowerShell command, check if SMB1 is enabled on the server side:

Get-SmbServerConfiguration


As you can see, the value of the EnableSMB1Protocol parameter is set to True.

So let’s disable the support of this protocol:

Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

Then use the Get-SmbServerConfiguration cmdlet to make sure that SMB1 is now disabled.


To completely remove the driver that processes client requests for SMB v1 access, run this command:

Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -Remove

Reboot your system, then make sure that SMB1 support is completely disabled:

Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol


Disabling SMB 1.0 on the Client Side

Having disabled SMB 1.0 on the server side, you prevent clients from connecting to the server over this protocol. However, they can still use the outdated protocol to access third-party (including external) resources. To disable SMB v1 on the client side, run these commands:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled


If you disable support for SMB 1.0, you will protect your network from all known and not yet discovered vulnerabilities in it. The last significant vulnerability in SMBv1, which allows an attacker to remotely execute any code, was fixed in March 2017.
