By default, SMB 1.0 support is still enabled in Windows 10 and Windows Server 2016. In most cases, it is needed only by legacy systems, such as the no longer supported Windows XP, Windows Server 2003 and older OSs. If no such clients are left on your network, it is better to disable SMB 1.x or remove the SMB1 driver completely. This protects your network against the many vulnerabilities inherent in this outdated protocol (as the recent WannaCry and NotPetya attacks demonstrated once again), and all clients accessing SMB shares will use the newer, more efficient, secure and functional SMB versions.
In one of the previous articles, we showed the table of client- and server-side SMB version compatibility. According to the table, old client versions (XP, Server 2003 and some *nix clients) can access file resources only using SMB 1.0. If there are no such clients in the network, you can completely disable SMB 1.0 on file servers (including AD domain controllers) and client workstations.
Auditing Access to the File Server over SMB v1.0
Before disabling or completely removing the SMB 1.0 driver on the SMB file server, make sure that there are no outdated clients on your network that still use it. To do so, enable auditing of file server access over SMB v1.0 with the following PowerShell command:
Set-SmbServerConfiguration -AuditSmb1Access $true
After some time, examine the events in the Applications and Services Logs -> Microsoft -> Windows -> SMBServer -> Audit log and see whether any clients accessed the file server over SMB1:
Get-WinEvent -LogName Microsoft-Windows-SMBServer/Audit
In our example, the log shows that the client 192.168.1.10 accessed the file server over SMB1. This is evidenced by events with EventID 3000 from the SMBServer source and the following description:
Client Address: 192.168.1.10
This event indicates that a client attempted to access the server using SMB1. To stop auditing SMB1 access, use the Windows PowerShell cmdlet Set-SmbServerConfiguration.
In our case we will ignore this client, but bear in mind that once SMB1 is disabled it will no longer be able to connect to this SMB server.
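To get an overview of every client that has used SMB1 since auditing was switched on, rather than reading the events one by one, the audit log can be summarized per client address. The following script is an added example and not part of the original article; the function name Get-Smb1AuditClients is my own, and it assumes the event message contains a "Client Address: x.x.x.x" line as shown above.

```powershell
# Added example (not from the original article): summarize which clients have
# used SMB1 since auditing was enabled. Reads EventID 3000 from the
# Microsoft-Windows-SMBServer/Audit log and extracts the address from the
# "Client Address: ..." line of the event message. Run in an elevated
# PowerShell session on the file server.

function Get-Smb1AuditClients {
    param(
        # How far back to look; the default covers the whole log.
        [datetime]$Since = [datetime]::MinValue
    )

    $filter = @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 }
    if ($Since -gt [datetime]::MinValue) { $filter.StartTime = $Since }

    # Get-WinEvent throws when nothing matches, so suppress that and treat
    # "no events" as "no SMB1 clients seen".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { return }

    $events |
        ForEach-Object {
            # Message format assumed from the article's event description.
            if ($_.Message -match 'Client Address:\s*(\S+)') {
                [pscustomobject]@{ Time = $_.TimeCreated; Client = $Matches[1] }
            }
        } |
        Group-Object Client |
        ForEach-Object {
            $sorted = $_.Group | Sort-Object Time
            [pscustomobject]@{
                Client    = $_.Name
                Attempts  = $_.Count
                FirstSeen = $sorted[0].Time
                LastSeen  = $sorted[-1].Time
            }
        } |
        Sort-Object LastSeen -Descending
}

# Usage: list the SMB1 clients seen during the last 30 days.
Get-Smb1AuditClients -Since (Get-Date).AddDays(-30) | Format-Table -AutoSize
```

Leave auditing enabled for at least one full business cycle (month-end jobs, backup windows) before trusting an empty result; a client that connects only occasionally will not show up in a short sample.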
Disabling SMB 1.0 on the Server Side
SMB 1.0 can be disabled both on the client-side and on the server-side. On the server side, SMB 1.0 provides access to SMB file shares over the network, and on the client side, it is needed to access these resources.
Check whether SMB1 is enabled on the server side with the Get-SmbServerConfiguration cmdlet and look at the EnableSMB1Protocol parameter in its output.
In our example, the value of the EnableSMB1Protocol parameter is True.
So let’s disable the support of this protocol:
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
And using Get-SmbServerConfiguration cmdlet, make sure that SMB1 is now disabled.
To completely remove the driver that processes client requests for SMB v1 access, run this command:
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -Remove
Reboot the system, then run the following command to make sure that the SMB1 feature is completely removed:
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
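The server-side steps above can be wrapped into one idempotent routine that first reports which sessions are still negotiating the SMB1 dialect, so that nobody is cut off by surprise. This is an added example, not code from the original article; the function name Disable-Smb1Server and the -RemoveFeature switch are my own, and it relies only on the cmdlets shown in this section plus Get-SmbSession.

```powershell
# Added example (not from the original article): disable SMB1 on the server
# side after checking for sessions that still use it, and optionally remove
# the SMB1 driver/feature. Requires an elevated PowerShell session.

function Disable-Smb1Server {
    param(
        # Also uninstall the SMB1 optional feature (a reboot completes it).
        [switch]$RemoveFeature
    )

    $before = (Get-SmbServerConfiguration).EnableSMB1Protocol
    Write-Host "EnableSMB1Protocol before: $before"

    # Sessions negotiated with an SMB1 dialect (Dialect reads like "1.5").
    # These clients lose access as soon as the protocol is disabled.
    $smb1Sessions = Get-SmbSession | Where-Object { $_.Dialect -like '1.*' }
    if ($smb1Sessions) {
        Write-Warning "Active SMB1 sessions found; they will lose access:"
        $smb1Sessions |
            Select-Object ClientComputerName, ClientUserName, Dialect |
            Format-Table -AutoSize
    }

    if ($before) {
        # -Force suppresses the confirmation prompt.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    $after = (Get-SmbServerConfiguration).EnableSMB1Protocol
    Write-Host "EnableSMB1Protocol after:  $after"

    if ($RemoveFeature) {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
        if ($feature.State -eq 'Enabled') {
            # -Remove also deletes the feature payload; -NoRestart defers the
            # reboot so it can be scheduled in a maintenance window.
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -Remove -NoRestart | Out-Null
            Write-Host "SMB1Protocol feature removal scheduled; reboot to complete."
        } else {
            Write-Host "SMB1Protocol feature state: $($feature.State)"
        }
    }

    # $true when the protocol is now disabled.
    return -not $after
}

# Usage: disable the protocol and uninstall the driver.
Disable-Smb1Server -RemoveFeature
```

Run it once before the maintenance window without -RemoveFeature to see the session warning, and again with the switch when the reboot is planned; because every step checks the current state first, running it repeatedly is harmless.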
Disabling SMB 1.0 on the Client Side
Having disabled SMB 1.0 on the server side, you prevent clients from connecting to that server over this protocol. However, they can still use the outdated protocol to access third-party (including external) resources. To disable SMB v1 on the client side, run these commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
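To see what the client-side change will affect and to confirm it took effect, the two sc.exe commands can be combined with a look at the dialects of the current outbound connections and a check of the resulting service configuration. This is an added example and not code from the original article; the function name Disable-Smb1Client is my own, and the verification parses the text output of sc.exe qc as it appears on Windows 10 / Server 2016.

```powershell
# Added example (not from the original article): disable the SMB1 client
# driver (mrxsmb10) with the article's two sc.exe commands and verify the
# result. Run elevated; the driver stays loaded until the next reboot.

function Disable-Smb1Client {
    # Dialects of the current outbound connections; anything starting with
    # "1." depends on the driver that is about to be disabled.
    Get-SmbConnection |
        Select-Object ServerName, ShareName, Dialect |
        Sort-Object Dialect |
        Format-Table -AutoSize

    # Remove mrxsmb10 from the workstation service's dependencies and stop
    # the driver from starting. The space after "depend=" and "start=" is
    # required by sc.exe syntax.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null

    # Verify against the service configuration: START_TYPE 4 is DISABLED,
    # and mrxsmb10 must no longer appear in the dependency list.
    $driverCfg  = sc.exe qc mrxsmb10
    $wkstaCfg   = sc.exe qc lanmanworkstation
    $startOff   = [bool]($driverCfg -match 'START_TYPE\s*:\s*4')
    $depRemoved = -not [bool]($wkstaCfg -match '\bmrxsmb10\b')

    # On Windows 10 1709 and later the SMB1 client is also exposed as an
    # optional feature; report its state if present.
    $clientFeature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol-Client -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Mrxsmb10StartDisabled = $startOff
        DependencyRemoved     = $depRemoved
        ClientFeatureState    = if ($clientFeature) { $clientFeature.State } else { 'n/a' }
    }
}

# Usage: apply and verify; both booleans should be True.
Disable-Smb1Client
```

If either verification value is False, the sc.exe calls most likely ran without administrative rights; sc.exe reports "Access is denied" in that case but does not stop the rest of the script.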
By disabling support for SMB 1.0, you protect your network from both the known and the not yet discovered vulnerabilities in this protocol. The last significant vulnerability in SMBv1, which allowed an attacker to execute arbitrary code remotely, was fixed in March 2017.