A new version of the SMB 3 protocol was introduced in Windows Server 2012 R2 (technically, it is SMB 3.02, since SMB 3.0 appeared in Windows Server 2012). Now you can disable the driver of the legacy SMB 1.0 protocol and block its components from loading. If you disable the SMB 1.0 protocol, outdated OS versions (Windows XP, Server 2003) and compatible clients (Mac OS X 10.8 Mountain Lion, Snow Leopard, Mavericks, earlier Linux versions) won’t be able to access shared files located on file servers running Windows Server 2012 R2 / 2016.
SMB versions in Windows
SMB (Server Message Block, sometimes called LAN-Manager) is a network protocol for remote access to files, printers and other network services. The connection uses TCP port 445. Different versions of the SMB protocol appeared in the following Windows versions:
- CIFS – Windows NT 4.0
- SMB 1.0 – Windows 2000
- SMB 2.0 – Windows Server 2008 and Windows Vista SP1
- SMB 2.1 – Windows Server 2008 R2 and Windows 7
- SMB 3.0 – Windows Server 2012 and Windows 8 (added SMB encryption)
- SMB 3.02 – Windows Server 2012 R2 and Windows 8.1
- SMB 3.1.1 – Windows Server 2016 and Windows 10
When communicating over SMB, a client and a server use the highest version of the SMB protocol supported by both the client and the server.
The summary table of SMB version compatibility looks like this. Using this table, you can determine the version of the SMB protocol that is selected when different versions of Windows interact:
Operating System | Windows 10, Server 2016 | Windows 8.1, Server 2012 R2 | Windows 8, Server 2012 | Windows 7, Server 2008 R2 | Windows Vista, Server 2008 | Windows XP, Server 2003 and earlier |
Windows 10, Server 2016 | SMB 3.1.1 | SMB 3.02 | SMB 3.0 | SMB 2.1 | SMB 2.0 | SMB 1.0 |
Windows 8.1, Server 2012 R2 | SMB 3.02 | SMB 3.02 | SMB 3.0 | SMB 2.1 | SMB 2.0 | SMB 1.0 |
Windows 8, Server 2012 | SMB 3.0 | SMB 3.0 | SMB 3.0 | SMB 2.1 | SMB 2.0 | SMB 1.0 |
Windows 7, Server 2008 R2 | SMB 2.1 | SMB 2.1 | SMB 2.1 | SMB 2.1 | SMB 2.0 | SMB 1.0 |
Windows Vista, Server 2008 | SMB 2.0 | SMB 2.0 | SMB 2.0 | SMB 2.0 | SMB 2.0 | SMB 1.0 |
Windows XP, Server 2003 and earlier | SMB 1.0 | SMB 1.0 | SMB 1.0 | SMB 1.0 | SMB 1.0 | SMB 1.0 |
For example, if a client computer running Windows 7 connects to a file server with Windows Server 2012 R2, the SMB 2.1 protocol will be used.
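On the client side, you can check which SMB version (dialect) is used for each connection with the command:
Get-SmbConnection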
On the file server side, you can display a list of the versions of the SMB protocols that the clients are currently using. Run the command:
Get-SmbSession | Select-Object -ExpandProperty Dialect | Sort-Object -Unique
In this example, there are 898 clients connected to the server using SMB 2.1 (Windows 7/ 2008 R2) and 8 clients via SMB 3.02 (Windows 8.1 / 2012 R2).
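The per-dialect breakdown described above can be produced as follows. This is an added example, not code from the original article: the function name Get-SmbDialectSummary and the sample sessions are constructed for illustration, and it assumes that SMB 1.0 sessions report a dialect whose major number is below 2.

```powershell
# Added example: summarise SMB sessions by dialect before disabling SMB 1.0.
function Get-SmbDialectSummary {
    param(
        # Objects with Dialect and ClientComputerName, as returned by Get-SmbSession
        [Parameter(Mandatory = $true)]
        [object[]]$Session
    )
    $Session | Group-Object -Property Dialect | ForEach-Object {
        # Assumption: the number before the first dot is the SMB major version,
        # so anything below 2 is treated as an SMB 1.0 session.
        $major = [int](([string]$_.Name).Split('.')[0])
        [pscustomobject]@{
            Dialect  = $_.Name
            Sessions = $_.Count
            Legacy   = ($major -lt 2)
            Clients  = @($_.Group | ForEach-Object { $_.ClientComputerName } | Sort-Object -Unique)
        }
    } | Sort-Object -Property Dialect
}

# Constructed sample sessions (documentation addresses, not real data)
$sample = @(
    [pscustomobject]@{ ClientComputerName = '192.0.2.10'; Dialect = '2.1'  }
    [pscustomobject]@{ ClientComputerName = '192.0.2.11'; Dialect = '2.1'  }
    [pscustomobject]@{ ClientComputerName = '192.0.2.20'; Dialect = '3.02' }
    [pscustomobject]@{ ClientComputerName = '192.0.2.30'; Dialect = '1.5'  }
)

$summary = Get-SmbDialectSummary -Session $sample
$summary | Format-Table Dialect, Sessions, Legacy -AutoSize

# Clients that still depend on SMB 1.0 and need migration or isolation first
$summary | Where-Object { $_.Legacy } | ForEach-Object { $_.Clients }

# On a live file server, pass the real sessions instead of the sample:
# Get-SmbDialectSummary -Session (Get-SmbSession)
```

Sessions are point-in-time, so a client that connects only occasionally may not appear in a single run.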
According to the table, Windows XP and Windows Server 2003 can only use SMB 1.0 to access folders and files, and SMB 1.0 can be disabled in newer versions of Windows Server (2012 R2 / 2016). So, if your infrastructure includes computers running Windows XP (no longer supported) or Windows Server 2003 / R2 alongside servers running Windows Server 2012 R2 / 2016, you should understand that the legacy clients will not be able to access files and folders on a file server running the new OS. If Windows Server 2016 / 2012 R2 is used as a domain controller, Windows XP / Server 2003 clients won’t be able to execute logon scripts (NETLOGON) or apply some of the group policies stored in network folders on the domain controllers (for example, when using the Central Store for ADMX templates). If you try to connect to a shared folder on a file server with SMBv1 disabled, the old client will receive the following error message:
Stop Using SMBv1 Protocol
Today the SMB 1.0 protocol is obsolete and has a large number of critical vulnerabilities (recall the recent WannaCry and NotPetya ransomware attacks, which exploited a vulnerability in the SMBv1 protocol). Microsoft and other IT companies strongly recommend that you stop using SMBv1 in your network.
If there are clients in your network running Windows XP or Windows Server 2003 / R2, they should be migrated to newer versions of Microsoft’s OS as soon as possible or carefully isolated.
SMB 1.0 in Windows Server 2012 R2
If you open the list of Windows Server 2012 R2 components, you can see a feature named SMB 1.0/CIFS File Sharing Support, which is not installed. However, the SMB 1.0 driver itself still works. If you install this feature, the Computer Browser service appears in the system. This is an SMB 1.0 client, without which it is not possible to connect from this server to other computers that support only the SMBv1 protocol. If you do not need it, you can remove this feature with the command:
Remove-WindowsFeature FS-SMB1
Then on the server side you need to completely disable SMB 1.0 with the command:
Set-SmbServerConfiguration -EnableSMB1Protocol $false
By default, both the SMB 1 and SMB 2 drivers are loaded in Windows Server 2012. To confirm this, open the properties of the Server (LanmanServer) system service; on the Dependencies tab you can see that Server SMB 1.xxx Driver and SMB 2.xxx Driver are running on the server at the same time.
If you open the properties of the LanmanServer service on Windows 2012 R2, you can see that the driver supporting SMB 1.0 is excluded from the dependencies.
However, this does not mean that the SMB 1.0 driver is not working. To check whether SMB 1.0 is enabled on the server side, you can use the command:
Get-SmbServerConfiguration | Select EnableSMB1Protocol
As you can see, the SMB1 protocol in Windows Server 2012 R2 is enabled despite the absence of the SMB 1.0/CIFS File Sharing Support feature and driver dependencies for the LanmanServer service.
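Because the feature list and the service dependencies can suggest that SMB 1.0 is gone while the protocol setting is still on, it helps to evaluate all three indicators together. The following is an added example, not code from the original article: the function name Test-Smb1ServerState and the sample state are constructed, and it deliberately reports SMB 1.0 as fully disabled only when every indicator is off.

```powershell
# Added example: combine the SMB 1.0 indicators discussed in the article.
function Test-Smb1ServerState {
    param(
        [bool]$EnableSMB1Protocol,    # (Get-SmbServerConfiguration).EnableSMB1Protocol
        [string[]]$DependOnService,   # LanmanServer DependOnService registry value
        [bool]$FeatureInstalled       # (Get-WindowsFeature FS-SMB1).Installed
    )
    # Collect every indicator that still points at SMB 1.0
    $remaining = @()
    if ($EnableSMB1Protocol) { $remaining += 'EnableSMB1Protocol is True' }
    if ($DependOnService -contains 'Srv') { $remaining += 'LanmanServer depends on Srv' }
    if ($FeatureInstalled) { $remaining += 'FS-SMB1 feature is installed' }

    [pscustomobject]@{
        Smb1FullyDisabled = ($remaining.Count -eq 0)
        Remaining         = $remaining
    }
}

# Constructed input mirroring the Windows Server 2012 R2 default described above:
# feature absent, dependency is Srv2, protocol setting still enabled.
$default2012R2 = @{
    EnableSMB1Protocol = $true
    DependOnService    = @('SamSS', 'Srv2')
    FeatureInstalled   = $false
}
Test-Smb1ServerState @default2012R2 | Format-List

# Live collection on a server (run elevated):
# $live = @{
#     EnableSMB1Protocol = (Get-SmbServerConfiguration).EnableSMB1Protocol
#     DependOnService    = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer').DependOnService
#     FeatureInstalled   = (Get-WindowsFeature FS-SMB1).Installed
# }
# Test-Smb1ServerState @live
```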
To restore the access of XP/2003 (and other legacy) clients over SMB to the file servers/domain controllers on Windows Server 2012 R2, you can enable SMB 1 support as follows. First, enable the protocol in the server settings:
Set-SmbServerConfiguration -EnableSMB1Protocol $true
Then enable the SMB 1.0 dependencies in Windows Server 2012 R2 through the registry. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer and change the value of the DependOnService parameter from SamSS Srv2 to SamSS Srv.
After that, reboot the system and make sure that the SMB 1.0 driver is working again.
These actions should be performed on all file servers and domain controllers to which legacy versions of clients are connected.
SMB 1.0 in Windows Server 2016
In Windows Server 2016, support for SMB 1.0 on the client side is also enabled as a separate feature, which can be found in the Add/Remove Features Wizard. This component is also called SMB 1.0 / CIFS File Sharing Support.
You can disable SMB v1 and completely remove the component with the commands:
Remove-WindowsFeature FS-SMB1
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
Starting with Windows Server 2016 1709 (and Windows 10 Fall Creators Update), the SMBv1 component (both client and server) is disabled by default (guest access via SMBv2 is disabled as well). To access legacy systems that use the outdated version of the protocol, it must be installed separately. You need to install the SMB 1.0/CIFS File Sharing Support feature and enable SMB 1.0 with the commands:
Add-WindowsFeature FS-SMB1
Set-SmbServerConfiguration -EnableSMB1Protocol $true
10 comments
Your post saved my day!!! Thank you, I’m gonna reference it on my blog!!!
I have looked everywhere on the web to resolve this issue. THANK YOU!
Thank you! Got this issue after patching and it worked fine.
Thank you! Saved my day!
How come I have a Windows Server 2012 R2 with SMB1 installed but not visible in dependencies, and I can still access it from Windows Server 2003?
If the SMB1 driver is running, you can access Windows 2012 R2 from a 2003 client:
sc query mrxsmb10
SERVICE_NAME: mrxsmb10
TYPE : 2 FILE_SYSTEM_DRIVER
STATE : 4 RUNNING
2012 onwards;
Check it’s not disabled via PowerShell too:
To check:
Get-SmbServerConfiguration | Select EnableSMB1Protocol
If it says ‘False’, then enable:
Set-SmbServerConfiguration -EnableSMB1Protocol $true
Thank you for your comment. Indeed, the SMB1 server protocol is available by default on Windows Server 2012 R2. I updated the article.
Perfect, just what the doctor ordered. Saved my life and time.