The following article shows the steps to disable Server Message Block (SMB) version 1 on both the server side and the client side on Windows Servers.
Applies To
Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016.
History
Most of us know the SMBv1 vulnerability, especially after the WannaCry ransomware. Windows Server 2016 still comes with SMBv1 enabled for backward compatibility. If we do not use any SMB shares that still run on SMBv1 (Windows Server 2003), then it is recommended to disable SMBv1.
Monitor the current SMBv1 Traffic
We have an option to audit/monitor the SMBv1 connections coming to the server. This helps us identify the clients that are still using the SMBv1 protocol to connect to the SMB shares on the server. Run the PowerShell command below to enable the audit. When prompted, enter y to confirm or n to cancel.
Set-SmbServerConfiguration -AuditSmb1Access $true
Whenever a client connects to the server with the SMBv1 protocol, an event containing the client's IP address is logged in the event viewer. This tells us whether there are any SMBv1 connections to the server. We can use the command below to check the audit logs.
Get-WinEvent -LogName Microsoft-Windows-SMBServer/Audit
Viewing the audit logs in the Windows Event Viewer provides the IP address of each client that connects to the server using the SMBv1 protocol.
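The audit review described above can be scripted so the decision to disable SMBv1 rests on a per-client summary. This is an added example, not part of the original article; it assumes the SMBv1 access record is event ID 3000 with a "Client Address:" line in its message, and the $Days review window is a hypothetical parameter.

```powershell
# Added example: summarize SMBv1 audit events per client before disabling SMBv1.
# Assumptions: event ID 3000 is the SMB1 access record and its message holds a
# "Client Address:" line; $Days is a hypothetical review window.
param([int]$Days = 14)

# Without auditing enabled, an empty log proves nothing.
$cfg = Get-SmbServerConfiguration
if (-not $cfg.AuditSmb1Access) {
    Write-Warning 'AuditSmb1Access is off; SMBv1 connections are not being recorded.'
}

$filter = @{
    LogName   = 'Microsoft-Windows-SMBServer/Audit'
    Id        = 3000
    StartTime = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent reports an error when nothing matches; treat that as an empty result.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# Pull the client address out of each event, then aggregate per client.
$clients = $events | ForEach-Object {
    if ($_.Message -match 'Client Address:\s*(\S+)') {
        [pscustomobject]@{ Client = $Matches[1]; Time = $_.TimeCreated }
    }
} | Group-Object Client | ForEach-Object {
    [pscustomobject]@{
        Client    = $_.Name
        Count     = $_.Count
        FirstSeen = ($_.Group | Measure-Object -Property Time -Minimum).Minimum
        LastSeen  = ($_.Group | Measure-Object -Property Time -Maximum).Maximum
    }
} | Sort-Object Count -Descending

if ($clients) {
    $clients | Format-Table -AutoSize
    Write-Output "SMBv1 clients seen in the last $Days days: $(@($clients).Count). Upgrade or isolate them before disabling SMBv1."
} else {
    Write-Output "No SMBv1 access events in the last $Days days (auditing enabled: $($cfg.AuditSmb1Access))."
}
```

Let auditing run long enough to cover infrequent jobs such as monthly backups or scanners before treating an empty result as safe.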
Disable SMBv1 on Server Side
The following command disables SMBv1 on the server but does not remove it completely. It does not require a restart of the server and hence can be used when we do not have an outage window for the server. When prompted, enter y to confirm or n to cancel.
Set-SmbServerConfiguration -EnableSMB1Protocol $false
To completely remove SMBv1 from the server, run the command below. Please note that this will require a restart of the server.
Remove-WindowsFeature FS-SMB1
Remove SMBv1 on Client Side
By disabling the server configuration as shown above, our server will no longer offer SMB v1 shares. The SMB client however is still able to connect to an external SMB v1 share on another server, unless we also disable the SMB v1 client. This is done by running the following commands.
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled