This article shows the steps to disable Server Message Block (SMB) version 1 on both the server side and the client side of Windows Server.

Applies To

Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016.

History

Most of us know about the SMBv1 vulnerability, especially after the WannaCry ransomware. Windows Server 2016 still comes with SMBv1 enabled for backward compatibility. If we do not use any SMB shares which still run on SMBv1 (Windows Server 2003), then it is recommended to disable SMBv1.

Monitor the current SMBv1 Traffic

We have an option to audit the SMBv1 connections coming to the server. This helps us identify the clients which are still using the SMBv1 protocol to connect to the SMB shares on the server. Run the PowerShell command below to enable the audit. When prompted, enter y to confirm or n to cancel.

 Set-SmbServerConfiguration -AuditSmb1Access $true

Whenever a client connects to the server using the SMBv1 protocol, an event containing the client's IP address is logged in the event log. This tells us whether there are any SMBv1 connections to the server. We can use the command below to check the audit logs:

 Get-WinEvent -LogName Microsoft-Windows-SMBServer/Audit

Viewing the audit logs in the Windows Event Viewer shows the IP address of each client which is connecting to the server using the SMBv1 protocol.
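
To decide whether SMBv1 can be switched off, the audit events can be summarised per client. The following is an added example, not part of the original article: the function name Get-Smb1AuditClient is hypothetical, and it assumes SMB1 access is logged as event ID 3000 with a "Client Address:" line in the event message.

```powershell
# Added example (not from the original article): summarise SMBv1 audit events per client.
# Assumption: SMB1 access is logged as event ID 3000 with a "Client Address: <addr>" line.
function Get-Smb1AuditClient {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Record
    )
    begin { $seen = @{} }
    process {
        # Ignore events whose message carries no client address.
        if ($Record.Message -notmatch 'Client Address:\s*(?<addr>\S+)') { return }
        $addr = $Matches['addr']
        if (-not $seen.ContainsKey($addr)) {
            $seen[$addr] = [pscustomobject]@{
                ClientAddress = $addr
                Connections   = 0
                FirstSeen     = $Record.TimeCreated
                LastSeen      = $Record.TimeCreated
            }
        }
        $entry = $seen[$addr]
        $entry.Connections++
        if ($Record.TimeCreated -lt $entry.FirstSeen) { $entry.FirstSeen = $Record.TimeCreated }
        if ($Record.TimeCreated -gt $entry.LastSeen)  { $entry.LastSeen  = $Record.TimeCreated }
    }
    # One row per client, busiest first.
    end { $seen.Values | Sort-Object Connections -Descending }
}

# Constructed sample events (not real log data) so the function can be tried offline.
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-10 08:15'; Message = "SMB1 access`n`nClient Address: 192.0.2.10" }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-10 09:40'; Message = "SMB1 access`n`nClient Address: 192.0.2.25" }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-11 07:05'; Message = "SMB1 access`n`nClient Address: 192.0.2.10" }
)
$sample | Get-Smb1AuditClient | Format-Table -AutoSize

# On the server, feed the real audit log instead. Get-WinEvent reports an error when
# no event matches, which here means no SMBv1 client was seen while auditing was on.
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } -ErrorAction SilentlyContinue |
#     Get-Smb1AuditClient
```

An empty result is only meaningful if auditing has been enabled long enough to cover clients that connect infrequently, such as scheduled jobs.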

Disable SMBv1 on Server Side

The following command disables SMBv1 on the server but does not remove it completely. It does not need a restart of the server and hence can be used when we do not have an outage window for the server. When prompted, enter y to confirm or n to cancel.

 Set-SmbServerConfiguration -EnableSMB1Protocol $false

To completely remove SMBv1 from the server, run the command below. Please note this will require a restart of the server.

 Remove-WindowsFeature FS-SMB1

Remove SMBv1 on Client Side

By disabling the server configuration as shown above, our server will no longer offer SMB v1 shares. The SMB client however is still able to connect to an external SMB v1 share on another server, unless we also disable the SMB v1 client. This is done by running the following commands.

 sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
 sc.exe config mrxsmb10 start= disabled
