Need help to Enable/Disable SMB v 1.0 in Windows? We can help you.

As part of our Server Management Services, we help our customers with software installations regularly.

Today, let’s see how our Support Engineers Enable/Disable SMB v 1.0 in Windows.

 

Why is Server Message Block 1.0 (SMBv1) network protocol disabled by default?

The Server Message Block 1.0 (SMBv1) network protocol is disabled by default in Windows Server 2016/2019 and Windows 10.

• If there are no SMB 1.x clients left, we completely disable SMBv1 on all Windows devices.
• By disabling SMB 1.0, we protect Windows computers from a wide range of vulnerabilities in this legacy protocol.
• As a result, the devices will use new, more efficient, secure and functional versions of the SMB protocol when accessing network shares.

On the other hand, old client versions can access network shared folders only by using SMB v1.0 protocol. If there are no such clients in the network, we can completely disable SMB 1.0 on the side of file servers and client desktops.

 

Enable/Disable SMB v 1.0 in Windows

Before enabling or disabling the SMB 1.0 driver, we make sure that there are no legacy clients that uses it in the network.

Auditing Shared Folder Access via SMB v1.0

To do this, we enable the audit of file server access over SMB v1.0 using the following PowerShell command:

Set-SmbServerConfiguration –AuditSmb1Access $true

Also, after a couple of days, we open the Event Viewer on the server and check the log in Applications and Services -> Microsoft -> Windows -> SMBServer -> Audit. Check if any clients has access to the file server over SMB1.

To display the list of events from this event log we use the command:

Get-WinEvent -LogName Microsoft-Windows-SMBServer/Audit

Here, an event with EventID 3000 from the SMBServer source is seen in the log. The event indicates that the client 192.168.1.10 is trying to access the server using the SMB1 protocol

SMB1 access
Client Address: (IP address)
Guidance:
This event indicates that a client attempted to access the server using SMB1. To stop auditing SMB1 access, use the Windows PowerShell cmdlet Set-SmbServerConfiguration.

We have to find this computer or device on the network and update the OS or firmware to a version that supports newer SMB protocol versions.

 

Enable/Disable SMB v 1.0 in Windows Server 2016/2019

To enable support for the SMBv1 client protocol in newer versions of Windows Server, we install separate SMB 1.0/CIFS File Sharing Support feature.

It is possible either by using Server Manager or through PowerShell.

Check if SMBv1 is enabled using the PowerShell command:

Get-WindowsFeature | Where-Object {$_.name -eq “FS-SMB1”} | ft Name,Installstate

To install the FS-SMB1 feature, run:

Install-WindowsFeature FS-SMB1

Similarly, to uninstall the SMBv1 client feature (requires a reboot), run:

Uninstall-WindowsFeature –Name FS-SMB1 –Remove

Another PowerShell command that removes the SMB1Protocol feature is:

Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -Remove

For the server to handle SMBv1.0 client access, enable SMBv1 support at the SMB file server level in addition to the FS-SMB1 component.

Furthermore, to check, run:

Get-SmbServerConfiguration

“EnableSMB1Protocol: True” means we have access to shared folders on this server using the SMBv1 protocol.

To disable SMBv1 server support in Windows Server, we run the PowerShell command:

Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

We make sure using,

Get-SmbServerConfiguration cmdlet

In the same way, to enable SMBv1 support on the server, we run the command:

Set-SmbServerConfiguration -EnableSMB1Protocol $True -Force

On Windows 7/8 and Windows Server 2008 R2/2012, in order to disable the SMB 1.0 client, we need to disable the service and the SMBv1 access driver with the commands:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

 

Disabling SMBv1 Client and Server via Group Policy

In an Active Directory domain environment, we can disable SMBv1 on all servers and computers using Group Policies (GPOs).

Since there is no separate SMB configuration policy in the standard Windows Group Policies, we have to disable it through the registry policy.

1. Open the Group Policy Management console (gpmc.msc), create a new GPO (disableSMBv1) and link it to the OU containing the computers on which we want to disable SMB1
2. Switch to the policy editing mode. Expand the GPO section Computer Configuration -> Preferences -> Windows Settings -> Registry
3. Create a new Registry Item with the following setting:

This policy will disable support for the SMBv1 server component through the registry on all computers.

Also, to disable the SMB client on domain computers via GPO, create two additional registry parameters:

• The Start parameter (REG_DWORD type) with value 4 in the registry key HKLM\SYSTEM\CurrentControlSet\services\mrxsmb10
• The DependOnService parameter (REG_MULTI_SZ type) with the value Bowser, MRxSmb20, NSI (each value on a new line) in the reg key HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation.

It remains to update the Group Policy settings on the clients (gpupdate /force). After the reboot make sure that the SMBv1 components are completely disabled.

The Security Baseline GPOs from the Microsoft Security Compliance Toolkit have a separate administrative template MS Security Guide (SecGuide.adml and SecGuide.admx files) that have separate options for disabling the SMB server and client:

• Configure SMB v1 server
• Configure SMB v1 client driver

[Get our 24/7 support. Our server specialists will keep your servers fast and secure.]

 

Conclusion

In short, webmasters can easily enable or disable SMB using powershell. Today, we’ve seen by example how Bobcares Support Techs go about to Enable/Disable SMB v 1.0 in Windows.