Bobcares

How to Enable/Disable SMB v 1.0 in Windows

by | Nov 25, 2020

Need help to Enable/Disable SMB v 1.0 in Windows? We can help you.

As part of our Server Management Services, we help our customers with software installations regularly.

Today, let’s see how our Support Engineers Enable/Disable SMB v 1.0 in Windows.

 

Why is Server Message Block 1.0 (SMBv1) network protocol disabled by default?

The Server Message Block 1.0 (SMBv1) network protocol is disabled by default in Windows Server 2016/2019 and Windows 10.

  • If there are no SMB 1.x clients left, we completely disable SMBv1 on all Windows devices.
  • By disabling SMB 1.0, we protect Windows computers from a wide range of vulnerabilities in this legacy protocol.
  • As a result, the devices will use new, more efficient, secure and functional versions of the SMB protocol when accessing network shares.

On the other hand, old client versions can access network shared folders only by using SMB v1.0 protocol. If there are no such clients in the network, we can completely disable SMB 1.0 on the side of file servers and client desktops.

 

Enable/Disable SMB v 1.0 in Windows

Before enabling or disabling the SMB 1.0 driver, we make sure that there are no legacy clients that uses it in the network.

Auditing Shared Folder Access via SMB v1.0

To do this, we enable the audit of file server access over SMB v1.0 using the following PowerShell command:

Set-SmbServerConfiguration –AuditSmb1Access $true

Also, after a couple of days, we open the Event Viewer on the server and check the log in Applications and Services -> Microsoft -> Windows -> SMBServer -> Audit. Check if any clients has access to the file server over SMB1.

To display the list of events from this event log we use the command:

Get-WinEvent -LogName Microsoft-Windows-SMBServer/Audit

Here, an event with EventID 3000 from the SMBServer source is seen in the log. The event indicates that the client 192.168.1.10 is trying to access the server using the SMB1 protocol

SMB1 access
Client Address: (IP address)
Guidance:
This event indicates that a client attempted to access the server using SMB1. To stop auditing SMB1 access, use the Windows PowerShell cmdlet Set-SmbServerConfiguration.

We have to find this computer or device on the network and update the OS or firmware to a version that supports newer SMB protocol versions.

 

Enable/Disable SMB v 1.0 in Windows Server 2016/2019

To enable support for the SMBv1 client protocol in newer versions of Windows Server, we install separate SMB 1.0/CIFS File Sharing Support feature.

It is possible either by using Server Manager or through PowerShell.

Check if SMBv1 is enabled using the PowerShell command:

Get-WindowsFeature | Where-Object {$_.name -eq “FS-SMB1”} | ft Name,Installstate

To install the FS-SMB1 feature, run:

Install-WindowsFeature FS-SMB1

Similarly, to uninstall the SMBv1 client feature (requires a reboot), run:

Uninstall-WindowsFeature –Name FS-SMB1 –Remove

Another PowerShell command that removes the SMB1Protocol feature is:

Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -Remove

For the server to handle SMBv1.0 client access, enable SMBv1 support at the SMB file server level in addition to the FS-SMB1 component.

Furthermore, to check, run:

Get-SmbServerConfiguration

“EnableSMB1Protocol: True” means we have access to shared folders on this server using the SMBv1 protocol.

To disable SMBv1 server support in Windows Server, we run the PowerShell command:

Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

We make sure using,

Get-SmbServerConfiguration cmdlet

In the same way, to enable SMBv1 support on the server, we run the command:

Set-SmbServerConfiguration -EnableSMB1Protocol $True -Force

On Windows 7/8 and Windows Server 2008 R2/2012, in order to disable the SMB 1.0 client, we need to disable the service and the SMBv1 access driver with the commands:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

 

Disabling SMBv1 Client and Server via Group Policy

In an Active Directory domain environment, we can disable SMBv1 on all servers and computers using Group Policies (GPOs).

Since there is no separate SMB configuration policy in the standard Windows Group Policies, we have to disable it through the registry policy.

  1. Open the Group Policy Management console (gpmc.msc), create a new GPO (disableSMBv1) and link it to the OU containing the computers on which we want to disable SMB1
  2. Switch to the policy editing mode. Expand the GPO section Computer Configuration -> Preferences -> Windows Settings -> Registry
  3. Create a new Registry Item with the following setting:

Action: Update Hive: HKEY_LOCAL_MACHINE Key Path: SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters Value name: SMB1 Value type: REG_DWORD Value data: 0

This policy will disable support for the SMBv1 server component through the registry on all computers.

Also, to disable the SMB client on domain computers via GPO, create two additional registry parameters:

  • The Start parameter (REG_DWORD type) with value 4 in the registry key HKLM\SYSTEM\CurrentControlSet\services\mrxsmb10
  • The DependOnService parameter (REG_MULTI_SZ type) with the value Bowser, MRxSmb20, NSI (each value on a new line) in the reg key HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation.

It remains to update the Group Policy settings on the clients (gpupdate /force). After the reboot make sure that the SMBv1 components are completely disabled.

The Security Baseline GPOs from the Microsoft Security Compliance Toolkit have a separate administrative template MS Security Guide (SecGuide.adml and SecGuide.admx files) that have separate options for disabling the SMB server and client:

  • Configure SMB v1 server
  • Configure SMB v1 client driver

[Get our 24/7 support. Our server specialists will keep your servers fast and secure.]

 

Conclusion

In short, webmasters can easily enable or disable SMB using powershell. Today, we’ve seen by example how Bobcares Support Techs go about to Enable/Disable SMB v 1.0 in Windows.

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

GET STARTED

var google_conversion_label = "owonCMyG5nEQ0aD71QM";

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Never again lose customers to poor
server speed! Let us help you.

Privacy Preference Center

Necessary

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

PHPSESSID - Preserves user session state across page requests.

gdpr[consent_types] - Used to store user consents.

gdpr[allowed_cookies] - Used to store user allowed cookies.

PHPSESSID, gdpr[consent_types], gdpr[allowed_cookies]
PHPSESSID
WHMCSpKDlPzh2chML

Statistics

Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

_ga - Preserves user session state across page requests.

_gat - Used by Google Analytics to throttle request rate

_gid - Registers a unique ID that is used to generate statistical data on how you use the website.

smartlookCookie - Used to collect user device and location information of the site visitors to improve the websites User Experience.

_ga, _gat, _gid
_ga, _gat, _gid
smartlookCookie
_clck, _clsk, CLID, ANONCHK, MR, MUID, SM

Marketing

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

IDE - Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.

test_cookie - Used to check if the user's browser supports cookies.

1P_JAR - Google cookie. These cookies are used to collect website statistics and track conversion rates.

NID - Registers a unique ID that identifies a returning user's device. The ID is used for serving ads that are most relevant to the user.

DV - Google ad personalisation

_reb2bgeo - The visitor's geographical location

_reb2bloaded - Whether or not the script loaded for the visitor

_reb2bref - The referring URL for the visit

_reb2bsessionID - The visitor's RB2B session ID

_reb2buid - The visitor's RB2B user ID

IDE, test_cookie, 1P_JAR, NID, DV, NID
IDE, test_cookie
1P_JAR, NID, DV
NID
hblid
_reb2bgeo, _reb2bloaded, _reb2bref, _reb2bsessionID, _reb2buid

Security

These are essential site cookies, used by the google reCAPTCHA. These cookies use an unique identifier to verify if a visitor is human or a bot.

SID, APISID, HSID, NID, PREF
SID, APISID, HSID, NID, PREF