Disable SMBv1 client driver

Disable SMBv1 client driver

The original SMBv1 protocol is nearly 30 years old. SMBv1 is now considered insecure and poses several risks. It contains several vulnerabilities, including remote code execution, privilege escalation, and DoS. SMBv1 is also a common vector for spreading malware like ransomware. Furthermore, it uses weak authentication mechanisms and is therefore vulnerable to credential theft. In short, there are a ton of reasons to disable SMBv1 and use newer implementations of SMB, like SMBv2 and SMBv3.

Audit

To determine which clients are attempting to connect to an SMB server with SMBv1, you can enable auditing on Windows Server 2016, Windows 10, and Windows Server 2019.

Set-SmbServerConfiguration -AuditSmb1Access $true

When SMBv1 auditing is enabled, event 3000 appears in the Microsoft-Windows-SMBServer\Audit event log, identifying each client that attempts to connect with SMBv1.

If you are using a SIEM solution, like Microsoft Sentinel, you can send the Event Viewer data to your SIEM solution and make there the analysis of which server is still using SMBv1.

Configuration (PowerShell)

Disable SMBv1 through PowerShell with the following command in an elevated PowerShell session.

Set-SmbServerConfiguration -EnableSMB2Protocol $false

It's also possible to disable SNBv1 through PowerShell

Configuration (Windows Register)

Note

Always create a backup of the Windows Register before making any changes in the registry.

Disable SMBv1 through the Windows Register with Windows PowerShell.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

Configuration (Group Policy)

In a large Windows Environment, it's recommended to disable SMBv1 through GPO. When someone, by mistaken, enables SMBv1 on a machine, SMBv1 will be automatically disabled by the GPO.

1. Download the SecGuide.admx and SecGuide.adml.
2. Place these files in your Central Store (ex: \\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions).
3. Open the Group Policy Management Console (gpmc.msc).
4. Navigate to Computer Configuration\Administrative Templates\MS Security Guide.
5. Configure the policy Configure SMB v1 server to Disabled.
6. Configure the policy Configure SMB v1 client to Enabled: Disable driver (recommended).

Configuration (Microsoft Intune)

Disable SMBv1 through Microsoft Intune.

1. Login into Microsoft Endpoint Manager (https://endpoint.microsoft.com).
2. Navigate to Devices --> Configuration Profile.
3. Select the profile on which you want to disable SMBv1 (or create a new Configuration Profile, choose profile type Setting catalog).
4. In the profile, navigate to Administrative Templates\MS Security Guide\Configure SMBv1 client driver.
5. Set this policy to Enabled: Disable driver (recommended).

User Impact

Disabling SMBv1 support may prevent access to file or print sharing resources with systems or devices that only support SMBv1.

References

• https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858
• https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3?tabs=server