How to disable SMBv1 in Windows 10 and Windows Server

The WannaCry/WanaCrypt0r worm exploits a vulnerability in Windows Server Message Block (SMB) version 1 (SMBv1), and it spreads like wildfire. You are urged to disable SMBv1 on your Windows version (Windows 10, 8.1, Server 2016, 2012 R2); here is how, if you haven’t done so yet.

What is Server Message Block (SMB) in Windows?

The Server Message Block (SMB) Protocol is a network file sharing protocol, and as implemented in Microsoft Windows is known as Microsoft SMB Protocol. The set of message packets that defines a particular version of the protocol is called a dialect. The Common Internet File System (CIFS) Protocol is a dialect of SMB. Both SMB and CIFS are also available on VMS, several versions of Unix, and other operating systems.

The technical reference to CIFS is available from Microsoft Corporation at Common Internet File System (CIFS) File Access Protocol.

SMB1 is used in Windows XP and earlier (it’s nearly 30 years old!). The SMBv2 protocol was introduced in Windows Vista and Windows Server 2008, while the SMBv3 protocol was introduced in Windows 8 and Windows Server 2012. To be blunt: SMB1 is old, not efficient, and now also vulnerable. Disable it now, stop using SMB1!

Windows 10 is not vulnerable to the WannaCry ransomware, but it’s still recommended to disable SMB1 if it’s enabled on your system.

The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack.

Disable SMBv1 using PowerShell

Remember, there is the SMB server (or service), which creates a file share, and there is an SMB client, which accesses it. Here you’ll find more than one way to disable SMBv1 on both the SMB server and the SMB client.

Windows 8 and Windows Server 2012 introduce the new Set-SMBServerConfiguration Windows PowerShell cmdlet.

The cmdlet lets you enable or disable the SMBv1, SMBv2, and SMBv3 protocols on the server component.

Note: When you enable or disable SMBv2 in Windows 8 or in Windows Server 2012, SMBv3 is also enabled or disabled. This behavior occurs because these protocols share the same stack.

Warning: Do not disable SMBv2 or SMBv3. Disable SMBv2 or SMBv3 only as a temporary troubleshooting measure. Do not leave SMBv2 or SMBv3 disabled; leave only SMBv1 disabled.

You do not have to restart the computer after you run the Set-SMBServerConfiguration cmdlet.

To obtain the current state of the SMB server protocol configuration, run the following cmdlet in Windows Server 2012, 2012 R2 and Windows Server 2016 and up:

Get-SmbServerConfiguration | Select EnableSMB1Protocol

Windows Server 2008 R2 and below:

Get-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1

To disable SMBv1 on the SMB server, run the following cmdlet:

Set-SmbServerConfiguration -EnableSMB1Protocol $false

To disable SMB protocols on an SMB Server that is running Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, use Windows PowerShell or Registry Editor.

Windows PowerShell 2.0 or a later version of PowerShell:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

Or in the Registry Editor: change the SMB1 entry under the following registry key from 1 to 0:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Set SMB1 to 0 (disabled; the default is 1)

SMB client:
You can use the SC tool to disable the SMB v1 client:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

To disable, and gracefully remove, SMBv1 in Windows 8.1 and Windows 10 (client), use the Disable-WindowsOptionalFeature cmdlet:

Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
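
To confirm the result of the steps above, the following read-only audit collects the server-side and client-side SMBv1 settings in one object. It is an added example, not part of the original post; the function name Get-Smb1Status and its output property names are made up for illustration, and it assumes an elevated PowerShell session.

```powershell
# Added example: read-only audit of the SMBv1 settings this page changes.
# Assumes an elevated session; Get-Smb1Status and its property names are illustrative.
function Get-Smb1Status {
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    # Server, Windows 8 / Server 2012 and later: ask the SMB cmdlet when it exists.
    $serverCmdlet = $null
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $serverCmdlet = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # Server, registry value used on Windows 7 / Server 2008 R2 and earlier.
    # $null means the SMB1 value is not present under the key.
    $serverReg = (Get-ItemProperty -Path "$svc\LanmanServer\Parameters" `
        -Name SMB1 -ErrorAction SilentlyContinue).SMB1

    # Client: "sc.exe config mrxsmb10 start= disabled" stores Start = 4.
    $clientStart = (Get-ItemProperty -Path "$svc\mrxsmb10" `
        -Name Start -ErrorAction SilentlyContinue).Start

    # Client: LanmanWorkstation should no longer depend on the SMBv1 driver.
    $deps = (Get-ItemProperty -Path "$svc\LanmanWorkstation" `
        -Name DependOnService -ErrorAction SilentlyContinue).DependOnService
    $dependsOnSmb10 = @($deps) -contains 'mrxsmb10'

    # Optional feature (Windows 8.1 / 10): report its state when DISM cmdlets exist.
    $featureState = $null
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        try {
            $featureState = (Get-WindowsOptionalFeature -Online `
                -FeatureName smb1protocol -ErrorAction Stop).State
        } catch {
            $featureState = 'QueryFailed'   # feature unknown or session not elevated
        }
    }

    # New-Object keeps the function usable on PowerShell 2.0.
    New-Object PSObject -Property @{
        ComputerName         = $env:COMPUTERNAME
        ServerSmb1Cmdlet     = $serverCmdlet     # $false = SMBv1 server disabled
        ServerSmb1Registry   = $serverReg        # 0 = disabled
        ClientDriverStart    = $clientStart      # 4 = disabled
        ClientDependsOnSmb10 = $dependsOnSmb10   # should be $false
        OptionalFeatureState = $featureState
    }
}

Get-Smb1Status | Format-List
```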


More information can be found on Microsoft Support and The Deprecation of SMB1 – You should be planning to get rid of this old SMB dialect.
