Disable SMBv1 to prevent the Petya / NotPetya and WannaCry / WanaCrypt0r ransomware from spreading through your network. These worms exploit a vulnerability in Windows Server Message Block (SMB) version 1 (SMBv1) and spread like wildfire. You are urged to disable SMBv1 on your Windows variant (Windows 10, 8.1, Server 2016, 2012 R2), and here is how, if you haven't done so yet.

The WannaCry ransomware spread across the globe in May 2017. Learn how this ransomware attack spread and how to protect your network from similar attacks like Petya/NotPetya.

What is Server Message Block (SMB) in Windows?


The Server Message Block (SMB) Protocol is a network file sharing protocol, and as implemented in Microsoft Windows is known as Microsoft SMB Protocol. The set of message packets that defines a particular version of the protocol is called a dialect. The Common Internet File System (CIFS) Protocol is a dialect of SMB. Both SMB and CIFS are also available on VMS, several versions of Unix, and other operating systems.

The technical reference to CIFS is available from Microsoft Corporation at Common Internet File System (CIFS) File Access Protocol.

SMB1 is used in Windows XP and earlier (it's nearly 30 years old!). The SMBv2 protocol was introduced in Windows Vista and Windows Server 2008, while the SMBv3 protocol was introduced in Windows 8 and Windows Server 2012. To be blunt: SMB1 is old, inefficient, and now also vulnerable. Disable it now, stop using SMB1!

Windows 10 is not vulnerable to the WannaCry ransomware, but it's still recommended to disable SMB1 if it's enabled on your system.

The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack.

WannaCrypt ransomware worm targets out-of-date systems - Microsoft Technet

Disable SMB1 using Group Policy Administrative Templates

Protip: while you're at it, read my important 4 security measures for Windows Server & IIS. Also verify you've disabled SSLv3, TLS 1.0, and TLS 1.1. Acunetix provides you with 8 tips to secure your IIS installation!

Group Policy Central writes about how to disable SMB1 using Group Policy Administrative Templates. This makes it easier for you to disable Server Message Block protocol version 1 to prevent WannaCry throughout your entire Active Directory domain(s).

And here's how:

To make it easier to disable SMB1 in your environment, Microsoft has now released an ADMX/ADML file that defines the required registry keys so they can be configured as an Administrative Template setting.

To get the SMB1 policy setting visit https://blogs.technet.microsoft.com/secguide/2017/06/15/security-baseline-for-windows-10-creators-update-v1703-draft/ and download the Windows-10-RS2-Security-Baseline ZIP file.

Open the ZIP file and navigate to the "Templates" folder where you then need to extract the SecGuide.adml and SecGuide.ADMX files.

Group Policy Central - How to Disable SMB1 using Group Policy Administrative Templates

Using a Group Policy Object (GPO) to disable SMBv1 will prevent a WannaCry spread throughout your entire Active Directory domain(s)!

Disable SMBv1 using PowerShell

Remember, you have the SMB server (or service) for creating a file share, and an SMB client for accessing it. Below you'll find more than one way to disable SMBv1 on both the SMB server and the SMB client.

Windows 8 and Windows Server 2012 introduced the Set-SMBServerConfiguration Windows PowerShell cmdlet, which lets you enable or disable the SMBv1, SMBv2, and SMBv3 protocols on the server component.

Note: when you enable or disable SMBv2 in Windows 8 or Windows Server 2012, SMBv3 is also enabled or disabled, because these protocols share the same stack. Warning: do not disable SMBv2 or SMBv3 except as a temporary troubleshooting measure, and never leave them disabled. Only SMBv1 should stay disabled.

You do not have to restart the computer after you run the Set-SMBServerConfiguration cmdlet.

To obtain the current state of the SMB server protocol configuration, run the following cmdlet in Windows Server 2012, 2012 R2 and Windows Server 2016 and up:

Get-SmbServerConfiguration | Select EnableSMB1Protocol

For Windows Server 2008 R2 and below, use:

Get-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1

To disable SMBv1 on the SMB server, run the following cmdlet:

Set-SmbServerConfiguration -EnableSMB1Protocol $false

To disable SMB protocols on an SMB Server that is running Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, you can use Windows PowerShell, the Registry Editor or a GPO.

If you're using Windows PowerShell version 2.0 or higher:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

In the Registry Editor, change the registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1

entry from 1 to 0 to disable SMBv1 on the LanmanServer (Server) service (0 means disabled; the default is 1, which means enabled).

SMB client
You can use the SC tool to disable the SMB v1 client:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

To disable, and gracefully remove, SMBv1 in Windows 8.1, Windows 10 (client), use the Disable-WindowsOptionalFeature cmdlet:

Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
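The commands above are spread over several Windows generations. As an added example (not code from the original post or from Microsoft), the script below chooses the method this section gives for the local machine: the SMB cmdlet on Windows 8 / Server 2012 and later, the LanmanServer SMB1 registry value on older servers, the smb1protocol optional feature on Windows 8.1 / 10 clients, and the sc.exe commands from Microsoft's KB 2696547 on older clients. It assumes an elevated PowerShell session; the function names are its own.

```powershell
# Run from an elevated (Run as Administrator) PowerShell session.
# Example code, not the post's own; function names are ours.
$lanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later: takes effect without a restart.
        if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
            return 'server: SMBv1 disabled via Set-SmbServerConfiguration'
        }
        return 'server: SMBv1 already disabled'
    }
    # Windows 7 / Server 2008 R2 and earlier: SMB1 = 0 under LanmanServer\Parameters.
    # Per KB 2696547 the registry change only takes effect after a restart.
    Set-ItemProperty -Path $lanmanParams -Name SMB1 -Type DWord -Value 0 -Force
    return 'server: SMB1 registry value set to 0 (restart required)'
}

function Disable-Smb1Client {
    $feature = $null
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName smb1protocol -ErrorAction SilentlyContinue
    }
    if ($feature) {
        # Windows 8.1 / 10: remove the optional feature (restart required to take effect).
        if ($feature.State -eq 'Enabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -NoRestart | Out-Null
            return 'client: smb1protocol feature disabled (restart required)'
        }
        return 'client: smb1protocol feature already disabled'
    }
    # Older clients (KB 2696547): drop the SMBv1 redirector mrxsmb10 from the
    # Workstation service dependencies and stop it from starting.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    return 'client: mrxsmb10 disabled via sc.exe (restart required)'
}

Disable-Smb1Server
Disable-Smb1Client
```

Each function returns a one-line status so the script can be run through Invoke-Command and the results collected per host.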

You can find more information at Microsoft Support and The Deprecation of SMB1 - You should be planning to get rid of this old SMB dialect.

How to verify SMBv1 is disabled in Windows and Windows Server

Sometimes you want the reassurance that you did something right in the past. Suppose you want to test whether Windows versions older than Windows 10 and Windows Server 2016 have SMBv1 disabled; you can use PowerShell to verify that the following registry value is not present or is set to 0:

HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1

In PowerShell, you can get all your computers and servers in your Active Directory Domain using Get-ADComputer, and you can query that list with Invoke-Command to verify SMBv1 is disabled.

For example:

Get-ADComputer -Filter {(Enabled -eq $true) -and (OperatingSystem -like "Windows Server*")} | ForEach-Object {
    Invoke-Command -ComputerName $_.DNSHostName -ScriptBlock {
        if ((Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters").SMB1 -eq 1) {
            Write-Output "SMBv1 is enabled on ${env:COMPUTERNAME}"
        }
    }
}
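The one-liner only prints hosts whose SMB1 value is explicitly 1. As an added example (not code from the original post), the audit below covers the registry check from this section and the newer cmdlet from the previous one, and returns one object per server so the result can be filtered or exported. It assumes the ActiveDirectory module on an admin workstation and WinRM access to each server; the function and file names are its own. Note that, per Microsoft's KB 2696547, an absent SMB1 value means the server's default, which is enabled, so the audit reports it as such rather than as verified; unreachable hosts are kept in the report too.

```powershell
# Example code, not the post's own. Run from an elevated, domain-joined session.
Import-Module ActiveDirectory

# Runs on each remote host: prefer the SMB cmdlet, fall back to the registry value.
$probe = {
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
        $method  = 'Get-SmbServerConfiguration'
    } else {
        $value   = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        # KB 2696547: no SMB1 value means the default, and the default is enabled.
        $enabled = ($null -eq $value) -or ($value -ne 0)
        $method  = if ($null -eq $value) { 'registry (SMB1 absent, default)' } else { "registry (SMB1=$value)" }
    }
    # New-Object instead of [pscustomobject] so the probe also runs on PowerShell 2.0 hosts.
    New-Object PSObject -Property @{ Computer = $env:COMPUTERNAME; Smb1Enabled = [bool]$enabled; Method = $method }
}

function Get-Smb1Audit {
    param([string]$Filter = '(Enabled -eq "True") -and (OperatingSystem -like "Windows Server*")')
    $computers = Get-ADComputer -Filter $Filter | Select-Object -ExpandProperty DNSHostName
    foreach ($name in $computers) {
        try {
            $result = Invoke-Command -ComputerName $name -ScriptBlock $probe -ErrorAction Stop
        } catch {
            # An unreachable host is not a verified host: keep it in the report.
            $result = New-Object PSObject -Property @{ Computer = $name; Smb1Enabled = $null; Method = "error: $($_.Exception.Message)" }
        }
        $result | Select-Object Computer, Smb1Enabled, Method
    }
}

$audit = Get-Smb1Audit
# Anything not explicitly disabled (enabled, default, or unknown) needs attention.
$audit | Where-Object { $_.Smb1Enabled -ne $false } | Format-Table -AutoSize
$audit | Export-Csv -Path .\smb1-audit.csv -NoTypeInformation
```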

This is one of those ways to increase Windows Server security in your environment. You may find more information in Microsoft's Support article "How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server".


8 Comments

  1. TheKinki1

    DONT DO THIS
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
    sc.exe config mrxsmb10 start= disabled

    1.) it's BROWSER, not Bowser

    2.) if you get past the typo, setting lanmanworkstation to depend on browser means lanmanworkstation will not start. Disabling SMB1 removes the browser service. If the browser service can’t start, mrxsmb20 will not start, workstation will not start, netlogon will not start and remote desktop configuration will not start.

    3.) You owe me 3 hours of going around and around with a broken network.

    4.) Grab a copy of advanced network scanner, or angryipscanner and have your way with seeing all the computers on the network.

    K1

    • Hi,

      I’m sorry you think I made a typo and that it cost you three hours of going around and around with a broken network. But hé, the information is for free.

      As far as I can tell, there is NO typo. Just look it up in Microsoft’s own documentation on https://support.microsoft.com/en-us/help/2696547/detect-enable-disable-smbv1-smbv2-smbv3-in-windows-and-windows-server. You can verify with PowerShell or cmd.exe:

      sc query bowser
      
      SERVICE_NAME: bowser
              TYPE               : 2  FILE_SYSTEM_DRIVER
              STATE              : 4  RUNNING
                                      (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
              WIN32_EXIT_CODE    : 0  (0x0)
              SERVICE_EXIT_CODE  : 0  (0x0)
              CHECKPOINT         : 0x0
              WAIT_HINT          : 0x0
      Get-Service -Name Bowser |select *
      
      
      Name                : Bowser
      RequiredServices    : {}
      CanPauseAndContinue : False
      CanShutdown         : False
      CanStop             : True
      DisplayName         : Browser
      DependentServices   : {SessionEnv, Netlogon, LanmanWorkstation}
      MachineName         : .
      ServiceName         : Bowser
      ServicesDependedOn  : {}
      ServiceHandle       :
      Status              : Running
      ServiceType         : FileSystemDriver
      StartType           : Manual
      Site                :
      Container           :
  2. So how do I “elevate” to be able to run this command on Windows 10?! It seems easier to be hit by this worm than to figure out the black magic needed to protect against it.

  3. mlazzarotto91

    Thank you very much. Very useful post.
    Be aware that if you disable SMB1 client you might get into problems accessing shared folders on older QNAP.
