How to disable server-side SMB1?

Permanent link:

https://auditsquare.com/advisory/windows/how-to-disable-smb1

What is “SMB1”?

SMB or CIFS is usually used to refer to Microsoft Windows networking protocol, used for sharing files and printers and for IPC in Windows networks.

SMB1 is the particular version of this protocol; there are also newer versions, namely SMB2 and SMB3, supported on Windows Vista/Windows Server 2008 and Windows 8/Windows Server 2012, respectively.

SMB1 is today generally considered insecure, and over the years quite a few very serious bugs and errors were reported for it. For this reason, it is advised to disable support for this SMB version whenever it is possible. Note however, that Microsoft Windows XP and Windows Server 2003 and older systems do not support newer SMB versions.

How to disable it?

Disabling server-side SMB1 via registry (Windows Vista, Windows Server 2008 and later)

  • Start regedit (as administrator)
  • Go to: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
  • Create a new DWORD value named SMB1 and set it to 0
  • Reboot for the change to take effect.
  • Note: changing value of SMB1 to 1 would re-enable the SMB1 support.

Disabling server-side SMB1 using powershell (Windows 8, Windows Server 2012 and later)

  • Run the command Set-SmbServerConfiguration -EnableSMB1Protocol $false in powershell prompt.
  • You do not have to restart the computer after you run the Set-SMBServerConfiguration cmdlet.

Completely removing SMB1 support (incl. client-side) via GUI (Windows 8.1, Windows Server 2012R2 and later)

  • On server: in Server Manager, go to Remove features and in the list, uncheck SMB 1.0/CIFS File Sharing Support.
  • On client: go to Control Panel, Add or Remove Programs, Turn Windows features on or off, and uncheck SMB 1.0/CIFS File Sharing Support in the list
  • Note: this method disables also client support for SMB1; though it is highly advisable from the security point of view, it may lead to operational problems when client access to legacy systems is required.

Windows XP / 2000 / 2003

  • Unfortunately the only option here is to completely disable LanmanServer service (which disables sharing of files and printers).