Detecting and remediating SMBv1


We have recently issued a Security Update (4013389) for Windows SMB. This does affect all supported versions of Windows at this time.

SMBv1 isn't safe, and staying on it causes you to lose some key protections, among them:
  • Pre-authentication integrity, which is new in Windows 10/2016. It improved "man-in-the-middle" protection against attacks that tamper with SMBv2's connections and authentication messages.
  • Secure Dialect Negotiation, which is also new to SMBv3, protects against man-in-the-middle attacks that downgrade the capabilities negotiated between client and server.
  • Encryption, which needs no introduction; in the newer SMBv3.1.1, encryption performance has continued to improve.
  • Insecure guest auth blocking, again preventing man-in-the-middle attacks.
  • Better message signing, as SHA-256 replaces MD5 as the hashing algorithm.

Moving from v1 to v3 also brings significant performance improvements, such as larger reads/writes, peer caching / BranchCache capabilities, and better handles (among other things).

First, allow me to deliver some bad news. SMBv1 is enabled by default and is still used in Server 2016, likely for compatibility reasons.

How do you detect or audit it? Very simple.

For Windows 10 and Server 2016:
You can do this in PowerShell:
Set-SmbServerConfiguration -AuditSmb1Access $true
...but we don't use 2016, we use an older OS on our servers...
Got you covered there too:

For Windows Vista/2008, Windows 7/2008 R2
You can check this registry value: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1. A value of 0 means SMBv1 is disabled and 1 means it is enabled; if the value is absent, SMBv1 is enabled, because that is the default.
There is an SMB2 value under the same key as well, if you want to check that while you're at it.

For Windows 8 and Server 2012
This is a bit easier, you can use this PowerShell to detect it, maybe even put it into SCCM to see which systems may have SMBv1 enabled:

# Read the property directly: piping through Select-Object without -ExpandProperty
# returns an object that always casts to $true, so the original check always
# reported "Enabled". Requires an elevated session.
if ((Get-SmbServerConfiguration).EnableSMB1Protocol)
{
    Write-Host "SMBv1 is Enabled"
}
else
{
    Write-Host "SMBv1 is Disabled"
}
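The two detection paths above (the cmdlet on Windows 8/2012 and later, the registry value on Vista/7/2008/2008 R2) combined into one function that can run across a mixed estate, for example as an SCCM Compliance Settings discovery script. This is an added example, not code from the original post; the function name and the output fields are this example's own choices.

```powershell
# Added example: detect SMBv1 on any supported Windows version and emit a
# compliance-style result object. Function and field names are hypothetical.
function Get-Smb1Status {
    [CmdletBinding()]
    param()

    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $audit   = $null

    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later: read the boolean property itself.
        # (Select-Object without -ExpandProperty would always be truthy.)
        $cfg     = Get-SmbServerConfiguration
        $enabled = [bool]$cfg.EnableSMB1Protocol
        # AuditSmb1Access only exists on Windows 10 / Server 2016; elsewhere
        # it reads as $null, which is what we want to report.
        $audit   = $cfg.AuditSmb1Access
        $method  = 'Get-SmbServerConfiguration'
    }
    else {
        # Vista/7/2008/2008 R2: the SMB1 value is absent by default, and an
        # absent value means SMBv1 is enabled.
        $value   = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $enabled = ($null -eq $value) -or ($value -ne 0)
        $method  = 'Registry'
    }

    # Emit an object so the result can be piped, exported to CSV, or reduced to
    # the single Compliance string that an SCCM discovery script returns.
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        Smb1Enabled     = $enabled
        AuditSmb1Access = $audit
        Method          = $method
        Compliance      = $(if ($enabled) { 'NonCompliant' } else { 'Compliant' })
    }
}

# Usage: run in an elevated session on the machine being checked.
Get-Smb1Status
```

For an SCCM Compliance Settings discovery script, return only `(Get-Smb1Status).Compliance` and compare it against the string `Compliant`.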

Remediating the problem
Unless you still have a need for XP/2003 (or even older), which are no longer supported, you should turn off SMBv1. There are a few ways to do it, and honestly it isn't difficult:

  • Server 2012 R2 and Server 2016
    • Server Manager: Disable SMB 1.0/CIFS File Sharing Support (Feature)
    • PowerShell: Remove-WindowsFeature FS-SMB1
  • Windows Client (8.1 and 10)
    • Remove the Windows Feature SMB 1.0/CIFS File Sharing Support
    • PowerShell: Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
  • Windows Vista/7/2008/2008 R2
    • You can use the registry and set this value to 0: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 (1 is enabled; the value is absent by default, which also means enabled). A reboot is required for the change to take effect.

I hope you found this article on how to detect and remediate SMBv1 to be informative and effective. Don't forget you can use things such as SCCM Compliance Settings to detect and remediate these items as well.


Comments (2)

  1. Daniel Glomb says:

    Great overview Lee! There is a typo in how to remove SMBv1 from Server 2012 R2 and Server 2016: PowerShell: Remove-WindowsFeature FS-SMB1 (not FS-DMB1).

    1. leecstevens says:

      Thank you for the kind words, Daniel, always appreciated. I will certainly fix the typo, thanks for bringing it to my attention, guess you caught me not using copy/paste. 🙂
