Detecting and remediating SMBv1

We have recently issued a Security Update (4013389) for Windows SMB. This does affect all supported versions of Windows at this time.

SMBv1 isn't safe, and using it causes you to lose some key protections, among them:
Pre-authentication integrity, which is new in Windows 10/2016. It improves "man-in-the-middle" protection against attacks tampering with SMBv2's connections and authentication messages.
Secure Dialect Negotiation, which is also new to SMBv3, to protect against man-in-the-middle attacks that downgrade the negotiated capabilities between client and server.
Encryption, which we all know what this is - in newer SMBv3.1.1, performance of encryption has continued to improve.
Insecure guest auth blocking, again preventing man-in-the-middle attacks.
Better message signing, as SHA-256 replaces MD5 as the hashing algorithm.

It also provides significant performance improvements when you move from v1 to v3, such as larger reads/writes, peer caching / BranchCache capabilities, and better handles (among other things).

First, allow me to deliver some bad news. SMBv1 is enabled by default and is still used in Server 2016, likely for compatibility reasons.

How do you detect or audit it? Very simple.

For Windows 10 and Server 2016:
You can do this in PowerShell:
Set-SmbServerConfiguration -AuditSmb1Access $true
...but we don't use 2016, we use an older OS on our servers...
Got you covered there too:

For Windows Vista/2008, Windows 7/2008 R2
You can check this registry key: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 for a value of 0 (0 is disabled, 1 is enabled).
There is a Key for SMBv2 as well, if you want to check this while you're at it.

For Windows 8 and Server 2012
This is a bit easier; you can use this PowerShell to detect it, and maybe even put it into SCCM to see which systems have SMBv1 enabled:

# Read the EnableSMB1Protocol property directly; casting the whole object to [bool] would not test the setting
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    Write-Host "SMBv1 is Enabled"
} else {
    Write-Host "SMBv1 is Disabled"
}
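The same check, written as an added example (not code from the original post) that covers both the cmdlet-based systems and the older registry-only systems described above, so one script can be dropped into an SCCM compliance-settings discovery rule. The return strings "Compliant"/"Non-Compliant" and the treatment of a missing registry value as "enabled" (the default on Vista/7/2008/2008 R2) are my assumptions, not something the post states:

```powershell
# Added example: report the SMB1 server protocol state on this machine.
# Outputs "Compliant" when SMBv1 is off and "Non-Compliant" when it is on,
# so an SCCM compliance rule can compare the discovery script's output.

function Get-Smb1ServerState {
    # Windows 8 / Server 2012 and later expose the SMB server settings as a cmdlet.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # Vista/7/2008/2008 R2: only the registry value exists.
    # 0 = disabled, 1 = enabled. If the value is absent the server uses its
    # default, which on these versions is SMB1 enabled (assumption noted above).
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $value) {
        return $true
    }
    return ($value.SMB1 -ne 0)
}

if (Get-Smb1ServerState) {
    Write-Host "SMBv1 is Enabled"
    'Non-Compliant'
} else {
    Write-Host "SMBv1 is Disabled"
    'Compliant'
}
```

Write-Host goes to the console only; the bare string is what ends up in the pipeline output that a compliance rule evaluates.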

Remediating the problem
Unless you still have a need for XP/2003 (or even older), which are no longer supported, you should turn off SMBv1. There are a few ways to do it, and honestly it isn't difficult:

  • Server 2012 R2 and Server 2016
    • Server Manager: Disable SMB 1.0/CIFS File Sharing Support (Feature)
    • PowerShell: Remove-WindowsFeature FS-SMB1
  • Windows Client (8.1 and 10)
    • Remove the Windows Feature SMB 1.0/CIFS File Sharing Support
    • PowerShell: Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
  • Windows Vista/7/2008/2008 R2
    • You can use the registry and set this value to 0: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 (1 is enabled)
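As an added example (not code from the original post), here is the remediation list above folded into one elevated script that picks the method matching the running OS. The version thresholds (6.3 = 8.1/2012 R2, 10.0 = 10/2016) and the ProductType test are my assumptions about how to tell the cases apart; the registry branch is used for everything older, and a reboot is still needed afterwards:

```powershell
# Added example: disable the SMBv1 server protocol using the method
# appropriate to the OS, as listed in the remediation section.

function Disable-Smb1Server {
    $os       = Get-WmiObject -Class Win32_OperatingSystem
    $version  = [version]$os.Version    # 6.1 = 7/2008 R2, 6.3 = 8.1/2012 R2, 10.0 = 10/2016
    $isServer = $os.ProductType -ne 1   # 1 = workstation, 2 = domain controller, 3 = member server

    if ($version -ge [version]'6.3' -and $isServer) {
        # Server 2012 R2 / 2016: remove the SMB 1.0/CIFS File Sharing Support feature
        Import-Module ServerManager
        Remove-WindowsFeature -Name FS-SMB1
    }
    elseif ($version -ge [version]'6.3') {
        # Windows 8.1 / 10 client: disable the optional feature
        Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -NoRestart
    }
    else {
        # Vista / 7 / 2008 / 2008 R2: no feature to remove, set the registry value to 0
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0
    }
    Write-Host "SMBv1 server disabled; reboot to complete."
}

Disable-Smb1Server
```

Run the detection check again after the reboot to confirm the change took effect before rolling it out more widely.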

I hope you found this article on how to detect and remediate SMBv1 to be informative and effective. Don't forget you can use things such as SCCM Compliance Settings to detect and remediate these items as well.

-- If you like my blogs, please share it on social media, rate it, and/or leave a comment. --

Comments (11)
  1. Daniel Glomb says:

    Great overview Lee! There is a typo in how to remove SMBv1 from Server 2012 R2 and Server 2016: PowerShell: Remove-WindowsFeature FS-SMB1 (not FS-DMB1).

    1. leecstevens says:

      Thank you for the kind words, Daniel, always appreciated. I will certainly fix the typo, thanks for bringing it to my attention, guess you caught me not using copy/paste. 🙂

  2. CloudNovum says:

    Note that the SMB auditing command and functionality has been backported to 2012R2 with the June 2017 monthly rollup:

    Added SMB1 access auditing on Windows Server 2012 R2. The auditing will be disabled by default. When it is enabled, an auditing event will be logged with the client address when an SMB1 client tries to connect to the server. This is to allow customers to make an informed decision on SMB1 usage before disabling or removing SMB1 on Windows Server 2012 R2.

    To enable SMB1 access auditing, run the following powershell cmdlet with the option below with elevated privileges:
    Set-SmbServerConfiguration -AuditSmb1Access $true

    To disable SMB1 access auditing, run the following PowerShell cmdlet with the option below with elevated privileges:
    Set-SmbServerConfiguration -AuditSmb1Access $false


    1. leecstevens says:

      Thanks for this. I did some checking, and looks like Windows 7 is still without auditing. I know a lot of folks have moved towards Windows 10, but still a lot on 7 these days. Brace yourselves, January 14, 2020 will be here before you know it.

    2. Chris says:

      These added comments are very helpful. Where in the Event Viewer are these audit entries collected? Thanks

      1. leecstevens says:

        After running the Set-SmbServerConfiguration cmdlet, go to the Event Viewer and Applications and Services. You’ll find it in Windows \ SMBServer \ Audit. Hope this helps.
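An added example (not part of the comment thread) that reads the audit log named in the reply above and summarizes which clients are still talking SMB1, which is the informed-decision step the backported auditing is meant to support. The event ID 3000 and the "Client Address:" text in the message are my assumptions about the log's contents; check one event in Event Viewer and adjust if yours differs:

```powershell
# Added example: summarize SMB1 access audit events by client address.
# Requires auditing to have been turned on with
# Set-SmbServerConfiguration -AuditSmb1Access $true (see the comment above).

function Get-Smb1ClientReport {
    param([int]$Days = 7)

    $filter = @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'   # Event Viewer: Applications and Services \ Windows \ SMBServer \ Audit
        Id        = 3000                                  # assumed ID of the SMB1 access audit event
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    # The client address is carried in the message text (assumed format "Client Address: x.x.x.x")
    $events |
        ForEach-Object {
            if ($_.Message -match 'Client Address:\s*(\S+)') { $matches[1] }
        } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'ClientAddress'; e = { $_.Name } }, Count
}

Get-Smb1ClientReport -Days 30 | Format-Table -AutoSize
```

Leave auditing on for at least one full business cycle (month-end jobs included) before treating an empty report as proof that nothing depends on SMB1.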

  3. MrWyss says:

    The Logic check does not work

    if ([bool](Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol))
    this always returns False

    it should be
    if (((Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol)).EnableSMB1Protocol)

    1. leecstevens says:

      Thanks for the comment. I’ll look into this and update the blog as needed.

  4. Naveen says:

    For Windows Vista/2008, Windows 7/2008 R2 – how do we enable SMB1 auditing? Is network captures the only option?

    1. leecstevens says:

      It looks like there is no way to backport the PowerShell cmdlet to enable SMB auditing at this point. Unless someone else has another idea, I see captures as being the option to trace (short of turning it off and see who complains).
