Disabling SMBv1 through Group Policy


Version 1 of the Server Message Block (SMB) protocol was developed in the early days of personal computer networking, and as Ned Pyle describes in his blog post, Stop using SMB1, there are many reasons to cease using it on your networks. We have added that recommendation to our baseline, and have exposed a way to do so through Group Policy editors for local or domain GPOs by adding to the custom “MS Security Guide” ADMX. That said, the settings that need to be manipulated are not a natural fit for GPO management, so you need to be careful while using it. Applying the settings incorrectly can cause serious problems.

We wanted these custom settings to work for all supported versions of Windows and to be reversible so that SMBv1 could be re-enabled if necessary. Due to the limitations of the ADMX syntax, we ended up implementing it through three separate settings:

  • Configure SMB v1 server, to disable or enable server-side processing of the SMBv1 protocol. This is a simple Enabled/Disabled/Not Configured setting that controls the “SMB1” registry value in HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.
  • Configure SMB v1 client driver, to configure the startup mode for the kernel mode driver that implements client-side SMBv1 processing (MrxSmb10). This setting includes a dropdown that is activated when the Enabled radio button is selected and that controls the “Start” registry value in HKLM\SYSTEM\CurrentControlSet\Services\MrxSmb10. Note that choosing the “Disabled” radio button deletes the “Start” value, so don’t do that! See the explain text shown in the table below if you need to restore default behavior. Note that the “Disabled” radio button is not the same thing as the dropdown value, “Disable driver (recommended).”
  • Configure SMB v1 client (extra setting…), which is needed only for older Windows versions. This setting controls the “DependOnService” REG_MULTI_SZ value in HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation, which represents the service and driver dependencies of the Workstation service (internal name: LanmanWorkstation). Older versions of Windows configure LanmanWorkstation with a dependency on the SMBv1 client driver (MrxSmb10) running, which can be problematic if MrxSmb10 is disabled. So this setting enables you to configure the LanmanWorkstation service’s dependencies directly. The setting’s Explain text describes exactly what to enter into the text box. Unfortunately, there is no way for the ADMX to offer a choice of predefined REG_MULTI_SZ values. You have to type – or copy/paste – the text yourself. And here again, choosing the “Disabled” radio button deletes the DependOnService value, which would be very bad, so don’t do that!

This table lists the settings and corresponding explain text from the Group Policy editor:

Setting name: Configure SMB v1 server
Explain text:
Disabling this setting disables server-side processing of the SMBv1 protocol. (Recommended.)

Enabling this setting enables server-side processing of the SMBv1 protocol. (Default.)

Changes to this setting require a reboot to take effect.

For more information, see https://support.microsoft.com/kb/2696547

Setting name: Configure SMB v1 client driver
Explain text:
Configures the SMB v1 client driver’s start type.

To disable client-side processing of the SMBv1 protocol, select the “Enabled” radio button, then select “Disable driver” from the dropdown.

WARNING: DO NOT SELECT THE “DISABLED” RADIO BUTTON UNDER ANY CIRCUMSTANCES!

For Windows 7 and Servers 2008, 2008R2, and 2012, you must also configure the “Configure SMB v1 client (extra setting needed for pre-Win8.1/2012R2)” setting.

To restore default SMBv1 client-side behavior, select “Enabled” and choose the correct default from the dropdown:
* “Manual start” for Windows 7 and Windows Servers 2008, 2008R2, and 2012;
* “Automatic start” for Windows 8.1 and Windows Server 2012R2 and newer.

Changes to this setting require a reboot to take effect.

For more information, see https://support.microsoft.com/kb/2696547

Setting name: Configure SMB v1 client (extra setting needed for pre-Win8.1/2012R2)
Explain text:
APPLIES ONLY TO: Windows 7 and Windows Servers 2008, 2008R2 and 2012 (NOT 2012R2):

To disable client-side processing of the SMBv1 protocol (recommended), do ALL of the following:
* Set the SMBv1 client driver to “Disable driver” using the “Configure SMB v1 client driver” setting;
* Enable this setting;
* In the “Configure LanmanWorkstation dependencies” text box, enter the following three lines of text:
Bowser
MRxSmb20
NSI

To restore the default behavior for client-side SMBv1 protocol processing, do ALL of the following:
* Set the SMBv1 client driver to “Manual start” using the “Configure SMB v1 client driver” setting;
* Enable this setting;
* In the “Configure LanmanWorkstation dependencies” text box, enter the following four lines of text:
Bowser
MRxSmb10
MRxSmb20
NSI

WARNING: DO NOT SELECT THE “DISABLED” RADIO BUTTON UNDER ANY CIRCUMSTANCES!

Changes to this setting require a reboot to take effect.

For more information, see https://support.microsoft.com/kb/2696547
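Because the three settings write plain registry values, the safest way to confirm what a GPO actually left on a machine (after gpupdate and the required reboot) is to read those values back. The following PowerShell audit script is an added example, not part of the post or the baseline package; it assumes it runs elevated on the machine being checked and uses the standard service start-type numbers (4 = disabled, 3 = manual, 2 = automatic) that the “Configure SMB v1 client driver” dropdown maps to. It also flags the two states the post warns about: a deleted “Start” value and a deleted “DependOnService” value.

```powershell
# Added audit script (not from the original post). Reads the registry locations
# the three "MS Security Guide" SMBv1 settings control and reports their state.
$svrKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$drvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10'
$wksKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'

function Get-RegValueOrNull([string]$Path, [string]$Name) {
    # Returns $null when the value is absent, e.g. after the "Disabled"
    # radio button deleted it.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# Server side: SMB1 = 0 means disabled; a missing value means the default (enabled).
$smb1 = Get-RegValueOrNull $svrKey 'SMB1'
if ($smb1 -eq 0) { 'Server: SMBv1 disabled (recommended)' }
else { 'Server: SMBv1 ENABLED (SMB1 value missing or non-zero)' }

# Client driver start type (assumed mapping: 4 = "Disable driver",
# 3 = "Manual start", 2 = "Automatic start").
$start = Get-RegValueOrNull $drvKey 'Start'
if ($null -eq $start) {
    'WARNING: MrxSmb10 "Start" value is missing; the "Disabled" radio button was probably selected. Restore it via "Enabled" and the correct dropdown default.'
} elseif ($start -eq 4) { 'Client driver: disabled (recommended)' }
elseif ($start -eq 3) { 'Client driver: manual start (default for Win7/2008/2008R2/2012)' }
elseif ($start -eq 2) { 'Client driver: automatic start (default for Win8.1/2012R2 and newer)' }
else { "Client driver: unexpected Start value $start" }

# Workstation service dependencies (REG_MULTI_SZ). On pre-Win8.1/2012R2 the
# MRxSmb10 entry must be removed when the driver is disabled, otherwise the
# Workstation service depends on a driver that cannot start.
$deps = Get-RegValueOrNull $wksKey 'DependOnService'
if ($null -eq $deps) {
    'WARNING: LanmanWorkstation "DependOnService" is missing; restore it (Bowser, MRxSmb10, MRxSmb20, NSI or the three-line variant) before rebooting.'
} elseif ($start -eq 4 -and $deps -contains 'MRxSmb10') {
    'WARNING: MrxSmb10 is disabled but LanmanWorkstation still lists MRxSmb10 as a dependency.'
} else {
    "Workstation dependencies: $($deps -join ', ')"
}
```

Run it on one machine from each OS generation in the policy scope, since the expected “Start” default and the need for the extra dependency setting differ between pre-Win8.1/2012R2 and newer systems.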

You can obtain the “MS Security Guide” ADMX template in the download associated with the draft baseline for Windows 10 v1703 here. Copy SecGuide.admx into your %windir%\PolicyDefinitions directory, and copy SecGuide.adml into the en-us subdirectory.


Comments (7)

  1. Eric says:

    It would be helpful to include a link to where you get the “MS Security Guide” ADMX.

    [Aaron Margosis] Thanks. I’ll update the post with that information. In the meantime, it’s in the download package with the draft baseline here.
    [Aaron Margosis] Updated.
    1. uflRob says:

      I’ve opened the Windows-10-RS2-Security-Baseline package and while the Policy seems to contain some SMBv1 settings, the ADMX templates included in the package do not seem to contain some of the above definitions, such as “Configure SMB v1 client (extra setting needed for pre-Win8.1/2012R2)”

      [Aaron Margosis] Copy the *.ADMX files to the %windir%\PolicyDefinitions directory, and the *.ADML files to the en-us subdirectory. If the Group Policy editor is open, close it and then re-open.
    2. Eric says:

      Thank-you!

  2. Bjørn says:

    A couple of times the last setting states that we should type “Bowser” in the dependencies box. That should be “Browser”, should it not?

    [Aaron Margosis] No, it’s actually exactly correct as it is. See hklm\system\currentcontrolset\services\bowser
  3. Yoshihiro Kawabata says:

    Thank you for the Group Policy for disabling SMBv1.
    I would like to know which ADMX file is needed to disable SMBv1.
    Is it SecGuide.admx?

    [Aaron Margosis] Yes. Put SecGuide.admx in the %windir%\PolicyDefinitions directory and SecGuide.adml in the en-us subdirectory.
  4. David says:

    Can you confirm whether setting the “Configure LanmanWorkstation dependencies” as described above will NOT have any impact on Windows 8 (and Server 2012R2) and above, i.e. whether the above settings can be applied in a generic policy for all Windows client OS versions, or whether they need to be specifically segregated?

    [Aaron Margosis] You should segregate them, and not apply the “extra setting needed for pre-Win8.1/2012R2” to Win8.1/2012R2 or newer.
  5. Nick says:

    For the two settings with “WARNING: DO NOT SELECT THE “DISABLED” RADIO BUTTON UNDER ANY CIRCUMSTANCES!” what is the behavior when going from ‘Enabled’ to ‘Not Configured’?

    [Aaron Margosis] The last-applied settings should remain in place — “tattooed.”