Disable SMB v1 in Managed Environments with Group Policy


The following is a brief summary of recent SMB v1 vulnerabilities, the ransomware that exploited them, and an enterprise approach to disabling SMB v1 via Group Policy.

Why SMB v1 Isn’t Safe (September 16, 2016)

Ned Pyle wrote a blog post in September 2016 on why SMBv1 isn’t safe. After listing the security features of the newer SMB versions, he points out that an SMB1 client can simply be told to skip them:

“...If your clients use SMB1, then a man-in-the-middle can tell your client to ignore all the above.” Please review Ned Pyle’s full blog article, Why SMB1 isn’t safe.

TechNet Guidance on Enabling/Disabling SMBv1/2/3 (February 28, 2017)

In February 2017 Microsoft updated and published a TechNet article on how to enable or disable the various SMB versions using:

  • The Registry Editor for LanmanServer
  • PowerShell’s Set-SmbServerConfiguration for SMB server
  • sc.exe with config options for lanmanworkstation

Caution! While these tools work for quick, one-off configuration changes, this combination approach is not very manageable in large-scale enterprise environments where a consistent configuration is required.

Microsoft Published Security Bulletin MS17-010 (March 14, 2017)

Microsoft released security bulletin MS17-010, a critical Security Update for Microsoft Windows SMB Server, with the updates published under KB 4013389 along with a host of security updates for all supported versions of Windows.

Enter Global Ransomware Attack (May 12, 2017)

The WannaCrypt ransomware attack began exploiting the SMB v1 server vulnerability and spread globally on May 12.

U.S. CERT Advisory (May 12, 2017)

US-CERT issued an advisory, Indicators Associated With WannaCry Ransomware, with the following recommendations:

Apply the patch (MS17-010). If the patch cannot be applied, consider:

  • Disabling SMBv1 and
  • blocking all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.

SMB Vulnerability Patch for Windows XP & Server 2003 (May 13, 2017)

Microsoft then released SMB security patches for Windows XP and Server 2003 on May 13, 2017.

Enterprise Approach to Disable SMB v1 using GPO

Certainly, it’s important to patch against the known SMB v1 vulnerabilities released in MS17-010 and the subsequent KB 4013389 for Windows XP/2003. However, because of the numerous WannaCrypt variants and the other known security issues with SMB v1 (e.g. man-in-the-middle), many organizations have issued mandates to completely disable SMBv1 as a strategic security countermeasure against future threats.

An enterprise approach to disabling SMB v1 is to use Active Directory (AD) Group Policy preferences to configure and enforce the registry settings related to disabling SMBv1 client and server components for Windows Vista and Server 2008 and later.

Group Policy registry preference items allow you to create, update, replace, and delete keys and values in the Windows registry. The following registry keys need to be created or updated to disable SMB v1.


Disable SMBv1 Server with Group Policy:

This creates the following new item in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Registry entry: SMB1, REG_DWORD, value data 0 (0 = Disabled)


To configure this using Group Policy:

  1. Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.
  2. In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.
  3. Right-click the Registry node, point to New, and select Registry Item.


In the New Registry Properties dialog box, select the following:

  • Action: Create
  • Hive: HKEY_LOCAL_MACHINE
  • Key Path: SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
  • Value name: SMB1
  • Value type: REG_DWORD
  • Value data: 0


This disables the SMBv1 server components. The GPO needs to be applied to all necessary workstations, servers, and domain controllers in the domain.

Note: WMI filters can also be used to exclude unsupported operating systems, or selected exclusions such as Windows XP, from the GPO.

Caution! Be careful when making these changes on domain controllers if legacy Windows XP clients, older Linux systems or third-party systems that do not support SMBv2 or SMBv3 still require access to SYSVOL or other file shares on the servers where SMB v1 is being disabled.


Disable SMBv1 Client with Group Policy:

To disable the SMBv1 client, two changes are needed: the services registry key for MRxSMB10 must be updated so that the driver no longer starts, and the dependency on MRxSMB10 must then be removed from the LanmanWorkstation entry so that the Workstation service can start normally without requiring MRxSMB10 to start first.

This updates and replaces the default values in the following two items in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb10

Registry entry: Start, REG_DWORD, value data 4 (4 = Disabled)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation

Registry entry: DependOnService, REG_MULTI_SZ, with the three strings Bowser, MRxSmb20 and NSI (one per line)

Note: The default value also included MRxSMB10, which is now removed as a dependency.

To configure this using Group Policy:

  1. Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.
  2. In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.
  3. Right-click the Registry node, point to New, and select Registry Item.


In the New Registry Properties dialog box, select the following:

  • Action: Update
  • Hive: HKEY_LOCAL_MACHINE
  • Key Path: SYSTEM\CurrentControlSet\services\mrxsmb10
  • Value name: Start
  • Value type: REG_DWORD
  • Value data: 4


Then add a second Registry Item to remove the dependency on the MRxSMB10 driver that was just disabled.

In the New Registry Properties dialog box, select the following:

  • Action: Replace
  • Hive: HKEY_LOCAL_MACHINE
  • Key Path: SYSTEM\CurrentControlSet\Services\LanmanWorkstation
  • Value name: DependOnService
  • Value type: REG_MULTI_SZ
  • Value data:
    • Bowser
    • MRxSmb20
    • NSI

Note: These 3 strings are entered one per line, without the bullets used to list them here.


The default value includes MRxSMB10 in many versions of Windows, so replacing it with this multi-string value in effect removes MRxSMB10 as a dependency of LanmanWorkstation, going from the four default values down to just the three values above.

Note: When using the Group Policy Management Console there is no need to use quotation marks or commas. Just type each entry on its own line as listed above.

Reboot Required

After the policy has applied and the registry settings are in place, the targeted systems must be rebooted before SMB v1 is disabled.

Summary

If all the settings are in the same Group Policy Object (GPO), Group Policy Management will show the three registry items together under the Registry node of that GPO.


Testing and Validation

Once these are configured, allow the policy to replicate and update. For testing, run gpupdate /force from a CMD.EXE prompt as needed, then review the target machines to ensure the registry settings are being applied correctly. Make sure SMB v2 and SMB v3 are functioning for all other systems in the environment.

Caution! Don't forget to reboot the targeted systems.
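The following PowerShell script is an added example, not part of the original article: it reads back the three registry values that the GPO preference items set on a target machine, and then checks what the Service Control Manager actually reports, which only changes after the reboot. It assumes the default-named Workstation service and, on Windows 8 / Server 2012 and later, the Get-SmbServerConfiguration cmdlet.

```powershell
# Added example (not from the original article). Run from an elevated
# PowerShell prompt on a machine that has received the GPO.
function Test-Smb1Disabled {
    $svc    = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $checks = @()

    # SMBv1 server: LanmanServer\Parameters\SMB1 must exist and be 0 (Create item)
    $smb1 = (Get-ItemProperty "$svc\LanmanServer\Parameters" -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $checks += [pscustomobject]@{
        Check  = 'LanmanServer\Parameters\SMB1 = 0'
        Actual = if ($null -eq $smb1) { '<missing>' } else { $smb1 }
        Pass   = ($null -ne $smb1 -and $smb1 -eq 0) }

    # SMBv1 client driver: mrxsmb10\Start must be 4 = Disabled (Update item)
    $start = (Get-ItemProperty "$svc\mrxsmb10" -Name Start -ErrorAction SilentlyContinue).Start
    $checks += [pscustomobject]@{
        Check  = 'mrxsmb10\Start = 4'
        Actual = if ($null -eq $start) { '<missing>' } else { $start }
        Pass   = ($null -ne $start -and $start -eq 4) }

    # Workstation dependencies must be exactly Bowser, MRxSmb20, NSI (Replace item)
    $dep      = @((Get-ItemProperty "$svc\LanmanWorkstation" -Name DependOnService -ErrorAction SilentlyContinue).DependOnService)
    $expected = 'Bowser', 'MRxSmb20', 'NSI'
    $checks += [pscustomobject]@{
        Check  = 'LanmanWorkstation\DependOnService = Bowser,MRxSmb20,NSI'
        Actual = ($dep -join ',')
        Pass   = ($dep.Count -eq 3 -and -not (Compare-Object $expected $dep)) }

    # Registry values only take effect after a reboot: ask the SCM what it is
    # using right now, so a machine that has the values but has not rebooted fails here
    $ws   = Get-Service LanmanWorkstation
    $live = @($ws.ServicesDependedOn | ForEach-Object Name)
    $checks += [pscustomobject]@{
        Check  = 'Workstation service running without mrxsmb10 (post-reboot)'
        Actual = "$($ws.Status): $($live -join ',')"
        Pass   = ($ws.Status -eq 'Running' -and $live -notcontains 'mrxsmb10') }

    # Runtime view of the server side, where the SMB cmdlets exist (Windows 8 / 2012+)
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
        $checks += [pscustomobject]@{
            Check  = 'Get-SmbServerConfiguration EnableSMB1Protocol = False'
            Actual = $enabled
            Pass   = (-not $enabled) }
    }
    return $checks
}

Test-Smb1Disabled | Format-Table -AutoSize
```

To check a batch of machines from a management host, the function body can be passed as a script block to Invoke-Command -ComputerName, with the resulting objects filtered on Pass -eq $false.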

Additional SMB v1 Resources

Comments (31)

  1. Thanks for this helpful post!

    Just a little mistake with the year: “Ned Pyle wrote a blog post in September of 2017”.
    This means Ned will write the post in a few months… 😉

    1. Troy Arwine says:

      Thanks, I corrected this typo

  2. Dmitry Chernov says:

    “Bowser”?

    1. Troy Arwine says:

      Yes. Notice the Support Article which also references “bowser” when using SC.EXE to remove the dependency

      sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
      sc.exe config mrxsmb10 start= disabled

      1. BK303 says:

        After the changes to disable SMBv1, you should be able to verify the new SMBv1 client-related service configuration settings from the command line with

        sc.exe qc lanmanworkstation
        [should have no mrxsmb10 dependency]

        sc.exe qc mrxsmb10
        [should be “START: disabled” if service control registry changed, or “service does not exist” if FS-SMB1 feature removed (not possible via registry change only, requires cmdlet or GUI) ]

  3. APrassas says:

    Many thanks Troy, great article.

    Is this GPO going to disable SMBv1 for all Windows client and server versions?

    1. Troy Arwine says:

      It will disable SMBv1 on Windows Vista+ and Server 2008+ as per this Support Article which uses command line and PowerShell to configure the registry settings.

      The full list of supported O/S for this is: Windows 10 Pro released in July 2015, Windows 10 Enterprise released in July 2015, Windows Vista Enterprise, Windows Vista Business, Windows Vista Home Basic, Windows Vista Home Premium, Windows Vista Ultimate, Windows 7 Enterprise, Windows 7 Home Basic, Windows 7 Home Premium, Windows 7 Professional, Windows 7 Ultimate, Windows Server 2008 Datacenter, Windows Server 2008 Enterprise, Windows Server 2008 Standard, Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Standard, Windows 8, Windows 8 Enterprise, Windows 8 Pro, Windows Server 2012 Datacenter, Windows Server 2012 Essentials, Windows Server 2012 Foundation, Windows Server 2012 Standard, Windows Server 2016

  4. Hamid says:

    Just want to confirm that in the “DependOnService” you create value data with the name of “bowser” is it a typo, shouldn’t it be browser ?

    1. Troy Arwine says:

      “Bowser” without an “r” is the name of the registry entry in HKLM\SYSTEM\CurrentControlSet\Services\

  5. BwM says:

    Won’t this need a reboot to effect these changes – or at least a restart of the services mentioned – and stopping of MRxSMB10? Checking the registry entries are present will not remove the vulnerability until the services are restarted.

    1. Troy Arwine says:

      Yes, this will require a reboot

  6. Marc says:

    I would suggest you change the Value Data of the dependency registry entry so that the values aren’t quoted. If somebody just copy-pastes the values as they are, shit will happen. As in, if you enter "Bowser","MRxSmb20","NSI" in your GPO instead of Bowser MRxSmb20 NSI.
    Your clients will end up not being able to start the lanman service due to not finding the dependency services (eventvwr entry: “The Workstation service depends on the following service: "Bowser","MRxSmb20","NSI". This service might not be installed.”) due to the quoted “” typos being pushed to the registry.
    I would suggest you remove the “” from your article.
    /Marc

    1. Troy Arwine says:

      I removed the quotes on the strings and put them on 3 separate lines with a note for clarification to look at the image.
      Thanks

  7. Tommy C says:

    Thanks.

    The option is ticked and (installed) but greyed out on my 2012r2 dcs?

  8. Ryan Subt says:

    Your Summary screenshot shows the “DependOnService” registry setting is under SYSTEM\ControlSet001\Services….

    But, the information before that has the Registry setting SYSTEM\CurrentControlSet\Services…

    1. Troy Arwine says:

      Yes, thanks for finding this…I have corrected the image.

  9. jc says:

    Does anyone have a registry edit for server 2012 r12

  10. Paulo says:

    In the case of an Active Directory (AD) server, does disabling SMB cause problems?

  11. BK303 says:

    Tony, Thank you for this excellent and long awaited GPO deployment advice for SMBv1 disable! I think you hit all the important highlights/links and filled a big hole by providing domain deployment advice. I’m hopeful that this “registry changes only via GPO” approach is solid.

    Still looking for someone at Microsoft to fill another gap for smaller deployments (not using GPO) by providing a single PowerShell script to quickly disable SMBv1 across ALL supported OS versions and another script to re-enable. This script must detect Windows OS version and accomplish the KB2696547 recommendations (and Ned’s stated preference in his blog comments) of uninstalling the “SMB 1.0/CIFS File Sharing Support” (FS-SMB1) feature for late model Windows OSes using the Server Manager cmdlet Uninstall-WindowsFeature for Server 2012 R2 and later, and using the DISM cmdlet Disable-WindowsOptionalFeature -Online cmdlet for (non-Server) Windows 8.1 and later. Stretch goal, “self-elevate” by prompting for administrative privileges upon launch if required (should be easier in PowerShell than batch command line script). Any takers??

    1. BK303 says:

      Please vote up my Script Center request for a comprehensive PowerShell script to “Disable SMBv1 client and server protocols across ALL supported Windows OSes”, which should uninstall the FS-SMB1 Windows feature in new OSes and complete the multiple steps to disable client and server v1 protocol on older OSes.
      https://gallery.technet.microsoft.com/scriptcenter/site/requests/Disable-SMBv1-client-and-server-protocols-across-ALL-supported-Windows-OSes-80d26f6f

  12. ITGrouch says:

    Excellent GPO step by step.

  13. Hamid says:

    Yesterday, I rolled out these configurations and users are reporting today that they are not able to scan documents from printers in to the folders. any idea ?

    1. Hamid says:

      Any help, as users are not able to scan to folders via printer, also users are not able to access shared folders created on Linux samba server. I have deleted GPO, reboot the workstations, GPO is not showing when I ran “GPresult /R” but configurations are still showing in registry, urgent help to revert it back will be highly appreciated.
      Regards,

      1. Hamid says:

        Can anybody tell me how to revert these GPO settings, which are not applied on all machines ?

        1. Troy Arwine says:

          Change the settings back to Start=2 and SMB1=1. For the DependOnService value, add Mrxsmb10 back into the list as a fourth value for LanmanWorkstation. Then reboot again.

  14. Dave321 says:

    Thanks for this useful information.

    One thing I noticed – after implementing the changes, and checking a W10 domain client has the registry changes then rebooting, the “SMB 1.0/CIFS File Sharing Support” still remains ticked in Windows Features.

    1. Troy Arwine says:

      On Windows 10 and Server 2012 R2 and later the SMB1 feature will still be installed on the system. You can uninstall them using Programs and Features.

      1. Dave321 says:

        Thanks.
        So it’s safely disabled but just left installed, and uninstallation via programs and features should not be necessary, is this correct?

  15. AbidHassan says:

    Very helpful post. Detailed but to the point.

  16. Daniel Rojas says:

    Does the order of the changes matter? (1 Create, 2 Replace, and 3 Update)?

    1. Troy Arwine says:

      As long as you make all changes to GPO/registry first and then reboot it will not matter as the changes will not take place until after the reboot. Remember the 2 client settings are independent of the SMB server settings.
