cargex

How to disable SMB 1.0 in Windows 10 using a Group Policy Object

Hi Guys,
I have been reading some of the articles regarding this process and all of them seem to be focused on Windows 7, but it so happens that all my client computers are Windows 10.

I just checked and this is what I see in the Windows features of Windows 10, the following option is checked/selected:

“SMB 1.0/CIFS File Sharing Support”

Now I don’t see any SMB 3.0 options there, and I wonder: if I disable this, am I forcing the disconnection of all my users from the File Server and NAS devices?

Because as much as I want the computers to be secure, I also want my users to be able to work.

Ok now to the main question:

How can I disable this option via GPO in all my Windows 10 client computers?

Thanking you in advance,
Cargex
John

If your Windows 10 patches are up to date, there should be no need to remove it because Microsoft secured it (even though only there for backward compatibility reasons).
McKnife
You would need to deploy a domain startup PowerShell script that goes like mine in https://www.experts-exchange.com/questions/29023135/how-to-tell-if-SMBv1-is-enabled-on-a-server-or-workstation.html (my 2nd comment over there).
Please note that my code was only for finding workstations or servers with SMBv1 enabled. To uninstall it, rather use the code
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol

Note: that would require a reboot which would need to be enforced.
btan

To disable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 0 -Force

https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

Ref - How to deploy a Registry Key via Group Policy
http://thesolving.com/server-room/how-to-deploy-a-registry-key-via-group-policy/
That's just another way. btan's way disables it, my way removes it altogether.
cargex

ASKER

I have one specific question. Would the Windows 10 clients still be able to access FileServers and NAS partitions if I disable SMB1.0?

Also, for the Servers, I have some Mac clients, and whenever I create an access to a Windows Shared folder for them it goes like this: "smb://SERVER_NAME"

I'm really worried that this is going to cause more problems than solutions.
If you are fully up to date, Microsoft has secured SMBv1 in Windows 10 and there is no real need to remove it unless you feel you must.
True. As for compatibility, you would need to check which SMB versions your devices use. Old NAS' (really old, never updated) might use SMBv1. XP clients do as well, but anything Vista/2008 and newer is at least SMBv2.
PS: the removal/deactivation is easily reversed.
Removing the feature with
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol

still shows that smbv1 is enabled in powershell when running the command
get-smbserverconfiguration

Still unsure if removing the feature completely disables SMBv1 or if it's also necessary to disable via PowerShell.

The steps above only disable the server side of smbv1. To disable the client use:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

Both client and server should be disabled to avoid the ransomware in case the workstation isn't fully patched, or if you want to disable a 30-year-old protocol that is almost obsolete.
In any case use smb v2 and above as v1 is insecure https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
Windows 10 does not use SMBv1 unless you are using legacy software that requires it. Otherwise, secured (March patches) and not used.
@John Win10 will use SMBv1 when it connects to shares that require SMBv1 like on old OS' or on modern OS' with SMBv2 turned off for whatever reason - it has nothing to do with software.
@Carlos: the PowerShell command is misleading. The service mrxsmb10 is not even installed anymore after you run my feature-uninstall command, so PowerShell's diagnosis is useless.
@mcknife sorry for the confusion. When removing the feature from Win 10, the client side is also removed. If the feature is enabled, then my PowerShell command disables the client side of SMBv1.
@John Win10 will use SMBv1 when it connects to shares that require SMBv1 like on old OS'

Sorry for the way I phrased it. SMBv1 (so far as I know) is only used when connecting to legacy systems.

So if needed for this, you cannot uninstall it, but for sure it was secured (as much as feasible) in the March updates.
cargex

ASKER

@ Carlos Soto

I tried running all the options you provided to disable SMBv1 in Windows 10, but none of them did the trick.
Or at least when I look in "Windows Features" the SMBv1.0/CIFS option is still checked.

Is this for old versions of Windows only?
Yes old versions only. Windows 7 up does not use SMBv1
The SMB client, however, is still able to attempt to connect to an external SMB v1 share on another server, unless we also disable the SMB v1 client. This is done by running the following commands in either PowerShell or Command Prompt with administrative privileges. Also restart the machine.

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

sc.exe config mrxsmb10 start= disabled
@cargex, I'm running the command on Win 10. If you have Win 7 or lower you need to make registry changes.

disable smb

The link shows the different ways of disabling both the SMBv1 server and client. As @btan stated, even if you disable the SMBv1 server, the client can still connect with SMBv1 to other resources and potentially spread the ransomware to computers with the SMBv1 server enabled.
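
An added example, not part of any post in this thread: a PowerShell script that reports SMBv1 in each place the comments above disagree about (the Windows feature, the SMB server setting, the mrxsmb10 client driver), lists shares currently reached over an SMB 1.x dialect to answer the compatibility question, and removes the feature only when asked. The function name `Get-Smb1State` and the `-Remove` switch are this example's own; the cmdlets, feature name and service name are the ones used in the thread.

```powershell
#Requires -RunAsAdministrator
# Added example: audit SMBv1 on a Windows 10 client and optionally remove it.
param([switch]$Remove)   # hypothetical switch: without it the script only reports

function Get-Smb1State {
    # 1. The optional feature (the "Windows Features" checkbox).
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

    # 2. The server-side setting shown by Get-SmbServerConfiguration.
    $server = Get-SmbServerConfiguration

    # 3. The SMBv1 client driver. Start = 4 means disabled; a missing key
    #    means the driver is not installed at all.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
    $drv = Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue
    $client = if (-not $drv) { 'NotInstalled' }
              elseif ($drv.Start -eq 4) { 'Disabled' }
              else { 'Enabled' }

    # 4. Shares currently connected over an SMB 1.x dialect. These are the
    #    file servers or NAS devices that would stop working.
    $legacy = @(Get-SmbConnection |
        Where-Object { [string]$_.Dialect -like '1.*' } |
        ForEach-Object { "\\$($_.ServerName)\$($_.ShareName)" })

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        FeatureState    = [string]$feature.State
        ServerSmb1      = $server.EnableSMB1Protocol
        ClientDriver    = $client
        Smb1Connections = $legacy
    }
}

$state = Get-Smb1State
$state | Format-List

if ($Remove -and $state.FeatureState -eq 'Enabled') {
    if ($state.Smb1Connections.Count -gt 0) {
        Write-Warning 'SMB 1.x connections are in use; fix those servers first.'
    }
    else {
        # Removes server and client components; takes effect after a reboot.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
        Write-Output 'SMB1Protocol removal staged; reboot to complete.'
    }
}
```

Run the report in a session where the usual shares are mapped; as a GPO startup script it runs before any user connects, so the connection list is empty and only the `-Remove` path is useful there.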
ASKER CERTIFIED SOLUTION
McKnife