• Status: Solved

Trouble disabling SMB1 and SMB2 on Windows Server 2008 and 2016

Hello,

For testing the performance of a legacy database application (.DBF files) I need to temporarily disable SMB2 and 3 on WS 2008 R2 and WS 2016 (standard editions) and turn off opportunistic locking (Oplocks).

I have researched it a bit but can’t seem to get it to work – links to some related articles below.

On the servers I think I just need to disable SMB2 since MS states SMB3 is automatically disabled when SMB2 is because they share the same stack.

What I’ve found is that the following procedure done on the server should work but it does not seem to.

1.      Reboot

2.      Show SMB1 running:
C:\ >sc query mrxsmb10
SERVICE_NAME: mrxsmb10
TYPE               : 2  FILE_SYSTEM_DRIVER
STATE              : 4  RUNNING
                        (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE    : 0  (0x0)
SERVICE_EXIT_CODE  : 0  (0x0)
CHECKPOINT         : 0x0
WAIT_HINT          : 0x0

3.      Show SMB2 running
C:\ >sc query mrxsmb20
SERVICE_NAME: mrxsmb20
TYPE               : 2  FILE_SYSTEM_DRIVER
STATE              : 4  RUNNING
                         (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE    : 0  (0x0)
SERVICE_EXIT_CODE  : 0  (0x0)
CHECKPOINT         : 0x0
WAIT_HINT          : 0x0

4.      Update the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB2
REG_DWORD: 0 = Disabled

5.      Reboot

6.      Show that SMB2 is still running
C:\ >sc query mrxsmb20
SERVICE_NAME: mrxsmb20
TYPE               : 2  FILE_SYSTEM_DRIVER
STATE              : 4  RUNNING
                        (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN
WIN32_EXIT_CODE    : 0  (0x0)
SERVICE_EXIT_CODE  : 0  (0x0)
CHECKPOINT         : 0x0
WAIT_HINT          : 0x0

For disabling Oplocks (which seems to be forced to enabled in SMB2) I made the following registry changes:

HKLM\SYSTEM\CurrentControlSet\services\mrxsmb\Parameters\OplocksDisabled REG_DWORD 0x1

HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters\EnableOplocks REG_DWORD 0x0

I do not know how to test if these settings are effective.

Thanks,
Tim

Links:

https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows

https://support.microsoft.com/en-us/help/296264/configuring-opportunistic-locking-in-windows

https://www.experts-exchange.com/questions/28100582/Issues-disabling-SMB-2-0-on-Windows-Server-2008.html
pcelba Commented:
The first link is descriptive enough and it seems you are mixing server and workstation, i.e. the registry entry change disabled SMB on the server, but the sc query displays the status of the workstation...

To stop SMB2/3 on workstation you have to disable the appropriate windows service and restart.

To stop SMB2/3 on the server update registry (or use PowerShell commands) and restart.

SMB1 and oplocks are slightly different but again they are described sufficiently.

BTW, I would guess no disk mapping will be available when you disable both SMB1 and SMB2
Tim Callahan, Principal (Author) Commented:
Thanks. I was able to do this on Windows Server 2016 using PowerShell:

Detect: Get-SmbServerConfiguration | Select EnableSMB2Protocol
Disable: Set-SmbServerConfiguration -EnableSMB2Protocol $false
Enable: Set-SmbServerConfiguration -EnableSMB2Protocol $true

However these are not available for Windows Server 2008.

If I understand you correctly for Windows Server 2008 I should just make the above three registry changes.

Is there a way to detect that SMB2 is disabled on the 2008 server once these changes are made? That would help to know for sure.
pcelba Commented:
Yes, Get-SmbServerConfiguration Cmdlet is available in Server 2012, 2016, Win 8, Win 10 (https://technet.microsoft.com/en-us/library/jj635723.aspx)

What I would guess:
PowerShell commands should update the registry as if you had updated it directly in Regedit. And the way to detect it is to read the registry after restart.

Of course, you may use PowerShell to update the registry as described e.g. here: http://www.dataease.com/test_article_view/?ArticleID=00128&field1=00128
Tim Callahan, Principal (Author) Commented:
In reading more carefully, I see that the PowerShell commands I need are in the docs as you first indicated and that they are registry edit commands as you say (which I list here for completeness).

Detect: Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}
Disable: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 0 -Force
Enable: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 -Force

Thanks, Tim
Question has a verified solution.
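
Added example (not part of the original thread, and not Microsoft's code): a read-only PowerShell report that keeps the server-side LanmanServer values apart from the client-side redirector drivers that `sc query mrxsmb20` reports, which is the mix-up identified in the answers above. The function names are hypothetical, and an absent SMB1, SMB2 or EnableOplocks value is treated as enabled, the default given in the linked Microsoft articles.

```powershell
# Added example: read-only report, written for PowerShell 2.0 (Server 2008 R2).
# Function names are hypothetical. Values show configuration; changes apply after a restart.
function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function New-Row {
    param($Side, $Setting, $Raw, $State)
    New-Object PSObject -Property @{ Side = $Side; Setting = $Setting; Raw = $Raw; State = $State }
}

function Get-SmbRegistryState {
    $svc  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $rows = @()

    # Server side: what this machine offers to clients (LanmanServer).
    # An absent SMB1, SMB2 or EnableOplocks value means enabled (the default).
    foreach ($name in 'SMB1', 'SMB2', 'EnableOplocks') {
        $v = Get-RegDword "$svc\LanmanServer\Parameters" $name
        if ($null -eq $v)  { $state = 'Enabled (value absent, default)' }
        elseif ($v -eq 0)  { $state = 'Disabled' }
        else               { $state = 'Enabled' }
        $rows += New-Row 'Server' $name $v $state
    }

    # Client side: the redirector drivers that "sc query mrxsmb10/20" reports.
    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
    foreach ($drv in 'mrxsmb10', 'mrxsmb20') {
        $v = Get-RegDword "$svc\$drv" 'Start'
        if ($null -eq $v) { $state = 'Driver not present' }
        else              { $state = "Start type: $($startNames[[int]$v])" }
        $rows += New-Row 'Client' $drv $v $state
    }

    # Client-side oplock switch from the question (mrxsmb\Parameters).
    $v = Get-RegDword "$svc\mrxsmb\Parameters" 'OplocksDisabled'
    if ($v -eq 1) { $state = 'Oplocks disabled' } else { $state = 'Oplocks enabled (default)' }
    $rows += New-Row 'Client' 'OplocksDisabled' $v $state

    $rows | Select-Object Side, Setting, Raw, State
}

Get-SmbRegistryState | Format-Table -AutoSize
```

A `Server / SMB2 / Disabled` row next to a `Client / mrxsmb20 / Start type: Automatic` row is the state the question describes: the server side is off while `sc query mrxsmb20` still shows the client driver running.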