Removing SMB1 From Windows 10 Pro x64

I have been researching removing SMB1 from our Windows 10 Pro x64 computers that still have it, and I was wondering what side effects you have experienced in doing this. I have read that some people have experienced missing drives and other issues doing this. Is it even worth doing from a security standpoint? Thanks
Asked by ITSysTech (Senior Systems Administrator)
Cliff Galiher commented:
You should audit what devices/services are using SMB1 (which usually doesn't take long with good network documentation) and then make decisions to disable and/or upgrade SMB1 equipment based on that audit.  When done properly, there are no side-effects. But if rushed, or if old equipment abounds, then yes you can lose connectivity to those old devices.

It is *absolutely* a good security practice to remove SMB1 as soon as feasible, including intentionally upgrading SMB1 equipment as soon as reasonable within any budget if you haven't already.  SMB1 is dead.
0
Hello There (System Administrator) commented:
With the increased ransomware attacks and due to the most recent WannaCry ransomware hiccup, Microsoft has recommended that users disable the outdated SMBv1 protocol from their systems. As SMBv1 is a much older technology, it is highly vulnerable and can be easily used by ransomware attackers to target the victim machines. However, Microsoft also recommends that you do not leave SMBv2, SMBv3 disabled, otherwise it will break functionality of your Windows.

HERE you can see thousands of reasons why it's not recommended to use SMBv1 in Win10.
0
ITSysTech (Senior Systems Administrator, author) commented:
Thanks Cliff. Could you recommend a good method when the time comes to remove SMB1? Would PowerShell be the way to go?
0
Hello There (System Administrator) commented:
You can disable SMBv1 using PS or via Turn Windows Features On or Off.
0
Hello There (System Administrator) commented:
Run PowerShell as admin:
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

OR

Programs and Features -> Turn Windows Features On or Off -> locate SMB 1.0 and disable it.
0
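
The audit-then-remove sequence recommended in the comments above, as an added example that is not part of the original thread. It uses the built-in SMB and DISM cmdlets, plus the SMB1 audit log (event ID 3000) described in Microsoft's SMB1 guidance; the decision rule at the end is an assumption of this example.

```powershell
#Requires -RunAsAdministrator
# Added example: audit SMB1 use on this machine, then remove it only if nothing depends on it.

# 1. Is the SMB1 optional feature still installed?
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
"SMB1Protocol feature state: $($feature.State)"

# 2. Client side: is any current outbound connection negotiated at an SMB1 dialect?
#    (Point-in-time snapshot; repeat while mapped drives, scanners and NAS shares are in use.)
$smb1Out = @(Get-SmbConnection | Where-Object { $_.Dialect -like '1.*' })
$smb1Out | Select-Object ServerName, ShareName, Dialect | Format-Table

# 3. Server side: enable SMB1 access auditing so inbound SMB1 clients are logged.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

#    After a representative period, collect the audit events (ID 3000 = SMB1 access).
$smb1In = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-SMBServer/Audit'
        Id      = 3000
    } -ErrorAction SilentlyContinue)
$smb1In | Select-Object TimeCreated, Message | Format-List

# 4. Decision rule (assumption of this example): remove SMB1 only when neither
#    direction showed SMB1 traffic; otherwise list what must be upgraded first.
if ($smb1Out.Count -eq 0 -and $smb1In.Count -eq 0) {
    if ($feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
        'SMB1 feature disabled; reboot to complete removal.'
    } else {
        'SMB1 feature is already disabled.'
    }
} else {
    "SMB1 still in use: $($smb1Out.Count) outbound connection(s), $($smb1In.Count) audit event(s)."
    'Upgrade or replace those devices before removing SMB1.'
}
```

Run step 3 first and let auditing collect data for as long as your legacy devices need to show up before relying on the step 4 result.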

McKnife commented:
Why would you even worry? Do your win10 machines share something via smb? If not, those ports should be closed in the first place and thus not vulnerable, no matter if smbv1 is active or not.

We have deactivated it, of course, but still, let's see your reasons why you utilize smb at the client side.
0
ITSysTech (Senior Systems Administrator, author) commented:
Right on. I'll research which machines still have it and remove it.
0
Hello There (System Administrator) commented:
Among the new ports used by Windows 2000 is TCP port 445 which is used for SMB over TCP. The SMB (Server Message Block) protocol is used among other things for file sharing in Windows NT/2000/XP. In Windows NT it ran on top of NetBT (NetBIOS over TCP/IP), which used the famous ports 137, 138 (UDP) and 139 (TCP). In Windows 2000/XP, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NetBT. For this they use TCP port 445.
0
Cliff Galiher commented:
@McKnife: Given the OP asked about security though, I chose to answer that question in that context.  Even if *no* devices on the network use SMB1, as long as it is on the client and the client uses SMB2/3, it can be exploited with zero ports open.  The client can attempt to establish an SMB2/3 connection to a server/printer/whatever, and someone can easily exploit a MitM attack, causing the client to renegotiate down to SMB1, and then intercept/edit/sniff the payload because the original connection was outbound, bypassing any firewall blocked ports.

There are several demonstrated and known exploits that use such methodology, and the nature of SMB negotiation and the presence of SMB1 makes them impossible to stop/circumvent as long as SMB1 is present.  The mitigation for such attacks is the removal of SMB1.

-Cliff
1
Cliff Galiher commented:
A worthwhile read (including auditing info if you want to be cautious)

https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
1
McKnife commented:
Cliff, please distinguish between incoming and outgoing connections. There is an SMB/CIFS client and SMB/CIFS server component.
I am not going on, I am tired of it. Writing what you wrote to me (to my mind) assumes that I am some kind of loser, IT security wise, which I am not, and you should really know that by now.

My comment was made to make the author aware how things work. "Who is being a server component", to start with?
Please don't reply, I am sick of it.
0
Cliff Galiher commented:
I would write a PM, but I think saying this publicly is important for others as well, to avoid any misunderstanding in the future.

I wasn't assuming or even implying that you are an IT security loser, or any other kind of loser.   Your comment was very short, and could be easily misinterpreted. I know I had that thought when I read it, and I *know* what you meant, and your skillset.  For an OP, that could be even harder. "Did he just say it is no big deal?"  It's a fair thing to wonder.  For the sake of the OP, I wanted to clarify. It was not a slight against you *at all.*

We've all been there. I know what I know, and sometimes I make assumptions when I write because I don't think someone may not have that knowledge.  But sometimes my assumptions are wrong and when someone points it out, it's that "Oh YEAAAHHHH" moment. I don't feel like a loser, or that my comment was even wrong. It was just incomplete because it skipped over some knowledge needed to make an informed decision.  Peer review in forums is not uncommon and helps get the OP the best answer possible. That was my intent. Nothing more.
0
btan (Exec Consultant) commented:
Ideally, if SMBv1 is not used or necessary, then disable it or remove it. Ransomware exploited it, especially as it started off with WannaCry, where the mitigation taken was to disable SMBv1 while the patch was rolling out. A risk assessment has to be done, and if in any case it is not disabled or removed, risk acceptance is required by the owner. It is an informed decision.

Legacy system may need SMBv1
Be careful when making these changes on domain controllers where legacy Windows XP or older Linux and 3rd party systems (that do not support SMBv2 or SMBv3) require access to SYSVOL or other file shares where SMB v1 is being disabled.
https://support.microsoft.com/en-sg/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and
0