Removing SMB1 From Windows 10 Pro x64

I have been researching removing SMB1 from our Windows 10 Pro x64 computers that still have it and I was wondering the side effects that you have experienced in doing this. I have read that some people have experienced missing drives and other issues doing this. Is it even worth doing as a security stand point? Thanks
ITSysTech (Senior Systems Administrator) asked:
 
Hello There (System Administrator) commented:
Run PowerShell as admin:
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

OR

Programs and Features -> Turn Windows Features On or Off -> locate SMB 1.0 and disable it.
0
 
Cliff Galiher commented:
You should audit what devices/services are using SMB1 (which usually doesn't take long with good network documentation) and then make decisions to disable and/or upgrade SMB1 equipment based on that audit.  When done properly, there are no side-effects. But if rushed, or if old equipment abounds, then yes you can lose connectivity to those old devices.

It is *absolutely* a good security practice to remove SMB1 as soon as feasible, including intentionally upgrading SMB1 equipment as soon as reasonable within any budget if you haven't already.  SMB1 is dead.
0
 
Hello There (System Administrator) commented:
With the increased ransomware attacks and due to the most recent WannaCry ransomware hiccup, Microsoft has recommended that users disable the outdated SMBv1 protocol on their systems. As SMBv1 is a much older technology, it is highly vulnerable and can be easily used by ransomware attackers to target the victim machines. However, Microsoft also recommends that you do not leave SMBv2 and SMBv3 disabled, otherwise it will break the functionality of your Windows.

HERE you can see thousands of reasons why it's not recommended to use SMBv1 in Win10.
0

 
ITSysTech (Senior Systems Administrator, Author) commented:
Thanks Cliff. Could you recommend a good method when the time comes to remove SMB1? Would Powershell be the way to go?
0
 
Hello There (System Administrator) commented:
You can disable SMBv1 using PS or via Turn Windows Features On or Off.
0
 
McKnife commented:
Why would you even worry? Do your Win10 machines share something via SMB? If not, those ports should be closed in the first place and thus not vulnerable, no matter if SMBv1 is active or not.

We have deactivated it, of course, but still, let's see your reasons why you utilize smb at the client side.
0
 
ITSysTech (Senior Systems Administrator, Author) commented:
Right on. I'll research which machines still have it and remove it.
0
 
Hello There (System Administrator) commented:
Among the new ports used by Windows 2000 is TCP port 445 which is used for SMB over TCP. The SMB (Server Message Block) protocol is used among other things for file sharing in Windows NT/2000/XP. In Windows NT it ran on top of NetBT (NetBIOS over TCP/IP), which used the famous ports 137, 138 (UDP) and 139 (TCP). In Windows 2000/XP, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NetBT. For this they use TCP port 445.
0
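The two comments above (the port explanation and McKnife's point that a client which shares nothing should have those ports closed) boil down to a check you can run on each Win10 box. The script below is an added example for this thread, not code posted by any participant; it uses only built-in cmdlets (Get-NetTCPConnection, Get-Service, Get-NetFirewallRule, Get-NetFirewallPortFilter) and assumes the default "File and Printer Sharing" rule group name. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the thread): is this Windows 10 client actually
# reachable as an SMB *server* on 445 (direct SMB) or 139 (NetBT)?

# 1. Anything listening on the SMB ports, and which process owns it?
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 139, 445 }

if ($listeners) {
    $listeners |
        Select-Object LocalAddress, LocalPort,
            @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess).ProcessName } } |
        Format-Table -AutoSize
} else {
    'No SMB listener on TCP 139/445.'
}

# 2. Is the SMB server service (LanmanServer) running at all?
#    A client that shares nothing can have it stopped and disabled.
Get-Service LanmanServer | Select-Object Name, Status, StartType

# 3. Which enabled inbound firewall rules would admit SMB traffic, and on
#    which profile? Anything showing Public here deserves a second look.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound -Enabled True |
    ForEach-Object {
        $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
        if ($ports -contains '445' -or $ports -contains '139') {
            [pscustomobject]@{
                Rule      = $_.DisplayName
                Profile   = $_.Profile
                Action    = $_.Action
                LocalPort = ($ports -join ',')
            }
        }
    } | Format-Table -AutoSize
```

Note that step 1 only tells you the port is open locally; step 3 tells you whether the firewall lets anyone reach it. A machine that passes both (no listener, or listener but no enabled inbound rule) matches McKnife's "ports closed" case for inbound traffic, which is separate from the outbound client-side concern Cliff raises further down.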
 
Cliff Galiher commented:
@McKnife: Given the OP asked about security though, I chose to answer that question in that context.  Even if *no* devices on the network use SMB1, as long as it is on the client and the client uses SMB2/3, it can be exploited with zero ports open.  The client can attempt to establish an SMB2/3 connection to a server/printer/whatever, and someone can easily exploit a MitM attack, causing the client to renegotiate down to SMB1, and then intercept/edit/sniff the payload because the original connection was outbound, bypassing any firewall blocked ports.

There are several demonstrated and known exploits that use such methodology, and the nature of SMB negotiation and the presence of SMB1 makes them impossible to stop/circumvent as long as SMB1 is present.  The mitigation for such attacks is the removal of SMB1.

-Cliff
1
 
Cliff Galiher commented:
A worthwhile read (including auditing info if you want to be cautious)

https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
1
 
McKnife commented:
Cliff, please distinguish between incoming and outgoing connections. There is an SMB/CIFS client and an SMB/CIFS server component.
I am not going on, I am tired of it. Writing what you wrote to me (to my mind) assumes that I am some kind of loser, IT security wise, which I am not, and you should really know that by now.

My comment was made to make the author aware how things work. "Who is being a server component", to start with?
Please don't reply, I am sick of it.
0
 
Cliff Galiher commented:
I would write a PM, but I think saying this publicly is important for others as well, to avoid any misunderstanding in the future.

I wasn't assuming or even implying that you are an IT security loser, or any other kind of loser. Your comment was very short, and could be easily misinterpreted. I know I had that thought when I read it, and I *know* what you meant, and your skillset. For an OP, that could be even harder. "Did he just say it is no big deal?" It's a fair thing to wonder. For the sake of the OP, I wanted to clarify. It was not a slight against you *at all.*

We've all been there. I know what I know, and sometimes I make assumptions when I write because I don't consider that someone may not have that knowledge. But sometimes my assumptions are wrong and when someone points it out, it's that "Oh YEAAAHHHH" moment. I don't feel like a loser, or that my comment was even wrong. It was just incomplete because it skipped over some knowledge needed to make an informed decision. Peer review in forums is not uncommon and helps get the OP the best answer possible. That was my intent. Nothing more.
0
 
btan (Exec Consultant) commented:
Ideally, if SMBv1 is not used or necessary, then disable it or remove it. Ransomware exploited that, especially starting with WannaCry, where the mitigation taken was to disable SMBv1 while the patch was rolling out. A risk assessment has to be done, and if in any case it is not disabled or removed, risk acceptance is required by the owner. It is an informed decision.

Legacy system may need SMBv1
Be careful when making these changes on domain controllers where legacy Windows XP or older Linux and 3rd party systems (that do not support SMBv2 or SMBv3) require access to SYSVOL or other file shares where SMB v1 is being disabled.
https://support.microsoft.com/en-sg/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and
0
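Putting Cliff's "audit first, then remove" advice and btan's detect/disable link together, here is the sequence I would run on a Win10 Pro client before touching anything. It is an added example for this thread, not something any participant posted; it uses only in-box cmdlets (Get-WindowsOptionalFeature, Get/Set-SmbServerConfiguration, Get-WinEvent, Get-SmbConnection, Disable-WindowsOptionalFeature) and assumes the SMBServer audit log name and event ID 3000 that Microsoft documents for SMB1 access auditing. Elevated PowerShell required.

```powershell
# Added example (not from the thread): inventory SMB1 on a Windows 10 client,
# audit who still talks SMB1 to it, check which dialect its own outbound
# sessions use, and only then remove the feature.

# --- 1. Is the SMB1 optional feature still installed on this box? ---
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
"SMB1Protocol feature state: $($feature.State)"

# --- 2. Server side: is SMB1 enabled, and is SMB1 access auditing on? ---
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, EnableSMB2Protocol, AuditSmb1Access

# Switch auditing on and leave it running for a realistic window (days or
# weeks, long enough to cover month-end jobs and rarely used kit) before
# deciding anything.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# Every inbound SMB1 connection is recorded as event 3000 in the
# Microsoft-Windows-SMBServer/Audit log; the message names the client.
$smb1Events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-SMBServer/Audit'
        Id      = 3000
    } -ErrorAction SilentlyContinue

if ($smb1Events) {
    "SMB1 clients seen since auditing was enabled:"
    $smb1Events | Select-Object TimeCreated, Message | Format-Table -Wrap
} else {
    'No SMB1 access recorded in the audit log (or log is empty so far).'
}

# --- 3. Client side: which dialect are this machine's own sessions using? ---
# Anything below 2.x here is a server/NAS/printer that itself needs upgrading
# or replacing before SMB1 can go away on the client.
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect, UserName |
    Format-Table -AutoSize

# --- 4. Removal, gated on the audit being clean. ---
# Set this to $true deliberately, after the audit log has stayed quiet and
# no outbound session is stuck on dialect 1.x. Removing the optional feature
# takes out both the SMB1 client and server halves on Windows 10.
$auditClean = $false
if ($auditClean) {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    # Takes effect after a reboot; re-run step 1 afterwards to confirm
    # State is Disabled.
}
```

The Dialect column in step 3 is the check that answers Cliff's client-side point: a client with SMB1 removed simply cannot be negotiated down, whereas a client that still has it installed but only ever "uses" SMB2/3 has no such guarantee. Keep the audit event output from step 2 alongside your network documentation so the "legacy system may need SMBv1" list btan mentions is based on what actually connected, not on memory.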