Removing SMB1 From Windows 10 Pro x64

ITSysTech
I have been researching removing SMB1 from our Windows 10 Pro x64 computers that still have it, and I was wondering about the side effects that you have experienced in doing this. I have read that some people have experienced missing drives and other issues doing this. Is it even worth doing from a security standpoint? Thanks
Distinguished Expert 2018
Commented:
You should audit what devices/services are using SMB1 (which usually doesn't take long with good network documentation) and then make decisions to disable and/or upgrade SMB1 equipment based on that audit.  When done properly, there are no side-effects. But if rushed, or if old equipment abounds, then yes you can lose connectivity to those old devices.

It is *absolutely* a good security practice to remove SMB1 as soon as feasible, including intentionally upgrading SMB1 equipment as soon as reasonable within any budget if you haven't already.  SMB1 is dead.
Hello There, System Administrator
Distinguished Expert 2018

Commented:
With the increased ransomware attacks and the most recent WannaCry ransomware hiccup, Microsoft has recommended that users disable the outdated SMBv1 protocol on their systems. As SMBv1 is much older technology, it is highly vulnerable and can be easily used by ransomware attackers to target the victim machines. However, Microsoft also recommends that you do not leave SMBv2 or SMBv3 disabled, otherwise it will break the functionality of your Windows.

HERE you can see thousands of reasons why it's not recommended to use SMBv1 in Win10.
ITSysTech, Senior Systems Administrator

Author

Commented:
Thanks Cliff. Could you recommend a good method when the time comes to remove SMB1? Would PowerShell be the way to go?

Hello There, System Administrator
Distinguished Expert 2018

Commented:
You can disable SMBv1 using PS or via Turn Windows Features On or Off.
System Administrator
Distinguished Expert 2018
Commented:
Run PowerShell as admin:
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

OR

Programs and Features -> Turn Windows Features On or Off -> locate SMB 1.0 and disable it.
Distinguished Expert 2018
Commented:
Why would you even worry? Do your Win10 machines share something via SMB? If not, those ports should be closed in the first place and thus not vulnerable, no matter whether SMBv1 is active or not.

We have deactivated it, of course, but still, let's see your reasons why you utilize smb at the client side.
ITSysTech, Senior Systems Administrator

Author

Commented:
Right on. I'll research which machines still have it and remove it.
Hello There, System Administrator
Distinguished Expert 2018

Commented:
Among the new ports used by Windows 2000 is TCP port 445 which is used for SMB over TCP. The SMB (Server Message Block) protocol is used among other things for file sharing in Windows NT/2000/XP. In Windows NT it ran on top of NetBT (NetBIOS over TCP/IP), which used the famous ports 137, 138 (UDP) and 139 (TCP). In Windows 2000/XP, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NetBT. For this they use TCP port 445.
Distinguished Expert 2018

Commented:
@McKnife: Given the OP asked about security though, I chose to answer that question in that context.  Even if *no* devices on the network use SMB1, as long as it is on the client and the client uses SMB2/3, it can be exploited with zero ports open.  The client can attempt to establish an SMB2/3 connection to a server/printer/whatever, and someone can easily exploit a MitM attack, causing the client to renegotiate down to SMB1, and then intercept/edit/sniff the payload because the original connection was outbound, bypassing any firewall blocked ports.

There are several demonstrated and known exploits that use such methodology, and the nature of SMB negotiation and the presence of SMB1 makes them impossible to stop/circumvent as long as SMB1 is present.  The mitigation for such attacks is the removal of SMB1.

-Cliff
Distinguished Expert 2018

Commented:
A worthwhile read (including auditing info if you want to be cautious)

https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
Distinguished Expert 2018

Commented:
Cliff, please distinguish between incoming and outgoing connections. There is an SMB/CIFS client and an SMB/CIFS server component.
I am not going on, I am tired of it. Writing what you wrote to me (to my mind) assumes that I am some kind of loser, IT security wise, which I am not, and you should really know that by now.

My comment was made to make the author aware how things work. "Who is being a server component", to start with?
Please don't reply, I am sick of it.
Distinguished Expert 2018

Commented:
I would write a PM, but I think saying this publicly is important for others as well, to avoid any misunderstanding in the future.

I wasn't assuming or even implying that you are an IT security loser, or any other kind of loser. Your comment was very short, and could be easily misinterpreted. I know I had that thought when I read it, and I *know* what you meant, and your skillset. For an OP, that could be even harder. "Did he just say it is no big deal?" It's a fair thing to wonder. For the sake of the OP, I wanted to clarify. It was not a slight against you *at all.*

We've all been there. I know what I know, and sometimes I make assumptions when I write because I don't think someone may not have that knowledge.  But sometimes my assumptions are wrong and when someone points it out, it's that "Oh YEAAAHHHH" moment. I don't feel like a loser, or that my comment was even wrong. It was just incomplete because it skipped over some knowledge needed to make an informed decision.  Peer review in forums is not uncommon and helps get the OP the best answer possible. That was my intent. Nothing more.
btan, Exec Consultant
Distinguished Expert 2018

Commented:
Ideally, if SMBv1 is not used or necessary, then disable it or remove it. Ransomware has exploited it, especially starting with WannaCry, where the mitigation taken was to disable SMBv1 while the patch was rolling out. A risk assessment has to be done, and if in any case it is not disabled or removed, risk acceptance is required by the owner. It is an informed decision.

Legacy system may need SMBv1
Be careful when making these changes on domain controllers where legacy Windows XP or older Linux and 3rd party systems (that do not support SMBv2 or SMBv3) require access to SYSVOL or other file shares where SMB v1 is being disabled.
https://support.microsoft.com/en-sg/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and
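The PowerShell one-liner given earlier in the thread and the audit-first advice from the two Microsoft links above can be combined into a single script. The following is an added example written for this page, not code posted by any of the experts or published by Microsoft. It assumes Windows 10 1709 or later (so the SmbShare module's AuditSmbAccess1 setting and the Microsoft-Windows-SMBServer/Audit log exist); the function names and the 14-day audit window are this example's own choices.

```powershell
#Requires -RunAsAdministrator
# Added example (not from this thread). Assumes Windows 10 1709+ with the built-in
# SmbShare module; the function names below are this example's own.

function Get-Smb1Status {
    # Optional-feature state (the same switch as "Turn Windows Features On or Off")
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    # Server-side toggle and whether SMB1 access auditing is on
    $server = Get-SmbServerConfiguration
    [pscustomobject]@{
        FeatureState      = $feature.State
        ServerSmb1Enabled = $server.EnableSMB1Protocol
        AuditSmb1Access   = $server.AuditSmbAccess1
    }
}

function Enable-Smb1Audit {
    # Each inbound SMB1 connection is then logged as event 3000 in
    # Microsoft-Windows-SMBServer/Audit, naming the client address
    Set-SmbServerConfiguration -AuditSmbAccess1 $true -Force
}

function Get-Smb1Clients {
    param([int]$Days = 14)
    # Unique audit messages from the last $Days days; no output after a
    # reasonable audit window means nothing still needs SMB1 to reach this host
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Message } |
        Sort-Object -Unique
}

function Get-OutboundSmbDialects {
    # Dialect negotiated on each current outbound connection from this client;
    # a 1.x dialect identifies a server that must be upgraded or retired first
    Get-SmbConnection | Select-Object ServerName, ShareName, Dialect, Signed
}

function Disable-Smb1 {
    # Turn off the server component, then remove the whole SMB1 feature
    # (client and server); a reboot completes the removal
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

# Typical sequence, spread over an audit window of a week or two:
Get-Smb1Status
Enable-Smb1Audit
# ...wait for the audit window to pass, then review:
Get-Smb1Clients -Days 14
Get-OutboundSmbDialects
# Only when both lists are clean (or the remaining devices have been upgraded):
# Disable-Smb1
```

Get-Smb1Clients covers the inbound side (who still talks SMB1 to this machine) and Get-OutboundSmbDialects the outbound side (which servers this machine can only reach over SMB1), which is the client/server distinction raised later in the thread. Running the script over a fleet with Invoke-Command and keeping the output per host gives the audit record that makes the final Disable-Smb1 step a documented decision rather than a guess.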
