How to Disable/Enable SMB v 1.0 in Windows 10/Server 2016? | Windows OS Hub

In Windows Server 2016/2019 and Windows 10 ( starting with build up 1709 ), the Server Message Block 1.0 ( SMBv1 ) network protocol used to entree shared folders is disabled by default. In most cases, this protocol is required to access shared folders hosted on bequest systems, such as no longer supported Windows XP, Windows Server 2003 and older OSs. In this article, we ’ ll look on how to enable or disable SMBv1 client and server digest on Windows 10 and Windows Server 2016/2019 .

If there are no SMB 1.x clients left on your network, you must completely disable SMBv1 on all Windows devices. By disabling SMB 1.0, you can protect Windows computers from a wide range of vulnerabilities in this bequest protocol ( the most celebrated public feat for SMBv1 is EternalBlue ). As a leave, your devices will use newfangled, more efficient, fasten and functional versions of the SMB protocol when accessing network shares.

In one of the former articles, we showed the table of client- and server-side SMB adaptation compatibility. According to the postpone, old client versions ( XP, Server 2003 and some *nix clients ) can access network shared folders only using SMB v1.0 protocol. If there are no such clients in the network, you can completely disable SMB 1.0 on the side of file servers ( including AD domain controllers ) and customer desktops .
In Windows 10 and Windows Server 2016, the SMBv1 protocol is split into two classify components – SMB client and SMB server, which can be enabled/disabled independently .

Auditing Shared Folder Access via SMB v1.0

Before disabling or wholly removing SMB 1.0 driver on the english of the SMB file server, it ’ mho worth making surely that there are no bequest clients that use it in your net. To do this, enable the audited account of file server access over SMB v1.0 using the following PowerShell command :
Set-SmbServerConfiguration –AuditSmb1Access $true
After a match of days, open the Event Viewer on the server, check the log Applications and Services -> Microsoft -> Windows -> SMBServer -> Audi t and see if any clients accessed the file waiter over SMB1 .
Tip. You can display the list of events from this consequence log using the following PowerShell command :
Get-WinEvent -LogName Microsoft-Windows-SMBServer/Audit
In our exercise, an event with EventID 3000 from the SMBServer source was found in the log. The event indicates that the node 192.168.1.10 is trying to access the server using the SMB1 protocol .

SMB1 access
Client Address: 192.168.1.10
Guidance:
This event indicates that a client attempted to access the server using SMB1. To stop auditing SMB1 access, use the Windows PowerShell cmdlet Set-SmbServerConfiguration.

Set-SmbServerConfiguration - enable audit access via smb1
You need to find this calculator or device on the network and update the OS or firmware to a version that supports newer SMB protocol versions : SMBv2 or SMBv3 .
In our font we ’ ll ignore this information, but you should bear in mind that later this client won ’ t be able to access shared folders on this SMB server .

Enable/Disable SMB 1.0 on Windows Server 2016/2019

In Windows Server 2016 starting with build 1709 and Windows Server 2019, SMBv1 is disabled by default. To enable patronize for the SMBv1 node protocol in newer versions of Windows Server, you need to install the separate SMB 1.0/CIFS File Sharing Support feature .
You can install the SMBv1 sport using Server Manager, or through PowerShell .
SMB 1.0 / CIFS File Sharing Support feature on windows server 2016
You can check that SMBv1 is enabled with the PowerShell dominate :
Get-WindowsFeature | Where-Object {$_.name -eq "FS-SMB1"} | ft Name,Installstate
To install the FS-SMB1 feature, run :
Install-WindowsFeature FS-SMB1
To uninstall the SMBv1 node feature ( requires a boot ), run the command :
Uninstall-WindowsFeature –Name FS-SMB1 –Remove
Another PowerShell command that besides removes the SMB1Protocol feature : Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -Remove
In order for your server to handle SMBv1.0 node access, you need to enable SMBv1 support at the SMB file server flush in addition to the FS-SMB1 part. To check if SMBv1 access is enabled for network shares on your server, run :
Get-SmbServerConfiguration
Get-SmbServerConfiguration smb1protocol is enabled
The argumentation “ EnableSMB1Protocol: True ” means that you are allowed to access shared folders on this waiter using the SMBv1 protocol. To disable SMBv1 waiter patronize in Windows Server, run the PowerShell command :
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
now use the Get-SmbServerConfiguration cmdlet to make indisputable SMB1 server is disabled .
disable smb1 using cmdlet set-SmbServerConfiguration

To enable SMBv1 support on the waiter, run the control :
Set-SmbServerConfiguration -EnableSMB1Protocol $True -Force
On Windows 7/8 and Windows Server 2008 R2/2012, in rate to disable the SMB 1.0 client, you need to disable the avail and the SMBv1 access driver with the commands : sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

delete smb1 driver on client: sc.exe config mrxsmb10 start= disabled

How to Enable/Disable SMBv1 on Windows 10?

As we already said, in all new builds of Windows10 ( starting from 1709 ) support for the SMB1 protocol is disabled ( guest access via the SMBv2 protocol is besides disabled ) .
In Windows 10, you can check the status of the SMBv1 protocol components with the DISM instruction :
Dism /online /Get-Features /format:table | find "SMB1Protocol"
smb1protocol disabled in windows10
In our example, you can see that all SMBv1 features are disabled :

SMB1Protocol                                | Disabled
SMB1Protocol-Client                         | Disabled
SMB1Protocol-Server                         | Disabled
SMB1Protocol-Deprecation                    | Disabled

In Windows 10, you can besides manage SMB 1 features from the Control Panel ( optionalfeatures.exe ). Expand the SMB 1.0 /CIFS File Sharing Support choice. As you can see, 3 SMBv1 components are besides available here :

  • SMB 1.0/CIFS Automatic Removal
  • SMB 1.0/CIFS Client
  • SMB 1.0/CIFS Server

Windows10 feature SMB 1.0/CIFS File Sharing Support
You can enable SMBv1 client and waiter on Windows 10 from the feature management window or using the commands :
Dism /online /Enable-Feature /FeatureName:"SMB1Protocol"
Dism /online /Enable-Feature /FeatureName:"SMB1Protocol-Client"
Dism /online /Enable-Feature /FeatureName:"SMB1Protocol-Server"

You can besides enable SMBv1 server and node in Windows 10 using PowerShell : Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol-Server
Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol-Client

If after enabling SMBv1 customer, it is not used for more than 15 days, it is automatically disabled .
Automatic removal of SMBv1 customer is a erstwhile operation. If the administrator manually enables SMBv1 again, it won ’ t be disabled automatically .
To disable SMB1 client and server support in Windows 10, run the keep up DISM commands :
Dism /online /Disable-Feature /FeatureName:"SMB1Protocol"
Dism /online /Disable-Feature /FeatureName:"SMB1Protocol-Client"
Dism /online /Disable-Feature /FeatureName:"SMB1Protocol-Server"

If you disabled the SMBv1 node in Windows 10, then when you access a trap folder on a file server that alone supports SMBv1 ( the SMBv2 and v3 protocols are disable or not supported ), you may receive the following errors :

  • 0x80070035 The network path was not found;
  • Unable to connect to file shares because it is not secure. This share requires the obsolete SMB1 protocol, which is not secure and could expose your system to attacks;
  • You can’t connect to the file share because it’s not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack. Your system requires SMB2 or higher.

    windows10 smb 1.0 access error Read more about it in the article unable to access shared folder on Windows 10

additionally, if you disable the SMBv1 node, the Computer Browser military service, which is used by the bequest NetBIOS protocol to discover devices on the network, stops working on the computer. To correctly display neighboring computers on the Windows 10 network, you must configure the Feature Discovery Provider Host service ( check this article ) .

Disabling SMBv1 Client and Server via Group Policy

In an active directory domain environment, you can disable SMBv1 on all servers and computers using Group Policies ( GPOs ). Since there is no separate SMB shape policy in the standard Windows Group Policies, you will have to disable it through the register policy .

  1. Open the Group Policy Management console (gpmc.msc), create a new GPO (disableSMBv1) and link it to the OU containing the computers on which you want to disable SMB1;
  2. Switch to the policy editing mode. Expand the GPO section Computer Configuration -> Preferences -> Windows Settings -> Registry;
  3. Create a new Registry Item with the following setting:
    Action: Update
    Hive: HKEY_LOCAL_MACHINE
    Key Path: SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    Value name: SMB1
    Value type: REG_DWORD
    Value data: 0
    smb1 server disable via gpo
    This policy will disable support for the SMBv1 server component through the registry on all computers. You can exclude some adaptation of Windows from this policy using the WMI filter

If you want to disable the SMB node on sphere computers via GPO, create two extra register parameters :

  • The Start parameter (REG_DWORD type) with value 4 in the registry key HKLM\SYSTEM\CurrentControlSet\services\mrxsmb10;
  • The DependOnService parameter (REG_MULTI_SZ type) with the value Bowser, MRxSmb20, NSI (each value on a new line) in the reg key HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation.

disable smb v1.0 client driver group policy
It remains to update the Group Policy settings on the clients ( gpupdate /force ) after the boot make certain that the SMBv1 components are completely disable .
MS Security Guide (SecGuide.adml and SecGuide.admx files) that have separate options for disabling the SMB server and client:

  • Configure SMB v1 server;
  • Configure SMB v1 client driver.

The Security Baseline GPOs from the Microsoft Security Compliance Toolkit have a separate administrative templateandfiles ) that have separate options for disabling the SMB server and customer : ms security guide gpo: disable smbv1 client driver and server

source : https://thefartiste.com
Category : Tech

About admin

I am the owner of the website thefartiste.com, my purpose is to bring all the most useful information to users.

Check Also

articlewriting1

Manage participants in a zoom meeting webinar

Call the people who attend the meet as follows Alternate host host Who scheduled the …

Leave a Reply

Your email address will not be published.