Disable SMBv1

Question

Hello,I'm in the process of disabling SMBv1 for large scale servers. I made a script for this, and this results that SMBv1 on registry and feature level is almost disabled or does not exist everywhere.However, when I run the following command "Get-SmbServerConfiguration | Select EnableSMB1Protocol", this results that SMBv1 is set to True. I can't really gauge if everything is really off now.&nbsp;Because when I run the commands below, it's off.Get-WindowsOptionalFeature -Online -FeatureName SMB1ProtocolGet-Item HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}But when I run this command it result that its on.Get-SmbServerConfiguration | Select EnableSMB1Protocol&nbsp;I know how to disable this, but what exactly is the difference?And is it really still on?Hopefully someone can enlighten me on this?&nbsp;Thanks in advance

alban1999 · Answer

Hello,It would depends on what you did through your script. Did you disable SMB1 server side first then uninstall the feature after that ? Something else ? Did you restart target computers ?On a brand new WS 2019/2022, EnableSMB1Protocol is set to "$false" and Windows Optional feature is set to "Disabled".

alban1999 · Answer

If I'm right the last step disable SMB1 protocol on the server side - without uninstalling the feature entirely (checked by the first step).

Unless I'm mistalen uninstalling the feature should be enough in theory. However, you should keep such critical security settings consistent between servers as much as possible. Thus I recommend to both configure "EnableSMB1Protocol" to "$false" AND uninstall the feature.

alban1999 · Answer

In that case, I would only disable SMB1 protocol (third step) first - a rollback will only require to turn it on again.Uninstalling the Windows feature means uninstall binaries - a rollback will require more work.You may wish to audit your server for SMB1 usage before any change. A Powershell one-liner is enough to do that : Set-SmbServerConfiguration -AuditSmb1Access $trueCheck this for more info : https://docs.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3

alban1999 · Answer

If you removed SMB1 binaries, my guess is the server is already unable to respond using the corresponding protocol - I'm pretty sure you are safe if you disable SMB1 protocol.From my link : "When SMBv1 auditing is enabled, event 3000 appears in the "Microsoft-Windows-SMBServer\Audit" event log, identifying each client that attempts to connect with SMBv1."

svallas225 · Answer

Thanks for your reply.No, I haven't done anything yet. I have been asked to investigate where SMBv1 is still enabled.And my script only checked where SMBv1 is still enabled on server level.The check actually does 3 steps:1. Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol2. Get-Item HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}3. Get-SmbServerConfiguration | Select EnableSMB1ProtocolThis showed that based on the last step, SMBv1 is still set to True.Based on the first 2 steps, SMBv1 is disabled.So my question is, are the first 2 steps sufficient to disable SMBv1, apart from the fact that I can disable it with the command below. Or should the latter also be set to false, and is SMBv1 still in use if the first 2 steps are off except for the last 1?Set-SmbServerConfiguration -EnableSMB1Protocol $falseI don't understand what the difference is between the first 2 steps and the last step?

Forum Discussion

Disable SMBv1

Resources