Forum Discussion
Bernard_Buyle06
Jan 25, 2022 Copper Contributor
Migrate a production environment from SMBv1 to SMBv2/v3
Hi everyone, I would like to get your help and advice in order to migrate successfully my production environment from SMBv1 to SMBv2/v3. In test, I'm able to implement this change but in production ...
Alban1999
Jan 27, 2022 Iron Contributor
Hello,
Keep in mind recent releases of Windows clients/servers do not have SMB1 enabled by default (and I hope you didn't enable it). Thus you do not need this kind of Group Policy parameters (which may really mess up OSes and are quite difficult to roll back).
What you need to look out for is:
- Very old Windows OS (Windows XP/2003): those are a security nightmare. Get rid of them.
- Very old Unix/Linux OS: see above
- Printers and scanners still relying on SMBv1: this is quite painful to check. You must inventory everything, then check compatibility per model and per firmware. You may need to update (or even replace entirely) printers before moving your file servers away from SMBv1.
- Apps. Test, test, test. Hope you still have editor's support for them.
Best tip: browse SMB Product Team here: https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858
You'll get detailed how-to and a ton of tips directly from Microsoft.
Bernard_Buyle06
Feb 02, 2022 Copper Contributor
Hello Alban,
Thanks for your reply. I use Windows Server 2016 and I've never enabled SMBv1 on them. This is odd: when checking via PowerShell, SMBv1 seems enabled on my servers. I will keep looking into why...
My goal was initially to remediate a vulnerability that was found, which told me that SMB signing wasn't enabled. But SMBv2/v3 don't use the "enablesiging" registry keys, they use the "RequireSecuritySignature" key instead. My main issue is to find a way to enable it without impacting all my domain controllers and member servers... If my DCs require signing but my member servers don't have this setting set yet, what is the result? A network issue? It's hard to deploy it smoothly. I'm going to look at your link too. Thanks, your help is appreciated 😉
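An added example, not written by anyone in this thread: a read-only PowerShell audit of the two things discussed above, the SMB1 state and the SMB signing settings, plus the clients that still connect over SMB1 (the inventory step from the reply). The server names are placeholders, WinRM remoting to each server is assumed, and the "Client Address:" layout of the event 3000 message is an assumption.

```powershell
# Read-only audit: SMB1 state, SMB signing settings, and SMB1 clients seen.
# $Servers holds hypothetical host names; replace them with your own.
$Servers = @('FS01', 'DC01')

$report = Invoke-Command -ComputerName $Servers -ScriptBlock {
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration

    # FS-SMB1 is the optional SMB1 feature on Windows Server.
    $feature = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue

    # Event 3000 in the SMBServer audit log records each SMB1 access,
    # but only while auditing is on. To switch it on (a change, so it is
    # left commented out here):
    #   Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    $smb1Clients = @()
    if ($srv.AuditSmb1Access) {
        $filter = @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 }
        $smb1Clients = Get-WinEvent -FilterHashtable $filter -MaxEvents 500 `
                -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Assumed message layout: "... Client Address: <address> ..."
                if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] }
            } |
            Sort-Object -Unique
    }

    [pscustomobject]@{
        Smb1FeatureState     = $feature.InstallState
        Smb1ServerEnabled    = $srv.EnableSMB1Protocol
        Smb2ServerEnabled    = $srv.EnableSMB2Protocol
        ServerRequireSigning = $srv.RequireSecuritySignature
        ServerEnableSigning  = $srv.EnableSecuritySignature
        ClientRequireSigning = $cli.RequireSecuritySignature
        ClientEnableSigning  = $cli.EnableSecuritySignature
        Smb1AuditEnabled     = $srv.AuditSmb1Access
        Smb1ClientsSeen      = ($smb1Clients -join ', ')
    }
}

# One row per server; PSComputerName is added by Invoke-Command.
$report |
    Select-Object PSComputerName, Smb1FeatureState, Smb1ServerEnabled,
        ServerRequireSigning, ClientRequireSigning, Smb1AuditEnabled,
        Smb1ClientsSeen |
    Format-Table -AutoSize
```

Running this before and after each change gives a per-server baseline to compare against, so a signing or SMB1 change can be rolled out to a few hosts first and checked.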