Jan 25 2022 07:02 AM - edited Jan 26 2022 05:32 AM
Hi everyone,
I would like to get your help and advice in order to migrate successfully my production environment from SMBv1 to SMBv2/v3. In test, I'm able to implement this change but in production this change is more tricky...
Let me describes what I've done and what my production looks like:
In test:
- Implementing a GPO with the following registry changes on a test server and on the unique test domain controller I have
- Restart these servers
- Wireshark shows that SMBv1 is well disabled and that all SMB communications are in SMBv2 between my test server and my test DC.
- I’m still working on the SMBv3 implementation or switch from SMBv2 to SMBv3 (not done yet).
- I need to configure a Linux server in SMBv2/v3 and test too (not done yet).
GPO details:
1°) Disable SMBv1 in LanmanServer:
Action: Create
Hive: HKEY_LOCAL_MACHINE
Key Path: SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Value name: SMB1
Value type: REG_DWORD
Value data: 0
2°) Disable SMBv1 in LanmanWorkstation:
Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SYSTEM\CurrentControlSet\services\mrxsmb10
Value name: Start
Value type: REG_DWORD
Value data: 4 (=disable)
3°) Delete SMBv1 dependancy of the LanmanWorkstation service:
Action: Replace
Hive: HKEY_LOCAL_MACHINE
Key Path: SYSTEM\CurrentControlSet\Services\LanmanWorkstation
Value name: DependOnService
Value type REG_MULTI_SZ
Value data:
Bowser
MRxSmb20
NSI
4°) Require signing SMBv2/v3 for LanmanServer service:
Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Value name: RequireSecuritySignature
Value type: REG_DWORD
Value data: 1
5°) Require signing SMBv2/v3 for LanmanWorkstation server:
Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
Value name: RequireSecuritySignature
Value type: REG_DWORD
Value data: 1
In production, I have a lot of servers in different AWS regions with different DC, a mix of linux servers and Windows servers.
My challenge is to migrate without production impact.
- Does someone has already performed this kind of migration ?
- Modifications are at the packet level, do you already experienced issue when migrating from SMBv1 to SMBv2/v3 ?
All advices are welcome!
Regards,
Bernard.
Jan 27 2022 07:05 AM
Feb 02 2022 08:17 AM
Feb 02 2022 08:07 PM
Feb 14 2022 08:43 AM