
Disabling SMBv1 on Windows desktops

What is SMBv1 ?

SMBv1 (Server Message Block version 1) is a network file-sharing protocol used in Microsoft Windows systems for sharing files, printers, and other resources between computers on a local network. It was introduced in the 1980s and is a part of the Windows networking system, facilitating communication between clients and servers.

Since Windows 10 Fall Creators Update and Windows Server, version 1709 (RS3), the Server Message Block version 1 (SMBv1) network protocol is no longer installed by default. It was superseded by SMBv2 and later protocols starting in 2007. Microsoft publicly deprecated the SMBv1 protocol in 2014.

References: https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows

Features of SMBv1:

  • File Sharing: It allows users to share files between devices on a network.
  • Printer Sharing: Users can share and access network printers.
  • Communication: It enables client-server communication, allowing a user to access files on a server as if they were local.

Replacement:

Due to its vulnerabilities, Microsoft has urged organizations to disable SMBv1 in favor of more secure versions like SMBv2 and SMBv3, which provide better encryption, authentication, and protection against attacks.

Exploitation

SMBv1 is considered outdated and insecure due to numerous vulnerabilities. Notably:

  • EternalBlue Exploit (CVE-2017-0144): A critical vulnerability in SMBv1 was exploited by the EternalBlue exploit, which was used in major ransomware attacks like WannaCry. This vulnerability allowed attackers to execute arbitrary code remotely, leading to the compromise of numerous systems worldwide.

References:

  • Microsoft: Deprecation of SMBv1
  • CVE-2017-0144 (EternalBlue)

Mitigations

Disabling SMBv1 with a GPP

  • Open the Group Policy Management console (gpmc.msc), create a new GPO (disableSMBv1), and link it to the OU containing the computers on which you want to disable SMBv1. Switch to policy editing mode and expand Computer Configuration -> Preferences -> Windows Settings -> Registry.

    • Create a new Registry Item with the following settings:

      Action: Update
      Hive: HKEY_LOCAL_MACHINE
      Key Path: SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
      Value name: SMB1
      Value type: REG_DWORD
      Value data: 0

Disabling SMBv1 by removing the feature

  • Create a PowerShell script with the following command and run it elevated (SMB1Protocol is the optional feature name on Windows desktop editions; FS-SMB1 is the corresponding feature name on Windows Server):
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
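The two mitigations above combined into one audit and remediation script, as an added example that is not part of the original article: it reports the optional feature state, the registry value the GPP sets and the live SMB server setting, and with -Remediate applies both changes. It assumes a Windows 10/11 desktop edition (optional feature name SMB1Protocol) and an elevated PowerShell session.

```powershell
# Added example: audit SMBv1 on a Windows desktop and optionally disable it.
# Assumptions: Windows 10/11 client SKU (feature name SMB1Protocol), run elevated.
[CmdletBinding()]
param([switch]$Remediate)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # Optional feature state: covers both the SMBv1 client and server components
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

    # Registry value the GPP above pushes; note it only affects the SERVER side
    $reg = Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue
    $regValue = if ($null -eq $reg) { 'not set (SMBv1 server allowed)' } else { $reg.SMB1 }

    # What the running SMB server service actually reports
    $srv = Get-SmbServerConfiguration

    [pscustomobject]@{
        FeatureState      = $feature.State
        RegistrySMB1      = $regValue
        ServerEnableSMB1  = $srv.EnableSMB1Protocol
    }
}

$before = Get-Smb1State
Write-Host 'SMBv1 state before:'
$before | Format-List

if ($Remediate) {
    # Same value the GPP sets: turns off the SMBv1 server immediately
    Set-ItemProperty -Path $regPath -Name SMB1 -Value 0 -Type DWord

    # Remove the whole SMBv1 feature (client and server); a reboot completes it
    if ($before.FeatureState -ne 'Disabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }

    Write-Host 'SMBv1 state after (reboot required to finish feature removal):'
    Get-Smb1State | Format-List
}
```

Running it without -Remediate is a safe read-only check that can be pushed to a fleet to confirm the GPP landed; the registry value alone leaves the SMBv1 client driver in place, which is why the feature removal step is still needed.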