Disabling SMB1

  • Question

  • Hi

    Although I just patched my Windows 2012 servers, SMB1 still appears to be enabled.

    Is it OK, or should I also disable SMB1?

    Thanks in advance

    Thursday, May 18, 2017 1:25 PM

All replies

  • Hello,

    Based on the security bulletin MS17-010, the security update addresses the vulnerabilities by correcting how SMBv1 handles specially crafted requests. 

    Therefore, the SMBv1 won't be disabled after you apply the security update.

    Best regards,

    Andy Liu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, May 25, 2017 2:37 AM
  • Huain,

    Is it OK, or should I also disable SMB1?

    You should also disable SMBv1. While the MS17-010 patch addresses one SMBv1 vulnerability, there are potentially many more. It has been Microsoft's recommendation to get away from SMBv1 since 2015. To quote the Microsoft product manager that owns SMB:

    "Stop using SMB1. Stop using SMB1. STOP USING SMB1!"

    https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/

     

    I hope that helps!

      

    Nash


    Nash Pherson, Senior Systems Consultant
    Microsoft MVP in Enterprise Mobility (ConfigMgr/Intune)

    Thursday, May 25, 2017 2:48 AM
  • Rather than creating a new post I am going to ask on this one.

    I am starting the process of disabling SMB1 across my network.

    I will be using Group Policy to disable it, and my question is: can I add the Disable SMBv1 Server and Workstation keys to the same GPO and apply it to all my clients? Is this the best way to approach it?

    From my servers I will log on and run the PowerShell cmds and test afterwards.


    Tuesday, July 11, 2017 10:12 AM
  • Hello,

    The following article should be helpful.

    https://blogs.technet.microsoft.com/staysafe/2017/05/17/disable-smb-v1-in-managed-environments-with-ad-group-policy/

    Best regards,

    Andy Liu



    Wednesday, July 12, 2017 12:46 AM
  • Thanks for this link - great read.

    Are admins adding the server reg entry and the workstation reg entry in the same GPO and pushing this to all user workstations? Or is it a case of the workstation reg key being enough for your user workstations?

    Wednesday, July 12, 2017 7:50 AM
  • Hello,

    In my opinion, you can create the same GPO for both servers and workstations.

    Best regards,

    Andy Liu



    Monday, July 17, 2017 8:08 AM
  • Does anyone know a way of seeing if SMBv1 is disabled on servers & workstations?

    Some sort of report!

    Regards

    Wednesday, July 26, 2017 8:43 AM
  • Hi Andy,

    Will the workstation entries in the text below be enough for my users' PCs?

    To disable the SMBv1 client, the services registry key needs to be updated to disable the start of MRxSMB10 and then the dependency on MRxSMB10 needs to be removed from the entry for LanmanWorkstation so that it can start normally without requiring MRxSMB10 to first start.

    Wednesday, July 26, 2017 9:02 AM
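
Added example (not from any poster in this thread or from the linked blog article): a read-only PowerShell function that reports the SMBv1 server setting and the two workstation settings described in the post above, which also gives the kind of per-machine report asked about in the earlier post. The registry paths and the `SMB1 = 0` / `Start = 4` values are Microsoft's documented settings rather than values quoted on this page; `hosts.txt` and the CSV file name are hypothetical.

```powershell
# Added example: report SMBv1 server and client settings. Reads the registry only.
function Get-Smb1State {
    [CmdletBinding()]
    param()

    $services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    # Helper: return a registry value, or nothing when the key or value is absent.
    function Read-RegValue([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $item.$Name }
    }

    # Server: LanmanServer\Parameters\SMB1 = 0 turns the SMBv1 server off.
    # An absent value is reported as NotSet, because the OS default then applies.
    $smb1 = Read-RegValue "$services\LanmanServer\Parameters" 'SMB1'
    $server = if ($null -eq $smb1) { 'NotSet (OS default applies)' }
        elseif ($smb1 -eq 0) { 'Disabled' } else { 'Enabled' }

    # Client, step 1: the MRxSMB10 driver must not start (Start = 4 is "disabled").
    $start = Read-RegValue "$services\mrxsmb10" 'Start'
    $driver = if ($null -eq $start) { 'NotPresent' }
        elseif ($start -eq 4) { 'Disabled' } else { "Enabled (Start=$start)" }

    # Client, step 2: LanmanWorkstation must no longer depend on MRxSMB10,
    # otherwise the Workstation service cannot start once the driver is disabled.
    $deps = @(Read-RegValue "$services\LanmanWorkstation" 'DependOnService')
    $dependsOnSmb1 = $deps -contains 'MRxSmb10'   # -contains ignores case

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        Smb1Server               = $server
        MRxSmb10Driver           = $driver
        WorkstationDependsOnSmb1 = $dependsOnSmb1
        # Both client steps must be in place for the client side to count as done.
        Smb1ClientDisabled       = ($driver -notlike 'Enabled*') -and (-not $dependsOnSmb1)
    }
}

# Local check:
Get-Smb1State

# Fleet report (assumes PowerShell remoting is enabled on the targets;
# hosts.txt is a hypothetical file with one computer name per line):
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-Smb1State} |
#     Export-Csv .\smb1-report.csv -NoTypeInformation
```

A machine where `MRxSmb10Driver` is `Disabled` but `WorkstationDependsOnSmb1` is still `True` has only half of the workstation change applied and should be fixed before its next reboot.
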
  • Hello,

    Based on the blog article, it should work for workstations.

    Best regards,

    Andy Liu



    • Proposed as answer by onthejobagain Friday, July 28, 2017 9:21 AM
    Friday, July 28, 2017 9:20 AM