Issue disabling SMBv1 and Windows Server 2016

  • Question

  • https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/

    We have been disabling SMBv1 on all of our Windows boxes but have run into an issue on Windows Server 2016.  We were hopeful the issue would be resolved in the March 2017 Windows Updates given there were 2 patches addressing SMB specifically, but the issue still is present. 

    Prior to disabling SMBv1, we have been “hardening” SMB to prevent SMB relay attacks:
    Microsoft network server: Server SPN target name validation level
    https://technet.microsoft.com/en-us/itpro/windows/keep-secure/microsoft-network-server-server-spn-target-name-validation-level

    We configured this group policy as ‘Required from client’ across all Windows boxes in our domain without issue.

    Group Policy:
    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
    Microsoft network server: Server SPN target name validation level
    Off = 0
    Accept if provided by client = 1
    Required from client = 2

    Registry:
    HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\smbservernamehardeninglevel

    After adding the additional security step of disabling SMBv1, we had no issues on Windows 7 SP1, Windows 8.1, Windows 10, Server 2012, or Server 2012 R2.

    However, when we disabled SMBv1 on Server 2016 (Remove-WindowsFeature FS-SMB1), all SMB shares broke: no shares were accessible from any Windows clients. Instead of connecting to the share, a credential pop-up box is presented and even valid credentials don’t work. The error logged is:

    Log Name:      Microsoft-Windows-SMBServer/Security
    Event ID:      551
    Description:      SMB Session Authentication Failure
    A process has requested access to an object, but has not been granted those access rights. (0xC0000022)
    SPN Validation Policy: SPN required / validate full

    On Server 2016, disabling (removing) SMBv1 and having Microsoft network server: Server SPN target name validation level = Required from client (2) are currently not “working together”, yet it works on the other Windows operating systems just fine.

    To recreate this:
    1) Test with a Domain-joined Windows Server 2016 box
    2) Remove-WindowsFeature FS-SMB1 on the Windows Server 2016 box
    3) GPO set or reghack on the Windows Server 2016 box: Server SPN target name validation level = Required from client (2)
    4) Reboot the Windows Server 2016

    Domain Admins are now unable to connect to the \\Server2016\C$ default share or any other shares from other domain-joined Windows computers.

    The “temporary” fix is to configure Server SPN target name validation level = Off (0) & Reboot on Server 2016 boxes.  SMBv1 is disabled but SMB relay attacks are possible again.  :/

    Has anyone else experienced this issue or is able to recreate it in their environment? 

    Wednesday, March 22, 2017 2:38 PM

All replies

  • Hi,

    >>The “temporary” fix is to configure Server SPN target name validation level = Off (0) & Reboot on Server 2016 boxes.  SMBv1 is disabled but SMB relay attacks are possible again.  :/

    Has anyone else experienced this issue or is able to recreate it in their environment? 

    I have reproduced this issue in my lab. Thanks for your workaround. But I couldn't find any official document talking about this behavior. Considering it only shows up in Windows Server 2016, you could go to the Windows Server User Voice site to give feedback. Thank you.


    Best Regards
    Cartman
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    Thursday, March 23, 2017 2:44 AM
    Moderator
  • Thank you for testing this and confirming the issue in your lab environment. I have posted on the Windows Server User Voice forum as you have suggested as well.
    Thursday, March 23, 2017 3:13 AM
  • Hi,

    You're welcome. If there's anything you'd like to know, please feel free to ask.


    Best Regards
    Cartman

    Tuesday, March 28, 2017 3:32 AM
    Moderator
  • I believe this issue was reported as a bug. There is another workaround I have found and used in my labs:

    WORKAROUND
    =============
    Set the smbServerNameHardeningLevel to 2 (default is 0).

    Disable SMBv1 via registry key instead of removing it in MMC or by PowerShell command (Remove-WindowsFeature FS-SMB1).

    Registry edit,

    PowerShell cmdlet:  Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

     (the above script is not guaranteed and is offered as is)

    You can also manually create the registry key. I would advise you to back up the registry prior to making any changes to your registry settings.

    • Proposed as answer by Mel_t_pot Friday, June 16, 2017 6:05 PM
    Thursday, June 15, 2017 7:49 PM
  • This is a workaround, yes; it only disables SMBv1 (server-side only) but doesn't remove SMBv1.
    Tuesday, June 20, 2017 4:42 PM
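
A read-only PowerShell check for the settings this thread turns on (SPN target name validation level, SMBv1 removed versus disabled by registry, and Event ID 551), useful for finding servers in the reported state. This is an added example, not code from any poster or from Microsoft; the function name Get-SmbHardeningState and the 24-hour look-back window are assumptions.

```powershell
# Added example (read-only). Run elevated on the Windows Server 2016 box.
function Get-SmbHardeningState {
    # Look-back window for Event ID 551 is an assumption of this example.
    param([int]$LookBackHours = 24)

    $path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $params = Get-ItemProperty -Path $path

    # SPN target name validation level; a missing value means the default, 0.
    $names = @{ 0 = 'Off'; 1 = 'Accept if provided by client'; 2 = 'Required from client' }
    $level = 0
    if ($null -ne $params.SmbServerNameHardeningLevel) {
        $level = [int]$params.SmbServerNameHardeningLevel
    }

    # Registry workaround from the thread: SMB1 = 0 disables SMBv1 server-side.
    $smb1Registry = if ($null -ne $params.SMB1) { [int]$params.SMB1 } else { 'not set' }

    # Feature state: Installed, Available or Removed.
    $feature = Get-WindowsFeature -Name FS-SMB1

    # Effective setting as reported by the SMB server itself.
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # SMB Session Authentication Failure events (ID 551) inside the window.
    $filter = @{
        LogName   = 'Microsoft-Windows-SMBServer/Security'
        Id        = 551
        StartTime = (Get-Date).AddHours(-$LookBackHours)
    }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        SpnValidationLevel  = $level
        SpnValidationName   = $names[$level]
        Smb1RegistryValue   = $smb1Registry
        Smb1FeatureState    = $feature.InstallState
        Smb1ProtocolEnabled = $smb1Enabled
        Event551Count       = $events.Count
        LastEvent551        = ($events | Select-Object -First 1).TimeCreated
        # True when the server matches the combination reported in this thread:
        # FS-SMB1 not installed and validation level 2.
        ReportedCombination = (-not $feature.Installed) -and ($level -eq 2)
    }
}

Get-SmbHardeningState | Format-List
```

A server using the registry workaround shows Smb1RegistryValue = 0 with Smb1FeatureState still Installed, which is the distinction the last reply draws between disabling and removing SMBv1.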