Thursday, 8 May 2014

Disabling SMB 1.0

Some of you might be curious about SMB 1.0 and whether you can turn off the protocol. The bad news is that if you are still running Windows XP or Windows Server 2003, you still need to run that protocol. If you are running filers, it is important to double-check the support and configuration of these devices. In some cases Unix devices using Samba may require this protocol as well.

From a security perspective this protocol is dated and on its deathbed, so ideally it should be disabled. Performance and security are better with the newer implementations, and this should be an incentive to make sure your environment is specifically configured to use SMB 2.0 or better. I've been surprised at how many environments still run SMB 1.0 on their filers just because they never got around to applying updates or changing the infrastructure configuration.

To perform a quick test, you can use the following PowerShell 3.0+ command line to disable SMB 1.0.
Set-SmbServerConfiguration -EnableSMB1Protocol $false

If you are running PowerShell 2.0, you can achieve the same result with the following PowerShell command line.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
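
Before running either command on a production file server, it helps to see whether SMB 1.0 is currently enabled and whether any connected client is still speaking it. The following is an added example, not part of the original post; the function name Test-Smb1Readiness and its output fields are made up for illustration, and it assumes an elevated PowerShell session.

```powershell
# Added example: pre-flight check before disabling SMB 1.0 on a file server.
# Test-Smb1Readiness and its output fields are illustrative names.
function Test-Smb1Readiness {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [switch]$Disable   # turn SMB1 off, but only if no SMB1 session is seen
    )

    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $hasSmbCmdlets = [bool](Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue)

    if ($hasSmbCmdlets) {
        $enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
        # Each session reports its negotiated dialect; 1.x means SMB 1.0.
        $legacy = @(Get-SmbSession | Where-Object { $_.Dialect -like '1.*' })
        $source = 'SMB cmdlets'
    } else {
        # PowerShell 2.0 path: a missing SMB1 value means the default (enabled).
        $value = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $enabled = ($null -eq $value) -or ($value -ne 0)
        $legacy = @()   # no per-session dialect data without the SMB cmdlets
        $source = 'registry'
    }

    # Only treat the change as safe when dialects could be checked and none are 1.x.
    $safe = $hasSmbCmdlets -and ($legacy.Count -eq 0)
    if ($Disable -and $enabled -and -not $safe) {
        Write-Warning 'SMB1 left enabled: legacy sessions present or dialects could not be checked.'
    }
    if ($Disable -and $enabled -and $safe -and
        $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMB 1.0 server protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $enabled = $false
    }

    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        Smb1Enabled  = $enabled
        Smb1Clients  = @($legacy | ForEach-Object { $_.ClientComputerName })
        CheckedBy    = $source
    }
}

Test-Smb1Readiness            # report only
# Test-Smb1Readiness -Disable # disable when no SMB1 client is connected
```

The session list is a snapshot, so a client that only connects occasionally (a nightly backup job, a scanner writing to a share) will not show up unless the check is repeated over a representative period.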

For more guidance you should also reference the following Microsoft KB for disabling SMB protocols.
http://support.microsoft.com/kb/2696547

And if you are up for some reading, Microsoft has a wonderful 394-page document on the V2 and V3 specifications.
http://download.microsoft.com/download%2F9%2F5%2FE%2F95EF66AF-9026-4BB0-A41D-A4F81802D92C%2F%5BMS-SMB2%5D.pdf