Why and how to disable SMB1 on Windows 10/8/7

Though security concerns with systems are nowhere new, the mess caused by the Wannacrypt ransomware has prompted for immediate action among netizens. The Ransomware targets the vulnerabilities of the SMB service of the Windows operating system to propagate.

SMB or Server Message Block is a network file sharing protocol meant for sharing files, printers, etc, between computers. There are three versions – Server Message Block (SMB) version 1 (SMBv1), SMB version 2 (SMBv2), and SMB version 3 (SMBv3). Microsoft recommends that you disable SMB1 for security reason – and it is not more important to do so in view of the WannaCrypt or NotPetya ransomware epidemic.

Disable SMB1 on Windows

To defend yourself against WannaCrypt ransomware it is imperative that you disable SMB1 as well as install the patches released by Microsoft. Let us take a look at some of the ways to disable SMB1.

Turn Off SMB1 via Control Panel

Open Control Panel > Programs & Features > Turn Windows features on or off.

In the list of options, one option would be SMB 1.0/CIFS File Sharing Support. Uncheck the checkbox associated with it and press OK.Disable SMB1 on Windows

Restart your computer.

Disable SMBv1 using Powershell

Open a PowerShell window in the administrator mode, type the following command and hit Enter to disable SMB1:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 –Force

Powershell Script
If for some reason, you need to temporarily disable SMB version 2 & version 3 use this command:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 0 –Force

It is recommended to disable SMB version 1 since it is outdated and uses technology that is almost 30 years old.

Says Microsoft, when you use SMB1, you lose key protections offered by later SMB protocol versions like:

  1. Pre-authentication Integrity (SMB 3.1.1+) – Protects against security downgrade attacks.
  2. Insecure guest auth blocking (SMB 3.0+ on Windows 10+) – Protects against MiTM attacks.
  3. Secure Dialect Negotiation (SMB 3.0, 3.02) – Protects against security downgrade attacks.
  4. Better message signing (SMB 2.02+) – HMAC SHA-256 replaces MD5 as the hashing algorithm in SMB 2.02, SMB 2.1 and AES-CMAC replaces that in SMB 3.0+. Signing performance increases in SMB2 and 3.
  5. Encryption (SMB 3.0+) – Prevents inspection of data on the wire, MiTM attacks. In SMB 3.1.1 encryption performance is even better than signing.

In case you wish to enable them later (not recommended for SMB1), the commands would be as follows:

For enabling SMB1:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force

For enabling SMB2 & SMB3:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 –Force

Disable SMB1 using Windows registry

You can also tweak the Windows Registry to disable SMB1.

Run regedit and navigate to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

In the right side, the DWORD SMB1 should not be present or should have a value of 0.

The values for enabling and disabling it are as follows:

  • 0 = Disabled
  • 1 = Enabled

For more options and ways to disable SMB protocols on the SMB server and the SMB client visit Microsoft.

Download this VPN to secure all your Windows devices and browse anonymously
Posted by on , in Category Windows with Tags
Anand Khanse is the Admin of TheWindowsClub.com, a 10-year Microsoft MVP Awardee in Windows (2006-16) & a Windows Insider MVP. Please read the entire post & the comments first, create a System Restore Point before making any changes to your system & be careful about any 3rd-party offers while installing freeware.

11 Comments

  1. Stan Scanlon

    What is the downside / feature loss / performance cost when disabling SMB1?

  2. Andrew

    SMBv1 is technology that is almost 30 years old. If you have a Windows 10 machine, then you are using SMBv3. Although SMBv3 is much better and is primarily used by Windows over SMBv1, they are both on your system. Therefore, disabling SMBv1 should have absolutely no impact on the computer, other than making it more secure.

  3. Andrew

    SMBv1 is technology that is almost 30 years old. If you have a Windows 10 machine, then you are using SMBv3. Although SMBv3 is much better and is primarily used by Windows over SMBv1, they are both on your system. Therefore, disabling SMBv1 should have absolutely no impact on the computer, other than making it more secure

  4. Baba

    Given that this is an old technology, causing security flaws with absolutely no advantage in return, why do they keep it enabled by default? There must be a reason…

  5. ?????? ???????

    when you use SMB1, you lose key protections offered by later SMB protocol versions like:
    1. Pre-authentication Integrity (SMB 3.1.1+)
    2. Insecure guest auth blocking (SMB 3.0+ on Windows 10+)
    3. Secure Dialect Negotiation (SMB 3.0, 3.02)
    4. Better message signing (SMB 2.02+)
    5. Encryption (SMB 3.0+)

    Brilliant!
    4 of 5 reasons Microsoft has provided to switch off the SMB v1 (and leave a shipload of old devices out of order) are dealing with SMB v2 too. But SMB v2 is a taboo yet cause Win 7 is still supported. So yeah, we will beat that old bad ugly Win XP with its SMB v1 and will be silent about SMB v2.
    Pah!
    :-

  6. ?????? ???????

    Cause a huge variety of devices uses “classical” realization of SMB v1 client (MFU’s, different set-top-boxes, etc.).

  7. ?????? ???????

    P.S. And, by the way, besides all this hysteria there is some alternative assessments like that:
    «The Verge: Windows XP computers were mostly immune to WannaCry.»

  8. thomas solido

    Good day,
    Is this the same SMB protocol used in the share and storage management in the server manager under file services? Won’t this be affected?

  9. Beep

    Winreducer does wonders!

  10. David DuBuque

    Easier way to disable SMBv1 via powershell
    Set-SmbServerConfiguration
    -EnableSMB1Protocol $false
    Then Run
    Get-SmbServerConfiguration
    You’ll see EnableSMB1Protocol set to False
    You can enable SMB 2 ina similar way.

  11. Chris Augustine

    The manufacturing shop floor just got to XP. It was a struggle at Cummins. We just pulled LU6.2’s 10 years ago, AIX and Tru64 5 years ago. All the PLCs and such run XP; almost every PC on that shop floor runs XP. They have all just come over from serial. Everything is one-off because that’s the shop floor. The manufacturers of shop floor software had to be brought kicking and screaming after the deadline for 2000 and Win95 (and DOS, yes DOS networked). I’m glad I don’t work there because they were replacing terminal servers back to a redundant as heck proprietary UNIX system. Would you want to be 1 of the 5 people supporting 1000 PCs on a shop floor where one PC can bring the entire line to a stop? They wanted to allow India’s HCL to do it with a 96 hour support window. Windows, oh Windows, boy I do not miss you!

Leave a Reply

Your email address will not be published. Required fields are marked *


9 + 4 =