What is the impact of disabling SMB1?
MrBrian AskWoody_MVP June 30, 2017 at 6:33 pm #122763
MrBrian AskWoody_MVP June 30, 2017 at 6:35 pm #122765
anonymous Guest June 30, 2017 at 7:29 pm #122777 is it the same if i disable lanmanworkstation service ?
PatC AskWoody Lounger June 30, 2017 at 8:30 pm #122792 I disabled SMBv1 on Windows 10 Pro 1607 per instructions and after a restart it could no longer see other computers on my LAN, a mix of Windows 7, Mac, Linux. Re-enabling it restored normality. Elderly hardware/router? 1 user thanked author for this post.
fp AskWoody Lounger July 3, 2017 at 12:48 pm #123082 Which is why I pay little attention to sw vendors who keep pushing updates and upgrades as a way to prevent attacks. The reality is that hacking is way ahead of vendors and those upgrades/updates are locking the barn after the horses got out. It is true that systems should be patched to prevent later attacks of already detected hacks, but it’s much more marketing than substance. MS does this a lot to push Win10 and I have seen no convincing evidence. anonymous Guest July 1, 2017 at 10:31 am #122878 PatC, please see post number 122876 below from MrBrian. Basically, in your situation you might want to avoid this fall’s upcoming Win10 update because it could very well put you back into the situation you just found yourself in, thanks to having machines with different OS’s networked.
MrBrian AskWoody_MVP July 1, 2017 at 5:02 pm #122910 I am curious if you’d have the same problems if you disabled SMB1 using the script in post #122763. It does some things not done in KB2696547 that might make a positive difference.
Geo AskWoody Plus June 30, 2017 at 8:44 pm #122795 For Win 7 x64 apply security patch KB4012212 MrBrian AskWoody_MVP July 1, 2017 at 8:40 am #122876 From Stop using SMB1: “Update June 30, 2017 – You have probably seen me announce this on twitter and in other public venues: Windows 10 RS3 (Fall Creators Update) and Windows Server 2016 RS3 have SMB1 uninstalled by default under most circumstances.” 2 users thanked author for this post.
JohnW AskWoody Plus July 1, 2017 at 1:15 pm #122888 Letting all devices share data over my home LAN makes me nervous. So I use two wifi SSIDs on my home network router. I use a separate secured guest network for all of my mobile devices, including my Androids, and my Windows laptop. I use wireless isolation on this hotspot, so that the devices can only see the internet, and not each other, or my desktops on the main network. My stay at home devices are either hard wired ethernet to the router, or use the main wifi SSID. I allow this network to be trusted, since the individual devices are reasonably secured, and never leave home. I figure this is another layer of security against any creepy crawlies that might compromise my mobile devices while I am out and about. That way any damage is confined to only one device. 2 users thanked author for this post. Snowflake Theory AskWoody Lounger July 1, 2017 at 3:38 pm #122900 Why does Chicken Little come to mind so often these days? BrianL AskWoody Lounger July 1, 2017 at 3:57 pm #122902 Can a 1,2,3 be found to disable or delete SMB1 on single home computers?
MrBrian AskWoody_MVP July 1, 2017 at 4:54 pm #122908 Post #122763 has a script that is a superset of the instructions in KB2696547. anonymous Guest July 1, 2017 at 10:14 pm #122921 Brian, which version of Windows? For Win 7, you can either follow ch200’s advice above for creating the registry edit file, run it and reboot the computer or run a couple of commands at an elevated command prompt and reboot the computer. The commands to run (directly from Microsoft’s page about this) are: To disable SMBv1 on the SMB client, run the following commands: sc.exe config lanmanworkstation depend=
bowser/mrxsmb20/nsi For Win 8.1 and Win10, it’s just a point and click operation within the Add/Remove Programs menu. Click on Windows Features and scroll down to the box that says “SMB 1.0/CIFS File Sharing Support” and clear the check box, then reboot the computer. Most of the advice in this post is directly from the page referenced by PKCano in post #122903. Edit ti remove HTML
MrBrian AskWoody_MVP July 2, 2017 at 7:46 am #122966 @anonymous: Also do the SMB Server part of KB2696547.
ch200 AskWoody_MVP July 1, 2017 at 6:40 pm #122916 @brianl Copy the following in a text file named DisableSMB1.reg Note that I provide this for your convenience and I am against disabling SMB1 which does not provide any benefit. Patching correctly and in full provides all the benefits instead. ************************************************************************************* [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters] ************************************************************************************* EDIT: This is a repost of a previous post which was not showing the full text due to limitations of the forum software 4 users thanked author for this post. Kirsty Manager July 2, 2017 at 12:57 am #122938 Microsoft to Disable SMBv1 in Windows Starting This Fall Despite these high-profile incidents, the decision to disable SMBv1 was made long before that. “It started 5 years ago,” Pyle said. “We made the decision public in 2014, without setting specific dates and OSes until later.” That date is now the release of Windows 10 Redstone 3, also referenced as the Fall Creators Update, scheduled for launch in October/November 2017. After that day, every new Windows 10 or Windows Server 2016 OS you install will not have some or all of SMBv1 turned on, which is the norm right now. 1 user thanked author for this post. MrBrian AskWoody_MVP July 2, 2017 at 8:04 am #122968 You can go even further and disable all SMB traffic (not just SMBv1 traffic) between computers on your local network. I have done this for years for Windows 7 as a security measure for protection against malware spreading between computers on the home network. See Turn Off Network Discovery, File/Printer Sharing and Public Folder Sharing In Windows 7 for details. 2 users thanked author for this post.
MrBrian AskWoody_MVP July 3, 2017 at 12:42 am #123009 (I believe that this post is relevant only if you use Windows Firewall as your firewall.) I just checked my Windows 7 settings. I use the Public network profile for my network connections. Also make sure the settings for the Public network profile are set to those at Turn Off Network Discovery, File/Printer Sharing and Public Folder Sharing In Windows 7. I just (re)tested if this is effective using SuperScan 4.1 with these settings from another computer. Scanning ports 1-1023 for both UDP and TCP, the difference between the Public network profile (with default settings) and the Home network profile (with default settings) is that these ports are not open with the Public network profile: TCP 135, TCP 139, TCP 445, and UDP 137. None of the 5 ports listed at https://en.wikipedia.org/wiki/Server_Message_Block (TCP 137, TCP 139, TCP 445, UDP 137, UDP 138) were open with the Public network profile. I believe that using this method is sufficient to protect against malware on your local devices from using SMB exploits on your other local Windows computers. In summary, if you use Windows Firewall on a given Windows computer, setting its network connections to use the Public network profile (with default settings) should protect the given Windows computer from other devices on your local network using SMB exploits against it. 3 users thanked author for this post.
MrBrian AskWoody_MVP July 2, 2017 at 9:50 am #122974 MrBrian AskWoody_MVP July 2, 2017 at 3:16 pm #122988 anonymous Guest July 4, 2017 at 5:32 pm #123282 I turned off SMB1, restarted my computer, tried to print something, printer would not print (printer is not wireless). Bluetooth keyboard acted like it had been turned off after 30 minutes even though it had only been a minute or so. Had to turn SMB1 back on, and restart computer. Printer went back to working and bluetooth keyboard started working again. I am not tech savy enough to do work arounds. I have Win 8.1 64 bit.
anonymous Guest July 4, 2017 at 8:02 pm #123302 @PKCano: Printer is old, but computer was bought with 8.1 already on it back in 2014, I think). I will try your suggestions. May be awhile before I get back to you. Thank you. anonymous Guest July 21, 2017 at 10:54 am #125904 hello is it safe to disable lanmanworkstation service ?
MrBrian AskWoody_MVP July 27, 2017 at 11:23 am #126658 MrBrian AskWoody_MVP August 5, 2017 at 7:47 am #128059 1 user thanked author for this post.
What is the impact of disabling SMBv1?While disabling or removing SMBv1 might cause some compatibility issues with old computers or software, SMBv1 has significant security vulnerabilities, and we strongly encourage you not to use it.
Does disabling SMB1 require a reboot?This behavior occurs because these protocols share the same stack. You do not have to restart the computer after you run the Set-SMBServerConfiguration cmdlet.
What is SMB1 used for?SMB 1.0 was created by IBM for file sharing in DOS. It introduced opportunistic locking (OpLock) as a client-side caching mechanism designed to reduce network traffic. Microsoft would later include the SMB protocol in its LAN Manager product.
Is SMBv1 needed?The Computer Browser service relies on the SMBv1 protocol to populate the Windows Explorer Network node (also known as "Network Neighborhood"). This legacy protocol is long deprecated, doesn't route, and has limited security. Because the service can't function without SMBv1, it's removed at the same time.
|
