Why turn off SMB1?

When you use SMB1, you lose key performance and productivity optimizations for end users.

When you use SMB1, you lose key protections offered by later SMB protocol versions.

Stop using SMB1. For your children. For your children’s children. Please. We’re begging you.

And if that’s not enough: SMB1 is being removed (fully or partially, depending on SKU) by default in the RS3 release of Windows and Windows Server. This is coming, folks.

Microsoft

Which version of the SMB protocol are you using?

In Windows 8 or Windows Server 2012, there is a new PowerShell cmdlet that can easily tell you what version of SMB the client has negotiated with the file server:

PS C:\> Get-SmbConnection -ServerName localhost

Here’s a table to help you understand what version you will end up using, depending on what Windows version is running as the SMB client and what version of Windows is running as the SMB server:

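Operating system         | Windows 8.1 / WS 2012 R2 | Windows 8 / WS 2012 | Windows 7 / WS 2008 R2 | Windows Vista / WS 2008 | Previous versions
-------------------------|--------------------------|---------------------|------------------------|-------------------------|------------------
Windows 8.1 / WS 2012 R2 | SMB 3.02                 | SMB 3.0             | SMB 2.1                | SMB 2.0                 | SMB 1.0
Windows 8 / WS 2012      | SMB 3.0                  | SMB 3.0             | SMB 2.1                | SMB 2.0                 | SMB 1.0
Windows 7 / WS 2008 R2   | SMB 2.1                  | SMB 2.1             | SMB 2.1                | SMB 2.0                 | SMB 1.0
Windows Vista / WS 2008  | SMB 2.0                  | SMB 2.0             | SMB 2.0                | SMB 2.0                 | SMB 1.0
Previous versions        | SMB 1.0                  | SMB 1.0             | SMB 1.0                | SMB 1.0                 | SMB 1.0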

How to turn off SMB1?

Starting in Windows 8.1 and Windows Server 2012 R2, we made removal of the SMB1 feature possible and trivially easy.

On Server (Win 2012 R2 and greater), the PowerShell approach:

PS C:\> Remove-WindowsFeature -Name FS-SMB1

On Client (Win 8.1 and greater), the PowerShell approach:

PS C:\> Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

On legacy operating systems (older than Windows 8.1 and Windows Server 2012 R2) you can't remove SMB1, but you can disable it.

  • On Server, the PowerShell approach:

    To disable SMBv1 on the SMB server, run the following cmdlet:

    PS C:\> Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
    

    To enable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:

    PS C:\> Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 -Force
    
  • On Client, the CMD approach:

    To disable SMBv1 on the SMB client, run the following commands:

    CMD> sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
    CMD> sc.exe config mrxsmb10 start= disabled
    

    To enable SMBv2 and SMBv3 on the SMB client, run the following commands:

    CMD> sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
    CMD> sc.exe config mrxsmb20 start= auto
    
    You must run these commands at an elevated Command Prompt.
    You must restart the computer after you make these changes.
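
To confirm after the restart that the legacy-OS settings above took effect, the following read-only check reads the same registry values and service configuration that those commands change. It is an added example, not part of the original article; the function name Get-Smb1AuditState is hypothetical, and it assumes that a missing SMB1 or SMB2 registry value means the legacy OS default (enabled) applies.

```powershell
# Added example (not from the original page): read-only audit of the settings
# changed by the legacy-OS steps above. Run from an elevated PowerShell prompt.
function Get-Smb1AuditState {   # hypothetical helper name
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    # SMB server: SMB1 / SMB2 values under LanmanServer\Parameters.
    # Assumption: a missing value means the legacy OS default (enabled) applies.
    $srv = Get-ItemProperty -Path "$svc\LanmanServer\Parameters" -ErrorAction SilentlyContinue
    $serverSmb1 = if ($srv -and $null -ne $srv.SMB1) { [int]$srv.SMB1 -ne 0 } else { $true }
    $serverSmb2 = if ($srv -and $null -ne $srv.SMB2) { [int]$srv.SMB2 -ne 0 } else { $true }

    # SMB client: mrxsmb10 driver start type (4 = disabled, as set by
    # "sc.exe config mrxsmb10 start= disabled") and the LanmanWorkstation
    # dependency list (as set by "sc.exe config lanmanworkstation depend= ...").
    $drv = Get-ItemProperty -Path "$svc\mrxsmb10" -ErrorAction SilentlyContinue
    $wks = Get-ItemProperty -Path "$svc\LanmanWorkstation" -ErrorAction SilentlyContinue
    $driverEnabled = if ($drv) { [int]$drv.Start -ne 4 } else { $false }
    $dependsOnSmb1 = @($wks.DependOnService) -contains 'mrxsmb10'

    # Negotiated dialects of current client connections, where the
    # Get-SmbConnection cmdlet exists (Windows 8 / Windows Server 2012 and later).
    $dialects = @()
    if (Get-Command Get-SmbConnection -ErrorAction SilentlyContinue) {
        $dialects = @(Get-SmbConnection | Select-Object -ExpandProperty Dialect -Unique)
    }

    # New-Object PSObject keeps the function usable on PowerShell 2.0.
    New-Object PSObject -Property @{
        ServerSmb1Enabled        = $serverSmb1
        ServerSmb2Enabled        = $serverSmb2
        ClientSmb1DriverEnabled  = $driverEnabled
        WorkstationDependsOnSmb1 = $dependsOnSmb1
        NegotiatedDialects       = ($dialects -join ', ')
        Smb1FullyDisabled        = -not ($serverSmb1 -or $driverEnabled -or $dependsOnSmb1)
    }
}

Get-Smb1AuditState | Format-List
```

A host is reported as Smb1FullyDisabled only when the server value is 0, the mrxsmb10 driver is disabled, and LanmanWorkstation no longer lists mrxsmb10 as a dependency.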

How to enable SMB2 on CFA?

To enable SMB2 support on CFA (SMB2.02 is the latest version, which Samba 3.6.23 currently supports), you need to modify the /etc/samba/smb.conf file by adding max protocol = SMB2 to the [global] section of the configuration file:

# Generated by com.rti.linuxconf.SambaConfigFile\$OurWriter on 1500989452602
[global]
...
max protocol = SMB2