Why turn off SMB1?
When you use SMB1, you lose key performance and productivity optimizations for end users.
When you use SMB1, you lose key protections offered by later SMB protocol versions.
Stop using SMB1. For your children. For your children’s children. Please. We’re begging you.
And if that’s not enough: SMB1 is being removed (fully or partially, depending on SKU) by default in the RS3 release of Windows and Windows Server. This is coming, folks.
Which version of the SMB protocol are you using?
In Windows 8 or Windows Server 2012, there is a new PowerShell cmdlet that can easily tell you what version of SMB the client has negotiated with the file server:
Get-SmbConnection -ServerName localhost
Here’s a table to help you understand what version you will end up using, depending on what Windows version is running as the SMB client and what version of Windows is running as the SMB server:
| Operating system | Windows 8.1, WS 2012 R2 | Windows 8, WS 2012 | Windows 7, WS 2008 R2 | Windows Vista, WS 2008 | Previous versions |
|---|---|---|---|---|---|
| Windows 8.1, WS 2012 R2 | SMB 3.02 | SMB 3.0 | SMB 2.1 | SMB 2.0 | SMB 1.0 |
| Windows 8, WS 2012 | SMB 3.0 | SMB 3.0 | SMB 2.1 | SMB 2.0 | SMB 1.0 |
| Windows 7, WS 2008 R2 | SMB 2.1 | SMB 2.1 | SMB 2.1 | SMB 2.0 | SMB 1.0 |
| Windows Vista, WS 2008 | SMB 2.0 | SMB 2.0 | SMB 2.0 | SMB 2.0 | SMB 1.0 |
| Previous versions | SMB 1.0 | SMB 1.0 | SMB 1.0 | SMB 1.0 | SMB 1.0 |
How to turn off SMB1?
Starting in Windows 8.1 and Windows Server 2012 R2, we made removal of the SMB1 feature possible and trivially easy.
On Server (Win 2012 R2 and greater), the PowerShell approach:
Remove-WindowsFeature -Name FS-SMB1
On Client (Win 8.1 and greater), the PowerShell approach:
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
On legacy operating systems (older than Windows 8.1 and Windows Server 2012 R2) you can't remove SMB1, but you can disable it.
On Server, the PowerShell approach:
To disable SMBv1 on the SMB server, run the following cmdlet:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
To enable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 -Force
On Client, the CMD approach:
To disable SMBv1 on the SMB client, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
To enable SMBv2 and SMBv3 on the SMB client, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb20 start= auto
You must run these commands at an elevated Command Prompt.
You must restart the computer after you make these changes.
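To confirm after the restart that the legacy registry and service changes above took effect, the following PowerShell audit reads them back and lists any live connections that still negotiated SMB1. It is an added example, not part of the original article; the function name Get-Smb1Audit is hypothetical, and the '1*' dialect filter is an assumption about how SMB1 sessions are reported by Get-SmbConnection.

```powershell
# Added example: read back the SMB1 settings changed by the commands above.
# Get-Smb1Audit is a hypothetical helper name, not a built-in cmdlet.
function Get-Smb1Audit {
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    # Server side: the SMB1 value does not exist by default; only 0 disables SMB1.
    $srv = Get-ItemProperty -Path "$svc\LanmanServer\Parameters" -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $srv)      { $serverState = 'Not set (default on legacy systems: enabled)' }
    elseif ($srv.SMB1 -eq 0) { $serverState = 'Disabled' }
    else                     { $serverState = 'Enabled' }

    # Client side: a service Start value of 4 means the mrxsmb10 driver is disabled.
    $drv = Get-ItemProperty -Path "$svc\mrxsmb10" -Name Start -ErrorAction SilentlyContinue
    if ($null -eq $drv)       { $clientState = 'Driver not present' }
    elseif ($drv.Start -eq 4) { $clientState = 'Disabled' }
    else                      { $clientState = "Enabled (Start=$($drv.Start))" }

    # The workstation service should no longer list mrxsmb10 as a dependency
    # once "sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi" has run.
    $ws = Get-ItemProperty -Path "$svc\LanmanWorkstation" -Name DependOnService -ErrorAction SilentlyContinue
    $dependsOnSmb1 = @($ws.DependOnService) -contains 'MRxSmb10'   # -contains ignores case

    # Live sessions: Get-SmbConnection exists only on Windows 8 / Server 2012 and later.
    $smb1Shares = @()
    if (Get-Command Get-SmbConnection -ErrorAction SilentlyContinue) {
        # Assumption: an SMB1 session reports a Dialect string beginning with "1".
        $smb1Shares = @(Get-SmbConnection |
            Where-Object { "$($_.Dialect)" -like '1*' } |
            ForEach-Object { "\\$($_.ServerName)\$($_.ShareName)" })
    }

    # New-Object is used instead of [pscustomobject] so this also runs on PowerShell 2.0.
    New-Object PSObject -Property @{
        ServerSmb1               = $serverState
        ClientSmb1Driver         = $clientState
        WorkstationDependsOnSmb1 = $dependsOnSmb1
        LiveSmb1Connections      = $smb1Shares
    }
}

Get-Smb1Audit | Format-List
```

A hardened legacy host reports ServerSmb1 and ClientSmb1Driver as Disabled, WorkstationDependsOnSmb1 as False, and an empty LiveSmb1Connections list.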
How to enable SMB2 on CFA?
To enable SMB2 support on CFA (SMB 2.02 is the latest version that Samba 3.6.23 currently supports), you need to modify the /etc/samba/smb.conf file by adding max protocol = SMB2 to the global section of the configuration file:
# Generated by com.rti.linuxconf.SambaConfigFile$OurWriter on 1500989452602
[global]
...
max protocol = SMB2