Configuring SMB

    • 3 min read
    On this page

    Why turning off SMB1

    When you use SMB1, you lose key performance and productivity optimizations for end users.

    When you use SMB1, you lose key protections offered by later SMB protocol versions.

    Stop using SMB1. For your children. For your children’s children. Please. We are begging you.

    And if that is not enough: SMB1 is being removed (fully or partially, depending on SKU) by default in the RS3 release of Windows and Windows Server. This is coming, folks.

    —Microsoft

    What version of SMB you are using

    In Windows 8 or Windows Server 2012, there is a new PowerShell cmdlet that can easily tell you what version of SMB the client has negotiated with the file server:

    Get-SmbConnection -ServerName localhost

    Here is a table to help you understand what version you will end up using, depending on what Windows version is running as the SMB client and what version of Windows is running as the SMB server:

    Operating system Windows 8.1 WS 2012 R2 Windows 8 WS 2012 Windows 7 WS 2008 R2 Windows Vista WS 2008 Previous versions
    Windows 8.1 WS 2012 R2 SMB 3.02 SMB 3.0 SMB 2.1 SMB 2.0 SMB 1.0
    Windows 8 WS 2012 SMB 3.0 SMB 3.0 SMB 2.1 SMB 2.0 SMB 1.0
    Windows 7 WS 2008 R2 SMB 2.1 SMB 2.1 SMB 2.1 SMB 2.0 SMB 1.0
    Windows Vista WS 2008 SMB 2.0 SMB 2.0 SMB 2.0 SMB 2.0 SMB 1.0
    Previous versions SMB 1.0 SMB 1.0 SMB 1.0 SMB 1.0 SMB 1.0

    Turning off SMB1

    Starting from Windows 8.1 and Windows Server 2012 R2, we made removal of the SMB1 feature possible and trivially easy.

    On the server version (Windows 2012 R2 and later), the PowerShell approach:

    Remove-WindowsFeature -Name FS-SMB1

    On the desktop version (Windows 8.1 and later), the PowerShell approach:

    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

    On legacy (older than Windows 8.1 and Windows Server 2012 R2) operating systems you cannot remove SMB, but you can disable it.

    • On Server, the PowerShell approach:

      To disable SMB1 on the SMB server, run the following cmdlet:

      Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

      To enable SMB2 and SMB3 on the SMB server, run the following cmdlet:

      Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 -Force

    • On client, the CMD approach:

      To disable SMB1 on the SMB client, run the following commands:

      sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

      To enable SMB2 and SMB3 on the SMB client, run the following commands:

      sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb20 start= auto

      Run these commands as administrator. Restart the computer after you make these changes.

    Enabling SMB2 on appliance

    To enable SMB2 support on appliance (SMB2.02 is the latest version, which Samba 3.6.23 currently supports) you need to modify /etc/samba/smb.conf file by adding max protocol = SMB2 to global section of the configuration file:

    # Generated by com.rti.linuxconf.SambaConfigFile\$OurWriter on 1500989452602
[global]
...
max protocol = SMB2