Why turning off SMB1
When you use SMB1, you lose key performance and productivity optimizations for end users.
When you use SMB1, you lose key protections offered by later SMB protocol versions.
Stop using SMB1. For your children. For your children’s children. Please. We are begging you.
And if that is not enough: SMB1 is being removed (fully or partially, depending on SKU) by default in the RS3 release of Windows and Windows Server. This is coming, folks.
—Microsoft
What version of SMB you are using
In Windows 8 or Windows Server 2012, there is a new PowerShell cmdlet that can easily tell you what version of SMB the client has negotiated with the file server:
Get-SmbConnection -ServerName localhost
Here is a table to help you understand what version you will end up using, depending on what Windows version is running as the SMB client and what version of Windows is running as the SMB server:
Operating system | Windows 8.1 WS 2012 R2 | Windows 8 WS 2012 | Windows 7 WS 2008 R2 | Windows Vista WS 2008 | Previous versions |
---|---|---|---|---|---|
Windows 8.1 WS 2012 R2 | SMB 3.02 | SMB 3.0 | SMB 2.1 | SMB 2.0 | SMB 1.0 |
Windows 8 WS 2012 | SMB 3.0 | SMB 3.0 | SMB 2.1 | SMB 2.0 | SMB 1.0 |
Windows 7 WS 2008 R2 | SMB 2.1 | SMB 2.1 | SMB 2.1 | SMB 2.0 | SMB 1.0 |
Windows Vista WS 2008 | SMB 2.0 | SMB 2.0 | SMB 2.0 | SMB 2.0 | SMB 1.0 |
Previous versions | SMB 1.0 | SMB 1.0 | SMB 1.0 | SMB 1.0 | SMB 1.0 |
Turning off SMB1
Starting from Windows 8.1 and Windows Server 2012 R2, we made removal of the SMB1 feature possible and trivially easy.
On the server version (Windows 2012 R2 and later), the PowerShell approach:
Remove-WindowsFeature -Name FS-SMB1
On the desktop version (Windows 8.1 and later), the PowerShell approach:
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
On legacy (older than Windows 8.1 and Windows Server 2012 R2) operating systems you cannot remove SMB, but you can disable it.
-
On Server, the PowerShell approach:
To disable SMB1 on the SMB server, run the following cmdlet:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
To enable SMB2 and SMB3 on the SMB server, run the following cmdlet:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 -Force
-
On client, the CMD approach:
To disable SMB1 on the SMB client, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi sc.exe config mrxsmb10 start= disabled
To enable SMB2 and SMB3 on the SMB client, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi sc.exe config mrxsmb20 start= auto
Run these commands as administrator. Restart the computer after you make these changes.
Enabling SMB2 on appliance
To enable SMB2 support on appliance (SMB2.02 is the latest version, which Samba 3.6.23 currently supports) you need to modify /etc/samba/smb.conf
file by adding max protocol = SMB2
to global section of the configuration file:
# Generated by com.rti.linuxconf.SambaConfigFile\$OurWriter on 1500989452602
[global]
...
max protocol = SMB2