How to harden Windows 10 workstations and servers: Disable SMB v1

Early versions of Server Message Block are still present on many Windows networks and devices, leaving them open to attack. Here's how to detect and disable them.

Server Message Block (SMB) is a foundational service that has been used for many years. This internet standard protocol enables Windows to share files, printers and serial ports. SMB is used over the internet on top of the TCP/IP protocol.

SMB v1 has been in use since Windows 95, and in 2019, it’s still often found and abused in networks. If you have SMB v1 enabled in your network, it can be used in blended attacks that might include ransomware and other malware. In a 2016 blog post, Ned Pyle lists the protections you lose when using SMB v1:

As Pyle points out, “The nasty bit is that no matter how you secure all these things, if your clients use SMB1, then a man-in-the-middle can tell your client to ignore all the above. “

How to detect and disable SMB v1

You can use various means to disable SMB v1 in your network. For example, you can use group policy to disable it with a registry key as noted in a 2017 blog post. In addition, you can follow the guidance in KB2696547 to detect if SMB v1 is still in use in your network and to gracefully disable it.

On Windows 10, you can use PowerShell to determine if SMB v1 is enabled on your computer. For example, the command Get-WindowsOptionalFeature –Online –FeatureName SMB1Protocol on my Windows 10 system provides the following information:

bradley smb 1 Microsoft

Determining support for SMB v1

You might find that older copiers and printers or older network-accessible storage still depends on SMB v1 to be functional. You need to determine if the risk of SMB v1 is acceptable, or you can contact the vendors on your impacting devices to determine if you can get a firmware update to support SMB v2 and SMB v3 on these older devices. There is even a list of products that demand SMB v1. If you are having issues disabling SMB v1 at home, check out the guidance on the Barbs Connected World blog.

Next, as recommended by the U.S. Cert, you can block SMB v1 at the firewall and internet. Most firewalls do this by default, but review if yours automatically blocks all SMB versions at the network boundary. It would do so by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139.

Take the time now to review your SMB v1 status and tighten up your Server Message Block.

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!