20,213 questions
You can follow along here. (towards end of doc)
https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858
--please don't forget to Accept as answer if the reply is helpful--
Auditing SMB1 for Windows Server 2008 R2
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 45%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKA%3C/text%3E%3C/svg%3E)
Kamran Ahmed
271
Reputation points
Hi,
Before disabling SMB1 i need confirm if there are any applications and devices trying to connect on this protocol. I'm trying to find a way to enable SMB1 auditing on Windows Server 2008 R2, there are plenty of articles for 2012 but nothing for 2008. The commands for 2012 do not work in 2008. I have tried googling but can't seem to find anything.
Thanks
Windows for business | Windows Server | User experience | Other
Accepted answer
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2020-10-28T12:45:25.077+00:00 -
Kamran Ahmed 271 Reputation points
2020-10-28T13:32:36.683+00:00 Thank you for the article, will try adding the following and testing.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" AuditSmb1Access -Type DWORD -Value 1 –Force
-
Anonymous
2020-10-28T13:34:13.59+00:00 You're welcome.
--please don't forget to Accept as answer if the reply is helpful--
Sign in to comment -
2 additional answers
Sort by: Most helpful
-
Gloria Gu 3,941 Reputation points2020-10-29T06:32:33.35+00:00 @Kamran Ahmed Hi,
Thank you for posting in Q&A!
After my research for relate information, there're two ways to enable SMB audit:
1.Add registry Key
Path "HKLM Local Machine:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
AuditSmb1Access -Type DWORD -Value 1 –Force2.Or you can use the PowerShell command:
Set-SmbServerConfiguration –AuditSmb1Access $trueAccording to the offical document, if you want to run this command on Windows Server 2008 R2 , they must installed the May 2018 monthly update. But please understand that since On January 14, 2020, support for Windows Server 2008 and 2008 R2 ended. So unfortunately, we don't have the environment for test.
For more details about this command, please refer to:
detect-enable-and-disable-smbv1-v2-v3Hope you have a nice day!
Gloria============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.-
Kamran Ahmed 271 Reputation points
2020-10-29T07:50:52.053+00:00 Thank you for the details info, i have tried the 2nd command and this does not work, we have over 200 server 2008 R2 servers. The first option should work.
-
Gloria Gu 3,941 Reputation points
2020-10-29T08:24:55.477+00:00 You're welcome. Happy to see that you solved your problem~
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 36%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMZ%3C/text%3E%3C/svg%3E)
Marco Zoppi 1 Reputation point2022-06-09T15:02:17.427+00:00 Hi, I tried to add the registry key on my Fileserver cluster with 2 host windows server 2008 R2. I need to restart to see this logs?
I tried to searching on my event viewer but I not found smb eventcan you explain details please? what event I need su searching?
I tried to use a filter also on system and smbServer event but nothing.thanks