I enabled SMB1 auditing on my DCs to see if anything is using SMB1 to connect, and I'm seeing a strange client address in the log. It looks like it may be a JCIFS client, which I'd never heard of before. How do I track down where that is coming from?
SMB1 access
Client Address: JCIFS3_15_D7
Guidance:
This event indicates that a client attempted to access the server using SMB1. To stop auditing SMB1 access, use the Windows PowerShell cmdlet Set-SmbServerConfiguration.
Simplest solution may be a wireshark (or similar) capture.
--please don't forget to upvote
and Accept as answer
if the reply is helpful--
Hi there,
To detect status, enable, and disable SMB protocols on the SMB Server you can use the below PowerShell commands.
Detect:
Get-SmbServerConfiguration | Select EnableSMB1Protocol
Disable:
Set-SmbServerConfiguration -EnableSMB1Protocol $false
Enable:
Set-SmbServerConfiguration -EnableSMB1Protocol $true
How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3
You can also use Process Monitor to detect this. Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. https://learn.microsoft.com/en-us/sysinternals/downloads/procmon
-----------------------------------------------------------------------------------------------------------------------------------------------------------
--If the reply is helpful, please Upvote and Accept it as an answer--
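An added example, not part of the original answers: one way to summarise the SMB1 audit events from the question per client address, with first and last seen times to narrow a capture window. It assumes auditing was enabled with Set-SmbServerConfiguration -AuditSmb1Access $true, that the events are ID 3000 in the Microsoft-Windows-SMBServer/Audit log, and that the message contains the "Client Address:" line shown in the excerpt; the 7-day look-back is an arbitrary choice.

```powershell
# Added example: summarise SMB1 audit events per client address.
# Assumptions: events are ID 3000 in Microsoft-Windows-SMBServer/Audit and
# the message text carries a "Client Address:" line as in the excerpt above.
$filter = @{
    LogName   = 'Microsoft-Windows-SMBServer/Audit'
    Id        = 3000
    StartTime = (Get-Date).AddDays(-7)   # look-back window, adjust as needed
}

# No matching events is not an error worth stopping on.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$summary = $events | ForEach-Object {
    # Pull the client address out of the rendered message text.
    if ($_.Message -match 'Client Address:\s*(\S+)') {
        [pscustomobject]@{
            Client = $Matches[1]
            Time   = $_.TimeCreated
        }
    }
} | Group-Object Client | ForEach-Object {
    # @() keeps indexing safe when a client appears only once.
    $times = @($_.Group.Time | Sort-Object)
    [pscustomobject]@{
        Client    = $_.Name
        Count     = $_.Count
        FirstSeen = $times[0]
        LastSeen  = $times[-1]
    }
} | Sort-Object Count -Descending

$summary | Format-Table -AutoSize
```

The excerpt shows a name rather than an IP address in the Client Address field, so the FirstSeen and LastSeen timestamps are what tie an event to a source IP in a packet capture of SMB traffic (TCP 445 and 139) on the DC.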