Disabling SMBv1 through Group Policy
Version 1 of the Server Message Block (SMB) protocol was developed in the early days of personal computer networking, and as Ned Pyle describes in his blog post, Stop using SMB1 there are many reasons to cease using it on your networks. We have added that recommendation to our baseline, and have exposed a way to do so through Group Policy editors for local or domain GPOs by adding to the custom “MS Security Guide” ADMX. That said, the settings that need to be manipulated are not a natural fit for GPO management, so you need to be careful while using it. Applying settings incorrectly can cause serious problems.
We wanted these custom settings to work for all supported versions of Windows and to be reversible so that SMBv1 could be re-enabled if necessary. Due to the limitations of the ADMX syntax, we ended up implementing it through three separate settings:
- Configure SMB v1 server, to disable or enable server-side processing of the SMBv1 protocol. This is a simple Enabled/Disabled/Not Configured setting that controls the “SMB1” registry value in HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.
- Configure SMB v1 client driver, to configure the startup mode for the kernel mode driver that implements client-side SMBv1 processing (MrxSmb10). This setting includes a dropdown that is activated when the Enabled radio button is selected and that controls the “Start” registry value in HKLM\SYSTEM\CurrentControlSet\Services\MrxSmb10. Note that choosing the “Disabled” radio button deletes the “Start” value, so don’t do that! See the explain text shown in the table below if you need to restore default behavior. Note that the “Disabled” radio button is not the same thing as the dropdown value, “Disable driver (recommended).”
- Configure SMB v1 client (extra setting…) , which is needed only for older Windows versions. This setting controls the “DependOnService” REG_MULTI_SZ value in HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation, which represents the service and driver dependencies of the Workstation service (internal name: LanmanWorkstation). Older versions of Windows configure LanmanWorkstation with a dependency on the SMBv1 client driver (MrxSmb10) running, which can be problematic if MrxSmb10 is disabled. So this setting enables you to configure the LanmanWorkstation service’s dependencies directly. The setting’s Explain text describes exactly what to enter into the text box. Unfortunately, there is no way for the ADMX to offer a choice of predefined REG_MULTI_SZ values. You have to type – or copy/paste – the text yourself. And here again, choosing the “Disabled” radio button deletes the DependOnService value, which would be very bad, so don’t do that!
This table lists the settings and corresponding explain text from the Group Policy editor:
|Setting name||Explain text|
|Configure SMB v1 server||Disabling this setting disables server-side processing of the SMBv1 protocol. (Recommended.)Enabling this setting enables server-side processing of the SMBv1 protocol. (Default.)Changes to this setting require a reboot to take effect.For more information, see https://support.microsoft.com/kb/2696547|
|Configure SMB v1 client driver||Configures the SMB v1 client driver's start type.To disable client-side processing of the SMBv1 protocol, select the "Enabled" radio button, then select "Disable driver" from the dropdown.WARNING: DO NOT SELECT THE "DISABLED" RADIO BUTTON UNDER ANY CIRCUMSTANCES!For Windows 7 and Servers 2008, 2008R2, and 2012, you must also configure the "Configure SMB v1 client (extra setting needed for pre-Win8.1/2012R2)" setting.To restore default SMBv1 client-side behavior, select "Enabled" and choose the correct default from the dropdown:* "Manual start" for Windows 7 and Windows Servers 2008, 2008R2, and 2012;* "Automatic start" for Windows 8.1 and Windows Server 2012R2 and newer.Changes to this setting require a reboot to take effect.For more information, see https://support.microsoft.com/kb/2696547|
|Configure SMB v1 client (extra setting needed for pre-Win8.1/2012R2)||APPLIES ONLY TO: Windows 7 and Windows Servers 2008, 2008R2 and 2012 (NOT 2012R2):To disable client-side processing of the SMBv1 protocol (recommended), do ALL of the following:* Set the SMBv1 client driver to "Disable driver" using the "Configure SMB v1 client driver" setting;* Enable this setting;* In the "Configure LanmanWorkstation dependencies" text box, enter the following three lines of text:BowserMRxSmb20NSITo restore the default behavior for client-side SMBv1 protocol processing, do ALL of the following:* Set the SMBv1 client driver to "Manual start" using the "Configure SMB v1 client driver" setting;* Enable this setting;* In the "Configure LanmanWorkstation dependencies" text box, enter the following four lines of text:BowserMRxSmb10MRxSmb20NSIWARNING: DO NOT SELECT THE "DISABLED" RADIO BUTTON UNDER ANY CIRCUMSTANCES!Changes to this setting require a reboot to take effect.For more information, see https://support.microsoft.com/kb/2696547|
You can obtain the "MS Security Guide" ADMX template in the download associated with the draft baseline for Windows 10 v1703 here. Copy SecGuide.admx into your %windir%\PolicyDefinitions directory, and copy SecGuide.adml into the en-us subdirectory.