Please set the record straight on correctly disabling SMBv1

Over the past 6 months - I have been making efforts to ensure that SMBv1 is not on our network machines in any capacity - and for the most part it has worked ok.

I use Windows 10 ENT on the workstations and Windows 2016 on the servers.

But I remain confused on the actual correct way to disable this ugly protocol.

If one believes what we see on the Internet - the most common advice is to roll over to:

Control Panel->Programs and Features->Turn Windows Features on or off - and uncheck the box indicated below.

Attachment 215718

This does in fact disable SMBv1 but also takes the Computer Browser service with it - which will begin to show it's weaknesses depending on your network devices (like routers) and even some apps - that still need the Computer Browser service to be available.

Then there is the PowerShell method. In my testing - I see that I can leave ALL the SMBv1 stuff enabled in Windows 10 (checkbox in the graphic above left on) and then run this command in an admin PS window:

Set-SmbServerConfiguration -EnableSMB1Protocol $false

Then run this to confirm

Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol

This does in fact kill the protocal - while seemingly leaving the Network Browsing capability - unbroken.

So - which is the right method?

Even more crazy - why when I run the Powershell command - does the WIndows SMBv1 feature set remain on? Clearly there is no connection between this command and the Add/Remove Features UI - but if the protocol is in fact off - this seems like a decent compromise - Network browsing still works and the nasty SMBv1 protocol is disabled (I hope).

Thoughts?

Sonic.

Brink said:

That PowerShell command is for Windows 8, and could be why it still allows Network Browsing for it in Windows 10.

Not quite sure I agree with this since most (3, 4 and 5) of these options focus specifically on only dealing with the concept of Add/Remove Windows Features - which is a brute force method to remove everything (UI bits, Services etc). Only Options 1 and 2 deal with the actual protocol itself (From a networking services (LanMan) standpoint)

So what if I do not want to remove "everything" - what if I just want to ensure the protocol itself is just disabled?

If I run this PowerShell command on Windows 10 ENT: (With the SMB options checked on in Add/Remove Win Features)

Set-SmbServerConfiguration -EnableSMB1Protocol $false

Followed by this command:

Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol

I get the following display.

Attachment 215732

Telling me that the SMBv1 protocol (AND just the protocol) is now disabled. While the "features" remain untouched over in Windows Add/Remove Features.

I believe what Powershell is telling me is correct. And just because this command "appears" to be Windows 8 centric (actually many reputable sites out there indicate that this is THE true way to check if the SMB protocol is enabled OR disabled on Windows 8 and up) - does not necessarily mean the command does not work on Win 10.

Even more curious is that after I run that PS command on Windows 10 - the registry key discussed in your Option 1 (Seemingly for Win 7 only) - is now in fact set to DWORD 0.

Since Windows 10 ENT is not complaining about any of these changes - I am convinced the protocol is actually disabled BUT the feature bits AND the Computer Browser service remain untouched and functioning.

It is this "combo" state that needs some real investigation. While I certainly do not want to promote any sort of SMB attack vector on my network - I also do not want to lose Network Browsing and all the other stuff that comes with having the SMB "features" left on within Windows Add/Remove Features

Sonic.