Partager via


Disabling SMBv1 through Group Policy

Version 1 of the Server Message Block (SMB) protocol was developed in the early days of personal computer networking, and as Ned Pyle describes in his blog post, Stop using SMB1 there are many reasons to cease using it on your networks. We have added that recommendation to our baseline, and have exposed a way to do so through Group Policy editors for local or domain GPOs by adding to the custom “MS Security Guide” ADMX. That said, the settings that need to be manipulated are not a natural fit for GPO management, so you need to be careful while using it. Applying settings incorrectly can cause serious problems.

We wanted these custom settings to work for all supported versions of Windows and to be reversible so that SMBv1 could be re-enabled if necessary. Due to the limitations of the ADMX syntax, we ended up implementing it through three separate settings:

  • Configure SMB v1 server, to disable or enable server-side processing of the SMBv1 protocol. This is a simple Enabled/Disabled/Not Configured setting that controls the “SMB1” registry value in HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.
  • Configure SMB v1 client driver, to configure the startup mode for the kernel mode driver that implements client-side SMBv1 processing (MrxSmb10). This setting includes a dropdown that is activated when the Enabled radio button is selected and that controls the “Start” registry value in HKLM\SYSTEM\CurrentControlSet\Services\MrxSmb10. Note that choosing the “Disabled” radio button deletes the “Start” value, so don’t do that! See the explain text shown in the table below if you need to restore default behavior. Note that the “Disabled” radio button is not the same thing as the dropdown value, “Disable driver (recommended).”
  • Configure SMB v1 client (extra setting…) , which is needed only for older Windows versions. This setting controls the “DependOnService” REG_MULTI_SZ value in HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation, which represents the service and driver dependencies of the Workstation service (internal name: LanmanWorkstation). Older versions of Windows configure LanmanWorkstation with a dependency on the SMBv1 client driver (MrxSmb10) running, which can be problematic if MrxSmb10 is disabled. So this setting enables you to configure the LanmanWorkstation service’s dependencies directly. The setting’s Explain text describes exactly what to enter into the text box. Unfortunately, there is no way for the ADMX to offer a choice of predefined REG_MULTI_SZ values. You have to type – or copy/paste – the text yourself. And here again, choosing the “Disabled” radio button deletes the DependOnService value, which would be very bad, so don’t do that!

This table lists the settings and corresponding explain text from the Group Policy editor:

Setting name Explain text
Configure SMB v1 server Disabling this setting disables server-side processing of the SMBv1 protocol. (Recommended.)Enabling this setting enables server-side processing of the SMBv1 protocol. (Default.)Changes to this setting require a reboot to take effect.For more information, see https://support.microsoft.com/kb/2696547
Configure SMB v1 client driver Configures the SMB v1 client driver's start type.To disable client-side processing of the SMBv1 protocol, select the "Enabled" radio button, then select "Disable driver" from the dropdown.WARNING: DO NOT SELECT THE "DISABLED" RADIO BUTTON UNDER ANY CIRCUMSTANCES!For Windows 7 and Servers 2008, 2008R2, and 2012, you must also configure the "Configure SMB v1 client (extra setting needed for pre-Win8.1/2012R2)" setting.To restore default SMBv1 client-side behavior, select "Enabled" and choose the correct default from the dropdown:* "Manual start" for Windows 7 and Windows Servers 2008, 2008R2, and 2012;* "Automatic start" for Windows 8.1 and Windows Server 2012R2 and newer.Changes to this setting require a reboot to take effect.For more information, see https://support.microsoft.com/kb/2696547
Configure SMB v1 client (extra setting needed for pre-Win8.1/2012R2) APPLIES ONLY TO: Windows 7 and Windows Servers 2008, 2008R2 and 2012 (NOT 2012R2):To disable client-side processing of the SMBv1 protocol (recommended), do ALL of the following:* Set the SMBv1 client driver to "Disable driver" using the "Configure SMB v1 client driver" setting;* Enable this setting;* In the "Configure LanmanWorkstation dependencies" text box, enter the following three lines of text:BowserMRxSmb20NSITo restore the default behavior for client-side SMBv1 protocol processing, do ALL of the following:* Set the SMBv1 client driver to "Manual start" using the "Configure SMB v1 client driver" setting;* Enable this setting;* In the "Configure LanmanWorkstation dependencies" text box, enter the following four lines of text:BowserMRxSmb10MRxSmb20NSIWARNING: DO NOT SELECT THE "DISABLED" RADIO BUTTON UNDER ANY CIRCUMSTANCES!Changes to this setting require a reboot to take effect.For more information, see https://support.microsoft.com/kb/2696547

You can obtain the "MS Security Guide" ADMX template in the download associated with the draft baseline for Windows 10 v1703 here. Copy SecGuide.admx into your %windir%\PolicyDefinitions directory, and copy SecGuide.adml into the en-us subdirectory.

Comments

  • Anonymous
    June 15, 2017
    It would be helpful to include a link to where you get the “MS Security Guide” ADMX.[Aaron Margosis] Thanks. I'll update the post with that information. In the meantime, it's in the download package with the draft baseline here.[Aaron Margosis] Updated.
    • Anonymous
      June 19, 2017
      I've opened the Windows-10-RS2-Security-Baseline package and while the Policy seems to contain some SMBv1 settings, the ADMX templates included in the package do not seem to contain some of the above definitions, such as "Configure SMB v1 client (extra setting needed for pre-Win8.1/2012R2)"[Aaron Margosis] Copy the *.ADMX files to the %windir%\PolicyDefinitions directory, and the *.ADML files to the en-us subdirectory. If the Group Policy editor is open, close it and then re-open.
    • Anonymous
      June 23, 2017
      Thank-you!
  • Anonymous
    June 16, 2017
    The comment has been removed
  • Anonymous
    June 18, 2017
    Thank you, Group Policy for disabling SMBv1.I hope which ADMX file need to disable SMBv1.Is it SecGuide.admx ?[Aaron Margosis] Yes. Put SecGuide.admx in the %windir%\PolicyDefinitions directory and SecGuide.adml in the en-us subdirectory.
  • Anonymous
    June 20, 2017
    Can you confirm whether setting the "Configure LanmanWorkstation dependencies" as described above will NOT have any impact on Windows 8 (and server 2012R") and above. i.e. if the above settings are applied in a generic policy for all Windows OS client version or do they need to be specifically segregated.[Aaron Margosis] You should segregate them, and not apply the "extra setting needed for pre-Win8.1/2012R2" to Win8.1/2012R2 or newer.
  • Anonymous
    June 20, 2017
    For the two settings with "WARNING: DO NOT SELECT THE “DISABLED” RADIO BUTTON UNDER ANY CIRCUMSTANCES!" what is the behavior when going from 'Enabled' to 'Not Configured'?[Aaron Margosis] The last-applied settings should remain in place -- "tattooed."
  • Anonymous
    June 28, 2017
    The comment has been removed
  • Anonymous
    June 29, 2017
    I've applied a new GPO to my test ou.Can I confirm that once this Group Policy is applied the SMBv1 flag within "Turn on-turn Off Windows Features" will remain in place?Is there a way to confirm that the Policy has in fact disabled SMBv1 on the client.I was hoping to use this as opposed to the Powershell method.
  • Anonymous
    July 13, 2017
    The "Supported On" section of these settings says at least Windows 2008/7. Sounds like a mistake.[Aaron Margosis] You are correct. It should be all supported OSes, which is Win7 and newer, and Server 2008 and newer.
  • Anonymous
    August 30, 2017
    The comment has been removed
  • Anonymous
    October 13, 2017
    I have a GPO for Windows 2012 R2 and 2016 on which I configured the 2 respective settings to disable SMB1 Server and Client. Is it a problem if some of these servers also have SMB1 actually uninstalled as a Windows feature?[Aaron Margosis] Should not be a problem.
  • Anonymous
    November 29, 2017
    Hi - I've added in secguide.admx and secguide to the correct directories above ( %windir%\PolicyDefinitions and en-us subdirectory) and still do not see option to enable these features - have shutdown Group Policy Manager