Why and how to disable SMB1 on Windows 10/8/7
Though security concerns with systems are nothing new, the mess caused by the WannaCrypt ransomware has prompted immediate action among netizens. The ransomware targets vulnerabilities in the SMB service of the Windows operating system to propagate.
SMB, or Server Message Block, is a network file sharing protocol meant for sharing files, printers, etc., between computers. There are three versions: Server Message Block (SMB) version 1 (SMBv1), SMB version 2 (SMBv2), and SMB version 3 (SMBv3). Microsoft recommends that you disable SMB1 for security reasons, and it is now more important to do so in view of the WannaCrypt or WannaCry ransomware epidemic.
Disable SMB1 on Windows
To defend yourself against WannaCrypt ransomware, it is imperative that you disable SMB1 as well as install the patches released by Microsoft. Let us take a look at some of the ways to disable SMB1.
Turn Off SMB1 via Control Panel
- Open Control Panel > Programs & Features > Turn Windows features on or off.
- In the list of options, one option would be SMB 1.0/CIFS File Sharing Support. Uncheck the checkbox associated with it and press OK.
- Restart your computer.
Disable SMBv1 using PowerShell
Open a PowerShell window as administrator, type the following command and hit Enter to disable SMB1:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
If, for some reason, you need to temporarily disable SMB version 2 & version 3, use this command:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 0 -Force
It is recommended to disable SMB version 1 since it is outdated and uses technology that is almost 30 years old.
According to Microsoft, when you use SMB1, you lose key protections offered by later SMB protocol versions, such as:
- Pre-authentication Integrity (SMB 3.1.1+) – Protects against security downgrade attacks.
- Insecure guest auth blocking (SMB 3.0+ on Windows 10+) – Protects against MiTM attacks.
- Secure Dialect Negotiation (SMB 3.0, 3.02) – Protects against security downgrade attacks.
- Better message signing (SMB 2.02+) – HMAC SHA-256 replaces MD5 as the hashing algorithm in SMB 2.02, SMB 2.1 and AES-CMAC replaces that in SMB 3.0+. Signing performance increases in SMB2 and 3.
- Encryption (SMB 3.0+) – Prevents inspection of data on the wire, MiTM attacks. In SMB 3.1.1 encryption performance is even better than signing.
In case you wish to enable them later (not recommended for SMB1), the commands would be as follows:
For enabling SMB1:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force
For enabling SMB2 & SMB3:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 -Force
Disable SMB1 using Windows registry
You can also tweak the Windows Registry to disable SMB1.
Run regedit and navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
In the right pane, the DWORD SMB1 should not be present or should have a value of 0.
The values for enabling and disabling it are as follows:
- 0 = Disabled
- 1 = Enabled
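To confirm the result of any of the methods above, the following read-only check can be run from an elevated PowerShell window. It is an added example, not part of the original article: the function name Get-SmbRegistryState is hypothetical, and the script assumes Get-SmbServerConfiguration and Get-WindowsOptionalFeature (Windows 8 and later), falling back to the registry values alone where they are missing.

```powershell
# Added example: read-only audit of the SMB settings discussed on this page.
# It changes nothing; run it before and after applying one of the methods above.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbRegistryState {
    param([string]$Name)   # 'SMB1' or 'SMB2' value under LanmanServer\Parameters
    $prop = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    # An absent value means no explicit setting: the OS default applies,
    # so the effective state must be confirmed with the checks further down.
    if ($null -eq $prop) { return 'NotSet (OS default applies)' }
    switch ($prop.$Name) {
        0       { 'Disabled' }
        1       { 'Enabled' }
        default { "Unexpected value: $($prop.$Name)" }
    }
}

$report = [ordered]@{
    'Registry SMB1' = Get-SmbRegistryState -Name 'SMB1'
    'Registry SMB2' = Get-SmbRegistryState -Name 'SMB2'
}

# Effective SMB server configuration, where the cmdlet exists.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $cfg = Get-SmbServerConfiguration
    $report['Server EnableSMB1Protocol'] = $cfg.EnableSMB1Protocol
    $report['Server EnableSMB2Protocol'] = $cfg.EnableSMB2Protocol
} else {
    $report['Server configuration'] = 'Cmdlet not available; rely on the registry values'
}

# State of the "SMB 1.0/CIFS File Sharing Support" Windows feature (the Control Panel checkbox).
if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $report['Feature SMB1Protocol'] = if ($feature) { $feature.State } else { 'Feature not found' }
}

$report.GetEnumerator() | Format-Table -Property Name, Value -AutoSize
```

If the registry value and the effective server configuration disagree, the restart step has usually not been performed yet.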