
Methods to enable / disable SMBv1, SMBv2, and SMBv3 in the Windows server

2025-01-17 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article describes how to enable or disable Server Message Block (SMB) versions SMBv1, SMBv2, and SMBv3 on the SMB client and server components.

Note: it is recommended that the following operations be done by a professional technical engineer.

Effects of disabling SMBv2 and SMBv3

We recommend that you do not disable SMBv2 or SMBv3. Disable SMBv2 or SMBv3 only as a temporary troubleshooting measure. Do not leave SMBv2 or SMBv3 disabled.

Impact of disabling SMBv2

In Windows 7 and Windows Server 2008 R2, disabling SMBv2 disables the following features:

Request compounding - allows multiple SMB 2 requests to be sent as a single network request

Larger reads and writes - makes better use of faster networks

Caching of folder and file properties - clients keep local copies of folders and files

Durable handles - allow a connection to reconnect transparently to the server after a temporary disconnection

Improved message signing - HMAC SHA-256 replaces MD5 as the hashing algorithm

Improved scalability for file sharing - the number of users, shares, and open files per server is greatly increased

Support for symbolic links

Client oplock leasing model - limits the data transferred between the client and the server, improving performance on high-latency networks and increasing SMB server scalability

Large MTU support - takes full advantage of 10 Gigabit Ethernet (GbE)

Improved energy efficiency - clients that have files open to a server can sleep

Impact of disabling SMBv3

In Windows 8, Windows 8.1, Windows 10, Windows Server 2012, and Windows Server 2016, disabling SMBv3 disables the following features (and the SMBv2 features described in the above list):

Transparent failover - clients reconnect to cluster nodes without interruption during maintenance or failover

Scale out - concurrent access to shared data on all file cluster nodes

Multichannel - aggregation of network bandwidth and fault tolerance if multiple paths are available between client and server

SMB Direct - adds RDMA network support for very high performance, low latency, and low CPU utilization

Encryption - provides end-to-end encryption and protects against eavesdropping on untrusted networks

Directory leasing - improves application response times in branch offices through caching

Performance optimizations - optimizations for small random read/write I/O

Enable / disable the SMB protocol on the SMB server

Windows 8 and Windows Server 2012

Windows 8 and Windows Server 2012 introduced the new Set-SMBServerConfiguration Windows PowerShell cmdlet. With this cmdlet, you can enable or disable SMBv1, SMBv2, and SMBv3 protocols on the server component.

Note: because SMBv2 and SMBv3 share the same stack, SMBv3 is also enabled or disabled when SMBv2 is enabled or disabled in Windows 8 or Windows Server 2012.

Using the PowerShell cmdlet

After you run the Set-SmbServerConfiguration cmdlet, you do not need to restart the computer.

To get the current state of the SMB server protocol configuration, run the following cmdlet:

Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol

To disable SMBv1 on the SMB server, run the following cmdlet:

Set-SmbServerConfiguration -EnableSMB1Protocol $false

To disable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:

Set-SmbServerConfiguration -EnableSMB2Protocol $false

To enable SMBv1 on the SMB server, run the following cmdlet:

Set-SmbServerConfiguration -EnableSMB1Protocol $true

To enable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:

Set-SmbServerConfiguration -EnableSMB2Protocol $true

Windows 7, Windows Server 2008 R2, Windows Vista and Windows Server 2008

To enable or disable the SMB protocol on an SMB server running Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, use Windows PowerShell or Registry Editor.

Using Windows PowerShell 2.0 or a later version of PowerShell

To disable SMBv1 on the SMB server, run the following cmdlet:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

To disable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 0 -Force

To enable SMBv1 on the SMB server, run the following cmdlet:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force

To enable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 -Force

Note: after making these changes, you must restart your computer.

Use the Registry Editor

Note: the following section contains information about how to modify the registry. Be sure to back up the registry before you modify it, and make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, see "How to back up and restore the registry in Windows".

To enable or disable SMBv1 on the SMB server, configure the following registry key:

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Registry entry: SMB1

REG_DWORD: 0 = disabled

REG_DWORD: 1 = enabled

Default: 1 = enabled

To enable or disable SMBv2 on the SMB server, configure the following registry key:

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Registry entry: SMB2

REG_DWORD: 0 = disabled

REG_DWORD: 1 = enabled

Default: 1 = enabled

Enable / disable the SMB protocol on the SMB client

Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8 and Windows Server 2012

Note: because SMBv2 and SMBv3 share the same stack, SMBv3 is also enabled or disabled when SMBv2 is enabled or disabled in Windows 8 or Windows Server 2012.

To disable SMBv1 on the SMB client, run the following commands:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

sc.exe config mrxsmb10 start= disabled

To enable SMBv1 on the SMB client, run the following commands:

sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi

sc.exe config mrxsmb10 start= auto

To disable SMBv2 and SMBv3 on the SMB client, run the following commands:

sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi

sc.exe config mrxsmb20 start= disabled

To enable SMBv2 and SMBv3 on the SMB client, run the following commands:

sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi

sc.exe config mrxsmb20 start= auto

Note:

You must run these commands from an elevated command prompt.

After making these changes, you must restart your computer.

Disable the SMBv1 server using Group Policy

This configures the following new entry in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Registry entry: SMB1

REG_DWORD: 0 = Disabled

Configure the process using Group Policy

1. Open the Group Policy Management console. Right-click the Group Policy object (GPO) that should contain the new preferences, and then click Edit.

2. In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.

3. Right-click the Registry node, point to New, and then select Registry Item.

4. In the New Registry Properties dialog box, select the following:

Action: Create

Hive: HKEY_LOCAL_MACHINE

Registry key path: SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Value name: SMB1

Value type: REG_DWORD

Value data: 0

Apply this Group Policy to all necessary workstations, servers, and domain controllers in the domain to disable the SMBv1 server component. You can also use WMI filters to exclude unsupported operating systems or selected exclusions, such as Windows XP.

Note: be careful when you make these changes on domain controllers where legacy Windows XP or older Linux and third-party systems (which do not support SMBv2 or SMBv3) require access to SYSVOL or other file shares over SMBv1.

Disable SMBv1 clients using Group Policy

To disable the SMBv1 client, you need to update the services registry key to disable the start of MRxSMB10, and then remove the dependency on MRxSMB10 from the LanmanWorkstation entry so that it can start normally without requiring MRxSMB10 to start first.

This updates and replaces the default values in the following two entries in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb10

Registry entry: Start

REG_DWORD: 4 = Disabled

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation

Registry entry: DependOnService

REG_MULTI_SZ: "Bowser", "MRxSmb20", "NSI"

Note: MRxSMB10, which is included by default, is now removed as a dependency.

Configure the process using Group Policy

1. Open the Group Policy Management console. Right-click the Group Policy object (GPO) that should contain the new preferences, and then click Edit.

2. In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.

3. Right-click the Registry node, point to New, and then select Registry Item.

4. In the New Registry Properties dialog box, select the following:

Action: Update

Hive: HKEY_LOCAL_MACHINE

Registry key path: SYSTEM\CurrentControlSet\services\mrxsmb10

Value name: Start

Value type: REG_DWORD

Value data: 4

Then remove the dependency on the MRxSMB10 that you just disabled.

5. In the New Registry Properties dialog box, select the following:

Action: Replace

Hive: HKEY_LOCAL_MACHINE

Registry key path: SYSTEM\CurrentControlSet\Services\LanmanWorkstation

Value name: DependOnService

Value type: REG_MULTI_SZ

Value data:

Bowser

MRxSmb20

NSI

Note: these three strings do not have bullets.

In multiple versions of Windows, the default value includes MRxSMB10, and by replacing it with this multi-valued string, MRxSMB10 as a LanmanServer dependency is effectively removed, resulting in a reduction from four default values to the above three values.

Note: when using the Group Policy Management console, you do not need to use quotation marks or commas. Just type each item on each line, as shown above.

Restart required

After the policy is applied and the registry settings are in place, you must restart the target system before SMBv1 is disabled.

Summary

If all settings are in the same group policy object (GPO), Group Policy Management displays the following settings.

Testing and verification

After the configuration is complete, allow the policy to replicate and update. As needed for testing, run gpupdate /force from a CMD.EXE prompt, and then check the target computer to ensure that the registry settings are applied correctly. Ensure that SMBv2 and SMBv3 are functioning properly on all other systems in the environment.

Note: be sure to restart the target system.
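
One way to script the registry check described above, run on the target computer after gpupdate. This is an added example, not part of Microsoft's documentation or the original article; the function names are illustrative, and the expected values are the ones this article configures.

```powershell
# Added example: read-only check of the registry values this article sets.
# Function names are illustrative; expected values come from the article.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns nothing ($null) when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function New-Check([string]$Setting, $Actual, [bool]$Pass) {
    # PSObject + Select-Object keeps the column order on PowerShell 2.0 as well.
    if ($null -eq $Actual) { $Actual = '(not set)' }
    New-Object PSObject -Property @{ Setting = $Setting; Actual = $Actual; Pass = $Pass } |
        Select-Object Setting, Actual, Pass
}

function Test-Smb1Hardening {
    $smb1  = Get-RegValue "$svc\LanmanServer\Parameters" 'SMB1'
    $smb2  = Get-RegValue "$svc\LanmanServer\Parameters" 'SMB2'
    $start = Get-RegValue "$svc\mrxsmb10" 'Start'
    $deps  = @(Get-RegValue "$svc\LanmanWorkstation" 'DependOnService')

    # Server: SMB1 must be 0. A missing value means the default, 1 = enabled.
    New-Check 'LanmanServer SMB1 = 0' $smb1 ($smb1 -eq 0)
    # Server: SMB2 must not be left at 0 (a missing value means the default, enabled).
    New-Check 'LanmanServer SMB2 <> 0' $smb2 ($smb2 -ne 0)
    # Client: the mrxsmb10 driver must be disabled (Start = 4).
    # A missing value is reported as a failure so that it is reviewed by hand.
    New-Check 'mrxsmb10 Start = 4' $start ($start -eq 4)
    # Client: LanmanWorkstation must depend on MRxSmb20 but no longer on MRxSmb10.
    New-Check 'DependOnService without MRxSmb10' ($deps -join ', ') `
        (($deps -notcontains 'MRxSmb10') -and ($deps -contains 'MRxSmb20'))
}

$report = Test-Smb1Hardening
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Pass }) {
    Write-Warning 'At least one setting differs from the expected value. Check GPO application.'
}
```

The script only reads the registry, so it shows what is configured; the settings take effect after the restart this article requires.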

How to easily remove SMBv1 in Windows 8.1, Windows 10, Windows 2012 R2, and Windows Server 2016

Windows Server: using the Server Manager

Windows Server: using PowerShell (Remove-WindowsFeature FS-SMB1)

Windows client: using add or remove programs

Windows client: using PowerShell (Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol)

Reference and applicability

This article comes from Microsoft's official technical documentation: how to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server.

If there are any changes, the official Microsoft documentation prevails.

The information in this article applies to:

Windows 10 Pro released in July 2015

Windows 10 Enterprise released in July 2015

Windows Vista Enterprise

Windows Vista Business

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Ultimate

Windows 7 Enterprise

Windows 7 Home Basic

Windows 7 Home Premium

Windows 7 Professional

Windows 7 Ultimate

Windows Server 2008 Datacenter

Windows Server 2008 Enterprise

Windows Server 2008 Standard

Windows Server 2008 R2 Datacenter

Windows Server 2008 R2 Enterprise

Windows Server 2008 R2 Standard

Windows 8

Windows 8 Enterprise

Windows 8 Pro

Windows Server 2012 Datacenter

Windows Server 2012 Essentials

Windows Server 2012 Foundation

Windows Server 2012 Standard

Windows Server 2016
