Disable SMBv1 in Managed Environments (Group Policy)



After the WannaCry ransomware attack of recent weeks, it is important to patch against the known SMBv1 vulnerabilities addressed in MS17-010 and the subsequent KB 4013389 for Windows XP/2003. However, because of the numerous variants of WannaCrypt and the other known security issues with SMB v1 (e.g. man-in-the-middle attacks), many organizations have issued mandates to completely disable SMBv1 as a strategic security countermeasure against future threats.

An enterprise approach to disabling SMB v1 is to use Active Directory (AD) Group Policy preferences to configure and enforce the registry settings related to disabling SMBv1 client and server components for Windows Vista and Server 2008 and later.

Group Policy registry preference items allow you to create, update, replace, and delete keys and values in the Windows registry. The following are the registry keys that need to be created or updated to disable SMB v1.

Disable SMBv1 Server with Group Policy

This will configure the following new item in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Registry entry: SMB1, REG_DWORD: 0 = Disabled

To configure this using Group Policy:

Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.

In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder. Right-click the Registry node, point to New, and select Registry Item.


In the New Registry Properties dialog box, select the following:

Action: Create
Hive: HKEY_LOCAL_MACHINE
Key Path: SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Value name: SMB1
Value type: REG_DWORD
Value data: 0


This disables the SMBv1 Server components. This Group Policy needs to be applied to all necessary workstations, servers, and domain controllers in the domain.

Note: WMI filters can also be set to exclude unsupported operating systems or selected exclusions such as Windows XP.

Caution: Be careful when making these changes on domain controllers where legacy Windows XP or older Linux and 3rd party systems (that do not support SMBv2 or SMBv3) require access to SYSVOL or other file shares where SMBv1 is being disabled.

Disable SMBv1 Client with Group Policy

To disable the SMBv1 client, the services registry key must be updated so that the MRxSMB10 driver no longer starts, and the dependency on MRxSMB10 must then be removed from the LanmanWorkstation entry so that the Workstation service can start normally without requiring MRxSMB10 to start first.

This will update and replace the default values in the following 2 items in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb10

Registry entry: Start, REG_DWORD: 4 = Disabled

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation

Registry entry: DependOnService, REG_MULTI_SZ: "Bowser", "MRxSmb20", "NSI"

Note: The default value included MRxSMB10, which is now removed as a dependency.

To configure this using Group Policy:

Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.

In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.

Right-click the Registry node, point to New, and select Registry Item.


In the New Registry Properties dialog box, select the following:

Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SYSTEM\CurrentControlSet\services\mrxsmb10
Value name: Start
Value type: REG_DWORD
Value data: 4


Then remove the dependency on the MRxSMB10 that was just disabled.

In the New Registry Properties dialog box, select the following:

Action: Replace
Hive: HKEY_LOCAL_MACHINE
Key Path: SYSTEM\CurrentControlSet\Services\LanmanWorkstation
Value name: DependOnService
Value type: REG_MULTI_SZ
Value data: Bowser,MRxSmb20,NSI

Note: These 3 strings are entered without bullets, one per line.


The default value includes MRxSMB10 in many versions of Windows, so replacing it with this multi-string value in effect removes MRxSMB10 as a dependency of LanmanWorkstation, going from the four default values down to just the three values above.

Note: When using the Group Policy Management Console, there is no need to use quotation marks or commas. Just type each entry on its own line.
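The same three registry changes can be applied directly with PowerShell, which is useful for validating the settings on a lab machine before building the GPO, or for hosts that are not domain-joined. The script below is an added example and is not part of the original post; it assumes an elevated Windows PowerShell session on Windows Vista/Server 2008 or later. Unlike the GPP "Replace" action, it filters MRxSmb10 out of the existing DependOnService list instead of hard-coding the three remaining names, so any extra dependency present on a particular build is preserved. Run it with -WhatIf first to see what it would change.

```powershell
# Added example (not from the original post): apply the SMBv1 server and client
# registry settings described above to the local machine.
# Assumes an elevated PowerShell session. A reboot is still required afterwards.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$driverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
$wsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'

# 1. SMBv1 server: SMB1 = 0 (REG_DWORD). The value does not exist by default,
#    which is why the GPP action is "Create"; -Force creates or overwrites it.
if ($PSCmdlet.ShouldProcess($serverKey, 'Set SMB1 = 0')) {
    if (-not (Test-Path $serverKey)) { New-Item -Path $serverKey -Force | Out-Null }
    New-ItemProperty -Path $serverKey -Name 'SMB1' -PropertyType DWord -Value 0 -Force | Out-Null
}

# 2. SMBv1 client driver: mrxsmb10 Start = 4 (SERVICE_DISABLED).
if ($PSCmdlet.ShouldProcess($driverKey, 'Set Start = 4')) {
    Set-ItemProperty -Path $driverKey -Name 'Start' -Type DWord -Value 4
}

# 3. Workstation service: remove MRxSmb10 from DependOnService (REG_MULTI_SZ).
#    Filtering the current list (rather than writing Bowser,MRxSmb20,NSI verbatim)
#    keeps any other dependency this build happens to list. Comparison is
#    case-insensitive, matching how the registry treats the name.
$current = @((Get-ItemProperty -Path $wsKey -Name 'DependOnService').DependOnService)
$wanted  = @($current | Where-Object { $_ -ne 'MRxSmb10' })
if ($wanted.Count -eq $current.Count) {
    Write-Verbose 'MRxSmb10 is not listed in DependOnService; nothing to remove.'
}
elseif ($PSCmdlet.ShouldProcess($wsKey, "Set DependOnService = $($wanted -join ', ')")) {
    Set-ItemProperty -Path $wsKey -Name 'DependOnService' -Type MultiString -Value $wanted
}

Write-Output 'SMBv1 registry settings applied. Reboot this machine for them to take effect.'
```

Save the block as a .ps1 file and run it as `.\Disable-Smb1.ps1 -WhatIf` to preview the changes, then without -WhatIf to apply them; the reboot requirement in the next section applies just as it does for the Group Policy route.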

Reboot Required

After the policy has applied and the registry settings are in place, the targeted systems must be rebooted before SMBv1 is disabled.

Summary

If all the settings are in the same Group Policy Object (GPO), Group Policy Management lists the three registry preference items together under the Registry node.


Testing and Validation

Once these are configured, allow the policy to replicate and update. As necessary for testing, run gpupdate /force from a CMD.EXE prompt and then review the target machines to ensure the registry settings are being applied correctly. Make sure SMBv2 and SMBv3 are functioning for all other systems in the environment.
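Checking the registry by hand on each target does not scale, and a correct registry value does not by itself prove that SMBv1 is off, since the running configuration only changes after the reboot. The script below is an added example, not part of the original post: it reads the three values on a list of computers over PowerShell Remoting and reports whether each one matches the policy. The computer names are placeholders, and it assumes WinRM is enabled on the targets and that the caller has local administrator rights there. On Windows 8/Server 2012 and later it also reads the effective server-side state from Get-SmbServerConfiguration, so a host with compliant registry values but SMB1Running still True is one that has not yet been rebooted.

```powershell
# Added example (not from the original post): verify the SMBv1 registry settings
# delivered by the GPO across several computers and flag hosts still awaiting a reboot.
# Assumes PowerShell Remoting is enabled and the caller is a local admin on each target.
$targets = @('WS01', 'SRV01', 'DC01')   # placeholder names; replace with real hosts

$check = {
    $srvPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $drvPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
    $wsPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'

    # Missing values come back as $null rather than an error.
    $srv = Get-ItemProperty -Path $srvPath -Name SMB1            -ErrorAction SilentlyContinue
    $drv = Get-ItemProperty -Path $drvPath -Name Start           -ErrorAction SilentlyContinue
    $dep = Get-ItemProperty -Path $wsPath  -Name DependOnService -ErrorAction SilentlyContinue

    $serverOk = ($null -ne $srv) -and ($srv.SMB1 -eq 0)        # SMB1 = 0 present
    $driverOk = ($null -ne $drv) -and ($drv.Start -eq 4)       # mrxsmb10 disabled
    $depOk    = ($null -ne $dep) -and -not ($dep.DependOnService -contains 'MRxSmb10')

    # Effective server-side state; only available on Windows 8 / Server 2012 and later.
    # True here with compliant registry values means the host still needs a reboot.
    $running = 'n/a'
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $running = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        ServerSMB1Off   = $serverOk
        ClientDrvOff    = $driverOk
        DependencyFixed = $depOk
        Compliant       = ($serverOk -and $driverOk -and $depOk)
        SMB1Running     = $running
    }
}

# Hosts that are unreachable are reported as errors but do not stop the run.
Invoke-Command -ComputerName $targets -ScriptBlock $check -ErrorAction Continue |
    Select-Object Computer, ServerSMB1Off, ClientDrvOff, DependencyFixed, Compliant, SMB1Running |
    Sort-Object Compliant, Computer |
    Format-Table -AutoSize
```

Any row with Compliant False points at a host where the GPO has not applied yet (check gpresult or the filtering on that machine); a row with Compliant True and SMB1Running True is the reboot reminder from the caution below, made visible.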

Caution! Don’t forget to reboot the targeted systems.