SMB1 should die

Part of the reason the WannaCry outbreak got so big is that a lot of systems were not running the latest security patches. SMB1 is an old protocol designed in the early 1990s. If the WannaCry outbreak showed us anything, it's that old protocols can be dangerous. Leaving old (unsupported) protocols enabled exposes your systems to vulnerabilities.

Already in September 2016, I posted an article discussing the issues associated with using SMB1. We all know that disabling stuff might lead to other issues, but if you don't disable old protocols, it's just a matter of time before someone finds a vulnerability and forces you to disable the protocol.

Most of the time the biggest problem is the vendors of third-party software. Last year a client got an e-mail from a software company telling them not to install the latest web browsers because these wouldn't support the necessary Java and ActiveX plugins. While everyone knew this was going to happen, it still took them 7 months to update their software after the support ended, forcing the client to use old, vulnerable, unsupported browsers for over half a year.

Software developers are not going to update their software until everyone stops using old protocols.

How to disable SMB1

There are several ways to disable SMB1; which one you use depends on your personal preference. You only need to perform one of these three to fully disable SMB1.

PowerShell

Start Windows PowerShell as administrator and use the following command to disable SMB1:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

Reboot your computer. SMB1 is now disabled.

This essentially only changes a registry value, something you could also do using the registry editor.

Registry

Open the registry editor and navigate to the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Set the SMB1 DWORD value to 0 (disabled).

Reboot your computer. SMB1 is now disabled.

Control Panel

You can also disable SMB1 using the Windows GUI.

Open the Control Panel and choose “Programs and Features”, then click “Turn Windows features on or off”.

In the Windows Features list disable SMB1 by unchecking “SMB 1.0/CIFS File Sharing Support”.

Reboot your computer. SMB1 is now disabled.
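
A check to run after the reboot, added here as an example and not part of the original article: it reads the SMB1 registry value from the steps above, the setting the SMB server reports, the Windows feature state, and the SMB1 client driver (mrxsmb10), which the LanmanServer registry value does not touch. The function name Get-Smb1Status is made up for this example; Get-SmbServerConfiguration and Get-WindowsOptionalFeature are assumed to be available (Windows 8 / Server 2012 and later) and are skipped where they are not.

```powershell
# Added example: read-only check of SMB1 state. Run elevated, after the reboot.
# Get-Smb1Status is a name made up for this example.
function Get-Smb1Status {
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    # 1) Registry value written by the PowerShell / Registry methods (server side).
    #    A missing value means the OS default applies, so report that explicitly.
    $reg = Get-ItemProperty -Path "$svc\LanmanServer\Parameters" -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $reg)      { $regState = 'not set (OS default)' }
    elseif ($reg.SMB1 -eq 0) { $regState = 'disabled' }
    else                     { $regState = 'enabled' }

    # 2) What the SMB server itself reports (cmdlet absent on older Windows: skip).
    $server = 'cmdlet not available'
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # 3) Windows feature toggled by the Control Panel method.
    $feature = 'not reported'
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($f) { $feature = [string]$f.State }
    }

    # 4) SMB1 client driver. Start = 4 means disabled; no key or value means not present.
    $drv = Get-ItemProperty -Path "$svc\mrxsmb10" -Name Start -ErrorAction SilentlyContinue
    if ($null -eq $drv)       { $client = 'driver not present' }
    elseif ($drv.Start -eq 4) { $client = 'disabled' }
    else                      { $client = "enabled (Start=$($drv.Start))" }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        RegistrySMB1     = $regState
        ServerEnableSMB1 = $server
        OptionalFeature  = $feature
        ClientDriver     = $client
    }
}

Get-Smb1Status | Format-List
```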