Phasing out old SMB

1. Can I remove SMB 1.0?

SMB 1.0 Support in Windows Server 2012 R2 / Windows Server 2016

A new version of the SMB 3 protocol was introduced in Windows Server 2012 R2 (technically SMB 3.02, since SMB 3.0 first appeared in Windows Server 2012). You can now disable the driver of the legacy SMB 1.0 protocol and block its components from loading. If you disable SMB 1.0, outdated OS versions (Windows XP, Server 2003) and clients of the same era (Mac OS X 10.8 Mountain Lion, Snow Leopard, Mavericks, older Linux versions) will no longer be able to access shared files on file servers running Windows Server 2012 R2 / 2016.

Contents

SMB versions in Windows

Stop Using SMBv1 Protocol

SMB 1.0 in Windows Server 2012 R2

SMB 1.0 in Windows Server 2016

SMB versions in Windows

SMB (Server Message Block, sometimes called LAN Manager) is a network protocol for remote access to files, printers and other network services. The connection uses TCP port 445. The different versions of the SMB protocol appeared in the following Windows versions:

  • CIFS – Windows NT 4.0
  • SMB 1.0 – Windows 2000
  • SMB 2.0 – Windows Server 2008 and Windows Vista SP1
  • SMB 2.1 – Windows Server 2008 R2 and Windows 7
  • SMB 3.0 – Windows Server 2012 and Windows 8 (added SMB encryption)
  • SMB 3.02 – Windows Server 2012 R2 and Windows 8.1
  • SMB 3.1.1 – Windows Server 2016 and Windows 10

In network communication over SMB, the client and the server use the highest version of the SMB protocol supported by both sides.

The summary table of SMB version compatibility looks like this. Using this table, you can determine the version of the SMB protocol that is selected when different versions of Windows interact:

| Operating System | Windows 10, Server 2016 | Windows 8.1, Server 2012 R2 | Windows 8, Server 2012 | Windows 7, Server 2008 R2 | Windows Vista, Server 2008 | Windows XP, Server 2003 and earlier |
|---|---|---|---|---|---|---|
| Windows 10, Windows Server 2016 | SMB 3.1.1 | SMB 3.02 | SMB 3.0 | SMB 2.1 | SMB 2.0 | SMB 1.0 |
| Windows 8.1, Server 2012 R2 | SMB 3.02 | SMB 3.02 | SMB 3.0 | SMB 2.1 | SMB 2.0 | SMB 1.0 |
| Windows 8, Server 2012 | SMB 3.0 | SMB 3.0 | SMB 3.0 | SMB 2.1 | SMB 2.0 | SMB 1.0 |
| Windows 7, Server 2008 R2 | SMB 2.1 | SMB 2.1 | SMB 2.1 | SMB 2.1 | SMB 2.0 | SMB 1.0 |
| Windows Vista, Server 2008 | SMB 2.0 | SMB 2.0 | SMB 2.0 | SMB 2.0 | SMB 2.0 | SMB 1.0 |
| Windows XP, 2003 and earlier | SMB 1.0 | SMB 1.0 | SMB 1.0 | SMB 1.0 | SMB 1.0 | SMB 1.0 |

For example, if a client computer running Windows 7 connects to a file server with Windows Server 2012 R2, the SMB 2.1 protocol will be used.

Tip. You can check which version of the SMB protocol a client uses to connect to the server with the PowerShell command:

Get-SmbConnection

On the file server side, you can display a list of the versions of the SMB protocols that the clients are currently using. Run the command:

Get-SmbSession | Select-Object -ExpandProperty Dialect | Sort-Object -Unique

[Screenshot: Get-SmbSession output showing the Dialect versions in use]

In this example, there are 898 clients connected to the server using SMB 2.1 (Windows 7/ 2008 R2) and 8 clients via SMB 3.02 (Windows 8.1 / 2012 R2).

According to the table, Windows XP and Windows Server 2003 can only use SMB 1.0 to access folders and files, and SMB 1.0 can be disabled in newer versions of Windows Server (2012 R2 / 2016). So, if your infrastructure contains computers running Windows XP (no longer supported) or Windows Server 2003 / R2 alongside servers running Windows Server 2012 R2 / 2016, be aware that these legacy clients will not be able to access files and folders on a file server running the new OS. If Windows Server 2016 / 2012 R2 is used as a domain controller, Windows XP / Server 2003 clients won’t be able to execute logon scripts (NETLOGON) or apply some of the group policies stored in network folders on the domain controllers (for example, when the Central Store for ADMX templates is used). If an old client tries to connect to a shared folder on a file server with SMBv1 disabled, it receives the following error message:

The specified network name is no longer available

Stop Using SMBv1 Protocol

Today the SMB 1.0 protocol is obsolete and has a large number of critical vulnerabilities (recall the recent ransomware incidents, WannaCry and NotPetya, which exploited a vulnerability in the SMBv1 protocol). Microsoft and other IT companies strongly recommend that you stop using SMBv1 in your network.

If there are clients in your network running Windows XP and Windows Server 2003 /R2, they should be migrated as soon as possible to newer versions of Microsoft’s OS or carefully isolated.

SMB 1.0 in Windows Server 2012 R2

If you open the list of Windows Server 2012 R2 components, you can see a feature named SMB 1.0/CIFS File Sharing Support, which is not installed. The SMB 1.0 driver itself still works, however. If you install this feature, the Computer Browser service appears in the system. This feature is the SMB 1.0 client, without which this server cannot connect to other computers that support only the SMBv1 protocol.

[Screenshot: the SMB 1.0/CIFS File Sharing Support feature in Windows Server 2012 R2]

Tip. If you don’t need SMB 1.0 support for computers running Windows XP or Windows Server 2003, you can remove this feature to reduce system load and improve security, as shown below:

Remove-WindowsFeature FS-SMB1

Then on the server side you need to completely disable SMB 1.0 with the command:

Set-SmbServerConfiguration -EnableSMB1Protocol $false

By default, both the SMB 1 and SMB 2 drivers are loaded in Windows Server 2012. To confirm this, open the properties of the Server (LanmanServer) system service; on the Dependencies tab you can see that the Server SMB 1.xxx Driver and the Server SMB 2.xxx Driver are running on the server at the same time.

[Screenshot: Windows Server 2012 LanmanServer dependencies showing the SMB 1.xxx and SMB 2.xxx drivers]

If you open the properties of the LanmanServer service on Windows 2012 R2, you can see that the driver supporting SMB 1.0 is excluded from the dependencies.

[Screenshot: Windows Server 2012 R2 LanmanServer dependencies showing only the SMB 2 driver]

However, this does not mean that the SMB 1.0 driver is not working. To check whether SMB 1.0 is enabled on the server side, you can use the command:

Get-SmbServerConfiguration | Select EnableSMB1Protocol

[Screenshot: Get-SmbServerConfiguration output showing EnableSMB1Protocol = True]

As you can see, the SMB1 protocol in Windows Server 2012 R2 is enabled despite the absence of the SMB 1.0/CIFS File Sharing Support feature and driver dependencies for the LanmanServer service.
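A read-only audit that combines the checks above (the FS-SMB1 feature state, EnableSMB1Protocol, the LanmanServer dependencies, and the dialects of currently connected clients from Get-SmbSession), as an added example that is not part of the original guide. The function name Get-Smb1Status is my own; it assumes an elevated PowerShell session on Windows Server 2012 R2 or 2016.

```powershell
# Added example (not from the original guide): report every SMB 1.0 indicator
# discussed above in one object, and list the clients that still negotiate an
# SMB 1.x dialect, so you know who will break before disabling the protocol.
# Run in an elevated PowerShell session on the file server / domain controller.

function Get-Smb1Status {
    [CmdletBinding()]
    param()

    # 1. Is the SMB 1.0/CIFS File Sharing Support feature (the SMB1 client) installed?
    $feature = Get-WindowsFeature -Name FS-SMB1

    # 2. Is the SMB1 protocol enabled on the server side?
    $serverCfg = Get-SmbServerConfiguration

    # 3. Does LanmanServer still depend on the legacy Srv driver ("SamSS Srv")
    #    instead of only Srv2? DependOnService is a REG_MULTI_SZ (string array).
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer'
    $depends = (Get-ItemProperty -Path $regPath -Name DependOnService).DependOnService

    # 4. Which connected clients negotiated SMB 1.x? Dialect is a string such as
    #    "2.1" or "3.02"; casting to [version] gives a safe numeric comparison.
    $smb1Clients = Get-SmbSession -ErrorAction SilentlyContinue |
        Where-Object { ([version]$_.Dialect).Major -lt 2 } |
        Select-Object ClientComputerName, ClientUserName, Dialect

    [pscustomobject]@{
        FeatureInstalled    = [bool]$feature.Installed
        EnableSMB1Protocol  = $serverCfg.EnableSMB1Protocol
        LanmanServerDepends = ($depends -join ' ')
        Smb1DriverInDepends = [bool]($depends -contains 'Srv')
        ActiveSmb1Sessions  = @($smb1Clients).Count
        Smb1Clients         = $smb1Clients
    }
}

$status = Get-Smb1Status
$status | Format-List

if ($status.ActiveSmb1Sessions -gt 0) {
    Write-Warning "$($status.ActiveSmb1Sessions) client(s) still use SMB 1.x; migrate or isolate them before running Set-SmbServerConfiguration -EnableSMB1Protocol `$false."
    $status.Smb1Clients | Format-Table -AutoSize
}
```

The script changes nothing; run it on each file server and domain controller before and after the Remove-WindowsFeature and Set-SmbServerConfiguration steps to confirm the result.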

To restore the access of XP/2003 (and other legacy) clients over SMB to the file servers/domain controllers on Windows Server 2012 R2, you can enable SMB 1 support as follows. First, enable the protocol in the server settings:

Set-SmbServerConfiguration -EnableSMB1Protocol $true

Then enable the SMB 1.0 dependencies in Windows Server 2012 R2 through the registry: go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer and change the DependOnService value from SamSS Srv2 to SamSS Srv.

[Screenshot: the DependOnService value of the LanmanServer service set to SamSS Srv]

After that, reboot the system and make sure that the SMB 1.0 driver is working again.

[Screenshot: SMB 1.0 support restored on Windows Server 2012 R2]

These actions should be performed on all file servers and domain controllers to which legacy versions of clients are connected.

SMB 1.0 in Windows Server 2016

In Windows Server 2016, support for SMB 1.0 on the client side is also enabled as a separate feature, which can be found in the Add/Remove Features Wizard. This component is also called SMB 1.0 / CIFS File Sharing Support.

[Screenshot: Windows Server 2016, enabling the SMB 1.0 feature]

You can disable SMB v1 and completely remove the component with the commands:

Remove-WindowsFeature FS-SMB1
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

[Screenshot: Windows Server 2016, disabling SMB 1.0]

Note. Complete manual to disable SMB 1.0 on Windows 10 / Server 2016

Starting from Windows Server 2016 1709 (and Windows 10 Fall Creators Update), the SMBv1 component (both client and server) is disabled by default (guest access via SMBv2 is disabled as well). To access legacy systems that support only the outdated version of the protocol, it must be installed separately: install the SMB 1.0/CIFS File Sharing Support feature and enable SMB 1.0 with the commands:

Add-WindowsFeature FS-SMB1
Set-SmbServerConfiguration -EnableSMB1Protocol $true


2. Encryption on SMB 3

Traffic Encryption in SMB 3.0

Version 3.0 of the Server Message Block (SMB) protocol, introduced in Windows Server 2012 / Windows 8, made it possible to encrypt the data transferred over the network between the SMB file server and its clients. Encryption is transparent from the client’s point of view and does not require significant setup or resources, unlike deploying a VPN, IPSec or a PKI infrastructure. The latest version, SMB 3.1.1 (used in Windows 10 and Windows Server 2016), uses AES-128-GCM encryption, which significantly improves performance; in addition, data signing and verification are performed automatically.

Let’s look at how SMB encryption is implemented in Windows Server 2012. First of all, keep in mind that when a client and a server support different SMB versions, the highest SMB version supported by both is selected when the connection is established. This means that clients running Windows versions earlier than Windows 8 / Server 2012 cannot work with a network folder that has SMB encryption enabled.

On the file server, you can get the version of the SMB protocol used by clients (the version of the protocol used is shown in the Dialect column):

Get-SmbConnection

[Screenshot: Get-SmbConnection output showing the SMB protocol versions in use]

By default, encryption of SMB traffic is disabled on a Windows Server 2012 file server. You can enable it individually for each SMB share or for all SMB connections.

To enable encryption for a specific share, open the Server Manager console on your server and go to File and Storage Services –> Shares. Select the desired shared folder and open its properties. Then go to the Settings tab, enable Encrypt Data Access and save the changes.

[Screenshot: the Encrypt Data Access option in the SMB share properties on Windows Server 2012]

You can also enable SMB encryption from the PowerShell console. To enable encryption for one share (here named Install):

Set-SmbShare -Name Install -EncryptData $true

Or for all SMB connections to the server (to shared folders or administrative resources):

Set-SmbServerConfiguration -EncryptData $true


After SMB encryption is enabled for a network share, all legacy clients (earlier than Windows 8) will be unable to connect to this share, since they do not support SMB 3.0. To let these Windows clients access the share (as a rule this is temporary; otherwise there is little point in enabling encryption), you can allow connections to the server without encryption:

Set-SmbServerConfiguration -RejectUnencryptedAccess $false

Tip. Once this mode is enabled, a connecting client can fall back to the outdated and insecure SMB 1.0 (in Windows Server 2012 R2, SMB 1.0 is already disabled by default). In this case, to at least partially secure your server, it is better to disable SMB 1.0 support:

Set-SmbServerConfiguration -EnableSMB1Protocol $false
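An added example (not from the original guide) that reports the encryption posture covered in this section: shares without EncryptData, the server-wide EncryptData and RejectUnencryptedAccess settings, and the connected clients on dialects below SMB 3.0 that will lose access once encryption is required. Get-SmbEncryptionReport is an assumed name; it assumes an elevated PowerShell session on Windows Server 2012 or later.

```powershell
# Added example (not from the original guide): audit SMB encryption on a file
# server and preview enabling it on every share that is still unencrypted.
# Run in an elevated PowerShell session on Windows Server 2012 or later.

function Get-SmbEncryptionReport {
    [CmdletBinding()]
    param(
        # Administrative shares (C$, ADMIN$, IPC$, ...) are skipped unless requested.
        [switch]$IncludeAdminShares
    )

    # Server-wide settings: EncryptData forces encryption on all connections,
    # RejectUnencryptedAccess ($true by default) refuses clients that cannot encrypt.
    $cfg = Get-SmbServerConfiguration

    $shares = Get-SmbShare | Where-Object { $IncludeAdminShares -or -not $_.Special }
    $unencrypted = $shares | Where-Object { -not $_.EncryptData } |
        Select-Object Name, Path, EncryptData

    # Clients on SMB 2.x or 1.x cannot use an encrypted share: they are the
    # ones that will fail after EncryptData is set. Dialect is a string such
    # as "2.1" or "3.02"; [version] makes the comparison numeric.
    $legacy = Get-SmbSession -ErrorAction SilentlyContinue |
        Where-Object { [version]$_.Dialect -lt [version]'3.0' } |
        Select-Object ClientComputerName, ClientUserName, Dialect

    [pscustomobject]@{
        ServerEncryptData       = $cfg.EncryptData
        RejectUnencryptedAccess = $cfg.RejectUnencryptedAccess
        UnencryptedShares       = $unencrypted
        PreSmb3Sessions         = $legacy
    }
}

$report = Get-SmbEncryptionReport
$report | Format-List

if (@($report.PreSmb3Sessions).Count -gt 0) {
    Write-Warning 'Clients below SMB 3.0 are connected; they will be refused once encryption is required.'
    $report.PreSmb3Sessions | Format-Table -AutoSize
}

# Preview enabling encryption on each unencrypted share. -WhatIf only shows
# what would change; remove it to apply the setting.
foreach ($share in $report.UnencryptedShares) {
    Set-SmbShare -Name $share.Name -EncryptData $true -Force -WhatIf
}
```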

