Impact when disabling SMBv2/v3 for all Windows Server 2016 OS and above? - Microsoft Q&A (2024)

FAQs

Is it safe to disable SMBv2? ›

Is it safe to disable SMB v2/v3 in Windows Server? In some situations, one may desire to disable SMB v2/v3 protocols in order to harden their systems. The immediate question is: Is this safe? As per Microsoft, "...we recommend that you do not disable SMBv2 or SMBv3.

While disabling or removing SMBv1 might cause some compatibility issues with old computers or software, SMBv1 has significant security vulnerabilities, and we strongly encourage you not to use it. SMB 1.0 isn't installed by default in any edition of Windows 11 or Windows Server 2019 and later.

A new hashing algorithm, HMAC SHA-256, makes SMB2. 0 more secure compared to the earlier dialects. With SMB3. 0, security has been further enhanced by the AES-CMAC algorithm, and with Windows 11, AES-256-GCM has been introduced.

Description. The remote version of Windows contains a version of SMBv2 (Server Message Block) protocol that has several vulnerabilities. An attacker may exploit these flaws to elevate his privileges and gain control of the remote host.

SMB1 is certainly fraught with security issues and should be discouraged. SMB2 is still fine and if disabled may cause some scanners to stop scan to folder and other options (and other devices might stop working as well as most have only just stopped using SMB1). Disable SMB1 first and check the effects.

The SMBv1 protocol is not safe to use. By using this old protocol, you lose protections such as pre-authentication integrity, secure dialect negotiation, encryption, disabling insecure guest logins, and improved message signing.

Disabling SMBv1 support may prevent access to file or print sharing resources with systems or devices that only support SMBv1. File shares and print services hosted on Windows Server 2003 are an example, however Windows Server 2003 is no longer a supported operating system.

Microsoft has since deprecated SMBv1 in favor of more secure and efficient versions. SMBv2 was introduced with Windows Vista and Windows Server 2008, bringing notable performance improvements, reduced complexity, and enhanced security.

Step 1: Open control panel Step 2: Navigate to programs and features. Step 3: Click on "Turn Windows features on or off. Step 4: Disable "(Server Message Block) SMB v1"Step 5 : Click ok.

What is SMB used for? ›

Server Message Block (SMB) enables file sharing, printer sharing, network browsing, and inter-process communication (through named pipes) over a computer network. SMB serves as the basis for Microsoft's Distributed File System implementation. SMB relies on the TCP and IP protocols for transport.

The Microsoft Server Message Block 1.0 (SMBv1) allows denial of service when an attacker sends specially crafted requests to the server, aka "Windows SMB Denial of Service Vulnerability".

These improvements help protect sensitive data from eavesdropping and man-in-the-middle attacks, making SMBv3 the most secure version of the protocol to date. To analyze SMB traffic using Wireshark, you can use display filters to focus on specific SMB versions.

In combination with systems where SMB signing is disabled, an attacker or malicious person can, by performing an NTLM relay attack, increase the privileges within the network. Depending on the network environment an attacker may be able to increase privileges to the highest level.

SMB2 is used to provide shared access to files, printers, and miscellaneous services.

Disabling SMB signing may be necessary if you're unable to disable guest usage for your third-party. However, this means that you're using guest access and preventing your client from ensuring signing to a trusted device. We don't recommend disabling SMB signing as a workaround for third-party servers.

Typically, you won't need to disable SMB Direct, however, you can disable it along with its features, by running the following Windows PowerShell commands. When you disable RDMA on either the client or the server, the systems can't use it.