SOLVED: How To Disable SMB1 and Keep Safe From WannaCry Variants

Even the latest Windows 10 1703 still has SMB1 enabled by default.  If you want to keep yourself safe from WannaCry / WannaCrypt0r 2 variants you need to disable SMB 1.0.

You can disable SMB 1.0 in 5 ways:

A – How to Disable SMB 1 using the GUI

  1. Click the START button and type FEATURES
  2. Click TURN WINDOWS FEATURES ON OR OFF
  3. Scroll through the list and uncheck SMB 1.0/CIFS FILE SHARING SUPPORT

B – How to Disable SMB 1 using a PowerShell Script:

Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB1 -Type DWORD -Value 0  – Force

C – How to Disable SMB 1 using CMD Line:

DISM /online /disable-feature /featurename:SMB1Protocol

D – How to Disable SMB 1 using a GPO:

  1. Create a new GPO and edit it
  2. Expand COMPUTER > PREFERENCES > WINDOWS > REGISTRY
  3. Right click and one at a time add the following three entries:

    Action:
    Create
    Hive: HKEY_LOCAL_MACHINE
    Key Path: SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    Value name: SMB1
    Value type: REG_DWORD
    .
    Value data: 0Action: Update
    Hive: HKEY_LOCAL_MACHINE
    Key Path: SYSTEM\CurrentControlSet\services\mrxsmb10
    Value name: Start
    Value type: REG_DWORD
    .
    Value data: 4Action: Replace
    Hive: HKEY_LOCAL_MACHINE
    Key Path: SYSTEM\CurrentControlSet\Services\LanmanWorkstation
    Value name: DependOnService
    Value type REG_MULTI_SZ
    Value data:
    • Bowser
    • MRxSmb20
    • NSI
      Note: These 3 strings will NOT have bullets

For details read THIS Microsoft post.

E – How to Disable SMB 1 by Editing the Registry:

Create the registry entries specified in step 3 of option “D” above

 

How to Verify SMB 1.0 Is Disabled:

Note that there appears to be no ready way to test and confirm that SMB 1.0 is disabled.  In fact I found that after setting the GPO that both the GUI and the following command showed that SMB 1.0 was still enabled.

DISM /online /get-features /format:table | more

Microsoft Partner Support tells me “…already use GPP to set the registry value to 0. Per the current information we have, if the value is 0, then the SMBv1 is disabled. For the UI of features, it just shows this computer has the ability to provide SMBv1 service, however, whether the service is enabled or not, the switch is in the registry.

If you want to see the discussion I had with Partner Support, which includes many screen shots, click HERE.

.

Published by
Ian Matthews

This website uses cookies.