
WannaCry - Disabling SMB


straycat19


How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server

Summary
This article describes how to enable and disable Server Message Block (SMB) version 1 (SMBv1), SMB version 2 (SMBv2), and SMB version 3 (SMBv3) on the SMB client and server components. 

 

Warning: We do not recommend that you disable SMBv2 or SMBv3. Disable SMBv2 or SMBv3 only as a temporary troubleshooting measure. Do not leave SMBv2 or SMBv3 disabled.

 

In Windows 7 and Windows Server 2008 R2, disabling SMBv2 deactivates the following functionality:
Request compounding - allows for sending multiple SMB 2 requests as a single network request
Larger reads and writes - better use of faster networks
Caching of folder and file properties - clients keep local copies of folders and files
Durable handles - allow for connection to transparently reconnect to the server if there is a temporary disconnection
Improved message signing - HMAC SHA-256 replaces MD5 as hashing algorithm
Improved scalability for file sharing - number of users, shares, and open files per server greatly increased
Support for symbolic links
Client oplock leasing model - limits the data transferred between the client and server, improving performance on high-latency networks and increasing SMB server scalability
Large MTU support - for full use of 10-gigabyte (GB) Ethernet
Improved energy efficiency - clients that have open files to a server can sleep
In Windows 8, Windows 8.1, Windows 10, Windows Server 2012, and Windows Server 2016, disabling SMBv3 deactivates the following functionality (and also the SMBv2 functionality that's described in the previous list):
Transparent Failover - clients reconnect without interruption to cluster nodes during maintenance or failover
Scale Out – concurrent access to shared data on all file cluster nodes 
Multichannel - aggregation of network bandwidth and fault tolerance if multiple paths are available between client and server
SMB Direct – adds RDMA networking support for very high performance, with low latency and low CPU utilization
Encryption – Provides end-to-end encryption and protects from eavesdropping on untrustworthy networks
Directory Leasing - Improves application response times in branch offices through caching
Performance Optimizations - optimizations for small random read/write I/O

More Information

 

The SMBv2 protocol was introduced in Windows Vista and Windows Server 2008. 

 

The SMBv3 protocol was introduced in Windows 8 and Windows Server 2012.

 

For more information about the capabilities of SMBv2 and SMBv3, go to the following Microsoft TechNet websites:

 

Server Message Block overview

What's New in SMB  


How to enable or disable SMB protocols on the SMB server
Windows 8 and Windows Server 2012

Windows 8 and Windows Server 2012 introduce the new Set-SMBServerConfiguration Windows PowerShell cmdlet. The cmdlet enables you to enable or disable the SMBv1, SMBv2, and SMBv3 protocols on the server component.

 

Notes When you enable or disable SMBv2 in Windows 8 or in Windows Server 2012, SMBv3 is also enabled or disabled. This behavior occurs because these protocols share the same stack. 

 

You do not have to restart the computer after you run the Set-SMBServerConfiguration cmdlet.

 

To obtain the current state of the SMB server protocol configuration, run the following cmdlet:
Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol

 

To disable SMBv1 on the SMB server, run the following cmdlet:
Set-SmbServerConfiguration -EnableSMB1Protocol $false

 

To disable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:
Set-SmbServerConfiguration -EnableSMB2Protocol $false

 

To enable SMBv1 on the SMB server, run the following cmdlet:
Set-SmbServerConfiguration -EnableSMB1Protocol $true

 

To enable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:
Set-SmbServerConfiguration -EnableSMB2Protocol $true

 

Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008

To enable or disable SMB protocols on an SMB Server that is running Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, use Windows PowerShell or Registry Editor.

 

Windows PowerShell 2.0 or a later version of PowerShell

To disable SMBv1 on the SMB server, run the following cmdlet:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

 

To disable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 0 -Force

 

To enable SMBv1 on the SMB server, run the following cmdlet:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force

 

To enable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 -Force

 

Note You must restart the computer after you make these changes.

 

Registry Editor

 

Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows

 

To enable or disable SMBv1 on the SMB server, configure the following registry key:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled

 

To enable or disable SMBv2 on the SMB server, configure the following registry key:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB2
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled

 

How to enable or disable SMB protocols on the SMB client

 

Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012

Note When you enable or disable SMBv2 in Windows 8 or in Windows Server 2012, SMBv3 is also enabled or disabled. This behavior occurs because these protocols share the same stack.

 

To disable SMBv1 on the SMB client, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

 

To enable SMBv1 on the SMB client, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi 
sc.exe config mrxsmb10 start= auto

 

To disable SMBv2 and SMBv3 on the SMB client, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi 
sc.exe config mrxsmb20 start= disabled

 

To enable SMBv2 and SMBv3 on the SMB client, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi 
sc.exe config mrxsmb20 start= auto


Notes
You must run these commands at an elevated command prompt.
You must restart the computer after you make these changes.

How to gracefully remove SMB v1 in Windows 8.1, Windows 10, Windows 2012 R2, and Windows Server 2016

Windows Server: Server Manager method

Windows Server: PowerShell method (Remove-WindowsFeature FS-SMB1)

Windows Client: Add or Remove Programs method

Windows Client: PowerShell method (Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol)

 

For more information, see Server storage at Microsoft.
Properties
Article ID: 2696547 - Last Review: 28-Feb-2017 - Revision: 23

Applies to
Windows 10 Pro released in July 2015, Windows 10 Enterprise released in July 2015, Windows Vista Enterprise, Windows Vista Business, Windows Vista Home Basic, Windows Vista Home Premium, Windows Vista Ultimate, Windows 7 Enterprise, Windows 7 Home Basic, Windows 7 Home Premium, Windows 7 Professional, Windows 7 Ultimate, Windows Server 2008 Datacenter, Windows Server 2008 Enterprise, Windows Server 2008 Standard, Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Standard, Windows 8, Windows 8 Enterprise, Windows 8 Pro, Windows Server 2012 Datacenter, Windows Server 2012 Datacenter, Windows Server 2012 Essentials, Windows Server 2012 Foundation, Windows Server 2012 Foundation, Windows Server 2012 Standard, Windows Server 2012 Standard, Windows Server 2016
 

 

Source

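A read-only check of the settings the article above changes, given here as an added example that is not part of the original post or of the Microsoft article. It reads the LanmanServer registry entries and the mrxsmb10/mrxsmb20 service settings named in the article, and reports when only one of the two sc.exe client commands was applied; the function names are hypothetical, and the Start value 4 (disabled) and the DependOnService value are standard Windows service registry settings.

```powershell
# Added example: read-only audit of the SMB settings discussed in the article.
# Function names are illustrative; nothing here modifies the system.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-SmbServerState {
    param([string]$Name)    # 'SMB1' or 'SMB2'
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value = Get-RegValue -Path $path -Name $Name
    # The article lists "Default: 1 = Enabled", so an absent entry means enabled.
    if ($null -eq $value) { return 'Enabled (entry absent, default applies)' }
    if ($value -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Get-SmbClientState {
    param([string]$Driver)  # 'mrxsmb10' or 'mrxsmb20'
    $services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $start = Get-RegValue -Path "$services\$Driver" -Name 'Start'
    $deps = @(Get-RegValue -Path "$services\LanmanWorkstation" -Name 'DependOnService')
    if ($null -eq $start) { return 'Driver service not present' }
    $disabled = ($start -eq 4)          # 4 = disabled start type
    $inDeps = ($deps -contains $Driver) # -contains is case-insensitive
    if ($disabled -and -not $inDeps) { return 'Disabled' }
    if (-not $disabled -and $inDeps) { return 'Enabled' }
    # Only one of the two sc.exe commands from the article took effect.
    return "Inconsistent (Start=$start, listed in LanmanWorkstation dependencies: $inDeps)"
}

$report = @(
    'SMB server, SMBv1      : ' + (Get-SmbServerState -Name 'SMB1')
    'SMB server, SMBv2/v3   : ' + (Get-SmbServerState -Name 'SMB2')
    'SMB client, SMBv1      : ' + (Get-SmbClientState -Driver 'mrxsmb10')
    'SMB client, SMBv2/v3   : ' + (Get-SmbClientState -Driver 'mrxsmb20')
)
$report
```

Registry and sc.exe changes need a restart, as the article notes, so this shows the configured state, which can differ from the running state until the computer is rebooted.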

Great article with valuable information!  ^_^

 

Kudos, [S]traycat19:flowers:



On 2017-5-14 at 4:54 PM, saeed_dc said:

Damn this thing targeted 99 countries, mostly UK hospitals are affected

Now more than 150 countries :(

The computer security companies Symantec and Kaspersky investigate whether North Korea is the distributor of the hostage software that last weekend became active worldwide.

Code in an early version of the hostage software WannaCry was sitting on associated with the Lazarus-Group, a group of computer criminals who from North Korea would operate. It can also, the distributors are the code have copied.

WannaCry enabled users to at least 150 countries are no longer with them files unless they are the distributors amount would be transferred.

source: Dutch tv - teletekst



16 minutes ago, tigertje said:

Now more than 150 countries :(

The computer security companies Symantec and Kaspersky investigate whether North Korea is the distributor of the hostage software that last weekend became active worldwide.

Code in an early version of the hostage software WannaCry was sitting on associated with the Lazarus-Group, a group of computer criminals who from North Korea would operate. It can also, the distributors are the code have copied.

WannaCry enabled users to at least 150 countries are no longer with them files unless they are the distributors amount would be transferred.

source: Dutch tv - teletekst

 

It was NSA, Dutch TV sucks ass. Don't listen to that bullshit

http://www.npr.org/sections/thetwo-way/2017/05/15/528439968/wannacry-ransomware-microsoft-calls-out-nsa-for-stockpiling-vulnerabilities

http://www.presstv.ir/Detail/2017/05/13/521690/NSA-spy-tool-used-in-global-ransomware-attack

 

 

Fortunately, our Iranian Antivirus programs could prevent it successfully while some big companies failed to do so.



54 minutes ago, saeed_dc said:

... Fortunately, our Iranian Antivirus programs could prevent it successfully ...

Thinking well is wise;

planning well, wiser;

but doing well is the wisest and best of all.  

~ Persian Proverb   :flowers:



2 hours ago, adi said:

Thinking well is wise;

planning well, wiser;

but doing well is the wisest and best of all.  

~ Persian Proverb   :flowers:

 

:flowers:thank you:flowers:



Archived

This topic is now archived and is closed to further replies.
