Stop Using SMB1
The NHS (National Health Service) in the U.K. has suffered a major ransomware attack affecting a large number of hospitals in the U.K. The attacker used this(patched) exploit.
This got me wondering about SMB1, I checked my homelab Windows Server 2012R2 file server and was surprised to see SMB1 enabled. It turns out SMB1 is still enabled by default…. There are cases where you have some legacy thing that only supports SMB1 but that’s the exception. So, How do you disable SMB1 in Windows Server 2012+?
- Check your SMB Server Configuration:
&>Get-SmbServerConfiguration | Select EnableSMB1Protocol EnableSMB1Protocol ------------------ False
- Disable:
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Confirm:$false
Script:
This will disable SMB1 on the servers fed to it.
param(
[parameter(Mandatory=$true)]
[String[]]$Computers
)
foreach($computer in $Computers){
$session = New-PSSession -ComputerName $computer
Invoke-Command -Session $session -ScriptBlock{
if((Get-SmbServerConfiguration).EnableSMB1Protocol){
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Confirm:$false
Write-Host "SMB1 disabled on $env:computername"
}
}
}
Run it like this:
./script.ps1 -Computers computer1,computer2,etc.
Bam! that’s it. It would probably be better to remove it entirely though.
We can do that easily!
-
Check to see if the FS-SMB1 feature is installed:
&>Get-WindowsFeature -Name FS-SMB1 Display Name Name Install State ------------ ---- ------------- [X] SMB 1.0/CIFS File Sharing Support FS-SMB1 Installed
-
Remove it:
&>Remove-WindowsFeature -Name FS-SMB1
Note: The server will require a restart to fully complete the operation.
Script:
param(
[parameter(Mandatory=$true)]
[String[]]$Computers
)
foreach($computer in $Computers){
$session = New-PSSession -ComputerName $computer
Invoke-Command -Session $session -ScriptBlock{
if((Get-WindowsFeature -Name "FS-SMB1").InstallState -eq "Installed"){
Remove-WindowsFeature -Name "FS-SMB1" | Out-Null
Write-Host "FS-SMB1 removed on $env:computername"
}
}
}
Run it like this:
./script.ps1 -Computers computer1,computer2,etc.
If you are using ansible you might want to make sure the role is removed when you run your initial playbook against the server. You can do so like this:
- name: Remove FS-SMB1 feature
win_feature: name: "FS-SMB1" state: absent restart: yes
Thats it! SMB1 should be off or removed unless you have very specific needs that require it for some reason.