SMB Version 1
SMBv1 is an older protocol, nearly 30 years old. It was designed when sophisticated attacks were not an issue. SMBv1 is the basis of attacks such as EternalBlue, otherwise known as MS17-011, and DoublePulsar. It should be disabled where possible. Its use is required where Windows XP and Windows 2003 are involved in file sharing or printing.
There are multiple ways to disable SMBv1.
- PowerShell: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol or Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -Remove
- Registry: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters > set SMB1 to 0
- Add Roles and Features in Control Panel
SMB Signing
To further enhance SMB security, enable SMB Signing. The signing policies are configured through Group Policy and are found here:
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
- Microsoft network server: Digitally sign communications (always)
- Microsoft network server: Digitally sign communications (if client agrees)
- Microsoft network client: Digitally sign communications (always)
- Microsoft network client: Digitally sign communications (if server agrees)
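To confirm that the SMBv1 and signing settings above actually took effect on a host, the following read-only audit can be run. It is an added example, not part of the original page; the function name Get-SmbHardeningReport is hypothetical, and it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, where the Get-SmbServerConfiguration and Get-SmbClientConfiguration cmdlets are available.

```powershell
# Added example (not from the original page): read-only audit of the SMBv1 and
# SMB signing settings described above. Get-SmbHardeningReport is a hypothetical name.
# Assumes an elevated session on Windows 8 / Server 2012 or later.
function Get-SmbHardeningReport {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # Optional feature state. The query returns nothing when it fails (for
    # example when not elevated), which is reported as unknown and not as a pass.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $state = "$($feature.State)"
    if (-not $state) { $state = 'unknown' }

    # Registry value SMB1. A missing value is reported as 'not set', because the
    # page's registry method only counts when the value is explicitly 0.
    $reg = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    $smb1 = if ($null -ne $reg) { $reg.SMB1 } else { 'not set' }

    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration

    # Helper that emits one report row.
    $row = {
        param($Setting, $Value, $Pass)
        [pscustomobject]@{ Setting = $Setting; Value = $Value; Pass = [bool]$Pass }
    }

    # SMBv1: 'Disabled' and 'DisabledWithPayloadRemoved' pass; a pending state does not.
    & $row 'SMB1Protocol optional feature' $state ($state -like 'Disabled*')
    & $row 'Registry SMB1 value' $smb1 ($smb1 -eq 0)
    & $row 'Server EnableSMB1Protocol' $server.EnableSMB1Protocol (-not $server.EnableSMB1Protocol)

    # Signing: the "(always)" policies must be on. The "(if ... agrees)" rows
    # also pass when "(always)" is on, since signing is then required anyway.
    $srvReq = $server.RequireSecuritySignature
    $cliReq = $client.RequireSecuritySignature
    & $row 'Server: sign communications (always)' $srvReq $srvReq
    & $row 'Server: sign communications (if client agrees)' $server.EnableSecuritySignature ($srvReq -or $server.EnableSecuritySignature)
    & $row 'Client: sign communications (always)' $cliReq $cliReq
    & $row 'Client: sign communications (if server agrees)' $client.EnableSecuritySignature ($cliReq -or $client.EnableSecuritySignature)
}

# Show the report; rows with Pass = False need attention.
Get-SmbHardeningReport | Format-Table -AutoSize
```

Any row with Pass set to False points to one of the settings listed above that is still in its weaker state on that machine.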