Tắt smbv1

In this article

Applies to: Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server năm nhâm thìn, Windows Server 2012 R2, Windows Server 2012

This article describes how to enable and disable Server Message Block (SMB) version 1 (SMBv1), SMB version 2 (SMBv2), and SMB version 3 (SMBv3) on the SMB client và hệ thống components.

Bạn đang xem: Tắt smbv1

While disabling or removing SMBv1 might cause some compatibility issues with old computers or software, SMBv1 has significant security vulnerabilities và we strongly encourage you not to use it.

Disabling SMBv2 or SMBv3 for troubleshooting

While we recommend that you keep SMBv2 and SMBv3 enabled, you might find it useful to lớn disable one temporarily for troubleshooting, as described in How khổng lồ detect status, enable, và disable SMB protocols on the SMB Server.

In Windows 10, Windows 8.1, and Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, & Windows Server 2012, disabling SMBv3 deactivates the following functionality (và also the SMBv2 functionality that"s described in the previous list):

Transparent Failover - clients reconnect without interruption to lớn cluster nodes during maintenance or failoverScale Out – concurrent access to lớn shared data on all tệp tin cluster nodes Multichannel - aggregation of network bandwidth và fault tolerance if multiple paths are available between client và serverSMB Direct – adds RDMA networking tư vấn for very high performance, with low latency and low CPU utilizationEncryption – Provides end-to-kết thúc encryption & protects from eavesdropping on untrustworthy networksDirectory Leasing - Improves application response times in branch offices through cachingPerformance Optimizations - optimizations for small random read/write I/O

In Windows 7 and Windows Server 2008 R2, disabling SMBv2 deactivates the following functionality:

Request compounding - allows for sending multiple SMB 2 requests as a single network requestLarger reads and writes - better use of faster networksCaching of thư mục and file properties - clients keep local copies of folders & filesDurable handles - allow for connection to transparently reconnect to lớn the server if there is a temporary disconnectionImproved message signing - HMAC SHA-256 replaces MD5 as hashing algorithmImproved scalability for tệp tin sharing - number of users, shares, and open files per VPS greatly increasedSupport for symbolic linksClient oploông xã leasing Mã Sản Phẩm - limits the data transferred between the client and hệ thống, improving performance on high-latency networks và increasing SMB VPS scalabilityLarge MTU support - for full use of 10-gigabye (GB) EthernetImproved energy efficiency - clients that have sầu open files khổng lồ a server can sleep

The SMBv2 protocol was introduced in Windows Vista and Windows Server 2008, while the SMBv3 protocol was introduced in Windows 8 & Windows Server 2012. For more information about the capabilities of SMBv2 and SMBv3 capabilities, see the following articles:

Server Message Blochồng overview

What"s New in SMB

How lớn remove sầu SMB v1

Here"s how to lớn remove sầu SMBv1 in Windows 10, Windows 8.1, Windows Server 2019, Windows Server năm 2016, và Windows 2012 R2.

PowerShell methodsSMB v1 (client & server)

Detect:

Get-WindowsOptionalFeature -Online -FeatureName smb1protocolDisable:

Disable-WindowsOptionalFeature -Online -FeatureName smb1protocolEnable:

Enable-WindowsOptionalFeature -Online -FeatureName smb1protocolWindows Server 2012 R2, Windows Server năm nhâm thìn, Windows Server 2019: Server Manager method for disabling SMBSMB v1

*

Windows 8.1 and Windows 10: PowerShell methodSMB v1 Protocol

Detect:

Get-WindowsOptionalFeature -Online -FeatureName SMB1ProtocolDisable:

Disable-WindowsOptionalFeature -Online -FeatureName SMB1ProtocolEnable:

Enable-WindowsOptionalFeature -Online -FeatureName SMB1ProtocolSMB v2/v3 Protocol (only disables SMB v2/v3 Server)Detect:

Get-SmbServerConfiguration | Select EnableSMB2ProtocolDisable:

Set-SmbServerConfiguration -EnableSMB2Protocol $falseEnable:

Set-SmbServerConfiguration -EnableSMB2Protocol $trueWindows 8.1 and Windows 10: Add or Remove Programs method

*

How to detect status, enable, and disable SMB protocols on the SMB Server

For Windows 8 & Windows Server 2012

Windows 8 và Windows Server 2012 introduce the new Set-SMBServerConfiguration Windows PowerShell cmdlet. The cmdlet enables you khổng lồ enable or disable the SMBv1, SMBv2, and SMBv3 protocols on the server component. 


Note

When you enable or disable SMBv2 in Windows 8 or Windows Server 2012, SMBv3 is also enabled or disabled. This behavior occurs because these protocols nội dung the same stack.


You vị not have sầu to lớn restart the computer after you run the Set-SMBServerConfiguration cmdlet.

SMB v1 on SMB Server

Detect:

Get-SmbServerConfiguration | Select EnableSMB1ProtocolDisable:

Set-SmbServerConfiguration -EnableSMB1Protocol $falseEnable:

Set-SmbServerConfiguration -EnableSMB1Protocol $trueFor more information, see Server storage at onfire-bg.com.

SMB v2/v3 on SMB Server

Detect:

Get-SmbServerConfiguration | Select EnableSMB2ProtocolDisable:

Set-SmbServerConfiguration -EnableSMB2Protocol $falseEnable:

Set-SmbServerConfiguration -EnableSMB2Protocol $true

For Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008

To enable or disable SMB protocols on an SMB Server that is running Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, use Windows PowerShell or Registry Editor.

PowerShell methods
SMB v1 on SMB Server

Detect:

Get-Item HKLM:SYSTEMCurrentControlSetServicesLanmanServerParameters | ForEach-Object Get-ItemProperty $_.pspathDefault configuration = Enabled (No registry key is created), so no SMB1 value will be returned

Disable:

Set-ItemProperty -Path "HKLM:SYSTEMCurrentControlSetServicesLanmanServerParameters" SMB1 -Type DWORD -Value 0 -ForceEnable:

Set-ItemProperty -Path "HKLM:SYSTEMCurrentControlSetServicesLanmanServerParameters" SMB1 -Type DWORD -Value 1 -ForceNote You must restart the computer after you make these changes.For more information, see Server storage at onfire-bg.com.

SMB v2/v3 on SMB Server

Detect:

Get-ItemProperty HKLM:SYSTEMCurrentControlSetServicesLanmanServerParameters | ForEach-Object Get-ItemProperty $_.pspathDisable:

Set-ItemProperty -Path "HKLM:SYSTEMCurrentControlSetServicesLanmanServerParameters" SMB2 -Type DWORD -Value 0 -ForceEnable:

Set-ItemProperty -Path "HKLM:SYSTEMCurrentControlSetServicesLanmanServerParameters" SMB2 -Type DWORD -Value 1 -Force

Important

Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, bachồng up the registry for restoration in case problems occur.


To enable or disable SMBv1 on the SMB server, configure the following registry key:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesLanmanServerParameters

Registry entry: SMB1REG_DWORD: 0 = DisabledREG_DWORD: 1 = EnabledDefault: 1 = Enabled (No registry key is created)To enable or disable SMBv2 on the SMB hệ thống, configure the following registry key:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesLanmanServerParameters

Registry entry: SMB2REG_DWORD: 0 = DisabledREG_DWORD: 1 = EnabledDefault: 1 = Enabled (No registry key is created)

How lớn detect status, enable, & disable SMB protocols on the SMB Client

For Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, và Windows Server 2012


Note

When you enable or disable SMBv2 in Windows 8 or in Windows Server 2012, SMBv3 is also enabled or disabled. This behavior occurs because these protocols chia sẻ the same stachồng.


SMB v1 on SMB Client

Detect

sc.exe qc lanmanworkstationDisable:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsisc.exe pháo config mrxsmb10 start= disabledEnable:

sc.exe pháo config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsisc.exe cộ config mrxsmb10 start= autoFor more information, see Server storage at onfire-bg.com

SMB v2/v3 on SMB Client

Detect:

sc.exe qc lanmanworkstationDisable:

sc.exe cộ config lanmanworkstation depend= bowser/mrxsmb10/nsisc.exe pháo config mrxsmbtrăng tròn start= disabledEnable:

sc.exe cộ config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsisc.exe config mrxsmb20 start= auto
Note

You must run these commands at an elevated comm& prompt.You must restart the computer after you make these changes.

Disable SMBv1 Server with Group Policy

This procedure configures the following new sản phẩm in the registry:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesLanmanServerParameters

Registry entry: SMB1REG_DWORD: 0 = Disabled

To configure this by using Group Policy, follow these steps:

mở cửa the Group Policy Management Console. Right-cliông xã the Group Policy object (GPO) that should contain the new preference tòa tháp, & then cliông xã Edit.

In the console tree under Computer Configuration, expvà the Preferences thư mục, and then expand the Windows Settings folder.

Right-click the Registry node, point khổng lồ New, & select Registry Item.

Xem thêm: Http://Sieuanhhung - Pocketgamesol : Website Stats And Valuation

*

In the New Registry Propertiesdialog box, select the following:

Action: CreateHive: HKEY_LOCAL_MACHINEKey Path: SYSTEMCurrentControlSetServicesLanmanServerParametersValue name: SMB1Value type: REG_DWORDValue data: 0

*

This disables the SMBv1 Server components. This Group Policy must be applied lớn all necessary workstations, servers, & tên miền controllers in the domain.


Note

 WXiaoMI filters can also be mix to exclude unsupported operating systems or selected exclusions, such as Windows XPhường.


Important

Be careful when you make these changes on domain controllers on which legacy Windows XPhường or older Linux & third-tiệc nhỏ systems (that do not tư vấn SMBv2 or SMBv3) require access khổng lồ SYSVOL or other file shares where SMB v1 is being disabled.


Disable SMBv1 Client with Group Policy

To disable the SMBv1 client, the services registry key needs to lớn be updated to lớn disable the start of MRxSMB10 & then the dependency on MRxSMB10 needs to be removed from the entry for LanmanWorkstation so that it can start normally without requiring MRxSMB10 to first start.

This will update & replace the default values in the following two items in the registry:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetservicesmrxsmb10

Registry entry: Start REG_DWORD: 4= Disabled

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesLanmanWorkstation

Registry entry: DependOnService REG_MULTI_SZ: "Bowser","MRxSmb20″,"NSI"


To configure this by using Group Policy, follow these steps:

xuất hiện the Group Policy Management Console. Right-clichồng the Group Policy object (GPO) that should contain the new preference thành công, và then clichồng Edit.

In the console tree under Computer Configuration, expvà the Preferences folder, và then expand the Windows Settings thư mục.

Right-click the Registry node, point lớn New, và select Registry Item.

In the New Registry Properties dialog box, select the following:

Action: UpdateHive: HKEY_LOCAL_MACHINEKey Path: SYSTEMCurrentControlSetservicesmrxsmb10Value name: StartValue type: REG_DWORDValue data: 4

*

Then remove sầu the dependency on the MRxSMB10 that was just disabled.

In the New Registry Properties dialog box, select the following:

Action: ReplaceHive: HKEY_LOCAL_MACHINEKey Path: SYSTEMCurrentControlSetServicesLanmanWorkstationValue name: DependOnServiceValue type: REG_MULTI_SZValue data:BowserMRxSmb20NSI

*

The mặc định value includes MRxSMB10 in many versions of Windows, so by replacing them with this multi-value string, it is in effect removing MRxSMB10 as a dependency for LanmanServer và going from four default values down lớn just these three values above sầu.


Note

When you use Group Policy Management Console, you don"t have sầu to use quotation marks or commas. Just type the each entry on individual lines.


Restart the targeted systems to finish disabling SMB v1.

Auditing SMBv1 usage

To determine which clients are attempting khổng lồ connect to lớn an SMB hệ thống with SMBv1, you can enable auditing on Windows Server năm 2016, Windows 10, và Windows Server 2019. You can also audit on Windows 7 và Windows Server 2008 R2 if they installed the May 2018 monthly update & on Windows 8.1 and Windows Server 2012 R2 if they installed the July 2017 monthly update.

Enable:

Set-SmbServerConfiguration -AuditSmb1Access $trueDisable:

Set-SmbServerConfiguration -AuditSmb1Access $falseDetect:

Get-SmbServerConfiguration | Select AuditSmb1AccessWhen SMBv1 auditing is enabled, sự kiện 3000 appears in the "onfire-bg.com-Windows-SMBServerAudit" sự kiện log, identifying each client that attempts khổng lồ connect with SMBv1.

Summary

If all the settings are in the same Group Policy Object (GPO), Group Policy Management displays the following settings.

Xem thêm: Từ Điển Việt Anh "Hệ Thống Dây Chuyền Sản Xuất Tiếng Anh Là Gì ?

*

Testing và validation

After these are configured, allow the policy lớn replicate and update. As necessary for testing, run gpupdate /force at a comm& prompt, & then đánh giá the target computers lớn make sure that the registry settings are applied correctly. Make sure SMB v2 and SMB v3 is functioning for all other systems in the environment.


Chuyên mục: Công Nghệ 4.0