This tool checks and can disable the insecure SMB v1 protocol.
By default SMB version 1.0 is enabled in Windows 10 and Windows Server 2016.
SMB 1.0 was needed in Windows XP and Windows Server 2003, but now newer versions of SMB are more secure and have additional features.
It’s a good idea to disable or remove SMB version 1.0, as a number of recent vulnerabilities specifically affect SMB version 1, such as MS17-010.
Open Powershell as Administrator and run the script.
If you have problems you should check your execution policies.
Get-ExecutionPolicy
Set-ExecutionPolicy RemoteSigned
If "RemoteSigned" didn't work, temporarily set "Unrestricted".
Set-ExecutionPolicy Unrestricted
- Powershell 5.1
- XAML
If you have Windows 10 or Windows Server 2016 you are good to go.
- Powershell 5.1 : Powershell Link
- Windows Management Framework 5.1 : WMF Download Link
- Open PowerShell as Administrator
- Check SMB1
Get-SmbServerConfiguration | Select-Object -Property "EnableSMB1Protocol"
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol | Select-Object -Property "State"
- Disable SMB1
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
- Disable SMB1 Feature
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
- Restart computer
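The check and disable steps above combined into one re-runnable script, as an added example that is not part of the original tool. The function names `Get-Smb1Status` and `Disable-Smb1` are hypothetical; the script uses only the cmdlets shown on this page.

```powershell
#Requires -RunAsAdministrator
# Added example. Get-Smb1Status and Disable-Smb1 are hypothetical helper names.

function Get-Smb1Status {
    # SMB1 can be on in two places: the SMB server setting and the Windows feature.
    $server  = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $state   = [string]$feature.State   # e.g. Enabled, Disabled, DisablePending

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ServerSmb1Enabled = [bool]$server.EnableSMB1Protocol
        FeatureState      = $state
        # A *Pending state means the change only takes effect after a restart.
        RestartNeeded     = $state -like '*Pending'
        # Hardened only when the protocol is off AND the feature is not (being) enabled.
        Hardened          = (-not $server.EnableSMB1Protocol) -and
                            ($state -notin 'Enabled', 'EnablePending')
    }
}

function Disable-Smb1 {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $before = Get-Smb1Status
    if ($before.Hardened) { return $before }   # already disabled, change nothing

    if ($before.ServerSmb1Enabled -and
        $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMB1 server protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }

    if (($before.FeatureState -in 'Enabled', 'EnablePending') -and
        $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMB1Protocol feature')) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart |
            Out-Null
    }

    Get-Smb1Status   # report the state after the change
}

Get-Smb1Status          # audit only
Disable-Smb1 -WhatIf    # show what would change without changing it
```

Run `Disable-Smb1` without `-WhatIf` to apply the change; if `RestartNeeded` is `True` in the result, the feature removal completes at the next restart.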
You can propagate this via GPO:
You need to create and edit the policy, navigate to:
Computer Configuration > Windows Settings > Scripts
And add these lines as PowerShell script.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
If you have Active Directory you should also disable LM and NTLM v1 in GPO.
Navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
and set the "Network security: LAN Manager authentication level" field to "Send NTLMv2 response only/refuse LM & NTLM".
Twitter: @RomelSan
Date: April 15, 2017
MIT