🧠 Introduction

What is SMBv1?

SMBv1 (Server Message Block version 1) is a legacy protocol used in older versions of Windows for file and printer sharing. It is outdated, insecure, and known to be vulnerable to remote code execution (RCE) and wormable attacks such as WannaCry and NotPetya.

Example:
“SMBv1 is an old communication protocol that lacks modern security features. Attackers can use it to move laterally across networks, install malware, or exploit known vulnerabilities.”

Why It’s Important

• 💥 RCE via EternalBlue (MS17-010) and similar exploits
• 🧑‍💻 Common target in ransomware campaigns and red team ops
• 🧱 No support for encryption or signing (integrity)
• 🛑 Deprecated by Microsoft — unsafe in all modern networks

“Leaving SMBv1 enabled is like leaving your front door unlocked in a dangerous neighborhood.”

⚙️ Technical Explanation (For IT Professionals)

Root Cause

The system has SMBv1 protocol enabled on Windows Server or Windows Client OS — either via Windows Features, Group Policy, or registry settings. This allows unauthenticated SMBv1 connections.

How It Works (Attack Path)

1. Attacker scans internal network for SMBv1-capable hosts (port 445)
2. Exploits vulnerability (e.g., EternalBlue / MS17-010)
3. Executes code remotely or propagates ransomware
4. Compromises sensitive data, spreads laterally

🧪 Detection and Verification

1. Manual Check

🔍 PowerShell (All Systems):

Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

🔍 DISM (Alternative Check):

dism /online /Get-Features | findstr "SMB1Protocol"

2. Using Tools

• ✅ Nessus Plugin ID 10394 – SMBv1 Enabled
• ✅ Nmap NSE:

nmap --script smb-protocols -p445 <target-ip>

Output will show SMBv1 enabled: true

🛠️ Step-by-Step Fix Guide

🧩 Step 1 – Identify Affected Systems

Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

🧩 Step 2 – Backup System State

reg export "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" C:\smb_backup.reg

🧩 Step 3 – Apply the Fix

✅ Option A: PowerShell

Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

✅ Option B: Hardening SMB on All Domain-Joined Machines Using Group Policy (GPO)

This procedure does two things:

1. Disables insecure guest/anonymous SMB access.
2. Completely disables SMBv1 (both server and client behavior).

You’ll do all of this inside one GPO.

🔹 Step 1: Open Group Policy Management Console (GPMC)

1. On a Domain Controller or management host:

   • Press Win + R, then type:

     gpmc.msc
     

     (Use gpedit.msc instead if you’re doing this on a standalone, non-domain machine and only want local policy.)

2. Press Enter to launch the Group Policy Management Console.

🔹 Step 2: Create and Link a GPO

1. In the left pane under your domain or target OU:
   • Right-click → Create a GPO in this domain, and Link it here...

(If you already have a security hardening GPO for servers or workstations, you can edit that instead.)

2. Name it something clear like:

   Hardening - Disable SMBv1 & Guest Logons
   

3. Make sure you link it to the correct OU:
   • Workstations OU (for laptops / desktops)
   • Servers OU (for servers / DCs, ideally after testing)
   • Or root of the domain + use WMI filters to scope

🔹 Step 3: Edit the GPO

1. Right-click the GPO you just created → Edit.

2. We’re going to configure two things inside this single GPO:

   • A policy setting (Administrative Templates) to disable insecure guest logons.
   • Registry Preferences to kill SMBv1.

We’ll do them in that order.

🔹 Step 4: Disable Insecure Guest Logons

This blocks the machine from connecting to SMB shares using anonymous / guest access. That kills a very common lateral movement & data theft trick.

1. In the GPO Editor, go to:

   Computer Configuration
     > Administrative Templates
       > Network
         > Lanman Workstation
   

2. Find and double-click:

   Enable insecure guest logons
   

3. Set it to:

   Disabled
   

4. Click Apply → OK.

💡 Result:

• The system will refuse to fall back to unauthenticated “guest” SMB sessions.
• Forces proper authentication instead of anonymous access.

⚠ Note:

• This is strongly recommended for all workstations.
• For servers and domain controllers, also recommended unless you KNOW something still relies on guest/anonymous SMB access (old NAS / copier / OT gear). Test first.

🔹 Step 5: Push SMBv1 Disable via Registry Preferences

Now we kill SMBv1 protocol support (both server and client) and make sure the Workstation service uses only SMBv2/SMBv3.

In the same GPO Editor, go to:

Computer Configuration
  > Preferences
    > Windows Settings
      > Registry

We will create three Registry Items: (A), (B), and (C).

(A) Disable SMBv1 Server Component

This prevents the machine from serving SMBv1 to anyone.

Registry Item Settings:

• Action: Create
• Hive: HKEY_LOCAL_MACHINE
• Key Path: SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
• Value name: SMB1
• Value type: REG_DWORD
• Value data: 0

Why:

• SMB1 = 0 disables the SMBv1 server role.
• The machine will no longer offer SMBv1 to clients.

Why “Create” instead of “Update”:

• On newer OS (Server 2019/2022/2025, etc.), SMBv1 might not even be installed, so this value might not exist.
• Create forces it to exist and be explicitly set to 0 = disabled.

(B) Disable SMBv1 Client Redirector

This prevents the machine from initiating outbound SMBv1 connections to someone else.

Registry Item Settings:

• Action: Update
• Hive: HKEY_LOCAL_MACHINE
• Key Path: SYSTEM\CurrentControlSet\Services\mrxsmb10
• Value name: Start
• Value type: REG_DWORD
• Value data: 4

Why:

• Start = 4 means “Disabled, do not load this driver at boot.”
• That driver (mrxsmb10) is the SMBv1 client redirector.
• Result: the machine refuses to negotiate SMBv1 as a client.

(C) Fix LanmanWorkstation Dependencies

If you disable the SMBv1 client driver (mrxsmb10) but don’t fix dependencies, the LanmanWorkstation service can think it still needs SMBv1 and may fail to start.

We rewrite the dependencies so it only depends on modern SMBv2/SMBv3 components.

Registry Item Settings:

• Action: Replace
• Hive: HKEY_LOCAL_MACHINE
• Key Path: SYSTEM\CurrentControlSet\Services\LanmanWorkstation
• Value name: DependOnService
• Value type: REG_MULTI_SZ
• Value data (EXACTLY these three lines, each on its own line):

  Bowser
  MRxSmb20
  NSI
  

Why:

• Removes MRxSmb10 (SMBv1 client) from required dependencies.
• Keeps only:
  • Bowser
  • MRxSmb20 (SMBv2/3 stack)
  • NSI
• Ensures the Workstation service still starts clean using SMBv2/3 only.

⚠ Important: When entering a REG_MULTI_SZ in Group Policy Preferences, you must put each value on its OWN line. No commas, no quotes, no brackets. Just:

• Bowser
• MRxSmb20
• NSI

🔹 Step 6: Apply, Reboot, Verify

1. Link this GPO to the correct OU(s) (Workstations OU, Servers OU, Domain Controllers OU — or root + WMI filters).
2. Force policy on a pilot machine:

   gpupdate /force
   

3. Reboot that machine. (Reboot is required for the SMBv1 driver/start-type changes.)
4. Test normal stuff:
   • Logon scripts / SYSVOL access
   • Mapped drives
   • File shares
   • Apps that talk to file shares

If nothing breaks, roll to the rest of the environment.

🧠 Result

After this GPO is deployed and machines reboot:

• SMBv1 is disabled for both serving and consuming.
• No fallback to anonymous “guest” SMB sessions.
• All SMB traffic is forced onto modern SMBv2 / SMBv3 with real credentials.

This is the baseline you want for ransomware resistance, lateral movement reduction, and compliance hardening.

🔐 Prevention & Hardening

✅ Disable SMBv1 on all systems
✅ Restrict SMB port 445
✅ Use SMBv3 with encryption
✅ Monitor for SMB scanning
✅ Disable guest/anonymous access

📊 Risk & Impact Summary

🧱 Standards Mapping

🧭 Verification After Fix

On a hardened machine, run PowerShell as Administrator:

# Check SMBv1 server exposure:
Get-SmbServerConfiguration | Select EnableSMB1Protocol

# Check if the SMBv1 optional feature is gone:
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

# Check the registry values we pushed:
(Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters").SMB1
(Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10").Start
(Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation").DependOnService

Expected:

• EnableSMB1Protocol is False.
• SMB1Protocol feature is Disabled or Not Present.
• SMB1 = 0
• Start = 4
• DependOnService only shows Bowser, MRxSmb20, NSI.

Recheck:

nmap --script smb-protocols -p445 <target>

Output will show SMBv1 enabled: false

🧩 Additional Tips

• Use test OUs to stage GPOs
• Monitor logs for anonymous access
• Validate backups before patching
• Document legacy systems still requiring SMBv1

💬 FAQ

Q1: Will disabling SMBv1 break old printers or scanners?

Possibly. Always check compatibility before rollout.

Q2: Is SMBv2/v3 safe?

Yes, especially SMBv3 with signing/encryption.

🔗 References

• Microsoft Docs
• CVE-2017-0144
• MITRE ATT&CK
• SAMA Framework

⚖️ Legal & Ethical Note

For authorized environments only.
Don’t modify systems without explicit permission.

✍️ Author’s Note

Written by Khaled Al‑Refaee (Ozex)
Cybersecurity Consultant | Red Team Operator | Offensive Security Professional

🌐 ozex.gitlab.io
☕ Buy me a coffee