Windows currently still includes some legacy protocols posing significant security risks. SMBv1 is one such protocol and Microsoft is still gradually phasing it out. In this article I'll be providing you with a guide to disable SMBv1 and enable SBMv1 auditing.
Older versions of SMB cannot be disabled easily. If you're doing this in a larger environment, it is entirely possible that some devices or applications may still be relying on outdated protocols.
What uses SMBv1?
Starting in Windows 10/11 and Windows Server 2019, SMBv1 is disabled by default, however, in Server 2016, it is still enabled.
Your organization might have enabled SMBv1 on newer server versions to be compatible with older devices, but this may not actually be necessary.
Enable SMBv1 auditing
SMBv1 is an optional feature for Windows 11/10 and also a feature on Windows Server. You can determine if it is currently installed using the below PowerShell command:
Get-WindowsOptionalFeature -Online -FeatureName smb1protocol
This command will work on workstations and servers.
Since SMBv1 requests can come from various devices, you should also enable SMBv1 auditing on each server using the below PowerShell command:
Set-SmbServerConfiguration -AuditSmb1Access $true
Once you've run the above command, you can check whether SMBv1 monitoring is now active using the below PowerShell Command:
Get-SmbServerConfiguration | select AuditSmb1Access
Should a client attempt to establish a connection using SMBv1, the server will write an event with ID 3000 to the log. This happens regardless of whether the request was accepted or rejected.
You can then use the below PowerShell command to retrieve these logged events:
Get-WinEvent -LogName Microsoft-Windows-SMBServer/Audit
If somebody enabled SMBv1, you can disable it through a variety of ways. The easiest way to do is is through the below Powershell command:
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol