How to Disable SMB1 using Group Policy Administrative Templates

So, incase you have not heard, SMB1 is Bad… Really BAD. Not only is it woefully old and inefficient protocol it’s also now widely known to be the attack vector for the recent WannaCry virus. By now you probably have seen my very popular previous blog post called How to disable SMB 1 on Windows 7 via Group Policy to Prevent WannaCry . This article explains how to disable SMB1 Server and Client protocols by setting custom registry keys by configuring Group Policy Preferences Registry key option. But as with any thing you do with Group Policy configured the exact registry key can be a bit tricky and is of course prone to typos and errors that could cause all sorts of issues.

To make it easier to disable SMB1 in your environment Microsoft has now release an ADMX/ADML file that adds defines the required registry keys so they can be configured as Administrative Template setting.

To get the SMB1 policy setting visit https://blogs.technet.microsoft.com/secguide/2017/06/15/security-baseline-for-windows-10-creators-update-v1703-draft/ and download the Windows-10-RS2-Security-Baseline ZIP file.

Open the ZIP file and navigate to the “Templates” folder where you then need to extract the SecGuide.adml and SecGuide.ADMX files.

Then copy the two files you extracted ro your “PolicyDefinitions” folder in your SYSVOL. Once you copy these files as with adding any ADMX/ADML file to the Policy Definitions folder you will then see your Group Policies get the new “MS Security Guide” under Computer Administrative templates.

Now, as per the guidance text of the policy you need to do the following and you will have disabled SMB1 on all your Windows computers.

APPLIES ONLY TO: Windows 7 and Windows Servers 2008, 2008R2 and 2012 (NOT 2012R2):

To disable client-side processing of the SMBv1 protocol (recommended), do ALL of the following:
* Set the SMBv1 client driver to “Disable driver” using the “Configure SMB v1 client driver” setting;
* Enable this setting;
* In the “Configure LanmanWorkstation dependencies” text box, enter the following three lines of text:
Bowser
MRxSmb20
NSI

 

3 Comments

  1. Pingback: Deshabilitar SMB1 – JoseMCT

Leave a Reply

Your email address will not be published. Required fields are marked *