Free training - ManageEngine OpManager

Blocking SMBv1 in Windows

The Server message block(SMB) is a communication protocol following client-server model that enables shared access between devices such as printers and ports. Among the three versions of SMB (SMBv1, SMBv2, SMBv3), Microsoft recommends blocking SMBv1 protocol since networks are prone to malicious attacks due to the vulnerabilities found in SMBv1. The following is a detailed guide on how to block SMBv1 in windows.

How to block 445 port?

  1. Navigate to start -> Control panel.
  2. Click on Windows Firewall/ Windows Defender firewall.
  3. Go to Advanced Settings.
  4. Right click on the Inbound rules button and cIick on the New Rule option.
  5. Now, select the Port option and click on Next.
  6. Specify the port as 445 under specific local ports.
  7. Select TCP and click on Next.
  8. Select the block the connection option and click on Next.
  9. Now, select the Domain, Private and Public options and click on Next.
  10. Provide a Name and Description and Click Finish.
  11. The TCP port 445 is now successfully blocked.

How to block SMBv1 communication protocol?

The SMBv1 protocol can be blocked by the following ways depending on the type of windows device being used:

For Windows Server 2012 Windows Server 2012 R2, Windows Server 2016, Windows Server 2019:

  1. Open the Server Manager Dashboard of the server.
  2. Select the Add Roles and Features option.
  3. Now click on Start the Remove Roles and Features Wizard, and click on Next.
  4. In the server pool tab under the Select destination server page, select the server from which the feature must be removed.
    5. Blocking smbv1 in Windows
  5. Click on Next.
  6. In the Remove server roles page, click on Next.
  7. In the Remove features page, clear the check box for SMB 1.0/CIFS File Sharing Support and click on Next.
    8. Blocking smbv1 in Windows
  8. In removal selections page, confirm that the feature is listed, and then select Remove.
  9. The SMBv1 protocol is now successfully blocked in your device.

For Windows 8.1 and windows 10:

  1. Navigate to start->Control panel.
  2. Under Control panel, select Programs and Features.
  3. Under the Control Panel Home section, select the Turn Windows features on or off to open the Windows features box.
  4. Scroll down the Windows Features box, clear the check box for SMB 1.0/CIFS File Sharing Support and click on OK.
    5. Blocking smbv1 in Windows

Using commands in Windows Powershell to enable/ disable SMB v1/ v2/ v3

  1. Open Windows PowerShell in Administrator mode.
  2. Use the below commands to enable SMBv1/SMBv2/SMBv3
    • Set-SmbServerConfiguration -EnableSMB1Protocol $true
    • Set-SmbServerConfiguration -EnableSMB2Protocol $true
  3. Use the below commands to disable SMBv1/SMBv2/SMBv3
    • Set-SmbServerConfiguration -EnableSMB1Protocol $false
    • Set-SmbServerConfiguration -EnableSMB2Protocol $false
  4. To check the status of SMBv1/SMBv2/SMBv3, kindly use the below commands.
    • Get-SmbServerConfiguration | Select EnableSMB1Protocol
    • Get-SmbServerConfiguration | Select EnableSMB2Protocol
Note:
  • Blocking SMB will not affect WMI data collection in OpManager. However, kindly consult with your sysadmin before proceeding with the same.
  • Since SMBv2 and SMBv3 protocols share the same stack, enabling or disabling SMBv2 will enable or disable SMBv3 too.
  • You don't have to restart the machine after you run the Set-SMBServerConfiguration cmdlet.

To know more, kindly visit this page.

Thank you for your feedback!

Was this content helpful?

We are sorry. Help us improve this page.

How can we improve this page?
Do you need assistance with this topic?
By clicking "Submit", you agree to processing of personal data according to the Privacy Policy.