In light of the recent ransomware attack known as “WannaCry”, which has affected more than 99 countries: the attack is believed to use the exploit tool called “ETERNALBLUE”, which was leaked from the NSA by the hacker group ShadowBrokers. This tool exploits a vulnerability in the SMB service of the machine to spread and propagate. This document provides the steps a reader can take to disable the SMB service; once the service is disabled, the ransomware can no longer propagate through it.
Please note: before proceeding, it is strongly advised to take a backup of the machine, because in some cases you will need to change the Windows Registry. If the steps are not followed carefully, the machine might even crash.
For Windows 10/8/7
Windows 10 users can disable the SMB feature by following these simple steps:
1. Click on the Search option, search for “Windows Features”, and you will see the result “Turn Windows features on or off”.
2. Click that option and the following screen is shown.
3. Untick the “SMB 1.0/CIFS File Sharing Support” box and click “OK”.
This is the simplest way to disable the SMB 1.0 service.
Using PowerShell:
1. Go to the Start Menu and search for PowerShell.
2. The very first result you will see is PowerShell.
3. Right-click the result and select “Run as Administrator”.
4. Once PowerShell opens (with Administrator privileges), type the following command.
5. This command disables SMB v1 (the value is written as a REG_DWORD, which is what the SMB server expects):
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 0 -Force
Image: PowerShell command to disable SMB1
- The command to disable SMB v2 (note the drawbacks listed at the end of this post before doing so):
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB2 -Type DWORD -Value 0 -Force
Image: PowerShell command to disable SMB2
Disabling using a Registry Key:
- Registry value that enables or disables SMBv1 on the SMB server:
Registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled
- Registry value that enables or disables SMBv2 on the SMB server:
Registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB2
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled
- Steps to enable and disable SMB protocols on the SMB client
The steps below apply to Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012. The first command removes the SMBv1 redirector from the Workstation service's dependencies (otherwise the service would fail to start once the driver is disabled); the second disables the driver itself. A reboot is required for the change to take effect.
- Disable SMBv1 on the SMB client by running the commands below:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
- Disable SMBv2 and SMBv3 on the SMB client by running the commands below:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi
sc.exe config mrxsmb20 start= disabled
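The following script is an added example, not part of the original post: it audits the three SMBv1 settings described above (the LanmanServer SMB1 registry value, the mrxsmb10 client driver start mode, and the Workstation service dependencies) and, with -Remediate, applies the same changes the post makes. It assumes an elevated PowerShell on a Windows version with the registry layout shown above; the function name Test-Smb1Disabled is this example's own.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell.
# Assumes the LanmanServer / LanmanWorkstation registry layout shown in the post.
function Test-Smb1Disabled {
    [CmdletBinding()]
    param([switch]$Remediate)

    $serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $wkstaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'

    if ($Remediate) {
        # Server side: the same SMB1 value the post sets, written explicitly as REG_DWORD.
        Set-ItemProperty -Path $serverKey -Name SMB1 -Type DWord -Value 0 -Force
        # Client side: drop mrxsmb10 from the Workstation dependencies, then disable the driver.
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
    }

    # An absent SMB1 value means the default (1 = enabled) applies, so only an explicit 0 counts.
    $smb1 = (Get-ItemProperty -Path $serverKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $serverDisabled = ($null -ne $smb1) -and ([int]$smb1 -eq 0)

    # mrxsmb10 is the SMBv1 redirector; it is a kernel driver, so query Win32_SystemDriver.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='mrxsmb10'" `
                           -ErrorAction SilentlyContinue
    $driverDisabled = ($null -eq $drv) -or ($drv.StartMode -eq 'Disabled')

    # DependOnService is REG_MULTI_SZ. If mrxsmb10 is still listed, disabling the driver
    # breaks the Workstation service, so the client check requires both conditions.
    $deps = @((Get-ItemProperty -Path $wkstaKey -Name DependOnService `
                                -ErrorAction SilentlyContinue).DependOnService)
    $depsClean = -not ($deps -contains 'mrxsmb10')

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        ServerSmb1Disabled = $serverDisabled
        ClientDriverStart  = $(if ($drv) { $drv.StartMode } else { 'NotInstalled' })
        WorkstationDeps    = ($deps -join '/')
        ClientSmb1Disabled = ($driverDisabled -and $depsClean)
        RebootRequired     = $Remediate.IsPresent
    }
}

# Report only; add -Remediate to apply the post's changes, then reboot.
Test-Smb1Disabled | Format-List
```

Run the report first on one machine to see which of the two paths (server value, client driver) is still open before remediating across a fleet.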
- The drawbacks of disabling SMB2 (the following SMB 2 features are lost):
• Request compounding – enables users to send multiple SMB 2 requests as a single network request
• Larger reads and writes – better use of faster networks
• Caching of folder and file properties – clients keep local copies of folders and files
• Durable handles – after a temporary disconnection, the connection can transparently rejoin the server
• Improved message signing – HMAC SHA-256 replaces MD5 as the hashing algorithm
• Improved scalability for file sharing – increases the number of users, shares, and open files per server
• Support for symbolic links
• Client oplock leasing model – automatically limits the volume of data transferred between the client and server, resulting in improved performance on high-latency networks and increased scalability of the SMB server
• Large MTU support – for full use of 10-gigabyte (GB) Ethernet
• Enhanced energy efficiency – clients that have open files to a server can sleep