20.57 Ensure 'Server Message Block (SMB) v1 protocol must not be installed'

Information

This policy setting ensures that Server Message Block (SMB) v1 protocol is not installed on the system. SMBv1 is a legacy version of the Server Message Block protocol Windows uses for file sharing on a local network.

The STIG recommended state for this setting is: Not installed

SMBv1 is a legacy protocol that relies on the MD5 algorithm: SMBv1 message signing is built on MD5, whereas SMB 2.x uses HMAC-SHA256 and SMB 3.x uses AES-CMAC. MD5 is known to be vulnerable to a number of attacks, such as collision and pre-image attacks, and is not FIPS compliant. SMBv1 also lacks the encryption and pre-authentication integrity protections that later SMB dialects provide, so leaving it installed keeps a weaker protocol available for clients (and attackers) to negotiate down to.

Solution

To uninstall the SMBv1 protocol:

- Start Server Manager
- Select the server with the role
- Scroll down to ROLES AND FEATURES in the right pane
- Select Remove Roles and Features from the drop-down TASKS list
- Select the appropriate server on the Server Selection page and click Next
- Deselect SMB 1.0/CIFS File Sharing Support on the Features page
- Click Next and Remove as prompted (if installed).

OR

- Open Windows PowerShell with elevated privileges (run as administrator)
- Type Uninstall-WindowsFeature -Name FS-SMB1 -Restart (omit the Restart parameter if an immediate restart of the system cannot be done; the removal then completes on the next reboot).

Impact:

Disabling SMBv1 without thoroughly testing for SMBv1 traffic in your environment can have unintended consequences, up to and including a complete suspension of all network services, denied access to all resources, and remote authentication failures (like LDAP).
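
The following PowerShell script is an added example and is not part of the benchmark or STIG text. It ties the Solution and Impact sections together: it turns on SMBv1 access auditing (Set-SmbServerConfiguration -AuditSmb1Access, available on Windows Server 2016 and later, which logs every SMBv1 connection as event ID 3000 in the Microsoft-Windows-SMBServer/Audit log), lists the clients that have used SMBv1 over an audit window, reports the FS-SMB1 feature state that the benchmark checks, and only removes the feature when no SMBv1 clients were observed. The script name Check-Smb1.ps1, the -AuditDays and -Remove parameters, and the parsing of "Client Address:" out of the event message are assumptions made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not the benchmark's own code). Assumes Windows Server 2016 or
# later, where AuditSmb1Access and the Microsoft-Windows-SMBServer/Audit log
# exist. -AuditDays and -Remove are parameters invented for this script.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$AuditDays = 7,   # how far back to look for SMBv1 audit events
    [switch]$Remove        # actually uninstall FS-SMB1 (default: report only)
)

function Enable-Smb1Audit {
    # Turn on SMBv1 access auditing if it is off. Each SMBv1 connection is
    # then recorded as event ID 3000 in Microsoft-Windows-SMBServer/Audit.
    $cfg = Get-SmbServerConfiguration
    if (-not $cfg.AuditSmb1Access) {
        Set-SmbServerConfiguration -AuditSmb1Access $true -Force
        Write-Warning "SMBv1 auditing was off and has been enabled; re-run after $AuditDays days to collect data."
    }
}

function Get-Smb1Clients {
    param([int]$Days)
    $since  = (Get-Date).AddDays(-$Days)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000
        StartTime = $since
    } -ErrorAction SilentlyContinue
    # The event text carries "Client Address: <ip>"; fall back to the first
    # event property if the message format differs (assumption).
    $events | ForEach-Object {
        if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] }
        elseif ($_.Properties.Count -gt 0)               { $_.Properties[0].Value }
    } | Group-Object | Sort-Object Count -Descending |
        Select-Object @{ n = 'ClientAddress'; e = { $_.Name } }, Count
}

function Get-Smb1FeatureState {
    # The benchmark checks the feature, not the server-side toggle; report both.
    $f = Get-WindowsFeature -Name FS-SMB1
    [pscustomobject]@{
        Feature       = $f.Name
        Installed     = $f.Installed
        InstallState  = $f.InstallState
        ServerEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
}

# --- main ---
Enable-Smb1Audit
$clients = Get-Smb1Clients -Days $AuditDays
$state   = Get-Smb1FeatureState
$state | Format-List

if ($clients) {
    Write-Warning "SMBv1 clients seen in the last $AuditDays days; migrate these before removing the feature:"
    $clients | Format-Table -AutoSize
} else {
    Write-Host "No SMBv1 connections logged in the last $AuditDays days."
}

if ($Remove) {
    if ($clients) {
        Write-Error "Refusing to remove FS-SMB1 while SMBv1 clients are still connecting."
    } elseif (-not $state.Installed) {
        Write-Host "FS-SMB1 is not installed; the recommended state is already met."
    } elseif ($PSCmdlet.ShouldProcess('FS-SMB1', 'Uninstall-WindowsFeature')) {
        # Drop -Restart if the server cannot restart now; the removal then
        # completes on the next reboot.
        Uninstall-WindowsFeature -Name FS-SMB1 -Restart
    }
}
```

Run it once without -Remove to enable auditing and start collecting, then again after the audit window (for example .\Check-Smb1.ps1 -AuditDays 14). Add -Remove -WhatIf to see what would be uninstalled, and -Remove to perform the removal; because the script supports ShouldProcess, -Confirm also works. Note that Get-WindowsFeature and Uninstall-WindowsFeature exist only on Windows Server; on client editions the equivalent check is Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol and the removal is Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol.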

See Also

https://workbench.cisecurity.org/benchmarks/18857