18.4.3 (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'

Information

This setting configures the start type for the Server Message Block version 1 (SMBv1) client driver service ( MRxSmb10 ), which is recommended to be disabled.

The recommended state for this setting is: Enabled: Disable driver (recommended)

Note: Do not,

under any circumstances

, configure this overall setting as Disabled as doing so will delete the underlying registry entry altogether, which will cause serious problems.

Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3.

More information on this can be found at the following links:

Stop using SMB1 | Storage at Microsoft

Disable SMB v1 in Managed Environments with Group Policy - 'Stay Safe' Cyber Security Blog

Disabling SMBv1 through Group Policy - Microsoft Security Guidance blog

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: Disable driver (recommended) :

Computer Configuration\Policies\Administrative Templates\MS Security Guide\Configure SMB v1 client driver

Note: This Group Policy path does not exist by default. An additional Group Policy template ( SecGuide.admx/adml ) is required - it is available from Microsoft at

this link

.

Impact:

Some legacy OSes (e.g. Windows XP, Server 2003 or older), applications and appliances may no longer be able to communicate with the system once SMBv1 is disabled. We recommend careful testing be performed to determine the impact prior to configuring this as a widespread control, and where possible, remediate any incompatibilities found with the vendor of the incompatible system. Microsoft is also maintaining a thorough (although not comprehensive) list of known SMBv1 incompatibilities at this link:

SMB1 Product Clearinghouse | Storage at Microsoft

See Also

https://workbench.cisecurity.org/benchmarks/15105