Information
This policy setting ensures that the Server Message Block (SMB) v1 protocol is NOT installed on the system. SMBv1 is a legacy version of the Server Message Block protocol that Windows uses for file sharing on a local network.
The STIG recommended state for this setting is: Not installed
SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks and is not FIPS compliant.
Solution
To uninstall the SMBv1 protocol:
- Start Server Manager
- Select the server with the role
- Scroll down to ROLES AND FEATURES in the right pane
- Select Remove Roles and Features from the drop-down TASKS list
- Select the appropriate server on the Server Selection page and click Next
- Deselect SMB 1.0/CIFS File Sharing Support on the Features page
- Click Next and Remove as prompted (if installed).
OR
- Open Windows PowerShell with elevated privileges (run as administrator)
- Type: Uninstall-WindowsFeature -Name FS-SMB1 -Restart
(Omit the Restart parameter if an immediate restart of the system cannot be done.)
Impact:
Disabling SMBv1 without thoroughly testing for SMBv1 traffic in your environment can have unintended consequences, up to and including a complete suspension of all network services, denied access to all resources, and remote authentication failures (like LDAP).
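One way to test for SMBv1 traffic before removal, as an added example that is not part of the original page: the script below reports the FS-SMB1 install state and, if the feature is still installed, enables SMBv1 access auditing and summarizes which clients have connected over SMBv1. It assumes the built-in Microsoft-Windows-SMBServer/Audit log with event ID 3000, and that the event message contains a "Client Address:" line.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page): check the FS-SMB1 state and, if it
# is still installed, audit which clients use SMBv1 before removing it.

$feature = Get-WindowsFeature -Name FS-SMB1
Write-Output "FS-SMB1 install state: $($feature.InstallState)"

if (-not $feature.Installed) {
    Write-Output 'Compliant: SMBv1 is not installed.'
}
else {
    # Log every inbound SMBv1 connection to Microsoft-Windows-SMBServer/Audit.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force

    # Re-run from here after a representative observation window.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-SMBServer/Audit'
        Id      = 3000   # SMB1 access event
    } -ErrorAction SilentlyContinue

    if (-not $events) {
        Write-Output 'No SMBv1 access has been logged so far.'
    }
    else {
        # Assumption: the event message carries a "Client Address: <value>" line.
        $events | ForEach-Object {
            $client = if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] } else { 'unknown' }
            [pscustomobject]@{ Client = $client; Time = $_.TimeCreated }
        } | Group-Object Client | ForEach-Object {
            [pscustomobject]@{
                Client   = $_.Name
                Events   = $_.Count
                LastSeen = ($_.Group.Time | Sort-Object | Select-Object -Last 1)
            }
        } | Sort-Object Events -Descending | Format-Table -AutoSize
    }
}
```

Any client listed in the output still depends on SMBv1 and needs to be upgraded or reconfigured before the feature is uninstalled.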