20.56 Ensure 'Server Message Block (SMB) v1 protocol must not be installed'

Information

This policy setting ensures that the Server Message Block (SMB) v1 protocol is NOT installed on the system. SMBv1 is a legacy version of the Server Message Block protocol that Windows uses for file sharing on a local network.

The STIG recommended state for this setting is: Not installed

SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks and is not FIPS compliant.

Solution

To uninstall the SMBv1 protocol:

- Start Server Manager
- Select the server with the role
- Scroll down to ROLES AND FEATURES in the right pane
- Select Remove Roles and Features from the drop-down TASKS list
- Select the appropriate server on the Server Selection page and click Next
- Deselect SMB 1.0/CIFS File Sharing Support on the Features page
- Click Next and Remove as prompted (if installed).

OR

- Open Windows PowerShell with elevated privileges (run as administrator)
- Type Uninstall-WindowsFeature -Name FS-SMB1 -Restart (Omit the Restart parameter if an immediate restart of the system cannot be done.)

Impact:

Disabling SMBv1 without thoroughly testing for SMBv1 traffic in your environment can have unintended consequences, up to and including a complete suspension of all network services, denied access to all resources, and remote authentication failures (like LDAP).
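The following script is an added example, not part of the STIG/CIS text above, that ties the PowerShell removal step to the testing the Impact note calls for: it turns on the SMB server's built-in SMBv1 access auditing, reports which clients have connected over SMBv1 (event ID 3000 in the Microsoft-Windows-SMBServer/Audit log), and only removes the FS-SMB1 feature when asked and when no SMBv1 clients have been seen. It assumes Windows Server 2016 or later with the ServerManager and SmbShare modules and an elevated session; the -Remove and -AuditDays parameters are names chosen for this example.

```powershell
# Added example: audit SMBv1 use, report state, then remove FS-SMB1 when it is safe.
# Assumes Windows Server 2016+ (ServerManager + SmbShare modules), run as administrator.
# -Remove and -AuditDays are hypothetical parameter names for this example only.
param(
    [switch]$Remove,
    [int]$AuditDays = 7
)

Import-Module ServerManager
Import-Module SmbShare

$feature = Get-WindowsFeature -Name FS-SMB1
$cfg     = Get-SmbServerConfiguration

# Current state of the feature and of the SMB server's SMBv1 settings
[pscustomobject]@{
    FeatureInstalled   = $feature.Installed
    EnableSMB1Protocol = $cfg.EnableSMB1Protocol
    AuditSmb1Access    = $cfg.AuditSmb1Access
} | Format-List

# Step 1: enable SMBv1 access auditing so legacy clients show up in the event log
if (-not $cfg.AuditSmb1Access) {
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    Write-Host "SMBv1 access auditing enabled; re-run after $AuditDays days before removing."
}

# Step 2: list SMBv1 connections recorded during the audit window
$since  = (Get-Date).AddDays(-$AuditDays)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-SMBServer/Audit'
    Id        = 3000
    StartTime = $since
} -ErrorAction SilentlyContinue   # Get-WinEvent errors when no events match

if ($events) {
    Write-Warning ("{0} SMBv1 connections in the last {1} days; migrate these clients first:" -f $events.Count, $AuditDays)
    $events | ForEach-Object { $_.Message } | Sort-Object -Unique
} else {
    Write-Host "No SMBv1 access recorded in the last $AuditDays days."
}

# Step 3: disable and remove only on request, and only when nothing still depends on SMBv1
if ($Remove) {
    if ($events) {
        Write-Warning "Refusing to remove FS-SMB1 while SMBv1 clients are still observed."
        return
    }
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    if ($feature.Installed) {
        Uninstall-WindowsFeature -Name FS-SMB1   # add -Restart when an immediate reboot is acceptable
    }
}
```

Run it once without -Remove to switch auditing on, leave it for the audit window, then run it again with -Remove; the feature is uninstalled only if the audit log shows no SMBv1 clients, which is the test the Impact note asks for before disabling the protocol.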

See Also

https://workbench.cisecurity.org/benchmarks/15301