How To Disable SMBv1 On Windows

Ransomware is spreading across the internet to machines that still have SMBv1 enabled, using an old NSA exploit leaked by “ShadowBrokers”. Here’s how to protect yourself from the WanaCrypt0r 2.0 ransomware by disabling SMBv1 on Windows computers.

What Is WanaCrypt0r 2.0
 
This ransomware spreads through an exploit that was actively used by the NSA to infiltrate Windows machines. The exploit, called EternalBlue, allows an attacker to access your machine with full root privileges via the insecure SMBv1 protocol, a protocol for sharing access to files, printers, and other devices. SMBv2 and SMBv3 seem to be unaffected. SMB stands for Server Message Block; one version of it is known as Common Internet File System (CIFS), which should already give you a hint of what it is used for. In essence, a protocol meant for sharing access to files, printers, and serial ports on your local network is being exploited from the outside.

How to check whether SMBv1 is enabled or not?

  1. Open PowerShell: press Windows Key + R and enter powershell.exe
  2. Enter the following command: Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol
  3. If EnableSMB1Protocol is False, SMBv1 is already disabled. If it is True, you need to disable it.
  4. To disable SMBv1, copy and paste this command: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

How to Disable SMBv1 via PowerShell:

  1. Open PowerShell: press Windows Key + R and enter powershell.exe
  2. Copy and paste: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
  3. Restart PC

How to Disable SMBv1 via Registry:

  1. Press Windows Key + R and enter regedit.exe
  2. In HKEY_LOCAL_MACHINE, go to SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters and create a new DWORD value named SMB1 with the value 0
  3. In HKEY_LOCAL_MACHINE, go to SYSTEM\CurrentControlSet\Services\LanmanWorkstation and verify that DependOnService is set to "Bowser","MRxSmb20","NSI"
  4. In HKEY_LOCAL_MACHINE, go to SYSTEM\CurrentControlSet\Services\mrxsmb10 and set the value of Start to 4
  5. Restart PC
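
The server check and the registry values from the steps above can be verified in one pass after the restart. The following read-only PowerShell script is an added example, not part of the original article; the helper names Get-RegValue, New-Check and Test-Smb1Disabled are hypothetical, and it assumes an elevated session on a Windows version that provides Get-SmbServerConfiguration.

```powershell
# Added example: read-only audit of the SMBv1 settings named in the steps above.
# Assumes an elevated session; nothing is modified.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Emits nothing when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function New-Check {
    param([string]$Setting, $Found, [bool]$Pass)
    [pscustomobject]@{ Setting = $Setting; Found = $Found; Pass = $Pass }
}

function Test-Smb1Disabled {
    # 1. What the running SMB server reports.
    $cfg = Get-SmbServerConfiguration
    New-Check 'EnableSMB1Protocol (server)' $cfg.EnableSMB1Protocol (-not $cfg.EnableSMB1Protocol)

    # 2. Server registry value. A missing value leaves the OS default in force,
    #    so only an explicit 0 counts as a pass here.
    $smb1 = Get-RegValue "$svc\LanmanServer\Parameters" 'SMB1'
    New-Check 'LanmanServer\Parameters\SMB1' $smb1 ($smb1 -eq 0)

    # 3. Client: the workstation service should depend only on the listed services.
    $want = 'Bowser', 'MRxSmb20', 'NSI'
    $deps = @(Get-RegValue "$svc\LanmanWorkstation" 'DependOnService')
    $same = (($deps | Sort-Object) -join ',') -eq (($want | Sort-Object) -join ',')
    New-Check 'LanmanWorkstation\DependOnService' ($deps -join ',') $same

    # 4. Client: SMBv1 redirector driver (service key mrxsmb10), Start 4 = disabled.
    #    A missing key is reported as not passing so it gets a manual look.
    $start = Get-RegValue "$svc\mrxsmb10" 'Start'
    New-Check 'mrxsmb10\Start' $start ($start -eq 4)
}

$report = @(Test-Smb1Disabled)
$report | Format-Table -AutoSize
if ($report.Pass -contains $false) {
    Write-Warning 'At least one SMBv1 setting differs from the values in the steps above; review the table.'
}
```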

Be safe from the WannaCry attack.