Windows 10 does not open network folders. Disable SMB1 to protect your Windows computer from attacks. Setting up a local network for other OS

SMB, or Server Message Block, is a network communication protocol designed for sharing files, printers and various other devices. There are three versions of SMB: SMBv1, SMBv2, and SMBv3. For security reasons, Microsoft recommends disabling SMB version 1, as it is outdated and uses technology that is almost 30 years old. To avoid infection with ransomware such as WannaCrypt, you need to disable SMB1 and install updates for the operating system. This protocol is used by Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2003 R2, so network file access to these OS versions will no longer be available. The same applies to some NAS devices, scanners, etc.

Disabling SMB1 from Control Panel

Start -> Control Panel -> Programs and Features -> Turn Windows features on or off

Uncheck "SMB 1.0/CIFS File Sharing Support"

Disable SMB1 via PowerShell

Open a PowerShell console with administrator rights and enter the following command:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

Disable SMB1 using Windows Registry

You can also disable SMBv1 by running regedit.exe and navigating to the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

In this key, create a DWORD value named SMB1 and set it to 0.

Values to enable and disable SMB1:

  • 0 = Disabled
  • 1 = Enabled

After that, you need to install the update MS17-010. The update was released for all Windows versions, including the no longer supported Windows XP and Windows Server 2003.

And in conclusion I would like to say that, despite an installed antivirus and regular updates of the operating system, if your data is dear to you, you need to think about backups first.

Why and how to disable SMB1 in Windows 10/8/7

Recent large-scale virus attacks have spread using holes and flaws in the old SMB1 protocol. For one minor reason, the Windows operating system still allows it to work by default. This old version of the protocol is used for file sharing on a local network. Its newer versions, 2 and 3, are more secure and should be left enabled. Whether you use Windows 10, the previous version 8, or even the outdated 7, you should disable this protocol on your PC.

It remains enabled only because some users still run old applications that were never updated to work with SMB2 or SMB3. Microsoft has compiled a list of them. Look it up online if necessary.

If you keep all the programs installed on your computer up to date, you should most likely disable this protocol. Doing so raises the security of your operating system and confidential data by one step. By the way, even Microsoft's own specialists recommend turning it off, if necessary.

Are you ready to make changes? Then let's continue.

SMB1

Open the Control Panel, go to the “Programs” section and select “Turn Windows features on or off”.

In the list, find the option “Support for SMB 1.0 / CIFS file sharing”, uncheck it and click “OK”.

Reboot the operating system after saving all your previously edited files, such as documents, etc.

FOR WINDOWS 7

Here, editing the system registry will help. It is a powerful system tool, and entering incorrect data into it can make the OS unstable. Use it with caution, and be sure to back it up before doing so.

Open the editor by pressing the Win + R key combination on your keyboard and typing “regedit” in the input field. Then navigate to the following path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Create a new 32-bit DWORD value, name it “SMB1” and set its value to “0”. Reboot your system.

Attention! These methods work to disable the protocol on one PC only, but not on the entire network. Refer to the official Microsoft documentation for the information you are interested in.

Hello! For those who are not familiar with the subject, I'll start from afar. On computers and laptops with Windows installed, there is a separate "Network" tab in Explorer. This tab displays devices from Network Neighborhood. That is, by opening the "Network" tab we can see computers, network storage (NAS), multimedia devices (DLNA), and flash drives and external drives that are connected to the router and configured for sharing. Simply put, those devices that are connected through one router (are on the same network) and have network discovery enabled (devices that can be discovered on the local network). Our router can also be displayed there (section "Network infrastructure"), along with other devices.

Now I will explain what and how, and why I decided to write this article at all. I have an ASUS router to which I connected a USB flash drive, and I set up shared access to this flash drive for all devices on the network. And what do you think: in the "Network" section on all computers this network drive appeared (it appears there as "Computer"), but it didn't show up on my computer. That is, my computer did not see the USB flash drive connected to the router, or other computers on this network. But the DLNA server running on the same router was displayed. That doesn't change anything, though, since I need regular network access to the drive.

Also, I could not access the flash drive when I typed its address //192.168.1.1 in explorer. This address was immediately opened through the browser. And I was unable to connect this drive as a network drive. It simply wasn't on the list of available devices in the network environment.

This problem, when Windows 7, Windows 8, or Windows 10 does not see network devices, is not uncommon. It doesn't have to be a flash drive or an external HDD connected to your router, as in my case. Most often, people configure shared access between computers on a local network. And in the same way, they run into the problem where the computers are connected to the same network (to one router) and the sharing settings are correct, but the "Network" tab is empty. Or only the router and your own computer are displayed.

Since there can be many reasons and, accordingly, solutions, I will probably start with the simplest (which didn't help me) and at the end of this article I will share the solution that helped in my case. As a result, my laptop still saw all the devices on the network. Including a network drive and another computer that is also connected to this network.

But this does not mean that you have the same case. Therefore, I advise you to check all the settings in order.

Checking the sharing settings

We will consider two cases:

  1. When computers cannot see each other on the local network.
  2. Sharing the NAS. This can be a flash drive or an HDD connected to the router, or a separate drive (aka NAS).

First case

For computers to be able to see each other and appear in Explorer in the "Network" section, they must be connected through the same router, or connected directly (by cable or via Wi-Fi). Simply put, they must be on the same local network.

Further, on all computers (I don't know how many you have there), it is desirable to assign the network status "Home" (private). How to do this in Windows 10, I wrote in the article. In Windows 7, just go to the "Network and Sharing Center" and change the status of the current connection there.

If after that the computer still does not detect other computers (or vice versa), then let's check the sharing settings.

To do this, in the "Network and Sharing Center" window (if you do not know how to open it in Windows 10, then see the article) click on the item "Change advanced sharing settings".

And for the current profile (usually "Private") set the parameters as in the screenshot below.

Do it on all computers on the local network.

As a rule, these tips solve all problems with detecting computers on the local network.

Second case

When you have problems accessing your NAS. As in my case. Windows 10 did not see the USB drive that was connected to the ASUS router. Nowadays, many routers have a USB port for connecting drives and other devices, so the topic is relevant.

You need to make sure that this drive is detected in the router settings and that public access to it is enabled. Naturally, this is done differently on different routers. On ASUS routers, for example, it looks like this:

Don't confuse sharing settings with FTP settings. In this case, the FTP server settings on the router have nothing to do with it.

Well, if other devices see the network drive and have access to it, but on a particular computer there is no access to it, then the problem is not on the side of the router. Go through the settings of the "problem" PC in this article.

Antivirus or firewall might block network devices

If the antivirus or firewall installed on your computer does not like something, it can easily make it so that you cannot see other devices in the network environment and nobody can detect you.

True, after disabling the firewall built into the antivirus, the problem was not solved (which means that the problem is most likely not there), but it still seems to me that in my case the antivirus played some part.

Therefore, try to completely stop the antivirus for a while, or at least disable its built-in firewall. In NOD 32 it is done like this:

This check needs to be done on all computers that will participate in the local network.

It is possible that you have installed some other programs that can monitor the network and manage network connections.

If it turns out that the problem is in the antivirus, then you need to add your network to the exceptions. Prevent the firewall from blocking the network itself or network devices.

If you do not have an antivirus, then you can experiment with disabling / enabling the Windows built-in firewall.

Workgroup

The workgroup should be the same on all devices. As a rule, it is. But it is advisable to check. To do this, open the computer properties ("System") and go to "Advanced system settings".

The "Workgroup" will be listed there. To change it, you need to click on the "Change" button.

Once again, the workgroup name must be the same on all computers.

If you have a problem accessing your NAS (a USB flash drive shared through a router), then the workgroup is also specified in the sharing settings on the same ASUS router. You can see the screenshot above in the article. It should be the same as on the computer.

Problem with accessing network share via SMB1 on Windows 10 (my solution)

Let's go back specifically to my problem. Everything that I described above has been checked and rechecked 10 times already. I did it a couple of times, but Windows 10 did not see other computers on the network and, most importantly, the shared folder in the form of a flash drive connected to the router did not appear in Explorer. And on other devices on the network, everything was detected without problems. Including my laptop.

I read somewhere that you can try to open the shared folder through the Run window. I pressed the key combination Win + R and entered the address of the network folder //192.168.1.1 (this is the address of the router).

I didn't get access to the drive, but an interesting error appeared:

You cannot connect to the shared folder because it is insecure. This shared folder uses the legacy SMB1 protocol, which is insecure and could put your system at risk of attack.

Your system must be using SMB2 or later.

This is already interesting. At least something.

SMB (Server Message Block) is a network protocol that is responsible for sharing files, printers and other network devices.

I started looking. And it turns out that Windows 10 has dropped the SMB1 protocol. For security. And the Samba software package installed on my router works over the SMB1 protocol. Therefore, Windows 10 does not see it. But other computers that also work on Windows 10 were also not displayed on the "Network" tab for me.

Since I could not update the protocol to SMB2 in the router settings, I decided that I needed to somehow enable SMB1 support in Windows 10. And as it turned out, this can be done without any problems. As a result, after connecting the "Client SMB 1.0 / CIFS" component, everything worked for me. The system saw shared folders on computers on the network and the network folder configured on the router itself.

How to enable SMB1 in Windows 10?

Search for and open the old "Control Panel".

Switch to "Small Icons" and open "Programs and Features".

Open "Turn Windows features on or off". We find the item "Support for sharing files SMB 1.0 / CIFS". Open it and put a checkmark next to "SMB 1.0 / CIFS Client". Click Ok.

If the computer asks to restart, restart it. If there is no window with a proposal, then restart it manually.

After rebooting, on the "Network" - "Computer" tab, all available devices on your network should appear.

I would be glad if this article is useful to someone and helps to solve the problem. Do not forget to write in the comments about the results. Or ask a question, where can we go without them 🙂

Summary

This article provides procedures for enabling and disabling Server Message Block (SMB) version 1, SMB version 2 (SMBv2), and SMB version 3 (SMBv3) in SMB client and server components.

Warning. It is not recommended to disable SMB v2 or 3. Disable SMB v2 or 3 only as a temporary troubleshooting measure. Do not leave SMB version 2 or 3 disabled.

On Windows 7 and Windows Server 2008 R2, disabling SMB version 2 will disable the following functionality.


  • Request compounding, which allows multiple SMB 2 requests to be sent as a single network request.

  • Larger reads and writes, for better use of fast networks.

  • Caching of file and folder properties, where clients keep local copies of files and folders.

  • Durable handles, which allow a connection to transparently reconnect to the server after a temporary disconnection.

  • Improved message signing, where the HMAC SHA-256 hashing algorithm replaces MD5.

  • Improved scalability for file sharing (significantly increased number of users, shares and open files per server).

  • Support for symbolic links.

  • A client oplock leasing model that limits the amount of data transferred between the client and the server, which improves performance on high-latency networks and improves the scalability of the SMB server.

  • Large MTU support for full use of 10 Gigabit Ethernet.

  • Reduced power consumption: clients with files open on a server can go into sleep mode.

On Windows 8, Windows 8.1, Windows 10, Windows Server 2012 and Windows Server 2016, disabling SMB version 3 will disable the following functionality (as well as the SMB version 2 functionality described in the previous list).

  • Transparent failover, where clients fail over to cluster nodes during maintenance or outage without disruption.

  • Scale Out, which provides concurrent access to shared data on all cluster nodes.

  • Multichannel provides network link bandwidth aggregation and network resiliency across the various links available between the client and server.

  • SMB Direct - Provides support for RDMA networks to provide very high performance, low latency and low CPU utilization.

  • Encryption - Provides end-to-end encryption of data and protects it from eavesdropping on untrusted networks.

  • Directory leasing reduces application response times in branch offices through caching.

  • Optimize performance for small random read and write operations.


Additional Information

How to enable and disable SMB protocols on an SMB server

Windows 8 and Windows Server 2012

Windows 8 and Windows Server 2012 introduced the new Windows PowerShell cmdlet Set-SMBServerConfiguration. It allows you to enable or disable SMB versions 1, 2, and 3 on the server.
Notes. Enabling or disabling SMB version 2 in Windows 8 or Windows Server 2012 also enables or disables SMB version 3. This is due to the common stack used for these protocols.
After running the cmdlet

  • To get the current state of the SMB server protocol configuration, run the following cmdlet:

    Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol



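  • To disable SMB version 1 on the SMB server, run the following cmdlet:

    Set-SmbServerConfiguration -EnableSMB1Protocol $false

  • To disable SMB versions 2 and 3 on the SMB server, run the following cmdlet:

    Set-SmbServerConfiguration -EnableSMB2Protocol $false

  • To enable SMB version 1 on the SMB server, run the following cmdlet:

    Set-SmbServerConfiguration -EnableSMB1Protocol $true

  • To enable SMB versions 2 and 3 on the SMB server, run the following cmdlet:

    Set-SmbServerConfiguration -EnableSMB2Protocol $true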


Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008

To enable or disable SMB protocols on an SMB server running Windows 7, Windows Server 2008 R2, Windows Vista or Windows Server 2008, use Windows PowerShell or Registry Editor.

Windows PowerShell 2.0 or a later version of PowerShell


  • To disable SMB version 1 on the SMB server, run the following cmdlet:

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

  • To disable SMB versions 2 and 3 on the SMB server, run the following cmdlet:

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 0 -Force

  • To enable SMB version 1 protocol on the SMB server, run the following cmdlet:

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force

  • To enable SMB versions 2 and 3 on the SMB server, run the following cmdlet:

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 -Force


Note. After making these changes, the computer must be restarted.

Registry editor

Attention! This article contains information about modifying the registry. It is recommended that you back up the registry before making any changes and learn how to restore it in case a problem occurs. For more information about how to back up, restore, and modify the registry, see the following article in the Microsoft Knowledge Base.

To enable or disable SMB version 1 protocol on the SMB server, configure the following registry key:

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled

To enable or disable SMB version 2 on the SMB server, configure the following registry key:

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB2
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled


  • To disable SMB version 1 on an SMB client, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
    sc.exe config mrxsmb10 start= disabled

  • To enable SMB version 1 protocol on an SMB client, run the following commands:


    sc.exe config mrxsmb10 start= auto



  • To disable SMB versions 2 and 3 on an SMB client, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi
    sc.exe config mrxsmb20 start= disabled



  • To enable SMB versions 2 and 3 on an SMB client, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
    sc.exe config mrxsmb20 start= auto


Notes.

  • These commands should be entered at a command prompt with elevated privileges.

  • After making these changes, the computer must be restarted.

In connection with the recent outbreak of the WannaCry ransomware exploiting the SMB v1 vulnerability, advice to disable this protocol is circulating online again. Moreover, Microsoft strongly recommended disabling the first version of SMB back in September 2016. But disabling it can lead to unexpected consequences, some of them bordering on the absurd: I personally came across a company where, after the fight against SMB, Sonos wireless speakers stopped playing.


Specifically to minimize the likelihood of shooting yourself in the foot, I want to recall the features of SMB and look in detail at the risks of thoughtlessly disabling its old versions.


SMB (Server Message Block) is a network protocol for remote access to files and printers. It is what is used when connecting resources via \\servername\sharename. The protocol originally ran on top of NetBIOS using UDP ports 137, 138 and TCP 137, 139. With the release of Windows 2000 it began to work directly, using TCP port 445. SMB is also used to log into and work in an Active Directory domain.


In addition to remote access to resources, the protocol is also used for interprocess communication through named pipes. The process is addressed by the path \\.\pipe\name.

The first version of the protocol, also known as CIFS (Common Internet File System), was created back in the 1980s, but the second version appeared only with Windows Vista, in 2006. The third version of the protocol came out with Windows 8. In parallel with Microsoft, the protocol was created and updated in its open implementation Samba.


With each new version, various improvements were added to the protocol to improve performance, security, and support for new features. But at the same time, support for old protocols remained for compatibility. Of course, older versions had and still have enough vulnerabilities, one of which is used by WannaCry.


The table below summarizes the changes across SMB versions.

Version (operating system): added compared to the previous version

SMB 2.0 (Windows Vista / 2008):
  • Number of protocol commands reduced from 100+ to 19
  • Pipelining: sending additional requests before receiving a response to the previous one
  • Support for symbolic links
  • HMAC SHA256 message signing instead of MD5
  • Larger cache and larger read / write blocks

SMB 2.1 (Windows 7 / 2008 R2):
  • Performance improvements
  • Larger MTU support
  • BranchCache support, a mechanism that caches WAN requests on the local network

SMB 3.0 (Windows 8 / 2012):
  • Ability to build a transparent failover cluster with load balancing
  • Direct memory access (RDMA) support
  • Management through PowerShell cmdlets
  • VSS support
  • AES-CMAC signing
  • AES-CCM encryption
  • Ability to use network folders to store Hyper-V virtual machines
  • Ability to use network folders to store Microsoft SQL databases

SMB 3.02 (Windows 8.1 / 2012 R2):
  • Security and performance improvements
  • Automatic balancing in the cluster

SMB 3.1.1 (Windows 10 / 2016):
  • AES-GCM encryption support
  • Pre-authentication integrity check using a SHA512 hash
  • Mandatory secure negotiation when working with clients using SMB 2.x and higher

Counting the potential victims

Viewing the protocol version currently in use is quite simple; the Get-SmbConnection cmdlet does this:



Cmdlet output with open network resources on servers running different versions of Windows.


The output shows that a client supporting all protocol versions uses the highest version the server supports. Of course, if the client supports only an old protocol version and that version is disabled on the server, the connection will not be established. On modern Windows systems you can enable or disable legacy support with the Set-SmbServerConfiguration cmdlet, and view the state like this:


Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol


Turn off SMBv1 on a server running Windows 2012 R2.



Result when connecting from Windows 2003.


Thus, if you disable the old, vulnerable protocol, you can lose network functionality with old clients. Besides Windows XP and 2003, SMB v1 is also used in a number of software and hardware solutions (for example, a NAS on GNU/Linux using an old version of Samba).
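
To see which servers this client still reaches over SMB 1 before turning it off, the Dialect column of Get-SmbConnection can be grouped per server. The script below is an added example, not part of the original article; Get-Smb1Dependency is a hypothetical helper name, and the sample rows (including the "1.5" dialect string used for SMB 1) are constructed.

```powershell
# Added example. Get-Smb1Dependency is a hypothetical helper name.
function Get-Smb1Dependency {
    [CmdletBinding()]
    param(
        # Objects with ServerName, ShareName and Dialect properties,
        # such as those returned by Get-SmbConnection.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Connection
    )
    begin { $byServer = @{} }
    process {
        # Dialect looks like "1.5", "2.1" or "3.1.1"; only the major number matters here.
        $major = [int](([string]$Connection.Dialect).Split('.')[0])
        $name  = ([string]$Connection.ServerName).ToLowerInvariant()
        if (-not $byServer.ContainsKey($name)) {
            $byServer[$name] = [pscustomobject]@{
                ServerName = $name
                Dialects   = @()
                Shares     = @()
                UsesSmb1   = $false
            }
        }
        $entry = $byServer[$name]
        $entry.Dialects += [string]$Connection.Dialect
        $entry.Shares   += [string]$Connection.ShareName
        # Any connection below major version 2 means this server was reached over SMB 1.
        if ($major -lt 2) { $entry.UsesSmb1 = $true }
    }
    end {
        $byServer.Values | ForEach-Object {
            $_.Dialects = @($_.Dialects | Sort-Object -Unique)
            $_.Shares   = @($_.Shares | Sort-Object -Unique)
            $_
        } | Sort-Object @{ Expression = 'UsesSmb1'; Descending = $true }, ServerName
    }
}

# Constructed sample rows so the function can be tried without any open shares.
$sample = @(
    [pscustomobject]@{ ServerName = 'fs-2016';   ShareName = 'projects'; Dialect = '3.1.1' }
    [pscustomobject]@{ ServerName = 'fs-2008r2'; ShareName = 'archive';  Dialect = '2.1' }
    [pscustomobject]@{ ServerName = 'old-nas';   ShareName = 'scans';    Dialect = '1.5' }
    [pscustomobject]@{ ServerName = 'OLD-NAS';   ShareName = 'backup';   Dialect = '1.5' }
)
$sample | Get-Smb1Dependency | Format-Table -AutoSize

# On a live client, feed it the real connections instead:
#   Get-SmbConnection | Get-Smb1Dependency
```

Servers listed with UsesSmb1 set are the ones that will become unreachable from this client once the SMB 1 client is disabled. Only connections open at the moment the command runs are seen, so it should be run while the shares are in use.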


Below is a list of manufacturers and products that will completely or partially stop working when SMB v1 is disabled.

Manufacturer: product (comment)

  • Barracuda: SSL VPN; Web Security Gateway backups
  • Canon: Scan to network share
  • Cisco: WSA / WSAv; WAAS (versions 5.0 and older)
  • F5: RDP client gateway; Microsoft Exchange Proxy
  • Forcepoint (Raytheon): "Some products"
  • HPE: ArcSight Legacy Unified Connector (older versions)
  • IBM: NetServer (version V7R2 and older); QRadar Vulnerability Manager (versions 7.2.x and older)
  • Lexmark: Firmware eSF 2.x and eSF 3.x
  • Linux Kernel: CIFS client (from 2.5.42 to 3.5.x)
  • McAfee: Web Gateway
  • Microsoft: Windows (XP / 2003 and older)
  • MYOB: Accountants
  • NetApp: ONTAP (versions prior to 9.1)
  • NetGear: ReadyNAS
  • Oracle: Solaris (11.3 and older)
  • Pulse Secure: PCS (8.1R9 / 8.2R4 and older); PPS (5.1R9 / 5.3R4 and older)
  • QNAP: All storage devices (firmware older than 4.1)
  • RedHat: RHEL (versions prior to 7.2)
  • Ricoh: MFP, scan to network resource (except for a number of models)
  • RSA: Authentication Manager Server
  • Samba: Samba (older than 3.5)
  • Sonos: Wireless speakers
  • Sophos: Sophos UTM; Sophos XG firewall; Sophos Web Appliance
  • SUSE: SLES (11 and older)
  • Synology: Diskstation Manager (control only)
  • Thomson Reuters: CS Professional Suite
  • Tintri: Tintri OS, Tintri Global Center
  • VMware: vCenter; ESXi (older than 6.0)
  • Worldox: GX3 DMS
  • Xerox: MFP, scan to network resource (firmware without ConnectKey firmware)

The list is taken from the Microsoft website, where it is regularly updated.


The list of products using the old version of the protocol is quite large - before disabling SMB v1, you should definitely think about the consequences.

Disable

If there are no programs and devices using SMB v1 on the network, then, of course, it is better to disable the old protocol. On an SMB server running Windows 8/2012 this is done with the PowerShell cmdlet, whereas for Windows 7/2008 you will need to edit the registry. This can be done using PowerShell too:


Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

Or in any other convenient way. However, a reboot is required to apply the changes.


To disable SMB v1 support on a client, just stop the service responsible for its work and fix the dependencies of the lanmanworkstation service. This can be done with the following commands:


sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

To disable the protocol across the entire network, it is convenient to use group policies, in particular Group Policy Preferences. They make it easy to work with the registry.



Creating a registry entry through group policies.


To disable the protocol on the server, just create the following parameter:

  • path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters;

  • new parameter: REG_DWORD with the name SMB1;

  • value: 0.


Create a registry key to disable SMB v1 on the server through Group Policy.


To disable SMB v1 support on clients, you need to change the value of two parameters.


First, disable the SMB v1 protocol service:

  • path: HKLM:\SYSTEM\CurrentControlSet\services\mrxsmb10;

  • parameter: REG_DWORD named Start;

  • value: 4.


We update one of the parameters.


Then we will fix the dependency of the LanmanWorkstation service so that it does not depend on SMB v1:

  • path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation;

  • parameter: REG_MULTI_SZ named DependOnService;

  • value: three lines - Bowser, MRxSmb20 and NSI.


And replace with another.


After the group policy is applied, you need to restart the computers in your organization. After the reboot, SMB v1 will no longer be used.
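
A read-only check of the three registry settings that the group policy above writes, useful for verifying a machine after the reboot. This is an added example, not code from the original article; Get-RegValue and Get-Smb1RegistryState are hypothetical names, and treating a missing mrxsmb10 key as "driver not installed" is an assumption.

```powershell
# Added example: reads the settings described above and changes nothing.
# Get-RegValue and Get-Smb1RegistryState are hypothetical helper names.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Emits nothing when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-Smb1RegistryState {
    $services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $findings = @()

    # Server side: SMB1 = 0 disables the protocol; a missing value leaves the OS default in force.
    $smb1 = Get-RegValue "$services\LanmanServer\Parameters" 'SMB1'
    $server = if ($null -eq $smb1) { 'NotConfigured' } elseif ($smb1 -eq 0) { 'Disabled' } else { 'Enabled' }
    if ($server -eq 'Enabled') {
        $findings += 'Server: SMB1 value is set to enabled'
    } elseif ($server -eq 'NotConfigured') {
        $findings += 'Server: SMB1 value is not set, so the OS default applies'
    }

    # Client side: Start = 4 disables the mrxsmb10 driver.
    # Assumption: if the key is absent, the SMB 1 client driver is not installed.
    $driverKey = "$services\mrxsmb10"
    $start = Get-RegValue $driverKey 'Start'
    $client = if (-not (Test-Path $driverKey)) { 'DriverNotInstalled' } elseif ($start -eq 4) { 'Disabled' } else { 'Enabled' }
    if ($client -eq 'Enabled') {
        $findings += "Client: mrxsmb10 Start is $start, expected 4"
    }

    # LanmanWorkstation must not list MRxSmb10 among its dependencies.
    # If the driver is disabled but still listed, the Workstation service cannot start its dependency.
    $deps = @(Get-RegValue "$services\LanmanWorkstation" 'DependOnService' | Where-Object { $_ })
    if ($deps -contains 'MRxSmb10') {
        if ($client -eq 'Enabled') {
            $findings += 'Client: LanmanWorkstation DependOnService still lists MRxSmb10'
        } else {
            $findings += 'Client: LanmanWorkstation depends on MRxSmb10 although the driver is disabled or absent'
        }
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        ServerSmb1      = $server
        ClientDriver    = $client
        WorkstationDeps = $deps -join ', '
        Compliant       = ($findings.Count -eq 0)
        Findings        = $findings
    }
}

Get-Smb1RegistryState | Format-List
```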

If it works, don't touch it

Oddly enough, this old commandment is not always useful: ransomware and Trojans can be found in infrastructure that is rarely updated. However, careless disabling and updating of services can paralyze an organization just like a virus.


Tell us, have you already disabled SMB of the first version? Were there many victims?