SMBv1: Why It Needs Disabling for Cyber Essentials

SMBv1 (Server Message Block version 1) is the protocol that WannaCry exploited in 2017, costing the NHS over £92 million and cancelling 19,000 patient appointments. Microsoft deprecated it in 2014 and has not installed it by default since Windows 10 version 1709; hardening baselines such as the CIS benchmarks say to disable it. I still find it enabled on networks regularly during assessments. If it's on your machines, it'll fail the Secure Configuration control.
Why I specifically check for this
Here's why SMBv1 is on my CE Plus assessment checklist: it's the single most reliable indicator of whether an organisation has done any hardening beyond the basics. If SMBv1 is still enabled, the machine was set up and left in its default state. That tells me the Secure Configuration control wasn't applied thoroughly, and I should look more carefully at everything else.
It's also a real risk, not a theoretical one, because WannaCry proved it in 2017. The ransomware used the EternalBlue exploit (the bug fixed by MS17-010) against SMBv1 to propagate across networks at speed. The NHS was hit because hospitals were running unpatched machines with SMBv1 enabled. A protocol designed in the 1980s, with no encryption and only optional, bolted-on signing as its integrity protection, was still active on systems handling patient data. The cost was £92 million and 19,000 cancelled appointments. Honestly, that should have been the end of SMBv1 everywhere.
EternalBlue itself was an implementation bug, and Microsoft patched it in March 2017, two months before WannaCry. But patching does not make SMBv1 safe. The protocol predates every modern SMB protection: it has no encryption, no pre-authentication integrity, no secure dialect negotiation, and a large legacy code surface that kept producing memory-corruption bugs. That is why Microsoft deprecated it, and why modern file sharing uses SMBv2 and SMBv3: SMBv2 replaced the protocol with a much smaller one, SMB 3.0 added encryption, and SMB 3.1.1 added pre-authentication integrity so the dialect negotiation itself cannot be tampered with.
The only reason SMBv1 is still running on machines in 2026 is that nobody turned it off. It's a brutal gap in otherwise reasonable security postures.
Legacy devices and the resistance to disabling
Every time I recommend disabling SMBv1 across a network, someone asks "but what about the printer, or the NAS, or the copier with scan-to-folder?" Look, I understand the worried reaction, but the answer is straightforward.
Some very old devices (network printers with firmware from 2010, legacy NAS devices, old copiers) genuinely depend on SMBv1 for file sharing. If you have one, the right answer is to replace it. That device is using a protocol with known critical vulnerabilities, and keeping SMBv1 enabled across your entire network to support one piece of ancient hardware puts everything else at risk.
If replacement isn't immediately possible, isolate the device on its own network segment: put the device and the one share it writes to on that segment, allow only that traffic through, and leave SMBv1 off everywhere else. Don't leave SMBv1 active on every workstation and server because one printer needs it. A VLAN configuration costs a few hundred pounds in IT time. A ransomware incident that spreads through your network costs tens of thousands: recovery fees of £15,000 or more aren't unusual, and losing three days of billable work to exactly this scenario is not uncommon (figures in line with the January 2025 assurance advisory).
How to check if it's enabled
Windows 10 and 11
Open PowerShell as Administrator:
Get-SmbServerConfiguration | Select EnableSMB1Protocol
If it returns True, SMBv1 is enabled.
You can also check whether the SMBv1 optional feature is installed at all (it bundles both the client and the server components):
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
If the State shows Enabled, the SMBv1 binaries are installed. Check both: on Windows 10 and 11, Get-SmbServerConfiguration can still report EnableSMB1Protocol as True on a machine where the feature was never installed, because it is reading a registry value rather than the driver state. The feature state is the one that tells you whether SMBv1 is actually present.
Windows Server
The same commands work on Windows Server, where the feature is also exposed as the role feature FS-SMB1 in Server Manager. SMBv1 is installed and enabled by default on Windows Server 2016 and earlier; from Windows Server 2019 it is no longer installed by default, although a machine upgraded in place from an older version may still carry it.
How to disable it
Method 1: PowerShell (immediate)
Disable the SMBv1 server:
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Remove the SMBv1 feature entirely:
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
Restart the machine after removing the feature. Note that the Set-SmbServerConfiguration line only switches off the SMBv1 server; the SMBv1 client (the mrxsmb10 redirector driver) stays loaded until the feature is removed or the driver is disabled, so do both.
Method 2: Group Policy (recommended for domains)
For domain environments, use Group Policy to enforce the setting across all machines:
- Create a GPO that runs a startup script disabling SMBv1
- Or use Group Policy Preferences to set the server-side registry value:
- Path: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
- Value name: SMB1
- Value type: DWORD
- Value data: 0
That registry value only disables the SMBv1 server. The SMBv1 client is controlled by the mrxsmb10 driver service and the LanmanWorkstation service's dependency list, which Microsoft's guidance disables separately, so a startup script is the simplest way to cover both, and the feature itself should still be removed.
Group Policy ensures consistency. If someone re-enables SMBv1 locally, the GPO will set it back at the next refresh (provided the registry item is not configured to apply only once).
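The following script is an added example, not the article's own tooling and not a Microsoft script, that puts Methods 1 and 2 together on a single machine: it reports the three places SMBv1 can still be present (the server configuration, the client driver service, and the installed feature), then writes the same server value the Group Policy registry item sets, disables the client driver the way Microsoft's guidance does, and removes the feature. The file name Disable-Smb1.ps1 and the -ReportOnly switch are assumptions. It targets Windows 8.1 / Server 2012 R2 and later and must run elevated.

```powershell
#Requires -RunAsAdministrator
# Disable-Smb1.ps1: added example (not the article's script). Reports and then
# removes SMBv1 on the local machine. Windows 8.1 / Server 2012 R2 and later.
[CmdletBinding()]
param(
    [switch]$ReportOnly   # hypothetical switch: show status, change nothing
)
$ErrorActionPreference = 'Stop'

$ServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ClientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'

function Get-Smb1Status {
    # Three independent indicators. EnableSMB1Protocol can read True on
    # Windows 10/11 where the feature was never installed, so the feature
    # state and the client driver are the ones to trust.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $start   = (Get-ItemProperty -Path $ClientKey -Name Start -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        ServerConfigEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
        FeatureState        = if ($feature) { $feature.State.ToString() } else { 'Unknown' }
        ClientDriverStart   = if ($null -eq $start) { 'NotInstalled' }
                              elseif ($start -eq 4)  { 'Disabled' }     # Start=4 is SERVICE_DISABLED
                              else                   { "Start=$start" }
    }
}

function Disable-Smb1 {
    # Server side: the cmdlet writes LanmanServer\Parameters\SMB1 = 0, the same
    # value a Group Policy Preferences registry item would enforce under $ServerKey.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # Client side: drop the SMB1 redirector from the workstation service's
    # dependencies and disable its driver, as Microsoft's guidance does.
    if (Test-Path $ClientKey) {
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
    }

    # Remove the feature so the binaries leave the box. Windows Server exposes it
    # as the role feature FS-SMB1; client SKUs as the optional feature SMB1Protocol.
    if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
        Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null
    } else {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

Write-Host '--- Before ---'
Get-Smb1Status | Format-List | Out-Host
if ($ReportOnly) { return }

Disable-Smb1
Write-Host '--- After (driver and feature changes take effect after a reboot) ---'
Get-Smb1Status | Format-List | Out-Host
```

Run it with -ReportOnly first to see what a machine looks like before you touch it; the same script, deployed as a GPO startup script, gives you Method 2 with the client side covered as well as the server side. Keep the "Before" output: it is useful evidence for the assessment folder.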
Method 3: Windows Features (GUI)
On Windows 10/11, use the GUI method:
- Open Control Panel > Programs and Features
- Click "Turn Windows features on or off"
- Uncheck "SMB 1.0/CIFS File Sharing Support"
- Restart the machine after unchecking
What might break?
On a modern network, usually nothing. SMBv2 and SMBv3 handle all file sharing between current Windows machines.
If disabling SMBv1 breaks connectivity to a device, that device is almost certainly unsupported and should be replaced. Common culprits:
- Old network printers with firmware from 2010 or earlier
- Legacy NAS devices running outdated firmware
- Old copiers with scan-to-folder functionality
If you genuinely can't replace the device immediately, isolate it on its own network segment and don't leave SMBv1 enabled across your entire estate to support it.
Auditing SMBv1 across the entire network
Checking one machine is straightforward enough, but the challenge is confirming SMBv1 is disabled everywhere. If you have Active Directory, you can run the check remotely across all domain-joined machines:
$computers = Get-ADComputer -Filter 'OperatingSystem -like "*Windows*" -and Enabled -eq "True"' |
    Select-Object -ExpandProperty DNSHostName
# Fan out over WinRM in parallel; machines that cannot be reached land in $failed.
$results = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ErrorVariable failed -ScriptBlock {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $state = if ($feature) { $feature.State.ToString() } else { 'Unknown' }
    [pscustomobject]@{
        Smb1ServerConfig = (Get-SmbServerConfiguration).EnableSMB1Protocol
        Smb1Feature      = $state
        # The feature state is the reliable indicator: EnableSMB1Protocol can read
        # True on Windows 10/11 where the SMBv1 feature was never installed.
        NeedsRemediation = ($state -eq 'Enabled')
    }
}
$results | Select-Object PSComputerName, Smb1ServerConfig, Smb1Feature, NeedsRemediation |
    Export-Csv -Path .\smb1-audit.csv -NoTypeInformation
$results | Where-Object { $_.NeedsRemediation } | Select-Object PSComputerName, Smb1ServerConfig, Smb1Feature
$failed | ForEach-Object { "$($_.TargetObject) : UNREACHABLE ($($_.Exception.Message))" }
Any machine flagged NeedsRemediation (the SMBv1 feature is still installed and enabled) needs fixing. Any machine listed as UNREACHABLE needs investigating separately, because it might be off the network, powered down, or running without WinRM enabled, and "we couldn't check it" is not evidence that it is clean. The CSV is your audit trail for the assessment.
For non-domain environments, you need to check each machine individually. If you use a remote monitoring and management tool, most of them can run PowerShell commands across your managed fleet and report the results. Set up a recurring check that alerts on any machine where SMBv1 is enabled, so new machines or rebuilt machines get caught.
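The WinRM audit above only reaches domain-joined Windows machines. The added function below, which is not the article's code, answers the same question over the network for anything with port 445 open, including the NAS boxes and printers the legacy-device section worries about: it sends the first message every SMB client sends (an SMB1 NEGOTIATE, command 0x72) but offers only the SMB1 dialect "NT LM 0.12". A host with SMBv1 enabled answers with an SMB1 header (\xFFSMB); a host that only speaks SMB2/3 has nothing it can negotiate and drops the connection. No credentials are sent and nothing is exploited. The function name and the hostnames and 192.0.2.x address in the usage comments are placeholders I made up for the example.

```powershell
# Added example (not the article's code): probe a host for SMBv1 on the wire.
function Test-Smb1Negotiate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$ComputerName,
        [int]$Port = 445,
        [int]$TimeoutMs = 3000
    )
    process {
        # --- SMB1 NEGOTIATE request offering a single SMB1 dialect ---
        $dialect = [System.Text.Encoding]::ASCII.GetBytes('NT LM 0.12')
        $data    = [byte[]]@(0x02) + $dialect + [byte[]]@(0x00)   # BufferFormat, string, NUL
        $header  = [byte[]]@(
            0xFF, 0x53, 0x4D, 0x42,      # Protocol: "\xFF" "S" "M" "B"
            0x72,                        # Command: SMB_COM_NEGOTIATE
            0, 0, 0, 0,                  # Status
            0x18,                        # Flags: case-insensitive, canonicalised paths
            0x01, 0xC0,                  # Flags2: long names, NT status codes, Unicode
            0, 0,                        # PIDHigh
            0, 0, 0, 0, 0, 0, 0, 0,      # SecurityFeatures (unsigned)
            0, 0,                        # Reserved
            0, 0,                        # TID
            0xFF, 0xFE,                  # PIDLow
            0, 0,                        # UID
            0, 0                         # MID
        )
        # WordCount = 0, then ByteCount (little-endian) and the dialect block
        $smb    = $header + [byte[]]@(0x00) + [BitConverter]::GetBytes([uint16]$data.Length) + $data
        # NetBIOS session service header: type 0x00 followed by a 24-bit big-endian length
        $packet = [byte[]]([byte[]]@(0, 0, ($smb.Length -shr 8), ($smb.Length -band 0xFF)) + $smb)

        $result = [pscustomobject]@{ ComputerName = $ComputerName; Smb1Enabled = $null; Detail = '' }
        $tcp = New-Object System.Net.Sockets.TcpClient
        try {
            $ar = $tcp.BeginConnect($ComputerName, $Port, $null, $null)
            if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $result.Detail = "no TCP connection to port $Port within $TimeoutMs ms"
                return $result
            }
            $tcp.EndConnect($ar)
            $stream = $tcp.GetStream()
            $stream.ReadTimeout = $TimeoutMs
            $stream.Write($packet, 0, $packet.Length)

            $buf = New-Object byte[] 512
            $n = $stream.Read($buf, 0, $buf.Length)        # 0 bytes = peer closed the connection
            $isSmb1 = (($n -ge 9) -and ($buf[4] -eq 0xFF) -and ($buf[5] -eq 0x53) -and
                       ($buf[6] -eq 0x4D) -and ($buf[7] -eq 0x42) -and ($buf[8] -eq 0x72))
            if ($isSmb1) {
                # DialectIndex follows the 32-byte header and the WordCount byte (offset 37);
                # 0xFFFF means an SMB1 server answered but refused every dialect offered.
                $index = if ($n -ge 39) { [BitConverter]::ToUInt16($buf, 37) } else { 0 }
                $result.Smb1Enabled = ($index -ne 0xFFFF)
                $result.Detail = "SMB1 NEGOTIATE response, DialectIndex=0x{0:X4}" -f $index
            } elseif ($n -ge 5 -and $buf[4] -eq 0xFE) {
                $result.Smb1Enabled = $false
                $result.Detail = 'answered with an SMB2 header; SMB1 dialect not accepted'
            } else {
                $result.Smb1Enabled = $false
                $result.Detail = "no SMB1 response; connection closed after $n byte(s)"
            }
        } catch [System.IO.IOException] {
            $result.Smb1Enabled = $false
            $result.Detail = 'no SMB1 response before timeout, or connection reset'
        } catch {
            $result.Detail = "error: $($_.Exception.Message)"
        } finally {
            $tcp.Close()
        }
        $result
    }
}

# Usage (placeholder names and a documentation-range address):
# 'fileserver01', 'nas-legacy', '192.0.2.20' | Test-Smb1Negotiate | Format-Table -AutoSize
# Get-ADComputer -Filter 'Enabled -eq "True"' | Select-Object -ExpandProperty DNSHostName |
#     Test-Smb1Negotiate | Where-Object { $_.Smb1Enabled } | Export-Csv .\smb1-on-the-wire.csv -NoTypeInformation
```

A result of $null for Smb1Enabled means the host did not answer on 445 at all and still needs checking by other means. Two caveats: sending raw negotiates to every host is exactly the kind of traffic an EDR or IDS will flag, so tell whoever watches those alerts first, and only probe the estate you are responsible for.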
What happens during a CE Plus assessment
During the technical audit, I sample a set of machines and run the SMBv1 check on each one. If SMBv1 is enabled on any sampled machine, that is a finding under the Secure Configuration control. The assessor notes it, and you need to remediate before the certificate can be issued.
Under Danzell v3.3, if the first sample fails, the assessor doubles the sample size. Two failures in the doubled sample means the entire assessment fails. Bottom line: one machine with SMBv1 enabled becomes a problem that scales.
The fix itself takes two minutes per machine, or one Group Policy change for an entire domain. The effort per machine is minimal, and the real difficulty is knowing SMBv1 is there in the first place, which is why I recommend running the audit above before your assessment, not during it. What actually catches people out is the machines they forgot about.
SMBv2 and SMBv3 are not optional alternatives
People sometimes ask whether they should keep SMBv1 "as a fallback." No. Bluntly, SMBv2 and SMBv3 aren't optional upgrades. They're the replacement, and they've been the default for over a decade.
SMBv2 was introduced with Windows Vista and Windows Server 2008. It is supported on every Windows version that is still receiving security patches. If a device cannot use SMBv2, it is running software that should have been retired years ago.
SMBv3 adds encryption, which means file sharing traffic between machines is encrypted in transit. On a network where SMBv3 is available, an attacker who intercepts the traffic between your workstation and the file server gets encrypted data they cannot read. With SMBv1, the traffic is in cleartext. Anyone who can see the network traffic can read the files being transferred.
The practical difference: SMBv1 gives you file sharing in cleartext, with optional MD5-based signing as its only integrity protection. SMB 3.x gives you AES encryption (AES-128-CCM from SMB 3.0, AES-128-GCM from 3.1.1, and AES-256 on current Windows versions) with message integrity, plus pre-authentication integrity in 3.1.1 so an attacker on the path cannot quietly downgrade the dialect. There is no scenario where SMBv1 is the better choice.
How pen testers use SMBv1 against you
During internal pen testing engagements, SMBv1 is one of the first things I check for. If it's enabled, I can typically access every file server on the network within 15 minutes.
The typical attack chain works like this. I compromise one workstation through phishing or a local exploit. I run a network scan and find that SMBv1 is enabled on file servers. I use known exploits against the SMBv1 service to gain access to those servers without needing valid credentials. From there, I access shared drives, extract passwords stored in files, and escalate privileges. Credential-less exploitation does depend on the server also missing the relevant patch (EternalBlue was fixed by MS17-010 in March 2017), but a machine on which SMBv1 was never turned off is exactly the kind of machine whose patch state should not be assumed.
None of this works if SMBv1 is disabled. The exploits that target SMBv1 hit code that is simply not loaded when the protocol is off; they do nothing against SMBv2 or SMBv3. It is not a matter of the attacker trying harder. The attack surface does not exist when the protocol is turned off. That is not a reason to stop patching, though: SMBv3 has had serious bugs of its own (SMBGhost, CVE-2020-0796, in SMB 3.1.1 compression), so disabling SMBv1 removes one attack surface rather than replacing patch management.
This is why I check it during CE Plus assessments. Not because it's a box-ticking exercise, but because it's a practical security measure that directly reduces the attack surface I would exploit during a pen test.
Verify the fix
After disabling SMBv1, run the check again on a sample of machines:
Get-SmbServerConfiguration | Select EnableSMB1Protocol
Confirm it returns False, and on Windows 10 and 11 pair it with the optional-feature check so you are looking at the feature state rather than a leftover registry value. Run it after the reboot the feature removal needs, across enough machines to give yourself confidence that the GPO or manual change has applied everywhere. Document the results for your assessment evidence folder. A screenshot of the PowerShell output on three or four representative machines is usually sufficient.
Need help with your Cyber Essentials assessment? Get in touch or request a quote to talk through your scope.