I recently ran into this issue during a vulnerability assessment performed at work, so I figured I would add it here so that maybe it will help someone else out.
Server Message Blocks Protocol (SMB) is the file sharing protocol used by default on Windows-based computers. SMB 1.0 was designed for early Windows network operating systems such as Microsoft LAN Manager and Windows for Workgroups, but until Windows Server 2008 and Vista, all Microsoft-based operating systems continued to use it more or less in its original format.
SMB 2.0 was introduced in Windows Vista and Windows Server 2008. SMB 2.0 is designed for the needs of the next generation of file servers. Windows Server 2008 and Windows Vista support both SMB 1.0 and SMB 2.0 in order to preserve backward compatibility.
Some of the enhancements in SMB 2.0, include:
- Sending multiple SMB commands in the same packet which reduces the number of packets sent between a client and server
- Larger buffer sizes
- Increased scalability, including an increase in the number of concurrent open file handles on the server and the number of shares that a server can share out
- Support for Durable Handles that can withstand short network problems
- Support of Symbolic Links
Testing done with copying large files between Windows Vista and Windows Server 2008, and then Vista to Windows 2003, have shown that by using SMB 2.0 the file copying was, in averege, 2 times faster than with older operating systems.
However, while SMB 2.0 seems to do a good job if BOTH client and server OSs support it, in some cases it will slow things down. The reson for this is that the version of SMB used for file sharing is determined during the SMB session negotiation. If both the client and server support SMB 2.0, then SMB 2.0 is selected during the initial negotiation. However, if they don’t both support it, SMB 1.0 will be used to in order to preserve backwards compatibility.
The SMB protocol version to be used for file operations is decided during the negotiation phase. During the negotiation phase, a Windows Vista client advertises to the server that it can understand the new SMB 2.0 protocol. If the server (Windows Server 2008 or otherwise) understands SMB 2.0, then SMB 2.0 is chosen for subsequent communication. Otherwise the client and server use SMB 1.0.
When using the terms “client” and “server” in case of file and print sharing, it does not necessarily mean that a client-type OS such as Vista “always” connects to a server-type Os such as Windows Server 2008. Sometimes, a Vista computer will connect to another Vista computer, and in that case, the computer that is “serving” the shares is considered to be the “server”.
Here’s how SMB is used when related to SMB versions:
- When a Windows Server 2008/Vista “client” connects to a Windows Server 2008/Vista “server”, SMB 2.0 is used.
- When a Windows Server 2008/Vista “client” connects to a Windows 2000/XP/2003 “server”, SMB 1.0 is used.
- When a Windows 2000/XP/2003 “client” connects to a Windows Server 2008/Vista “server”, SMB 1.0 is used.
- When a Windows 2000/XP/2003 “client” connects to a Windows 2000/XP/2003 “server”, SMB 1.0 is used.
So, for troubleshooting purposes, mostly in an environment that has mixes operating systems, you might want to consider disabling SMB 2.0. You need to do so on both the “client” and the “server” operating systems. To disable SMB 2.0 for Windows Vista or Windows Server 2008 systems that are the “client” systems run the following commands:
sc config lanmanworkstation depend= bowser/mrxsmb10/nsi
sc config mrxsmb20 start= disabled
Note there’s an extra ” ” (space) after the “=” sign.
To enable back SMB 2.0 for Windows Vista or Windows Server 2008 systems that are the “client” systems run the following commands:
sc config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc config mrxsmb20 start= auto
Again, note there’s an extra ” ” (space) after the “=” sign.
In order to disable SMB 2.0 on the server-side computer, follow these steps:
This document contains instructions for editing the registry. If you make any error while editing the registry, you can potentially cause Windows to fail or be unable to boot, requiring you to reinstall Windows. Edit the registry at your own risk. Always back up the registry before making any changes. If you do not feel comfortable editing the registry, do not attempt these instructions. Instead, seek the help of a trained computer specialist.
- Run “regedit” on Windows Server 2008 based computer.
- Expand and locate the sub tree as follows.
- Add a new REG_DWORD key with the name of “Smb2″ (without quotation mark)
Value name: Smb2
Value type: REG_DWORD
0 = disabled
1 = enabled
- Set the value to 0 to disable SMB 2.0, or set it to 1 to re-enable SMB 2.0.
- Reboot the machine