WannaCry, NotPetya, EternalBlue. If those names don’t send a shiver down your spine, you’ve been lucky. The common thread? SMBv1. This isn’t ancient history; it’s still a live threat.
SMBv1 is an obsolete protocol. There’s no legitimate reason for it to be running in any modern environment. Even patched systems are vulnerable to new zero-days targeting this specific protocol. Keeping it enabled is just asking for trouble.
This is basic hygiene. Do it. The commands are straightforward and remove a massive attack surface.
Here’s how:

Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
If you haven’t done this, you’re leaving a gaping hole. Close it today.
The fix
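# PowerShell (run in an elevated session)
# Disable SMBv1 on the SMB server
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Disable the SMB1Protocol optional feature, which also carries the SMBv1 client;
# -NoRestart defers the reboot, so the change completes at the next restart
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart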
Reference: CIS Windows Server Benchmark 18.3.3
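
A way to confirm that the two commands above took effect, and to see which clients still connect over SMBv1 before the server side is switched off. This is an added example, not code from the original post, and it goes beyond the page's two commands by using the SMB server's audit setting (`-AuditSmb1Access`) and its event ID 3000. The function names are hypothetical, and the `Client Address:` pattern assumes English-language event text.

```powershell
# Added example; run in an elevated session. Function names are hypothetical.

function Test-Smb1Disabled {
    # Setting changed by Set-SmbServerConfiguration -EnableSMB1Protocol $false
    $server  = Get-SmbServerConfiguration
    # Feature changed by Disable-WindowsOptionalFeature. Assumption: if the
    # feature is not listed at all, it is treated as not installed.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $state   = if ($feature -and $feature.State) { [string]$feature.State } else { 'NotPresent' }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ServerSmb1Enabled = [bool]$server.EnableSMB1Protocol
        FeatureState      = $state
        # -NoRestart leaves the feature in DisablePending until the next reboot
        RestartPending    = $state -eq 'DisablePending'
        Compliant         = (-not $server.EnableSMB1Protocol) -and
                            ($state -in 'Disabled', 'DisabledWithPayloadRemoved', 'NotPresent')
    }
}

function Get-Smb1AuditClient {
    param([int]$Days = 7)
    # Events are only written while SMBv1 is still enabled and auditing is on:
    #   Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    $filter = @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000                      # SMB1 access
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: English message text containing "Client Address: <address>"
            if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] }
        } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object @{ Name = 'Client'; Expression = { $_.Name } }, Count
}

Get-Smb1AuditClient -Days 7 | Format-Table -AutoSize   # clients that still use SMBv1, if any
Test-Smb1Disabled | Format-List                         # state after applying the fix
```

A `RestartPending` value of `True` means the feature removal has been staged but the host has not rebooted yet, so `Compliant` stays `False` until it does.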