EPFL > VPSI > IT > EXAPP - Information site: WinAD (Windows Active Directory)
 

 
How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows
 
In PowerShell, for Windows 8 and Windows Server 2012:
To check the state of the protocol (remember to open the shell as administrator):
  • Get-SmbServerConfiguration
  • Get-SmbConnection
  • Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol
 -----------------------------------------------------------------------

To obtain this information, we simulate an SMB connection on the local machine's loopback interface, simply by listing the contents of the C: drive over SMB. This gives:

dir \\localhost\c$
 
Then quickly follow up with the command below, before the SMB session closes.
 
Get-SmbConnection -ServerName localhost
-------------------------------------------------------
 
 
_________________________________________________________________________________________

Disabling SMBv1 and/or SMBv2

If you are ready to switch to 100% SMBv3, here is how to disable SMBv1, and even SMBv2, in PowerShell.

Set-SmbServerConfiguration -EnableSMB1Protocol $false

As its name suggests, the command above modifies the SMB configuration, here the parameter that enables or disables version 1 of the SMB protocol. To do the same for SMBv2, repeat the operation with the other parameter name. Note that, according to the Microsoft article reproduced further down this page, this parameter controls SMBv2 and SMBv3 together:

Set-SmbServerConfiguration -EnableSMB2Protocol $false

With the "Get-SmbServerConfiguration" command you can check that both parameters, "EnableSMB1Protocol" and "EnableSMB2Protocol", are indeed set to False.

EnableSMB1Protocol : False
EnableSMB2Protocol : False
 _______________________________________________________
Version history

The first version of SMB was not called SMB: it is the CIFS (Common Internet File System) protocol that represents the first version of this protocol. Needless to say, it is not new, since it was created in the days of Windows NT 4.0.

Later, more precisely starting with Windows 2000, the first version of the SMB protocol arrived. Here is a summary of the SMB protocol versions:

SMB 1.0: The first version bearing the SMB name arrived with Windows 2000 and was used by Windows XP, Windows Server 2003 and Windows Server 2003 R2.

SMB 2.0: The version used in Windows Vista (SP1 and later) and its server equivalent, Windows Server 2008.

SMB 2.1: The version used in Windows 7 and Windows Server 2008 R2.

SMB 3.0: The birth of v3 of the SMB protocol, with the launch of Windows 8 and Windows Server 2012.

SMB 3.02: The first evolutions of SMB v3 benefit Windows 8.1 and Windows Server 2012 R2 with this version 3.02 of SMB.

SMB 3.1.1: In Windows 10 / Server 2016 (1607).

You now know how the SMB protocol has evolved over time and which versions of Windows introduced these different versions.

 
 
 
______________________________________________________________

How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012

                     
        
                
This article describes how to enable and disable Server Message Block (SMB) version 1 (SMBv1), SMB version 2 (SMBv2), and SMB version 3 (SMBv3) on the SMB client and server components. 

Warning: We do not recommend that you disable SMBv2 or SMBv3. Disable SMBv2 or SMBv3 only as a temporary troubleshooting measure. Do not leave SMBv2 or SMBv3 disabled.

In Windows 7 and Windows Server 2008 R2, disabling SMBv2 deactivates the following functionality:
  • Request compounding - allows for sending multiple SMB 2 requests as a single network request
  • Larger reads and writes - better use of faster networks
  • Caching of folder and file properties - clients keep local copies of folders and files
  • Durable handles - allow for connection to transparently reconnect to the server if there is a temporary disconnection
  • Improved message signing - HMAC SHA-256 replaces MD5 as hashing algorithm
  • Improved scalability for file sharing - number of users, shares, and open files per server greatly increased
  • Support for symbolic links
  • Client oplock leasing model - limits the data transferred between the client and server, improving performance on high-latency networks and increasing SMB server scalability
  • Large MTU support - for full use of 10-gigabit (Gb) Ethernet
  • Improved energy efficiency - clients that have open files to a server can sleep
In Windows 8 and Windows Server 2012, disabling SMBv3 deactivates the following functionality (and also the SMBv2 functionality that is described in the previous list):
  • Transparent Failover - clients reconnect without interruption to cluster nodes during maintenance or failover
  • Scale Out – concurrent access to shared data on all file cluster nodes 
  • Multichannel - aggregation of network bandwidth and fault tolerance if multiple paths are available between client and server
  • SMB Direct – adds RDMA networking support for very high performance, with low latency and low CPU utilization
  • Encryption – Provides end-to-end encryption and protects from eavesdropping on untrustworthy networks
  • Directory Leasing - Improves application response times in branch offices through caching
  • Performance Optimizations - optimizations for small random read
 
        

More Information

                
The SMBv2 protocol was introduced in Windows Vista and Windows Server 2008.

The SMBv3 protocol was introduced in Windows 8 and Windows Server 2012.

For more information about the capabilities of SMBv2 and SMBv3, go to the following Microsoft TechNet websites:
        

How to enable or disable SMB protocols on the SMB server

    
    
        
                

Windows 8 and Windows Server 2012

Windows 8 and Windows Server 2012 introduce the new Set-SMBServerConfiguration Windows PowerShell cmdlet. The cmdlet lets you enable or disable the SMBv1, SMBv2, and SMBv3 protocols on the server component.

Note: When you enable or disable SMBv2 in Windows 8 or in Windows Server 2012, SMBv3 is also enabled or disabled. This behavior occurs because these protocols share the same stack.

You do not have to restart the computer after you run the Set-SMBServerConfiguration cmdlet.
  • To obtain the current state of the SMB server protocol configuration, run the following cmdlet:
    Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol
  • To disable SMBv1 on the SMB server, run the following cmdlet:
    Set-SmbServerConfiguration -EnableSMB1Protocol $false
  • To disable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:
    Set-SmbServerConfiguration -EnableSMB2Protocol $false
  • To enable SMBv1 on the SMB server, run the following cmdlet:
    Set-SmbServerConfiguration -EnableSMB1Protocol $true
  • To enable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:
    Set-SmbServerConfiguration -EnableSMB2Protocol $true

Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008

To enable or disable SMB protocols on an SMB server that is running Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, use Windows PowerShell or Registry Editor.

Windows PowerShell 2.0 or a later version of PowerShell

  • To disable SMBv1 on the SMB server, run the following cmdlet:
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
  • To disable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 0 -Force
  • To enable SMBv1 on the SMB server, run the following cmdlet:
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force
  • To enable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 -Force
Note: You must restart the computer after you make these changes.

Registry Editor

Important: This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows

To enable or disable SMBv1 on the SMB server, configure the following registry key:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled

To enable or disable SMBv2 on the SMB server, configure the following registry key:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB2
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled
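
As an added example (not part of the original article or of Microsoft's text), the following PowerShell function reports the SMB server protocol state for both families of Windows versions described above: it uses Get-SmbServerConfiguration where the cmdlet exists and otherwise reads the SMB1 and SMB2 registry entries. The function name Get-SmbServerProtocolState and the wording of its findings are assumptions made for this example; run it from an elevated shell.

```powershell
# Added example, not from the original article. The function name and the
# finding texts are hypothetical; the cmdlet, key and entry names are the
# ones given in the article above. Written to also run on PowerShell 2.0.
function Get-SmbServerProtocolState {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later: live configuration, no restart needed.
        $cfg    = Get-SmbServerConfiguration
        $smb1   = [bool]$cfg.EnableSMB1Protocol
        $smb2   = [bool]$cfg.EnableSMB2Protocol
        $source = 'Get-SmbServerConfiguration'
    }
    else {
        # Windows 7 / Server 2008 R2 and earlier: read the registry entries.
        # These are the configured values; they apply after a restart.
        $key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $params = Get-ItemProperty -Path $key -ErrorAction Stop
        # An absent entry means the default, which the article gives as 1 (enabled).
        $smb1   = ($null -eq $params.SMB1) -or ($params.SMB1 -ne 0)
        $smb2   = ($null -eq $params.SMB2) -or ($params.SMB2 -ne 0)
        $source = 'Registry'
    }

    # Flag the two states the article treats as noteworthy.
    $findings = @()
    if ($smb1)     { $findings += 'SMBv1 server is enabled' }
    if (-not $smb2) { $findings += 'SMBv2/SMBv3 server is disabled (troubleshooting only)' }

    New-Object PSObject -Property @{
        ComputerName    = $env:COMPUTERNAME
        Source          = $source
        SMB1Enabled     = $smb1
        SMB2And3Enabled = $smb2
        Findings        = ($findings -join '; ')
    }
}

Get-SmbServerProtocolState |
    Format-List ComputerName, Source, SMB1Enabled, SMB2And3Enabled, Findings
```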
        
    
         
        

How to enable or disable SMB protocols on the SMB client

  
                

Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012

Note: When you enable or disable SMBv2 in Windows 8 or in Windows Server 2012, SMBv3 is also enabled or disabled. This behavior occurs because these protocols share the same stack.
  • To disable SMBv1 on the SMB client, run the following commands:
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
    sc.exe config mrxsmb10 start= disabled
  • To enable SMBv1 on the SMB client, run the following commands:
    sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
    sc.exe config mrxsmb10 start= auto
  • To disable SMBv2 and SMBv3 on the SMB client, run the following commands:
    sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi
    sc.exe config mrxsmb20 start= disabled
  • To enable SMBv2 and SMBv3 on the SMB client, run the following commands:
    sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
    sc.exe config mrxsmb20 start= auto

Notes:
  • You must run these commands at an elevated command prompt.
  • You must restart the computer after you make these changes.
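
As an added example (not part of the original article), the following PowerShell function checks that both halves of each sc.exe pair above were applied consistently: the driver start type and the Workstation dependency list. It reads the values that sc.exe config stores under the Services registry key; the function name Get-SmbClientProtocolState and the status texts are assumptions made for this example.

```powershell
# Added example, not from the original article. The function name and status
# texts are hypothetical. The registry shows the configured state, which the
# article says applies after a restart.
function Get-SmbClientProtocolState {
    $services   = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $protocols  = @{ mrxsmb10 = 'SMBv1'; mrxsmb20 = 'SMBv2/SMBv3' }
    $startNames = @{ 0 = 'boot'; 1 = 'system'; 2 = 'auto'; 3 = 'demand'; 4 = 'disabled' }

    # Dependency list written by "sc.exe config lanmanworkstation depend= ...".
    $workstation = Get-ItemProperty "$services\LanmanWorkstation" -ErrorAction Stop
    $depends     = @($workstation.DependOnService)

    foreach ($driver in 'mrxsmb10', 'mrxsmb20') {
        $key          = Get-ItemProperty "$services\$driver" -ErrorAction SilentlyContinue
        $isDependency = $depends -contains $driver   # -contains ignores case

        if ($key) {
            # Start type written by "sc.exe config <driver> start= ...".
            $start   = $startNames[[int]$key.Start]
            $enabled = $key.Start -ne 4
        } else {
            $start   = 'no service key'
            $enabled = $false
        }

        # Both settings must agree; a disabled driver that Workstation still
        # depends on (or the reverse) means only one of the two commands ran.
        if ($enabled -and $isDependency) { $status = 'enabled' }
        elseif (-not $enabled -and -not $isDependency) { $status = 'disabled' }
        else { $status = 'INCONSISTENT: start type and Workstation dependency disagree' }

        New-Object PSObject -Property @{
            Protocol             = $protocols[$driver]
            Driver               = $driver
            StartType            = $start
            WorkstationDependsOn = $isDependency
            Status               = $status
        }
    }
}

Get-SmbClientProtocolState |
    Format-Table Protocol, Driver, StartType, WorkstationDependsOn, Status -AutoSize
```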

Article No. 238, dated 06.02.2017, by Alain Gremaud
URL of this article: http://winad.epfl.ch/?article=238

© 2017 VPSI - EXAPP - TC