I've done an audit of my environment and found about nine servers still running SMBv1, even though SMBv2 and SMBv3 are available everywhere. My audit logs barely show any SMBv1 traffic over the last year, mostly just occasional scans or random connections. Before I go ahead and disable SMBv1, I want to ensure that no production systems are relying on it. What's the safest approach to confirm that SMBv1 isn't in use? Are there any checklists or steps I should follow?
5 Answers
Audit the usage first! You can check out the official guide on how to audit SMBv1 usage. Set specific registry keys and then check event ID 3000 in the logs to see which clients are trying to connect using SMBv1. Also, look at the shared files on those servers to spot any old devices that might be causing trouble, like outdated printers.
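The audit step this answer describes, written out as an added PowerShell example (not posted by anyone in this thread): it turns on SMB1 access auditing and then summarises the event ID 3000 records by client. It assumes a Windows Server 2016 / Windows 10 or later file server, where `Set-SmbServerConfiguration -AuditSmb1Access` sets the audit value the official guide refers to, and the 14-day window is an arbitrary choice.

```powershell
# Added example: enable SMB1 access auditing on a file server and list which
# clients have been recorded in event ID 3000. Run in an elevated session.

# 1. Confirm whether SMB1 is still enabled and whether auditing is already on.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, AuditSmb1Access

# 2. Turn on auditing. The cmdlet writes the AuditSmb1Access value under
#    HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters. Leave it on
#    for a representative period (the thread suggests at least a couple of weeks).
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# 3. Read the audit events. Each event 3000 in the SMBServer/Audit log records
#    one SMB1 connection attempt and names the client address in its message.
$since  = (Get-Date).AddDays(-14)          # assumed review window
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-SMBServer/Audit'
    Id        = 3000
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No SMB1 access events since $since"
    return
}

# 4. Pull the client address out of each message and count hits per client, so
#    the result is a short list of hosts to check before SMB1 is disabled.
$clients = foreach ($e in $events) {
    if ($e.Message -match 'Client Address:\s*(?<addr>\S+)') {
        [pscustomobject]@{
            Client    = $Matches.addr
            Timestamp = $e.TimeCreated
        }
    }
}

$clients |
    Group-Object Client |
    Sort-Object Count -Descending |
    Select-Object @{n = 'Client';   e = { $_.Name }},
                  Count,
                  @{n = 'LastSeen'; e = { ($_.Group | Sort-Object Timestamp -Descending |
                                           Select-Object -First 1).Timestamp }} |
    Format-Table -AutoSize
```

Run the summary part again at the end of the audit window; a client that appears with only one or two hits is usually a scanner, while a host showing daily hits is the kind of device (printer, clock-in machine) that needs a plan before SMB1 is turned off.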
You could also try turning it off and waiting to see if anyone reports issues. I remember the last device that relied solely on SMBv1 was like a clock-in machine from ages ago. You may encounter some old devices, but they’re probably due for an upgrade anyway.
It’s crucial to have a plan. If scanners are currently using SMBv1, they will definitely stop working once you disable it. If budget allows, consider setting up a non-domain server to handle these communications and sync with tools like Robocopy. That way, you can gradually phase out the older protocols.
Another solid method is to capture traffic using something like Wireshark on those servers. You can log the output and specifically filter for SMBv1 traffic. This will give you a clearer picture of what's actually using it before you make any changes.
One straightforward approach is to just turn off SMBv1 and see if anything breaks. It might sound risky, but if no one complains after a short while, you might be in the clear. Just make sure to monitor the systems closely for any issues that pop up afterwards.

Yeah, I would suggest giving it at least a couple of weeks before you call it 'done'. Better to be safe!