How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows

Summary

This article describes how to enable and disable Server Message Block (SMB) version 1 (SMBv1), SMB version 2 (SMBv2), and SMB version 3 (SMBv3) on the SMB client and server components.

Important

We recommend that you do not disable SMBv2 or SMBv3. Disable SMBv2 or SMBv3 only as a temporary troubleshooting measure. Do not leave SMBv2 or SMBv3 disabled.

In Windows 7 and Windows Server 2008 R2, disabling SMBv2 deactivates the following functionality:

  • Request compounding - allows for sending multiple SMB 2 requests as a single network request
  • Larger reads and writes - better use of faster networks
  • Caching of folder and file properties - clients keep local copies of folders and files
  • Durable handles - allow a connection to transparently reconnect to the server if there is a temporary disconnection
  • Improved message signing - HMAC SHA-256 replaces MD5 as hashing algorithm
  • Improved scalability for file sharing - number of users, shares, and open files per server greatly increased
  • Support for symbolic links
  • Client oplock leasing model - limits the data transferred between the client and server, improving performance on high-latency networks and increasing SMB server scalability
  • Large MTU support - for full use of 10-gigabyte (GB) Ethernet
  • Improved energy efficiency - clients that have open files to a server can sleep

In Windows 8, Windows 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019, disabling SMBv3 deactivates the following functionality (and also the SMBv2 functionality that's described in the previous list):

  • Transparent Failover - clients reconnect without interruption to cluster nodes during maintenance or failover
  • Scale Out - concurrent access to shared data on all file cluster nodes
  • Multichannel - aggregation of network bandwidth and fault tolerance if multiple paths are available between client and server
  • SMB Direct - adds RDMA networking support for very high performance, with low latency and low CPU utilization
  • Encryption - provides end-to-end encryption and protects from eavesdropping on untrustworthy networks
  • Directory Leasing - improves application response times in branch offices through caching
  • Performance Optimizations - optimizations for small random read/write I/O

More Information

The SMBv2 protocol was introduced in Windows Vista and Windows Server 2008.

The SMBv3 protocol was introduced in Windows 8 and Windows Server 2012.

For more information about the capabilities of SMBv2 and SMBv3, see the following articles:

Server Message Block overview

What's New in SMB

How to gracefully remove SMB v1 in Windows 8.1, Windows 10, Windows 2012 R2, Windows Server 2016, and Windows Server 2019

PowerShell methods

SMB v1 (client and server)
  • Detect:

    Get-WindowsFeature FS-SMB1

  • Disable:

    Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol

  • Enable:

    Enable-WindowsOptionalFeature -Online -FeatureName smb1protocol
    

Windows Server 2012 R2, Windows Server 2016, Windows Server 2019: Server Manager method for disabling SMB

SMB v1

Server Manager - Dashboard method

Windows 8.1 and Windows 10: PowerShell method

SMB v1 Protocol
  • Detect:

    Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

  • Disable:

    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

  • Enable:

    Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    
SMB v2/v3 Protocol (only disables SMB v2/v3 Server)
  • Detect:

    Get-SmbServerConfiguration | Select EnableSMB2Protocol

  • Disable:

    Set-SmbServerConfiguration -EnableSMB2Protocol $false

  • Enable:

    Set-SmbServerConfiguration -EnableSMB2Protocol $true
    

Windows 8.1 and Windows 10: Add or Remove Programs method

Add-Remove Programs client method

How to detect status, enable, and disable SMB protocols on the SMB Server

For Windows 8 and Windows Server 2012

Windows 8 and Windows Server 2012 introduce the new Set-SMBServerConfiguration Windows PowerShell cmdlet. The cmdlet lets you enable or disable the SMBv1, SMBv2, and SMBv3 protocols on the server component.

Note

When you enable or disable SMBv2 in Windows 8 or Windows Server 2012, SMBv3 is also enabled or disabled. This behavior occurs because these protocols share the same stack.

You do not have to restart the computer after you run the Set-SMBServerConfiguration cmdlet.

SMB v1 on SMB Server
  • Detect:

    Get-SmbServerConfiguration | Select EnableSMB1Protocol

  • Disable:

    Set-SmbServerConfiguration -EnableSMB1Protocol $false

  • Enable:

    Set-SmbServerConfiguration -EnableSMB1Protocol $true
    

For more information, see Server storage at Microsoft.

SMB v2/v3 on SMB Server
  • Detect:

    Get-SmbServerConfiguration | Select EnableSMB2Protocol

  • Disable:

    Set-SmbServerConfiguration -EnableSMB2Protocol $false

  • Enable:

    Set-SmbServerConfiguration -EnableSMB2Protocol $true
    

For Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008

To enable or disable SMB protocols on an SMB Server that is running Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, use Windows PowerShell or Registry Editor.

PowerShell methods

Note

This method requires PowerShell 2.0 or a later version of PowerShell.

SMB v1 on SMB Server

Detect:

Get-Item HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}

Default configuration = Enabled (no registry key is created), so no SMB1 value will be returned.

Disable:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

Enable:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force

Note: You must restart the computer after you make these changes. For more information, see Server storage at Microsoft.

SMB v2/v3 on SMB Server

Detect:

Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}

Disable:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 0 -Force

Enable:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 -Force

Note

You must restart the computer after you make these changes.

Registry Editor

Important

Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.

To enable or disable SMBv1 on the SMB server, configure the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled (No registry key is created)

To enable or disable SMBv2 on the SMB server, configure the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Registry entry: SMB2
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled (No registry key is created)

Note

You must restart the computer after you make these changes.

How to detect status, enable, and disable SMB protocols on the SMB Client

For Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012

Note

When you enable or disable SMBv2 in Windows 8 or in Windows Server 2012, SMBv3 is also enabled or disabled. This behavior occurs because these protocols share the same stack.

SMB v1 on SMB Client
  • Detect:

    sc.exe qc lanmanworkstation

  • Disable:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
    sc.exe config mrxsmb10 start= disabled

  • Enable:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
    sc.exe config mrxsmb10 start= auto


For more information, see Server storage at Microsoft.

SMB v2/v3 on SMB Client
  • Detect:

    sc.exe qc lanmanworkstation

  • Disable:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi
    sc.exe config mrxsmb20 start= disabled

  • Enable:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
    sc.exe config mrxsmb20 start= auto


Note

  • You must run these commands at an elevated command prompt.
  • You must restart the computer after you make these changes.

Disable SMBv1 Server with Group Policy

This procedure configures the following new item in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

  • Registry entry: SMB1
  • REG_DWORD: 0 = Disabled

To configure this by using Group Policy, follow these steps:

  1. Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.

  2. In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.

  3. Right-click the Registry node, point to New, and select Registry Item.

    Registry - New - Registry Item

  4. In the New Registry Properties dialog box, select the following:

    • Action: Create
    • Hive: HKEY_LOCAL_MACHINE
    • Key Path: SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    • Value name: SMB1
    • Value type: REG_DWORD
    • Value data: 0

    New Registry Properties - General

This disables the SMBv1 Server components. This Group Policy must be applied to all necessary workstations, servers, and domain controllers in the domain.

Note

WMI filters can also be set to exclude unsupported operating systems or selected exclusions, such as Windows XP.

Important

Be careful when you make these changes on domain controllers on which legacy Windows XP or older Linux and third-party systems (that do not support SMBv2 or SMBv3) require access to SYSVOL or other file shares where SMB v1 is being disabled.

Disable SMBv1 Client with Group Policy

To disable the SMBv1 client, the services registry key needs to be updated to disable the start of MRxSMB10, and then the dependency on MRxSMB10 needs to be removed from the entry for LanmanWorkstation so that it can start normally without requiring MRxSMB10 to first start.

This will update and replace the default values in the following 2 items in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb10

Registry entry: Start REG_DWORD: 4 = Disabled

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation

Registry entry: DependOnService REG_MULTI_SZ: "Bowser","MRxSmb20","NSI"

Note

The default included MRxSMB10, which is now removed as a dependency.

To configure this by using Group Policy, follow these steps:

  1. Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.

  2. In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.

  3. Right-click the Registry node, point to New, and select Registry Item.

  4. In the New Registry Properties dialog box, select the following:

    • Action: Update
    • Hive: HKEY_LOCAL_MACHINE
    • Key Path: SYSTEM\CurrentControlSet\services\mrxsmb10
    • Value name: Start
    • Value type: REG_DWORD
    • Value data: 4

    Start Properties - General

  5. Then remove the dependency on the MRxSMB10 that was just disabled.

    In the New Registry Properties dialog box, select the following:

    • Action: Replace
    • Hive: HKEY_LOCAL_MACHINE
    • Key Path: SYSTEM\CurrentControlSet\Services\LanmanWorkstation
    • Value name: DependOnService
    • Value type: REG_MULTI_SZ
    • Value data:
      • Bowser
      • MRxSmb20
      • NSI

    Note

    These three strings will not have bullets (see the following screenshot).

    DependOnService Properties

    The default value includes MRxSMB10 in many versions of Windows, so replacing it with this multi-value string in effect removes MRxSMB10 as a dependency for LanmanServer, going from four default values down to just the three values above.

    Note

    When you use Group Policy Management Console, you don't have to use quotation marks or commas. Just type each entry on an individual line.

  6. Restart the targeted systems to finish disabling SMB v1.

Summary

If all the settings are in the same Group Policy Object (GPO), Group Policy Management displays the following settings.

Group Policy Management Editor - Registry

Testing and validation

After these are configured, allow the policy to replicate and update. As necessary for testing, run gpupdate /force at a command prompt, and then review the target computers to make sure that the registry settings are applied correctly. Make sure SMB v2 and SMB v3 are functioning for all other systems in the environment.

Note

Do not forget to restart the target systems.
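
One way to review a target computer after the policy has applied, covering both the "no SMB1 value will be returned" default from the Windows 7 detection step and the client-side values set by Group Policy. This is an added example, not part of the original article; the function name Get-SmbRegistryState and its output property names are assumptions, and a missing SMB1 or SMB2 value is reported as enabled because the article gives that as the default.

```powershell
# Added example (not from the original article): read-only audit of the
# registry values that the procedures above configure. It changes nothing.
function Get-SmbRegistryState {
    [CmdletBinding()]
    param()

    $services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    # Return a named registry value, or nothing when the key or value is absent.
    function Read-Value([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $item.$Name }
    }

    # SMB1/SMB2 under LanmanServer\Parameters: 0 = Disabled, 1 = Enabled.
    # Assumption taken from the article: a missing value means the default, Enabled.
    function Convert-ServerFlag($Value) {
        if ($null -eq $Value) { 'Enabled (default, value not set)' }
        elseif ($Value -eq 0) { 'Disabled' }
        else                  { 'Enabled' }
    }

    $smb1  = Read-Value "$services\LanmanServer\Parameters" 'SMB1'
    $smb2  = Read-Value "$services\LanmanServer\Parameters" 'SMB2'
    $start = Read-Value "$services\mrxsmb10" 'Start'
    # REG_MULTI_SZ comes back as a string array; @() also covers the missing case.
    $deps  = @(Read-Value "$services\LanmanWorkstation" 'DependOnService')

    # The SMBv1 client counts as disabled only when both changes are in place:
    # mrxsmb10 Start = 4 and MRxSmb10 no longer listed in DependOnService.
    $clientOff = ($start -eq 4) -and -not ($deps -contains 'MRxSmb10')

    New-Object PSObject -Property @{
        ComputerName        = $env:COMPUTERNAME
        ServerSMB1          = Convert-ServerFlag $smb1
        ServerSMB2          = Convert-ServerFlag $smb2
        MrxSmb10Start       = $start
        WorkstationDependOn = ($deps -join ',')
        ClientSMB1Disabled  = $clientOff
    } | Select-Object ComputerName, ServerSMB1, ServerSMB2,
                      MrxSmb10Start, WorkstationDependOn, ClientSMB1Disabled
}

Get-SmbRegistryState | Format-List
```

A computer configured by both Group Policy procedures above reports ServerSMB1 as Disabled and ClientSMB1Disabled as True; the registry values take effect only after the restart the article calls for.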