如何在 Windows 中检测、启用和禁用 SMBv1、SMBv2 和 SMBv3How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows

适用于: Windows 10,Windows 8.1,Windows 8,Windows Server 2019,Windows Server 2016,Windows Server 2012 R2,Windows Server 2012Applies to: Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

本文介绍如何在 SMB 客户端和服务器组件上启用和禁用 (SMB) 版本 1 (SMBv1) 、SMB 版本 2 (SMBv2) 和 SMB 版本 3 (SMBv3) 的服务器消息块。This article describes how to enable and disable Server Message Block (SMB) version 1 (SMBv1), SMB version 2 (SMBv2), and SMB version 3 (SMBv3) on the SMB client and server components.

在禁用或删除 SMBv1 时,可能会导致旧计算机或软件出现一些兼容性问题,SMBv1 会出现严重的安全漏洞, 我们强烈建议您不要使用它While disabling or removing SMBv1 might cause some compatibility issues with old computers or software, SMBv1 has significant security vulnerabilities and we strongly encourage you not to use it.

禁用 SMBv2 或 SMBv3 以进行故障排除Disabling SMBv2 or SMBv3 for troubleshooting

我们建议将 SMBv2 和 SMBv3 保持启用状态,但你可能会发现暂时禁用其中一项进行故障排除会很有用。We recommend keeping SMBv2 and SMBv3 enabled, but you might find it useful to disable one temporarily for troubleshooting. 有关详细信息,请参阅 如何在 Smb 服务器上检测状态、启用和禁用 smb 协议For more information, see How to detect status, enable, and disable SMB protocols on the SMB Server.

在 Windows 10、Windows 8.1、Windows 8、Windows Server 2019、Windows Server 2016、Windows Server 2012 R2 和 Windows Server 2012 中,禁用 SMBv3 将停用以下功能:In Windows 10, Windows 8.1, and Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2012, disabling SMBv3 deactivates the following functionality:

  • 透明故障转移-客户端在维护或故障转移过程中重新连接而不中断群集节点Transparent Failover - clients reconnect without interruption to cluster nodes during maintenance or failover
  • Scale Out 对所有文件群集节点上的共享数据进行并发访问Scale Out - concurrent access to shared data on all file cluster nodes
  • 多通道-如果客户端和服务器之间有多个路径,则聚合网络带宽和容错Multichannel - aggregation of network bandwidth and fault tolerance if multiple paths are available between client and server
  • SMB 直接添加 RDMA 网络支持,实现高性能,延迟较低且 CPU 使用率低SMB Direct - adds RDMA networking support for high performance, with low latency and low CPU use
  • 加密-提供端对端加密并防止在不受信任的网络上窃听Encryption - Provides end-to-end encryption and protects from eavesdropping on untrustworthy networks
  • 目录租用-通过缓存改善分支机构中的应用程序响应时间Directory Leasing - Improves application response times in branch offices through caching
  • 性能优化-优化小型随机读/写 i/oPerformance Optimizations - optimizations for small random read/write I/O

在 Windows 7 和 Windows Server 2008 R2 中,禁用 SMBv2 将停用以下功能:In Windows 7 and Windows Server 2008 R2, disabling SMBv2 deactivates the following functionality:

  • 请求复合-允许将多个 SMBv2 请求作为单个网络请求发送Request compounding - allows for sending multiple SMBv2 requests as a single network request
  • 更大的读写,更好地使用更快的网络Larger reads and writes - better use of faster networks
  • 文件夹和文件属性的缓存-客户端保留文件夹和文件的本地副本Caching of folder and file properties - clients keep local copies of folders and files
  • 持久句柄-如果有临时断开连接,则允许连接以透明方式重新连接到服务器Durable handles - allow for connection to transparently reconnect to the server if there's a temporary disconnection
  • 改进的消息签名-HMAC SHA-256 将 MD5 替换为哈希算法Improved message signing - HMAC SHA-256 replaces MD5 as hashing algorithm
  • 文件共享的可伸缩性改进-每个服务器的用户、共享和打开文件的数量大大增加Improved scalability for file sharing - number of users, shares, and open files per server greatly increased
  • 支持符号链接Support for symbolic links
  • 客户端 oplock 租赁模式-限制在客户端与服务器之间传输的数据,提高高延迟网络的性能并提高 SMB 服务器的可伸缩性Client oplock leasing model - limits the data transferred between the client and server, improving performance on high-latency networks and increasing SMB server scalability
  • 大 MTU 支持-用于充分利用10千兆以太网 (GbE) Large MTU support - for full use of 10 Gigabit Ethernet (GbE)
  • 提高了能效-已向服务器打开文件的客户端可以进入睡眠状态Improved energy efficiency - clients that have open files to a server can sleep

Windows Vista 和 Windows Server 2008 中引入了 SMBv2 协议,而 SMBv3 协议是在 Windows 8 和 Windows Server 2012 中引入的。The SMBv2 protocol was introduced in Windows Vista and Windows Server 2008, while the SMBv3 protocol was introduced in Windows 8 and Windows Server 2012. 有关 SMBv2 和 SMBv3 功能的详细信息,请参阅以下文章:For more information about SMBv2 and SMBv3 capabilities, see the following articles:

如何删除 SMBv1How to remove SMBv1

下面介绍了如何在 Windows 10、Windows 8.1、Windows Server 2019、Windows Server 2016 和 Windows 2012 R2 中删除 SMBv1。Here's how to remove SMBv1 in Windows 10, Windows 8.1, Windows Server 2019, Windows Server 2016, and Windows 2012 R2.

PowerShell 方法PowerShell methods

SMBv1 (客户端和服务器) SMBv1 (client and server)
  • 察觉Detect:

    Get-WindowsOptionalFeature -Online -FeatureName smb1protocol
    
  • 禁用Disable:

    Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
    
  • 启用:Enable:

    Enable-WindowsOptionalFeature -Online -FeatureName smb1protocol
    

Windows Server 2012 R2、Windows Server 2016、Windows Server 2019:用于禁用 SMB 的服务器管理器方法Windows Server 2012 R2, Windows Server 2016, Windows Server 2019: Server Manager method for disabling SMB

SMBv1SMBv1

服务器管理器-仪表板方法

删除 Windows Server 中的 SMBv1:To remove SMBv1 from Windows Server:

  1. 在要删除 SMBv1 的服务器的 "服务器管理器" 面板上的 " 配置此本地服务器" 下,选择 " 添加角色和功能"。On the Server Manager Dashboard of the server where you want to remove SMBv1, under Configure this local server, select Add roles and features.
  2. 在 " 开始之前 " 页上,选择 " 启动角色和功能向导",然后在下一页上选择 " 下一步"。On the Before you begin page, select Start the Remove Roles and Features Wizard, and then on the following page, select Next.
  3. 在 "服务器池" 下的 "选择目标服务器" 页上,确保选中要从中删除功能的服务器,然后选择 "下一步"。On the Select destination server page under Server Pool, ensure that the server you want to remove the feature from is selected, and then select Next.
  4. 在 " 删除服务器角色 " 页上,选择 " 下一步"。On the Remove server roles page, select Next.
  5. 在 " 删除功能 " 页上,清除 " SMB 1.0/CIFS 文件共享支持 " 复选框,然后选择 " 下一步"。On the Remove features page, clear the check box for SMB 1.0/CIFS File Sharing Support and select Next.
  6. 在 " 确认删除选择 " 页上,确认列出了该功能,然后选择 " 删除"。On the Confirm removal selections page, confirm that the feature is listed, and then select Remove.

Windows 8.1 和 Windows 10: PowerShell 方法Windows 8.1 and Windows 10: PowerShell method

SMBv1 协议SMBv1 Protocol
  • 察觉Detect:

    Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    
  • 禁用Disable:

    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    
  • 启用:Enable:

    Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    
SMBv2/v3 协议 (仅禁用 SMBv2/v3 服务器) SMBv2/v3 Protocol (only disables SMBv2/v3 Server)
  • 察觉Detect:

    Get-SmbServerConfiguration | Select EnableSMB2Protocol
    
  • 禁用Disable:

    Set-SmbServerConfiguration -EnableSMB2Protocol $false
    
  • 启用:Enable:

    Set-SmbServerConfiguration -EnableSMB2Protocol $true
    

Windows 8.1 和 Windows 10:添加或删除程序方法Windows 8.1 and Windows 10: Add or Remove Programs method

Add-Remove 程序客户端方法

若要禁用 Windows 8.1 和 Windows 10 上的 SMBv1:To disable SMBv1 on Windows 8.1 and Windows 10:

  1. 在“控制面板”中,选择“程序和功能”。 In Control Panel, select Programs and Features.
  2. 在 " 控制面板主页" 下,选择 " 打开或关闭 windows 功能 " 打开 " windows 功能 " 框。Under Control Panel Home, select Turn Windows features on or off to open the Windows Features box.
  3. 在 " Windows 功能 " 框中,向下滚动列表,清除 SMB 1.0/CIFS 文件共享支持 的复选框,然后选择 "确定"In the Windows Features box, scroll down the list, clear the check box for SMB 1.0/CIFS File Sharing Support and select OK.
  4. Windows 应用更改后,在 "确认" 页上选择 " 立即重新启动"。After Windows applies the change, on the confirmation page, select Restart now.

如何在 SMB 服务器上检测状态、启用和禁用 SMB 协议How to detect status, enable, and disable SMB protocols on the SMB Server

适用于 Windows 8 和 Windows Server 2012For Windows 8 and Windows Server 2012

Windows 8 和 Windows Server 2012 引入了新的 SMBServerConfiguration Windows PowerShell cmdlet。Windows 8 and Windows Server 2012 introduced the new Set-SMBServerConfiguration Windows PowerShell cmdlet. Cmdlet 可用于启用或禁用服务器组件上的 SMBv1、SMBv2 和 SMBv3 协议。The cmdlet enables you to enable or disable the SMBv1, SMBv2, and SMBv3 protocols on the server component.

备注

启用或禁用 Windows 8 或 Windows Server 2012 中的 SMBv2 时,也会启用或禁用 SMBv3。When you enable or disable SMBv2 in Windows 8 or Windows Server 2012, SMBv3 is also enabled or disabled. 之所以发生此行为,是因为这些协议共享同一堆栈。This behavior occurs because these protocols share the same stack.

运行 SMBServerConfiguration cmdlet 后,无需重新启动计算机。You don't have to restart the computer after you run the Set-SMBServerConfiguration cmdlet.

SMB 服务器上的 SMBv1SMBv1 on SMB Server
  • 察觉Detect:

    Get-SmbServerConfiguration | Select EnableSMB1Protocol
    
  • 禁用Disable:

    Set-SmbServerConfiguration -EnableSMB1Protocol $false
    
  • 启用:Enable:

    Set-SmbServerConfiguration -EnableSMB1Protocol $true
    

有关详细信息,请参阅 Microsoft 服务器存储For more information, see Server storage at Microsoft.

Smb 服务器上的 SMB v2/v3SMB v2/v3 on SMB Server
  • 察觉Detect:

    Get-SmbServerConfiguration | Select EnableSMB2Protocol
    
  • 禁用Disable:

    Set-SmbServerConfiguration -EnableSMB2Protocol $false
    
  • 启用:Enable:

    Set-SmbServerConfiguration -EnableSMB2Protocol $true
    

适用于 Windows 7、Windows Server 2008 R2、Windows Vista 和 Windows Server 2008For Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008

若要在运行 Windows 7、Windows Server 2008 R2、Windows Vista 或 Windows Server 2008 的 SMB 服务器上启用或禁用 SMB 协议,请使用 Windows PowerShell 或注册表编辑器。To enable or disable SMB protocols on an SMB Server that is running Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, use Windows PowerShell or Registry Editor.

PowerShell 方法PowerShell methods

备注

此方法需要 PowerShell 2.0 或更高版本的 PowerShell。This method requires PowerShell 2.0 or later version of PowerShell.

SMB 服务器上的 SMBv1SMBv1 on SMB Server

察觉Detect:

Get-Item HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}

默认配置 = Enabled (未) 创建注册表项,因此不会返回 SMB1 值Default configuration = Enabled (No registry key is created), so no SMB1 value will be returned

禁用Disable:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

启用:Enable:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force

注意 进行这些更改之后,必须重新启动计算机。Note You must restart the computer after you make these changes. 有关详细信息,请参阅 Microsoft 服务器存储For more information, see Server storage at Microsoft.

SMB 服务器上的 SMBv2/v3SMBv2/v3 on SMB Server

察觉Detect:

Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}

禁用Disable:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 0 -Force

启用:Enable:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 -Force

备注

进行这些更改之后,必须重新启动计算机。You must restart the computer after you make these changes.

注册表编辑器Registry Editor

重要

请认真遵循本部分所述的步骤。Follow the steps in this section carefully. 如果注册表修改不正确,可能会发生严重问题。Serious problems might occur if you modify the registry incorrectly. 在修改注册表之前,请备份注册表,以便在出现问题时可以还原。Before you modify it, back up the registry for restoration in case problems occur.

若要在 SMB 服务器上启用或禁用 SMBv1,请配置以下注册表项:To enable or disable SMBv1 on the SMB server, configure the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\ParametersHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled (No registry key is created)

若要在 SMB 服务器上启用或禁用 SMBv2,请配置以下注册表项:To enable or disable SMBv2 on the SMB server, configure the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\ParametersHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Registry entry: SMB2
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled (No registry key is created)

备注

进行这些更改之后,必须重新启动计算机。You must restart the computer after you make these changes.

如何在 SMB 客户端上检测状态、启用和禁用 SMB 协议How to detect status, enable, and disable SMB protocols on the SMB Client

对于 Windows Vista、Windows Server 2008、Windows 7、Windows Server 2008 R2、Windows 8 和 Windows Server 2012For Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012

备注

启用或禁用 Windows 8 或 Windows Server 2012 中的 SMBv2 时,也会启用或禁用 SMBv3。When you enable or disable SMBv2 in Windows 8 or in Windows Server 2012, SMBv3 is also enabled or disabled. 之所以发生此行为,是因为这些协议共享同一堆栈。This behavior occurs because these protocols share the same stack.

SMB 客户端上的 SMBv1SMBv1 on SMB Client
  • DetectDetect

    sc.exe qc lanmanworkstation
    
  • 禁用Disable:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
    sc.exe config mrxsmb10 start= disabled
    
  • 启用:Enable:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
    sc.exe config mrxsmb10 start= auto
    

有关详细信息,请参阅 Microsoft 的服务器存储For more information, see Server storage at Microsoft

SMB 客户端上的 SMBv2/v3SMBv2/v3 on SMB Client
  • 察觉Detect:

    sc.exe qc lanmanworkstation
    
  • 禁用Disable:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi
    sc.exe config mrxsmb20 start= disabled
    
  • 启用:Enable:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
    sc.exe config mrxsmb20 start= auto
    

备注

  • 你必须在提升的命令提示符下运行这些命令。You must run these commands at an elevated command prompt.
  • 进行这些更改之后,必须重新启动计算机。You must restart the computer after you make these changes.

通过组策略禁用 SMBv1 服务器Disable SMBv1 Server with Group Policy

此过程在注册表中配置以下新项:This procedure configures the following new item in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\ParametersHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

  • 注册表项: SMB1Registry entry: SMB1
  • REG_DWORD: 0 = 已禁用REG_DWORD: 0 = Disabled

若要使用组策略配置此设置,请执行以下步骤:To use Group Policy to configure this, follow these steps:

  1. 打开“组策略管理控制台”。Open the Group Policy Management Console. 右键单击应该包含新首选项的组策略对象 (GPO),然后单击 “编辑”Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.

  2. 在控制台树中的 " 计算机配置" 下,展开 " 首选项 " 文件夹,然后展开 " Windows 设置 " 文件夹。In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.

  3. 右键单击 " 注册表 " 节点,指向 " 新建",然后选择 " 注册表项"。Right-click the Registry node, point to New, and select Registry Item.

    注册表-New-Registry 项

在 " 新建注册表属性 " 对话框中,选择以下项:In the New Registry Properties dialog box, select the following:

  • 操作:创建Action: Create
  • Hive: HKEY_LOCAL_MACHINEHive: HKEY_LOCAL_MACHINE
  • 密钥路径: SYSTEM\CurrentControlSet\Services\LanmanServer\ParametersKey Path: SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
  • 值名称: SMB1Value name: SMB1
  • 值类型: REG_DWORDValue type: REG_DWORD
  • 值数据:0Value data: 0

新注册表属性-常规

此过程将禁用 SMBv1 服务器组件。This procedure disables the SMBv1 Server components. 此组策略必须应用于域中的所有必要工作站、服务器和域控制器。This Group Policy must be applied to all necessary workstations, servers, and domain controllers in the domain.

备注

WMI 筛选器 还可以设置为排除不受支持的操作系统或所选的排除项,例如 Windows XP。WMI filters can also be set to exclude unsupported operating systems or selected exclusions, such as Windows XP.

重要

如果在不支持 SMBv2 或 SMBv3 的旧的 Windows XP 或更低版本的 Linux 和第三方系统 (不支持或) 的域控制器上进行这些更改,则需小心,否则,将需要访问要禁用 SMB v1 的 SYSVOL 或其他文件共享。Be careful when you make these changes on domain controllers on which legacy Windows XP or older Linux and third-party systems (that don't support SMBv2 or SMBv3) require access to SYSVOL or other file shares where SMB v1 is being disabled.

通过组策略禁用 SMBv1 客户端Disable SMBv1 Client with Group Policy

若要禁用 SMBv1 客户端,需要更新服务注册表项以禁用 MRxSMB10 的启动,然后需要从 LanmanWorkstation 条目中删除对 MRxSMB10 的依赖项,以便它能够正常启动,而无需首先启动 MRxSMB10To disable the SMBv1 client, the services registry key needs to be updated to disable the start of MRxSMB10 and then the dependency on MRxSMB10 needs to be removed from the entry for LanmanWorkstation so that it can start normally without requiring MRxSMB10 to first start.

本指南将更新并替换注册表中以下两项中的默认值:This guidance updates and replaces the default values in the following two items in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb10HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb10

注册表项: 开始 REG_DWORD: 4= 已禁用Registry entry: Start REG_DWORD: 4= Disabled

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstationHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation

注册表项: DependOnService REG_MULTI_SZ: "Bowser"、"MRxSmb20"、"NSI"Registry entry: DependOnService REG_MULTI_SZ: "Bowser","MRxSmb20″,"NSI"

备注

默认已包含的 MRxSMB10,现已删除为依赖项。The default included MRxSMB10 which is now removed as dependency.

若要使用组策略进行配置,请执行以下步骤:To configure this by using Group Policy, follow these steps:

  1. 打开“组策略管理控制台”。Open the Group Policy Management Console. 右键单击应该包含新首选项的 GPO,然后单击 " 编辑"。Right-click the GPO that should contain the new preference item, and then click Edit.

  2. 在控制台树中的 " 计算机配置" 下,展开 " 首选项 " 文件夹,然后展开 " Windows 设置 " 文件夹。In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.

  3. 右键单击 " 注册表 " 节点,指向 " 新建",然后选择 " 注册表项"。Right-click the Registry node, point to New, and select Registry Item.

  4. 在 " 新建注册表属性 " 对话框中,选择以下项:In the New Registry Properties dialog box, select the following:

    • 操作:更新Action: Update
    • Hive: HKEY_LOCAL_MACHINEHive: HKEY_LOCAL_MACHINE
    • 密钥路径: SYSTEM\CurrentControlSet\services\mrxsmb10Key Path: SYSTEM\CurrentControlSet\services\mrxsmb10
    • 值名称: StartValue name: Start
    • 值类型: REG_DWORDValue type: REG_DWORD
    • 值数据:4Value data: 4

    启动属性-常规

  5. 然后,删除对已禁用的 MRxSMB10 的依赖项。Then remove the dependency on the MRxSMB10 that was disabled.

    在 " 新建注册表属性 " 对话框中,选择以下项:In the New Registry Properties dialog box, select the following:

    • 操作:替换Action: Replace
    • Hive: HKEY_LOCAL_MACHINEHive: HKEY_LOCAL_MACHINE
    • 密钥路径: SYSTEM\CurrentControlSet\Services\LanmanWorkstationKey Path: SYSTEM\CurrentControlSet\Services\LanmanWorkstation
    • 值名称: DependOnServiceValue name: DependOnService
    • 值类型: REG_MULTI_SZValue type: REG_MULTI_SZ
    • 值数据Value data:
      • BowserBowser
      • MRxSmb20MRxSmb20
      • NSINSI

    备注

    这三个字符串不会有项目符号 (请参阅以下屏幕截图) 。These three strings will not have bullets (see the following screen shot).

    DependOnService 属性

    在许多版本的 Windows 中,默认值都包含 MRxSMB10 ,因此通过使用此多值字符串替换它们,这实际上是将 MRxSMB10 删除为 LanmanServer 的依赖项,并从四个默认值向下转到上述三个值。The default value includes MRxSMB10 in many versions of Windows, so by replacing them with this multi-value string, it is in effect removing MRxSMB10 as a dependency for LanmanServer and going from four default values down to just these three values above.

    备注

    使用组策略管理控制台时,不必使用引号或逗号。When you use Group Policy Management Console, you don't have to use quotation marks or commas. 只需在单独的行上键入每个条目。Just type each entry on individual lines.

  6. 重新启动目标系统以完成 SMB v1 的禁用。Restart the targeted systems to finish disabling SMB v1.

审核 SMBv1 使用情况Auditing SMBv1 usage

若要确定哪些客户端尝试使用 SMBv1 连接到 SMB 服务器,你可以在 Windows Server 2016、Windows 10 和 Windows Server 2019 上启用审核。To determine which clients are attempting to connect to an SMB server with SMBv1, you can enable auditing on Windows Server 2016, Windows 10, and Windows Server 2019. 如果安装了 2018 5 月更新,还可以在 Windows 7 和 Windows Server 2008 R2 上审核,如果安装了2017年7月更新,则还可以在 Windows 8.1 和 Windows Server 2012 R2 上进行审核。You can also audit on Windows 7 and Windows Server 2008 R2 if the May 2018 monthly update is installed, and on Windows 8.1 and Windows Server 2012 R2 if the July 2017 monthly update is installed.

  • 启用:Enable:

    Set-SmbServerConfiguration -AuditSmb1Access $true
    
  • 禁用Disable:

    Set-SmbServerConfiguration -AuditSmb1Access $false
    
  • 察觉Detect:

    Get-SmbServerConfiguration | Select AuditSmb1Access
    

启用 SMBv1 审核后,事件3000将出现在 "Microsoft-Windows-SMBServer\Audit" 事件日志中,标识尝试与 SMBv1 连接的每个客户端。When SMBv1 auditing is enabled, event 3000 appears in the "Microsoft-Windows-SMBServer\Audit" event log, identifying each client that attempts to connect with SMBv1.

总结Summary

如果所有设置都在同一 GPO 中,组策略管理将显示以下设置。If all the settings are in the same GPO, Group Policy Management displays the following settings.

组策略管理编辑器注册表

测试和验证Testing and validation

完成本文中的配置步骤后,允许复制和更新策略。After completing the configuration steps in this article, allow the policy to replicate and update. 如有必要,请在命令提示符下运行 gpupdate/force ,然后查看目标计算机以确保正确应用注册表设置。As necessary for testing, run gpupdate /force at a command prompt, and then review the target computers to make sure that the registry settings are applied correctly. 请确保 SMBv2 和 SMBv3 对环境中的所有其他系统都正常工作。Make sure SMBv2 and SMBv3 are functioning for all other systems in the environment.

备注

请不要忘记重新启动目标系统。Don't forget to restart the target systems.