如何偵測、啟用和停用 Windows 中的 SMBv1、SMBv2 和 SMBv3How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows
摘要Summary
本文說明如何在 SMB 用戶端和伺服器元件上啟用和停用伺服器訊息區(SMB)第1版(SMBv1)、SMB 版本2(SMBv2)和 SMB 第3版(SMBv3)。This article describes how to enable and disable Server Message Block (SMB) version 1 (SMBv1), SMB version 2 (SMBv2), and SMB version 3 (SMBv3) on the SMB client and server components.
重要
我們建議您不要停用 SMBv2 或 SMBv3。We recommend that you do not disable SMBv2 or SMBv3. 僅停用 SMBv2 或 SMBv3 做為暫時的疑難排解措施。Disable SMBv2 or SMBv3 only as a temporary troubleshooting measure. 請勿讓 SMBv2 或 SMBv3 停用。Do not leave SMBv2 or SMBv3 disabled.
在 Windows 7 和 Windows Server 2008 R2 中,停用 SMBv2 會停用下列功能:In Windows 7 and Windows Server 2008 R2, disabling SMBv2 deactivates the following functionality:
- 要求複利-允許以單一網路要求傳送多個 SMB 2 要求Request compounding - allows for sending multiple SMB 2 requests as a single network request
- 較大的讀取和寫入-更有效率地使用更快速的網路Larger reads and writes - better use of faster networks
- 資料夾和檔案屬性的快取-用戶端保留資料夾和檔案的本機複本Caching of folder and file properties - clients keep local copies of folders and files
- 持久的控制碼-允許連接在暫時中斷連線時,以透明的方式重新連線到伺服器Durable handles - allow for connection to transparently reconnect to the server if there is a temporary disconnection
- 改良的訊息簽署-HMAC SHA-256 將 MD5 取代為雜湊演算法Improved message signing - HMAC SHA-256 replaces MD5 as hashing algorithm
- 增強檔案共用的擴充性-每台伺服器的使用者、共用和開啟檔案數目大幅增加Improved scalability for file sharing - number of users, shares, and open files per server greatly increased
- 符號連結的支援Support for symbolic links
- 用戶端 oplock 租用模型-限制用戶端與伺服器之間傳輸的資料,改善高延遲網路的效能並增加 SMB 伺服器的擴充性Client oplock leasing model - limits the data transferred between the client and server, improving performance on high-latency networks and increasing SMB server scalability
- 大型 MTU 支援-適用于 10 gigabye (GB) Ethernet 的完整使用Large MTU support - for full use of 10-gigabye (GB) Ethernet
- 改良的能源效率-已開啟伺服器的用戶端可以進入睡眠狀態Improved energy efficiency - clients that have open files to a server can sleep
在 Windows 8、Windows 8.1、Windows 10、Windows Server 2012 和 Windows Server 2016 中,停用 SMBv3 會停用下列功能(以及前述清單中所述的 SMBv2 功能):In Windows 8, Windows 8.1, Windows 10, Windows Server 2012, and Windows Server 2016, disabling SMBv3 deactivates the following functionality (and also the SMBv2 functionality that's described in the previous list):
- 透明容錯移轉-在維護或容錯移轉期間,用戶端不會中斷叢集節點的重新連線Transparent Failover - clients reconnect without interruption to cluster nodes during maintenance or failover
- Scale Out –所有檔案叢集節點上共用資料的平行存取Scale Out – concurrent access to shared data on all file cluster nodes
- 多重通道-當用戶端與伺服器之間有多個路徑可用時,網路頻寬和容錯的匯總Multichannel - aggregation of network bandwidth and fault tolerance if multiple paths are available between client and server
- SMB 直接傳輸-新增 RDMA 網路支援以提供非常高效能,並具有低延遲和低 CPU 使用率SMB Direct – adds RDMA networking support for very high performance, with low latency and low CPU utilization
- 加密–提供端對端加密,並保護不受信任網路上的竊聽Encryption – Provides end-to-end encryption and protects from eavesdropping on untrustworthy networks
- 目錄租用-透過快取改善分公司中的應用程式回應時間Directory Leasing - Improves application response times in branch offices through caching
- 效能優化-針對小型隨機讀取/寫入 i/o 的優化Performance Optimizations - optimizations for small random read/write I/O
詳細資訊More Information
SMBv2 通訊協定是在 Windows Vista 和 Windows Server 2008 中引進。The SMBv2 protocol was introduced in Windows Vista and Windows Server 2008.
SMBv3 通訊協定是在 Windows 8 和 Windows Server 2012 中引進。The SMBv3 protocol was introduced in Windows 8 and Windows Server 2012.
如需 SMBv2 和 SMBv3 功能功能的詳細資訊,請參閱下列文章:For more information about the capabilities of SMBv2 and SMBv3 capabilities, see the following articles:
伺服器訊息區概觀Server Message Block overview
如何在 Windows 8.1、Windows 10、Windows 2012 R2 和 Windows Server 2016 中正常移除 SMB v1How to gracefully remove SMB v1 in Windows 8.1, Windows 10, Windows 2012 R2, and Windows Server 2016
Windows Server 2012 R2 & 2016: PowerShell 方法Windows Server 2012 R2 & 2016: PowerShell methods
SMB v1SMB v1
是否Detect:
Get-WindowsFeature FS-SMB1啟用Disable:
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol啟用Enable:
Enable-WindowsOptionalFeature -Online -FeatureName smb1protocol
SMB v2/v3SMB v2/v3
是否Detect:
Get-SmbServerConfiguration | Select EnableSMB2Protocol啟用Disable:
Set-SmbServerConfiguration -EnableSMB2Protocol $false啟用Enable:
Set-SmbServerConfiguration -EnableSMB2Protocol $true
Windows Server 2012 R2 和 Windows Server 2016:用來停用 SMB 的伺服器管理員方法Windows Server 2012 R2 and Windows Server 2016: Server Manager method for disabling SMB
SMB v1SMB v1
Windows 8.1 和 Windows 10: PowerShell 方法Windows 8.1 and Windows 10: PowerShell method
SMB v1 通訊協定SMB v1 Protocol
是否Detect:
Get-WindowsOptionalFeature –Online –FeatureName SMB1Protocol啟用Disable:
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol啟用Enable:
Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
SMB v2/v3 通訊協定SMB v2/v3 Protocol
是否Detect:
Get-SmbServerConfiguration | Select EnableSMB2Protocol啟用Disable:
Set-SmbServerConfiguration –EnableSMB2Protocol $false啟用Enable:
Set-SmbServerConfiguration –EnableSMB2Protocol $true
Windows 8.1 和 Windows 10:新增或移除程式方法Windows 8.1 and Windows 10: Add or Remove Programs method
![[新增-移除程式] 用戶端方法](media/detect-enable-and-disable-smbv1-v2-v3-2.png)
如何在 SMB 伺服器上偵測狀態、啟用和停用 SMB 通訊協定How to detect status, enable, and disable SMB protocols on the SMB Server
適用于 Windows 8 和 Windows Server 2012For Windows 8 and Windows Server 2012
Windows 8 和 Windows Server 2012 引進了新的SMBServerConfiguration Windows PowerShell Cmdlet。Windows 8 and Windows Server 2012 introduce the new Set-SMBServerConfiguration Windows PowerShell cmdlet. 此 Cmdlet 可讓您在伺服器元件上啟用或停用 SMBv1、SMBv2 和 SMBv3 通訊協定。The cmdlet enables you to enable or disable the SMBv1, SMBv2, and SMBv3 protocols on the server component.
注意
當您啟用或停用 Windows 8 或 Windows Server 2012 中的 SMBv2 時,也會啟用或停用 SMBv3。When you enable or disable SMBv2 in Windows 8 or Windows Server 2012, SMBv3 is also enabled or disabled. 之所以會發生這種行為,是因為這些通訊協定共用相同的堆疊。This behavior occurs because these protocols share the same stack.
您不需要在執行SMBServerConfiguration Cmdlet 之後重新開機電腦。You do not have to restart the computer after you run the Set-SMBServerConfiguration cmdlet.
SMB 伺服器上的 SMB v1SMB v1 on SMB Server
是否Detect:
Get-SmbServerConfiguration | Select EnableSMB1Protocol啟用Disable:
Set-SmbServerConfiguration -EnableSMB1Protocol $false啟用Enable:
Set-SmbServerConfiguration -EnableSMB1Protocol $true
如需詳細資訊,請參閱Microsoft 的伺服器儲存體。For more information, see Server storage at Microsoft.
SMB 伺服器上的 SMB v2/v3SMB v2/v3 on SMB Server
是否Detect:
Get-SmbServerConfiguration | Select EnableSMB2Protocol啟用Disable:
Set-SmbServerConfiguration -EnableSMB2Protocol $false啟用Enable:
Set-SmbServerConfiguration -EnableSMB2Protocol $true
適用于 Windows 7、Windows Server 2008 R2、Windows Vista 和 Windows Server 2008For Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008
若要在 runningWindows 7、Windows Server 2008 R2、Windows Vista 或 Windows Server 2008 的 SMB 伺服器上啟用或停用 SMB 通訊協定,請使用 Windows PowerShell 或登錄編輯程式。To enable or disable SMB protocols on an SMB Server that is runningWindows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, use Windows PowerShell or Registry Editor.
PowerShell 方法PowerShell methods
注意
此方法需要 powershell 2.0 或更新版本的 PowerShell。This method requires PowerShell 2.0 or later version of PowerShell.
SMB 伺服器上的 SMB v1SMB v1 on SMB Server
是否Detect:
Get-Item HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}
預設設定 = [已啟用] (不會建立登錄機碼),因此不會傳回任何 SMB1 值Default configuration = Enabled (No registry key is created), so no SMB1 value will be returned
啟用Disable:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 –Force
啟用Enable:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 –Force
注意進行這些變更之後,您必須重新開機電腦。Note You must restart the computer after you make these changes. 如需詳細資訊,請參閱Microsoft 的伺服器儲存體。For more information, see Server storage at Microsoft.
SMB 伺服器上的 SMB v2/v3SMB v2/v3 on SMB Server
是否Detect:
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}
啟用Disable:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 0 –Force
啟用Enable:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 –Force
注意
進行這些變更之後,您必須重新開機電腦。You must restart the computer after you make these changes.
登錄編輯程式Registry Editor
重要
請仔細依循本節中的步驟。Follow the steps in this section carefully. 若您不正確地修改登錄,可能會發生嚴重的問題。Serious problems might occur if you modify the registry incorrectly. 在修改之前,備份登錄以供還原,以免發生問題。Before you modify it, back up the registry for restoration in case problems occur.
若要啟用或停用 SMB 伺服器上的 SMBv1,請設定下列登錄機碼:To enable or disable SMBv1 on the SMB server, configure the following registry key:
HKEY_LOCAL_MACHINE \SYSTEM\CurrentControlSet\Services\LanmanServer\ParametersHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled (No registry key is created)
若要啟用或停用 SMB 伺服器上的 SMBv2,請設定下列登錄機碼:To enable or disable SMBv2 on the SMB server, configure the following registry key:
HKEY_LOCAL_MACHINE \SYSTEM\CurrentControlSet\Services\LanmanServer\ParametersHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB2
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled (No registry key is created)
注意
您必須在進行這些變更之後重新開機電腦。 You must restart the computer after you make these changes.
如何在 SMB 用戶端上偵測狀態、啟用和停用 SMB 通訊協定How to detect status, enable, and disable SMB protocols on the SMB Client
適用于 Windows Vista、Windows Server 2008、Windows 7、Windows Server 2008 R2、Windows 8 和 Windows Server 2012For Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012
注意
當您啟用或停用 Windows 8 或 Windows Server 2012 中的 SMBv2 時,也會啟用或停用 SMBv3。When you enable or disable SMBv2 in Windows 8 or in Windows Server 2012, SMBv3 is also enabled or disabled. 之所以會發生這種行為,是因為這些通訊協定共用相同的堆疊。This behavior occurs because these protocols share the same stack.
SMB 用戶端上的 SMB v1SMB v1 on SMB Client
DetectDetect
sc.exe qc lanmanworkstation啟用Disable:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi sc.exe config mrxsmb10 start= disabled啟用Enable:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi sc.exe config mrxsmb10 start= auto
如需詳細資訊,請參閱Microsoft 的伺服器儲存體For more information, see Server storage at Microsoft
Smb 用戶端上的 SMB v2/v3SMB v2/v3 on SMB Client
是否Detect:
sc.exe qc lanmanworkstation啟用Disable:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi sc.exe config mrxsmb20 start= disabled啟用Enable:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi sc.exe config mrxsmb20 start= auto
注意
- 您必須在提高許可權的命令提示字元中執行這些命令。You must run these commands at an elevated command prompt.
- 進行這些變更之後,您必須重新開機電腦。You must restart the computer after you make these changes.
使用群組原則停用 SMBv1 伺服器Disable SMBv1 Server with Group Policy
此程式會在登錄中設定下列新專案:This procedure configures the following new item in the registry:
HKEY_LOCAL_MACHINE \SYSTEM\CurrentControlSet\Services\LanmanServer\ParametersHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
- 登錄專案: SMB1Registry entry: SMB1
- REG_DWORD: 0 = 已停用REG_DWORD: 0 = Disabled
若要使用群組原則來進行此設定,請遵循下列步驟:To configure this by using Group Policy, follow these steps:
開啟 [群組原則管理主控台]。Open the Group Policy Management Console. 在應包含新的喜好設定項目之群組原則物件 (GPO) 上按一下滑鼠右鍵,然後按一下 [編輯]。Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.
在 [電腦設定] 底下的主控台樹中,展開 [喜好設定] 資料夾,然後展開 [ Windows 設定] 資料夾。In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.
以滑鼠右鍵按一下 [登錄] 節點,指向 [新增],然後選取 [登錄專案]。Right-click the Registry node, point to New, and select Registry Item.
在 [新增登錄內容] 對話方塊中,選取下列各項:In the New Registry Propertiesdialog box, select the following:
- 動作:建立Action: Create
- Hive: HKEY_LOCAL_MACHINEHive: HKEY_LOCAL_MACHINE
- 金鑰路徑: SYSTEM\CurrentControlSet\Services\LanmanServer\ParametersKey Path: SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
- 值名稱: SMB1Value name: SMB1
- 數值型別: REG_DWORDValue type: REG_DWORD
- 數值資料:0Value data: 0
這會停用 SMBv1 伺服器元件。This disables the SMBv1 Server components. 此群組原則必須套用至網域中所有必要的工作站、伺服器和網域控制站。This Group Policy must be applied to all necessary workstations, servers, and domain controllers in the domain.
注意
WMI 篩選器也可以設定為排除不支援的作業系統或選取的排除專案,例如 Windows XP。 WMI filters can also be set to exclude unsupported operating systems or selected exclusions, such as Windows XP.
重要
當您在舊版 Windows XP 或舊版 Linux 和協力廠商系統(不支援 SMBv2 或 SMBv3)的網域控制站上進行這些變更時,請務必小心,需要存取 SYSVOL 或停用 SMB v1 的其他檔案共用。Be careful when you make these changes on domain controllers on which legacy Windows XP or older Linux and third-party systems (that do not support SMBv2 or SMBv3) require access to SYSVOL or other file shares where SMB v1 is being disabled.
使用群組原則停用 SMBv1 用戶端Disable SMBv1 Client with Group Policy
若要停用 SMBv1 用戶端,必須更新服務登錄機碼,以停用MRxSMB10的開頭,然後必須從LanmanWorkstation的專案中移除對MRxSMB10的相依性,讓它可以正常啟動,而不需要先啟動MRxSMB10 。To disable the SMBv1 client, the services registry key needs to be updated to disable the start of MRxSMB10 and then the dependency on MRxSMB10 needs to be removed from the entry for LanmanWorkstation so that it can start normally without requiring MRxSMB10 to first start.
這會更新並取代登錄中下列2個專案的預設值:This will update and replace the default values in the following 2 items in the registry:
HKEY_LOCAL_MACHINE \SYSTEM\CurrentControlSet\services\mrxsmb10HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb10
登錄專案:啟動REG_DWORD: 4= 已停用Registry entry: Start REG_DWORD: 4= Disabled
HKEY_LOCAL_MACHINE \SYSTEM\CurrentControlSet\Services\LanmanWorkstationHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation
登錄專案: DependOnService REG_MULTI_SZ: "Bowser"、"MRxSmb20"、"NSI"Registry entry: DependOnService REG_MULTI_SZ: "Bowser","MRxSmb20″,"NSI"
注意
預設包含的 MRxSMB10,現在已移除為相依性。 The default included MRxSMB10 which is now removed as dependency.
若要使用群組原則來進行此設定,請遵循下列步驟:To configure this by using Group Policy, follow these steps:
開啟 [群組原則管理主控台]。Open the Group Policy Management Console. 在應包含新的喜好設定項目之群組原則物件 (GPO) 上按一下滑鼠右鍵,然後按一下 [編輯]。Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.
在 [電腦設定] 底下的主控台樹中,展開 [喜好設定] 資料夾,然後展開 [ Windows 設定] 資料夾。In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.
以滑鼠右鍵按一下 [登錄] 節點,指向 [新增],然後選取 [登錄專案]。Right-click the Registry node, point to New, and select Registry Item.
在 [新增登錄內容] 對話方塊中,選取下列各項:In the New Registry Properties dialog box, select the following:
- 動作:更新Action: Update
- Hive: HKEY_LOCAL_MACHINEHive: HKEY_LOCAL_MACHINE
- 金鑰路徑: SYSTEM\CurrentControlSet\services\mrxsmb10Key Path: SYSTEM\CurrentControlSet\services\mrxsmb10
- 值名稱: StartValue name: Start
- 數值型別: REG_DWORDValue type: REG_DWORD
- 數值資料:4Value data: 4
然後移除剛停用之MRxSMB10的相依性。Then remove the dependency on the MRxSMB10 that was just disabled.
在 [新增登錄內容] 對話方塊中,選取下列各項:In the New Registry Properties dialog box, select the following:
- 動作:取代Action: Replace
- Hive: HKEY_LOCAL_MACHINEHive: HKEY_LOCAL_MACHINE
- 金鑰路徑: SYSTEM\CurrentControlSet\Services\LanmanWorkstationKey Path: SYSTEM\CurrentControlSet\Services\LanmanWorkstation
- 值名稱: DependOnServiceValue name: DependOnService
- 數值型別: REG_MULTI_SZValue type: REG_MULTI_SZ
- 數值資料:Value data:
- BowserBowser
- MRxSmb20MRxSmb20
- NSINSI
注意
這三個字串不會有專案符號(請參閱下列螢幕擷取畫面)。These three strings will not have bullets (see the following screen shot).
預設值包含許多 Windows 版本中的MRxSMB10 ,因此藉由使用這個多重值字串來取代它們,它實際上是將MRxSMB10移除為LanmanServer的相依性,並從四個預設值減少為上述三個值。The default value includes MRxSMB10 in many versions of Windows, so by replacing them with this multi-value string, it is in effect removing MRxSMB10 as a dependency for LanmanServer and going from four default values down to just these three values above.
注意
當您使用群組原則管理主控台時,不需要使用引號或逗號。When you use Group Policy Management Console, you don't have to use quotation marks or commas. 只要在個別行上輸入每個專案。Just type the each entry on individual lines.
重新開機目標系統,以完成 SMB v1 的停用。Restart the targeted systems to finish disabling SMB v1.
摘要Summary
如果所有設定都位於相同的群組原則物件(GPO)中,群組原則管理會顯示下列設定。If all the settings are in the same Group Policy Object (GPO), Group Policy Management displays the following settings.
測試和驗證Testing and validation
這些設定完成後,允許原則進行複寫和更新。After these are configured, allow the policy to replicate and update. 如需測試,請在命令提示字元中執行gpupdate/force ,然後檢查目的電腦,以確保正確套用登錄設定。As necessary for testing, run gpupdate /force at a command prompt, and then review the target computers to make sure that the registry settings are applied correctly. 請確定 SMB v2 和 SMB v3 適用于環境中的所有其他系統。Make sure SMB v2 and SMB v3 is functioning for all other systems in the environment.
注意
別忘了重新開機目標系統。Do not forget to restart the target systems.