The devastating global ransomware outbreak wannacry and Petya quickly spread due to a loophole in the Internet's oldest network protocol, the message message Block 1, also known as SMBV1.
Computers running Windows 10 can be protected from this exploit, but that doesn't mean you'll be lucky to be in the next encounter. To implement a comprehensive multi-tier security policy, Microsoft recommends that you completely disable the SMBV1 protocol. The world has moved to SMBv3, and there is no excuse to keep this old and horrible insecure protocol running on your network.
To permanently remove SMBV1 support from Windows 10, use one of these two methods.
Open Control Panel (just start typing controls in the search box to quickly find shortcuts). Click Programs, and then click Turn Windows Features on or off (under program title). Clear the check boxes for the SMB 1.0/cifs file share support as shown below.
(Note that you can use the same procedure in Windows 8.1.) For Windows 7, you cannot delete SMBv1, but you can disable it by using the instructions in this article)
As an alternative to Windows 10, open the Windows PowerShell prompt with administrative permissions. In Windows 10 Creator Update version 1703, right-click the Start button and choose Windows PowerShell (Admin) from the Quick Links menu. If you are running an earlier version of Windows 10, enter Windows PowerShell in the search box, right-click the Windows PowerShell shortcut, and then click Run as Administrator.
From the elevated PowerShell prompt, type the following command:
Disable-windowsoptionalfeature-nline-featurename Smb1protocol
Press Enter and you are done.
Group Policy can of course be used on Windows domains. Complete instructions (and help manage to understand why this is a good idea for a link) in this Microsoft TechNet article: Disable SMB v1 in a managed environment that has Group Policy.
Disabling SMBV1 should not have any effect on modern, fully updated hardware. Some consumer network-attached storage devices use this protocol by default, but firmware updates or settings changes may cause you to change them to be more secure. Unfortunately, some older database programs, and even new devices such as Sonos need SMBv1.
If you find an application or network device that cannot be used without this feature, use Control Panel to re-enable the feature. Then consider whether the application or device is worth the impact on your network security and whether you need to look for replacements.
Jiangsu Three AI Network Technology Co., Ltd.
Emergency: WINDOWS10 user, stop this dangerous agreement as soon as possible!