Disabling SMBv1 broke Network Login


As per the Microsoft recommendation, SMBv1 should be disabled on all servers of a domain. We made this change on all our servers. After some days, we found that we were not able to RDP into the servers and were not able to resolve their DNS hostnames either.

After digging into the problem, I found that the "NetLogon" service was stopped. When I tried to run it, it gave me an error that one of its dependency services was stopped or disabled. Later I found that this was because of the "Workstation" service, which was also stopped. In the event log I found that it was not able to run because SMBv1 was disabled. Below are the screenshots which will show you what I am talking about.



Note: This problem occurred only on Windows Server 2008 R2 and earlier, because there SMBv1 is a dependency of the "Workstation" service. In later versions of Windows Server, such as 2012, 2012 R2 and 2016, Microsoft has removed it from the dependencies. See the below screenshot of the "Workstation" service on Windows Server 2012 R2.

There are two ways to fix this: either enable SMBv1 again, or remove it from the "Workstation" service dependencies.

Enabling SMBv1 Back
This is not a good option, because all the famous attacks were based on SMBv1, so I would not suggest doing it. I have still listed the steps below.

1. Open "Command Prompt" as an administrator.
2. Type the commands below to enable SMBv1.
     sc.exe query lanmanworkstation
     (This checks the status of the lanmanworkstation service.)
     sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
     (This configures all dependencies for the "Workstation" service.)
     sc.exe config mrxsmb10 start= auto
     (This sets the SMBv1 driver to start automatically.)
3. Reboot the server, then start the "Workstation" service first and the "NetLogon" service after it.

Removing SMBv1 from the dependencies of the "Workstation" service
I recommend this option, and it is easy.

1. Open Registry Editor and navigate to the location below.
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation
2. Check the "DependOnService" value. It will contain the service names below.
     Bowser
     MRxSmb10
     MRxSmb20
     NSI
3. Remove "MRxSmb10" from the "DependOnService" value.
4. Open "Command Prompt" as an administrator and run the commands below.
     sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
     sc.exe config mrxsmb10 start= disabled
5. Check the "Workstation" service now; it should no longer have SMBv1 in its dependencies.
6. Restart the "Workstation" service.
7. That's all you have to do to remove SMBv1 from dependencies.
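
To check other servers for the same condition, the read-only PowerShell below (an added example, not part of the original post) classifies the combination of the "DependOnService" value and the mrxsmb10 start type. The function name and verdict strings are hypothetical; a Start value of 4 is the registry encoding for a disabled service.

```powershell
# Added example: read-only audit of the Workstation/SMBv1 dependency state.
# Function name and verdict strings are hypothetical; nothing is modified.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-SmbV1DependencyState {
    param(
        [string[]]$DependOnService,  # LanmanWorkstation\DependOnService (REG_MULTI_SZ)
        [int]$MrxSmb10Start          # mrxsmb10\Start: 2 = auto, 3 = manual, 4 = disabled
    )
    # -contains compares case-insensitively, so MRxSmb10 / mrxsmb10 both match.
    $depends  = $DependOnService -contains 'MRxSmb10'
    $disabled = ($MrxSmb10Start -eq 4)

    if ($depends -and $disabled) {
        'BROKEN: Workstation depends on disabled MRxSmb10; Workstation and NetLogon cannot start'
    } elseif ($depends) {
        'AT RISK: Workstation depends on MRxSmb10; remove the dependency before disabling SMBv1'
    } elseif (-not $disabled) {
        'SMBv1 ON: dependency removed, but the mrxsmb10 driver is not disabled'
    } else {
        'OK: dependency removed and mrxsmb10 disabled'
    }
}

# Constructed inputs: the failure described in the post, then the state after the fix.
Get-SmbV1DependencyState -DependOnService 'Bowser','MRxSmb10','MRxSmb20','NSI' -MrxSmb10Start 4
Get-SmbV1DependencyState -DependOnService 'Bowser','MRxSmb20','NSI' -MrxSmb10Start 4

# Live check on the local server.
$deps = (Get-ItemProperty -Path "$svcRoot\LanmanWorkstation").DependOnService
$smb1 = Get-ItemProperty -Path "$svcRoot\mrxsmb10" -ErrorAction SilentlyContinue
# Assumption: a missing mrxsmb10 key means the driver is not installed, treated as disabled.
$start = if ($smb1) { $smb1.Start } else { 4 }
Get-SmbV1DependencyState -DependOnService $deps -MrxSmb10Start $start
Get-Service -Name LanmanWorkstation, Netlogon | Select-Object Name, Status
```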
