cr0x.net — Hard Problems. Clean Solutions.
English

SMB1 vs SMB2/3: What to Disable (and Why You Should Care)

February 22, 2026 • February 22, 2026 • Read: 21 min • Views: 0

Was this helpful?

The file share works… until it doesn’t. One morning you get a flood of tickets: “Mapped drives are slow,” “Excel locks up,” “The NAS is down,”
“Why did ransomware hit the finance share first?” The uncomfortable truth is that SMB is often treated like plumbing: ignored until it explodes
through the ceiling tiles.

If your environment still allows SMB1, you’re not “supporting legacy.” You’re running a museum exhibit that can be exploited remotely.
And if you’ve already disabled SMB1 but SMB2/3 performance still stinks, you probably have a mismatch between what SMB can do and what your
network, clients, and storage are actually delivering. Let’s fix both.

The bottom line: what to disable

Disable SMB1 everywhere. Server-side and client-side. Then verify it’s truly gone.
Do it for security, yes—but also for reliability. SMB1’s chatty design, brittle negotiation, and lack of modern safeguards turn minor network
weirdness into user-visible failures.

Do this

  • Disable SMB1 server on Windows servers and on Samba appliances.
  • Disable SMB1 client on Windows desktops/VDI unless you have a documented, time-boxed exception.
  • Allow SMB2 and SMB3 (including SMB 3.1.1) and enforce sane security: signing where required, encryption only where it’s justified.
  • Track the last SMB1 holdouts (scanners, old copiers, embedded devices) and plan their retirement like any other risk.

A blunt opinion from operations

The only valid reason to keep SMB1 enabled is “we’ve accepted the risk, we’ve isolated it, we’ve logged it, and we have a removal date.”
Anything else is just procrastination with a network cable attached.

Joke #1: SMB1 is like keeping a screen door on a submarine because your great-uncle liked “fresh air.”

A few facts and history that matter

You don’t need to memorize protocol archaeology, but a handful of concrete facts will change how you troubleshoot and how you sell the change internally.

  1. SMB1 predates modern threat models. Its roots trace back to IBM PC networking and early Microsoft LAN Manager-era designs.
  2. SMB2 arrived with Windows Vista/Server 2008. It wasn’t a “minor update”; it was a redesign aimed at reducing chattiness and improving performance.
  3. SMB3 launched with Windows 8/Server 2012. It brought features meant for datacenters: encryption, multichannel, and SMB Direct (RDMA).
  4. WannaCry’s spread was accelerated by SMB1 exposure. That incident permanently moved “disable SMB1” from best practice to minimum hygiene.
  5. SMB 3.1.1 improved security negotiation. It introduced better pre-auth integrity protections that make downgrade/mitm tricks harder.
  6. SMB signing existed earlier but became more relevant. It’s often mandated for security, and it can become a performance constraint on weak CPUs.
  7. SMB is stateful and sensitive to latency. A little RTT is fine; jitter and packet loss are what make it scream.
  8. SMB “dialects” are negotiated per connection. You can disable SMB1 and still see odd clients failing if they can’t negotiate SMB2+.
  9. Samba isn’t “Windows SMB,” but it speaks the same language. Samba can do SMB3 features depending on version/build options and kernel support.

SMB1 vs SMB2 vs SMB3: what actually changed

SMB1: chatty, fragile, and too trusting

SMB1 is the old world. It tends to do lots of small request/response operations. That means more round trips, which means it amplifies latency.
It also means more places for middleboxes to interfere and more opportunities for obscure bugs to show up.

SMB1 also lacks modern defenses. Even when you wrap it in “the network is internal,” you’re betting that nothing untrusted can ever reach it.
That’s a bet you lose the moment a laptop brings malware onto the VPN, a misconfigured firewall opens a path, or a flat VLAN lets one workstation
talk to everything.

SMB2: fewer round trips, better semantics

SMB2 reduced protocol overhead substantially. It improved batching and pipelining. That’s not “nice to have”; it’s why SMB2 performs far better
across WAN-ish links, busy cores, and virtualized networks.

Operationally, SMB2+ also improves the observability story. You can often query negotiated dialects, signing state, and session details more cleanly,
which turns “it’s slow” into something you can measure.

SMB3: security and datacenter features (with sharp edges)

SMB3 adds things you actually want in modern environments: encryption (per share or per session), multichannel (multiple network paths per session),
and SMB Direct (RDMA) if you’re in the Windows/HCI world.

But SMB3 features can also create new failure modes:
multichannel can expose asymmetric routing, bad NIC offloads, or switch misconfigurations;
encryption can become a CPU bottleneck;
signing requirements can turn a weak NAS into a space heater that also serves files.

The one quote

“paraphrased idea” — Werner Vogels: you build reliability by assuming things will fail and designing for it, not by hoping the happy path holds.

What to disable (and what to keep)

Disable SMB1 protocol support

SMB1 should be disabled on servers and clients. Period. This is the part where some environments say “but the copier…”.
Great. Put the copier on a quarantined VLAN, give it a dedicated share with tight ACLs, and schedule replacement.
Don’t keep SMB1 enabled for the whole fleet because one embedded device is stuck in 2009.

Keep SMB2 and SMB3, but be deliberate about signing and encryption

SMB signing helps prevent tampering and some credential relay games. But signing costs CPU.
On modern servers it’s usually fine; on older NAS appliances or overloaded VMs, it can be the difference between “fast” and “why is everything 12 MB/s?”

SMB encryption is fantastic when you need it (untrusted networks, multi-tenant segments, sensitive shares).
It’s also an easy way to make a storage cluster look slow while the CPUs quietly max out doing cryptography.
Use it where it reduces real risk; don’t blanket-enable it and then act surprised when performance changes.

Disable legacy auth where you can

SMB1 often drags old authentication behaviors into the conversation. If you’re still allowing NTLMv1 or LM in 2026, you’re not “compatible”;
you’re inviting credential abuse. Move toward Kerberos and modern NTLM policies, and keep guest access off unless you enjoy incident response.

Joke #2: “Temporary SMB1 exception” is the IT equivalent of “I’ll just have one cookie.”

Practical tasks: commands, outputs, decisions

These are real tasks you can run in production with minimal drama. Each one includes what the output means and the decision you make from it.
Mix-and-match depending on whether you own Windows servers, Samba, or a NAS.

Task 1: Check SMB dialect and features negotiated (Windows client)

cr0x@server:~$ powershell -NoProfile -Command "Get-SmbConnection | Select-Object ServerName,ShareName,Dialect,NumOpens,SigningRequired,Encrypted | Format-Table -Auto"
ServerName ShareName Dialect NumOpens SigningRequired Encrypted
---------- --------- ------ -------- ---------------- ---------
NAS01      data      3.1.1  24       True             False
FS01       profiles  3.0    6        True             True

Meaning: Dialect shows what was actually negotiated. If you see 1.5 or “1.0” (SMB1), you’ve got a policy gap.
Decision: If any SMB1 appears, identify the client/server pair and disable SMB1 where appropriate. If encryption is on unexpectedly, expect CPU impact.

Task 2: Confirm SMB1 server is disabled (Windows Server)

cr0x@server:~$ powershell -NoProfile -Command "Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol,EnableSMB2Protocol | Format-List"
EnableSMB1Protocol : False
EnableSMB2Protocol : True

Meaning: This is the effective SMB server setting.
Decision: If EnableSMB1Protocol is True, disable it in a change window and monitor for legacy device complaints (then fix the devices).

Task 3: Disable SMB1 server (Windows Server)

cr0x@server:~$ powershell -NoProfile -Command "Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force"

Meaning: SMB1 server support is turned off.
Decision: Schedule a restart only if required by your OS build/policy; validate new connections negotiate SMB2/3; watch event logs for failed negotiations.

Task 4: Check whether SMB1 client feature is installed (Windows)

cr0x@server:~$ powershell -NoProfile -Command "Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol | Select-Object FeatureName,State"
FeatureName  State
-----------  -----
SMB1Protocol Enabled

Meaning: SMB1 client components are present.
Decision: Disable/remove SMB1 on clients unless you have an isolated exception. This reduces accidental fallback and attack surface.

Task 5: Remove SMB1 client feature (Windows)

cr0x@server:~$ powershell -NoProfile -Command "Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart"
Path          :
Online        : True
RestartNeeded : True

Meaning: Feature removal queued; reboot required.
Decision: Coordinate with endpoint management for reboot scheduling. After reboot, validate access to file shares and ensure no SMB1 dialect appears.

Task 6: Identify SMB server sessions and dialects (Windows Server)

cr0x@server:~$ powershell -NoProfile -Command "Get-SmbSession | Select-Object ClientComputerName,ClientUserName,Dialect,NumOpens | Sort-Object Dialect | Format-Table -Auto"
ClientComputerName ClientUserName     Dialect NumOpens
------------------ --------------     ------ --------
WS043              CORP\j.singh       3.1.1  18
WS019              CORP\finance.svc   3.0    4

Meaning: You see what clients are actually using.
Decision: If any sessions show SMB1, you can hunt the client immediately. If dialect is SMB2/3 but performance is poor, move to latency/credits/encryption checks.

Task 7: Samba: check effective SMB protocol floor/ceiling

cr0x@server:~$ testparm -s 2>/dev/null | egrep -i "server min protocol|server max protocol|client min protocol|client max protocol"
server min protocol = SMB2_02
server max protocol = SMB3_11
client min protocol = SMB2_02
client max protocol = SMB3_11

Meaning: Samba won’t negotiate below SMB2_02 and can negotiate up to SMB3_11.
Decision: If you see NT1 (SMB1) anywhere, raise the minimum. If max is too low, update Samba or adjust config to allow SMB3.

Task 8: Samba: actively see connected clients and negotiated dialect

cr0x@server:~$ smbstatus -S
Service      pid     Machine       Connected at                     Encryption   Signing
------------------------------------------------------------------------------------------
data         1842    10.40.12.77    Tue Feb  5 09:21:44 2026 UTC    -            SMB2
profiles     1920    10.40.10.31    Tue Feb  5 09:24:11 2026 UTC    AES-128-GCM  SMB3_11

Meaning: Samba reports per-session signing/encryption state (varies by version).
Decision: If encryption unexpectedly appears on a heavy share, measure CPU. If signing shows SMB2 while you expect SMB3_11, you may have client capability or policy issues.

Task 9: Samba: set minimum protocol to SMB2 (disable SMB1) and reload

cr0x@server:~$ sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
cr0x@server:~$ sudo bash -lc 'printf "\n[global]\n   server min protocol = SMB2_02\n   server max protocol = SMB3_11\n" >> /etc/samba/smb.conf'
cr0x@server:~$ sudo systemctl reload smbd

Meaning: Samba will refuse SMB1 negotiations after reload.
Decision: Monitor logs for rejected clients; if something breaks, it’s telling you which device needs replacement or isolation.

Task 10: Check Samba logs for dialect negotiation failures

cr0x@server:~$ sudo journalctl -u smbd --since "1 hour ago" | egrep -i "protocol|SMB1|NT1|negotiate|reject" | tail -n 20
Feb 05 09:44:10 nas01 smbd[2112]: negotiate_protocol: No compatible protocol. Client offered: NT1
Feb 05 09:44:10 nas01 smbd[2112]: Failed to negotiate protocol with client 10.40.50.19

Meaning: A client is trying SMB1 (NT1) and is being rejected.
Decision: Identify the device at that IP and decide: upgrade firmware, replace device, or isolate it behind a legacy gateway share with strict controls.

Task 11: Check if SMB encryption is enabled on a Windows share

cr0x@server:~$ powershell -NoProfile -Command "Get-SmbShare -Name data | Select-Object Name,EncryptData,CachingMode | Format-List"
Name        : data
EncryptData : False
CachingMode : Manual

Meaning: Encryption at the share level is off.
Decision: If the share crosses an untrusted network boundary, consider enabling encryption. If performance is already tight, benchmark before/after.

Task 12: Enable SMB encryption on a specific Windows share (surgical, not blanket)

cr0x@server:~$ powershell -NoProfile -Command "Set-SmbShare -Name data -EncryptData $true"

Meaning: Clients must use SMB3 encryption to access that share.
Decision: Roll this out per share, not globally. Validate client OS support and watch server CPU and throughput after enabling.

Task 13: Verify SMB signing requirements on Windows Server

cr0x@server:~$ powershell -NoProfile -Command "Get-SmbServerConfiguration | Select-Object RequireSecuritySignature,EnableSecuritySignature | Format-List"
RequireSecuritySignature : True
EnableSecuritySignature  : True

Meaning: Signing is enabled and required.
Decision: If performance is poor, check CPU and network first. If the server is underpowered, you may need better hardware or offload strategies—not disabling signing casually.

Task 14: Linux client: show negotiated SMB dialect for a mounted share

cr0x@server:~$ mount | grep -i cifs
//nas01/data on /mnt/data type cifs (rw,relatime,vers=3.1.1,sec=krb5,cache=strict,username=CORP\\j.singh,uid=1000,gid=1000)

Meaning: The Linux client is using SMB 3.1.1. Good.
Decision: If you see vers=1.0 or vers=2.0 unexpectedly, adjust mount options and ensure the server supports newer dialects.

Task 15: Linux client: force SMB3 and fail fast if server can’t do it

cr0x@server:~$ sudo mount -t cifs //nas01/data /mnt/data -o vers=3.1.1,sec=krb5,seal,username=CORP\\j.singh
mount error(95): Operation not supported

Meaning: The server or client stack doesn’t support the requested feature set (here: SMB3.1.1 + encryption).
Decision: Decide whether to upgrade Samba/kernel, adjust to a supported dialect, or move the workload. Don’t “fix” it by enabling SMB1.

Task 16: Network reality check from the client (latency and loss hints)

cr0x@server:~$ ping -c 5 nas01
PING nas01 (10.40.10.20) 56(84) bytes of data.
64 bytes from 10.40.10.20: icmp_seq=1 ttl=63 time=1.12 ms
64 bytes from 10.40.10.20: icmp_seq=2 ttl=63 time=12.9 ms
64 bytes from 10.40.10.20: icmp_seq=3 ttl=63 time=1.05 ms
64 bytes from 10.40.10.20: icmp_seq=4 ttl=63 time=1.09 ms
64 bytes from 10.40.10.20: icmp_seq=5 ttl=63 time=1.08 ms

--- nas01 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 1.05/3.45/12.9/4.73 ms

Meaning: No packet loss, but jitter spikes to 12.9 ms.
Decision: SMB hates jitter. Investigate congestion, NIC offloads, bad Wi‑Fi, or overloaded virtual switches before blaming “the NAS.”

Task 17: Quick throughput sanity check (storage vs network suspicion)

cr0x@server:~$ dd if=/dev/zero of=/mnt/data/smb-test.bin bs=16M count=64 conv=fdatasync status=progress
1073741824 bytes (1.1 GB, 1.0 GiB) copied, 18.4 s, 58.4 MB/s
17179869184 bytes (17 GB, 16 GiB) copied, 292 s, 58.8 MB/s
64+0 records in
64+0 records out
1073741824 bytes (1.1 GB, 1.0 GiB) copied, 18.4 s, 58.4 MB/s

Meaning: Writes are ~58 MB/s. On a healthy 1 GbE network you might expect closer to ~90–110 MB/s for sequential writes, depending on overhead and encryption/signing.
Decision: If this is far below link expectations, check client CPU (encryption/signing), NIC negotiation, and server disk latency. If it’s near expected, look at app-level small I/O patterns.

Task 18: Windows: check NIC speed/duplex (yes, it still bites)

cr0x@server:~$ powershell -NoProfile -Command "Get-NetAdapter | Select-Object Name,Status,LinkSpeed | Format-Table -Auto"
Name        Status LinkSpeed
----        ------ ---------
Ethernet0   Up     1 Gbps
Ethernet1   Up     100 Mbps

Meaning: One NIC is at 100 Mbps. That’s not “a little slower,” that’s a different decade.
Decision: Fix cabling/switch port/autonegotiation. If SMB multichannel is enabled, the slow NIC can drag performance or cause odd behavior depending on policy.

Fast diagnosis playbook

SMB issues are rarely “just SMB.” They’re usually one of four things: negotiation/policy mismatch, network quality, server CPU (crypto/signing),
or storage latency. The trick is to find which one in minutes, not hours.

First: confirm the dialect and security mode

  • On Windows client: Get-SmbConnection and look at Dialect, SigningRequired, Encrypted.
  • On Windows server: Get-SmbSession for client dialects.
  • On Samba: smbstatus -S (dialect/signing/encryption depends on version).

If anything is negotiating SMB1, stop diagnosing performance. You’re diagnosing a policy failure. Fix that first.

Second: decide if it smells like network, CPU, or disk

  • Network smell: jittery ping, packet loss, Wi‑Fi clients, VPN paths, asymmetric routing, ECMP weirdness.
  • CPU smell: performance tanks only when encryption/signing is on; server CPU rises with file copy load.
  • Disk smell: SMB is fine for one client but collapses with many; storage latency spikes; metadata-heavy workloads (lots of small files) crawl.

Third: measure one thing at a time

  1. Client-to-server RTT/jitter: quick ping is fine for a hint, then use OS tooling for deeper checks.
  2. Single-stream throughput: a controlled write/read test to isolate gross caps.
  3. Concurrency behavior: SMB2/3 uses credits; issues often appear under parallel operations.
  4. CPU vs disk latency: watch server CPU and storage latency during the same test window.

A practical triage rule

If a single large file copy is fast but opening folders with many files is slow, you’re looking at metadata/latency behavior.
If large file copy is slow and CPU is pegged, look at signing/encryption.
If performance is inconsistent and spikes correlate with network jitter, it’s the network even if nobody wants it to be.

Three corporate mini-stories from the trenches

Mini-story 1: The incident caused by a wrong assumption

A mid-size company had a “legacy carve-out” for a few manufacturing devices. The assumption was simple: those devices were on their own VLAN,
so allowing SMB1 “just for that network” was safe. The file server team enabled SMB1 on a central Windows file server because it was faster than
building a dedicated gateway.

Months later, an unrelated project connected a test workstation to the manufacturing VLAN “temporarily” to run diagnostics. The workstation was
domain-joined, under-patched, and had broad east-west access nobody remembered existed. It picked up malware through a drive-by download.
The malware didn’t need genius; it just needed reach.

SMB1 was reachable. The file server had shares with permissive ACL inheritance because “that’s how it’s always been.” The attack moved laterally
and started encrypting shared folders. The team initially chased permissions and backup jobs because they didn’t want to believe a VLAN leak mattered.

The post-incident fix wasn’t exotic. They disabled SMB1 on the central server, built a tiny isolated SMB gateway for the manufacturing devices,
and tightened routing so “temporary” connections required explicit approvals. The real correction was cultural: assumptions about isolation were
treated as hypotheses to be tested, not truths to be repeated.

Mini-story 2: The optimization that backfired

A different org rolled out SMB encryption broadly because a security audit flagged “unencrypted file shares.” The storage team complied quickly:
enable encryption at the share level for everything and call it a win. It passed the audit. It also quietly changed the physics of the system.

Two weeks later, the helpdesk got “slow network drive” complaints. Then the VDI team piled on: login storms were taking longer, profile loads were
timing out, and the blame ping-ponged between network, storage, and “Windows being Windows.”

The real cause was mundane: the file servers were virtual machines with limited CPU headroom. Encryption pushed them into CPU contention during
peak. SMB didn’t fail; it slowed. That’s worse, because it looks like everything is “kind of working” while user productivity drains away.

The fix was not “turn off security.” They scoped encryption to the shares that crossed less-trusted boundaries and the ones with sensitive data,
then resized a few servers and spread load. The bigger lesson: security controls have performance costs, and the cost shows up right where the
business notices—logins and file opens—unless you plan capacity.

Mini-story 3: The boring but correct practice that saved the day

A global company had a policy: before any protocol deprecation, they inventory real usage for 30 days, then implement a block with logging,
then remove the legacy option. It’s not glamorous. It’s the kind of thing people mock until it saves them.

When they targeted SMB1 removal, they didn’t start by flipping a global switch. They first turned on logging at the edge and on file servers,
capturing which clients attempted SMB1 negotiation. A handful of devices showed up: a warehouse scanner, an old multifunction printer,
and a long-forgotten Linux box mounting shares with vers=1.0.

They fixed the Linux mount options, updated firmware where possible, and for the warehouse scanner they built a dedicated, isolated share path.
Then they disabled SMB1 broadly and watched the logs. Nothing screamed. No surprise outages. No “urgent executive exception” drama.

Two months later, a pen test tried SMB1-based tricks against internal segments. There was nothing listening. The report was short.
The team had done the dull work, and dull work is what reliability looks like on a good day.

Common mistakes: symptom → root cause → fix

1) “We disabled SMB1, but something still negotiates it”

Symptom: You still see SMB1/NT1 in logs or sessions.

Root cause: Disabled on the server but still enabled on a different server; or client has SMB1 feature installed and is connecting to an old NAS that only speaks SMB1.

Fix: Inventory negotiated dialects using Get-SmbSession/Get-SmbConnection or smbstatus. Disable SMB1 on both ends. Replace or isolate the SMB1-only device.

2) “File copies are slow after we enabled encryption”

Symptom: Throughput drops; CPU spikes on the file server; users complain during peak hours.

Root cause: SMB3 encryption is CPU-expensive; VM sizing or NAS CPU can’t keep up.

Fix: Enable encryption only on sensitive shares or untrusted segments; add CPU capacity; consider hardware with AES acceleration; test before wide rollout.

3) “Small file operations are painfully slow, big files are okay”

Symptom: Opening folders with many files is slow; application scanning directories crawls.

Root cause: Metadata operations are latency-sensitive; network jitter, overloaded domain controllers (auth delays), or storage latency on metadata-heavy datasets.

Fix: Reduce jitter; verify DNS/DC responsiveness; check storage latency and IOPS; consider tiering metadata to faster media; avoid WAN SMB without acceleration.

4) “Random disconnects, authentication prompts, or ‘network path not found’”

Symptom: Sessions drop intermittently; reconnects prompt for credentials; mapped drives go red.

Root cause: Middleboxes timing out stateful sessions; MTU/fragmentation issues; flaky NIC offloads; bad Wi‑Fi; asymmetric routing plus multichannel.

Fix: Validate MTU end-to-end; test with offloads adjusted; ensure stable wired connectivity for critical systems; review multichannel design and routing symmetry.

5) “We required signing and now performance is terrible on one server”

Symptom: One file server is slow, others are fine; server CPU is high during SMB load.

Root cause: That server is older, under-provisioned, or running additional workloads; signing overhead tips it over.

Fix: Move workloads; add CPU; separate roles. Don’t disable signing globally because one box is weak.

6) “Linux clients can mount, but Windows clients can’t (or vice versa)”

Symptom: Mixed OS behavior; errors like “operation not supported” or authentication failures.

Root cause: Dialect mismatch (vers=), security mode mismatch (sec=), or Samba config conflicting with AD/Kerberos expectations.

Fix: Align dialects (SMB3.1.1 where possible), standardize auth (Kerberos for domain), and verify Samba’s server min protocol and identity mapping.

Checklists / step-by-step plan

Step 1: Find SMB1 usage without breaking anything (inventory phase)

  1. On Windows file servers, list sessions and dialects with Get-SmbSession.
  2. On Windows clients (sample set), list connections with Get-SmbConnection.
  3. On Samba, check logs for NT1 offers and use smbstatus.
  4. Build a list: device/IP, owner, business function, replacement/upgrade path.

Step 2: Disable SMB1 in a controlled sequence

  1. Disable SMB1 server-side on general-purpose file servers first.
  2. Disable SMB1 client-side via endpoint management next.
  3. For the few true holdouts, provide a contained workaround: isolated VLAN + dedicated gateway share + minimal ACLs.

Step 3: Harden SMB2/3 intentionally (don’t cargo-cult)

  • Signing: require it where your risk model demands it; ensure servers are sized for it.
  • Encryption: enable on sensitive shares and untrusted segments; verify CPU headroom.
  • Auth: prefer Kerberos; reduce legacy NTLM where feasible; kill guest access.
  • Auditing: keep logs for negotiation failures and access anomalies.

Step 4: Performance validation checklist

  • Test a large sequential transfer and a many-small-files workload.
  • Validate negotiated dialect stays at SMB3.x for modern clients.
  • Check server CPU during peak copying with signing/encryption enabled.
  • Check client NIC speed and stability; avoid Wi‑Fi for heavy SMB workflows when possible.
  • Confirm storage latency under load; SMB will faithfully transmit your storage problems to users.

Step 5: Exception handling (the part everyone tries to skip)

  • Every SMB1 exception needs: owner, justification, network isolation, monitoring, and a removal date.
  • If you can’t isolate it, you don’t have an exception—you have a vulnerability.

FAQ

1) Is SMB1 ever okay on an internal network?

No, not as a default. “Internal” is not a security boundary; it’s a routing description. If you must keep SMB1 for a device, isolate it and time-box it.

2) If I disable SMB1, will Windows clients automatically use SMB2/3?

Modern Windows will negotiate SMB2/3 if the server supports it. If something breaks, it’s usually because the server (or NAS) only supports SMB1,
or because a client is ancient or misconfigured.

3) What’s the practical difference between SMB2 and SMB3 for most shops?

SMB3 adds encryption and more advanced performance features (multichannel, SMB Direct). If you don’t need those, SMB2 is still a big step up from SMB1.
In practice you’ll want SMB3 for modern Windows fleets and security posture.

4) Does SMB encryption replace the need for signing?

Encryption protects confidentiality (and integrity of encrypted payloads), but signing is still part of how SMB prevents tampering in various modes and policies.
Treat them as related controls, not strict substitutes.

5) Why is SMB sometimes fast for one user and slow for many?

Concurrency exposes server CPU limits (signing/encryption), storage IOPS/latency limits, and SMB credit behavior. Single-user tests can lie.
Always test under realistic parallel load when validating changes.

6) Should I enable SMB multichannel everywhere?

Only if your network design supports it cleanly (multiple NICs, stable routing, consistent MTU, no weird middleboxes).
Multichannel can boost throughput, but it can also amplify misconfigurations into flaky sessions.

7) We have a NAS appliance. Do the same rules apply?

Yes. The knobs may be in a GUI, but the risks and failure modes are the same. Ensure the NAS firmware supports SMB3.x, disable SMB1,
and validate negotiated dialects from clients.

8) What about Linux clients mounting SMB shares—what should we standardize?

Standardize on SMB3.1.1 where possible, use Kerberos (sec=krb5) in domain environments, and avoid permissive fallbacks.
Make mounts explicit rather than relying on defaults that vary by distro and kernel.

9) If I disable SMB1, how do I handle old printers/scanners that can only do SMB1?

Put them on an isolated network segment, give them a dedicated drop share with tight permissions, and plan replacement.
If the business refuses replacement, document the risk and contain it aggressively.

10) How do I prove to leadership that disabling SMB1 is worth it?

Show them evidence: which devices still negotiate SMB1, what that exposure enables, and how exceptions can be isolated.
Then present a removal plan with minimal business disruption and clear owners.

Conclusion: next steps that don’t waste your weekend

SMB1 is not “legacy support.” It’s a liability that shows up as security incidents and as weird reliability problems you’ll never fully fix.
SMB2/3 are not perfect, but they’re built for the world you actually operate: busy networks, virtualized servers, and adversaries who scan everything.

Practical next steps:

  1. Inventory negotiated SMB dialects across your environment (clients and servers). Find the SMB1 talkers.
  2. Disable SMB1 server-side on general file servers. Then remove SMB1 client feature fleet-wide.
  3. For holdouts, isolate and time-box. No exceptions without containment and a removal date.
  4. Validate SMB2/3 performance with two tests: big sequential copies and many-small-files operations.
  5. Tune security intentionally: signing per policy, encryption per share where it reduces real risk, and capacity-plan for the CPU cost.

The goal isn’t to win a protocol purity contest. The goal is boring file shares: fast enough, secure enough, and not the reason you miss dinner.

← Previous
Docker: ‘It Works on My Machine’ — The Image Tag Rule That Ends the Drama
Next →
Fix the “Your Device Is Missing Important Security and Quality Fixes” Loop
Similar articles
Fix “The specified network name is no longer available” on SMB Turn Off the Risky Windows Features Attackers Love (Safely) Slow Copies to NAS: The SMB Tweaks That Actually Matter Automatically Map SMB Drives Per User at Login ZFS SMB: Fixing “Windows Copy Is Slow” for Real Ubuntu 24.04: CIFS is painfully slow — the mount options that usually fix throughput (case #22)

Related articles

Fix “The specified network name is no longer available” on SMB February 26, 2026 Turn Off the Risky Windows Features Attackers Love (Safely) February 15, 2026 Slow Copies to NAS: The SMB Tweaks That Actually Matter February 14, 2026 Automatically Map SMB Drives Per User at Login February 7, 2026 ZFS SMB: Fixing “Windows Copy Is Slow” for Real December 31, 2025 Ubuntu 24.04: CIFS is painfully slow — the mount options that usually fix throughput (case #22) November 15, 2025 Office VPN File Sharing: Stable SMB Between Offices Without Constant Disconnects October 15, 2025 MTU Problems: The Hidden Cause of “Some Sites Don’t Load” February 26, 2026 Map a Network Drive That Stays Mapped (Even After Reboot) February 26, 2026 Fix DNS on Windows: Stop Using “Flushdns” Like a Ritual February 25, 2026

Leave a comment