
I don't use my Windows 10 machine to share or retrieve files, connect to printers, or connect to other hosts via serial port in my home network. Given the history of security flaws in the SMB protocol, the latest being published this week, I would like to disable it. However, the same page that details how to disable it does not recommend doing so permanently:

We recommend that you do not disable SMBv2 or SMBv3. Disable SMBv2 or SMBv3 only as a temporary troubleshooting measure. Do not leave SMBv2 or SMBv3 disabled.

Can I safely ignore that recommendation? Why is it there? Are there security or other non-filesharing features of leaving it enabled that I'm missing? For example, when the Advanced Troubleshooting page says

In Windows 8, Windows 8.1, Windows 10, Windows Server 2012, and Windows Server 2016, disabling SMBv3 deactivates the following functionality (and also the SMBv2 functionality that's described in the previous list):

  • Transparent Failover - clients reconnect without interruption to cluster nodes during maintenance or failover
  • Scale Out - concurrent access to shared data on all file cluster nodes
  • Multichannel - aggregation of network bandwidth and fault tolerance if multiple paths are available between client and server
  • SMB Direct - adds RDMA networking support for very high performance, with low latency and low CPU utilization
  • Encryption - provides end-to-end encryption and protects from eavesdropping on untrustworthy networks
  • Directory Leasing - improves application response times in branch offices through caching
  • Performance Optimizations - optimizations for small random read/write I/O

does that apply to non-filesharing traffic, encryption, and local I/O as well?


It would make no reasonable sense to disable SMB across the board. You would likely disable several critical Windows functions that reference \\localhost\C$ for functionality, as dumb as that is.

Leave it on. If you have a security concern, handle it via Windows Firewall to block all outbound/inbound traffic to the local system other than local system traffic requests over SMB via port blocking.

If you do wish to proceed, I highly advise a full review of the following link to understand exactly what you are disabling.

https://docs.microsoft.com/en-us/windows-server/storage/file-server/file-server-smb-overview

In Windows 10, Windows 8.1, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2012, disabling SMBv3 deactivates the following functionality:

Transparent Failover - clients reconnect without interruption to cluster nodes during maintenance or failover

Scale Out - concurrent access to shared data on all file cluster nodes

Multichannel - aggregation of network bandwidth and fault tolerance if multiple paths are available between client and server

SMB Direct - adds RDMA networking support for high performance, with low latency and low CPU use

Encryption - Provides end-to-end encryption and protects from eavesdropping on untrustworthy networks

Directory Leasing - Improves application response times in branch offices through caching

Performance Optimizations - optimizations for small random read/write I/O

And more. Check the link for the full list.


There is a new Cumulative Update out just this evening (March 12, 2020) that addresses (amongst other things) corrections to SMB 3.1.1.

While I do understand your concern, SMB is very much embedded in the things Windows 10 does (including all forms of sharing).

So I would recommend keeping Windows 10 up to date rather than permanently disabling SMB.

There is a fairly technical article below about the impact of disabling SMBv3. It is better and easier, in my opinion, to keep Windows 10 up to date.

https://docs.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3

  • What do you mean by "all forms of sharing"? HTTP? FTP? Uploads to Youtube? I am really not touching anything on my LAN except my router.
    – Tag
    Commented Mar 13, 2020 at 1:58
  • Even so, at some point you are likely to share something. The security risk you point to is not pervasive and there is already an update for it. It is really your choice, but Microsoft is intent on securing its systems.
    – anon
    Commented Mar 13, 2020 at 2:02
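The following is an added example, not code from either answer or from Microsoft's pages: it audits the SMB state that the second answer's linked article describes, removes only the legacy SMBv1 dialect, and applies the port-blocking mitigation the first answer recommends instead of switching SMBv2/SMBv3 off. It assumes Windows 10 with the built-in SmbShare and NetSecurity modules, an elevated PowerShell session, and constructed firewall rule names.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the answers above). Assumes Windows 10 with the
# SmbShare and NetSecurity modules; the rule names below are constructed labels.

# 1. Report which SMB dialects the server side will negotiate.
$cfg  = Get-SmbServerConfiguration
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
[PSCustomObject]@{
    SMB1Feature       = $smb1.State              # 'Disabled' = legacy dialect removed
    SMB1Enabled       = $cfg.EnableSMB1Protocol
    SMB2and3Enabled   = $cfg.EnableSMB2Protocol  # one switch covers SMBv2 and SMBv3
    EncryptAllShares  = $cfg.EncryptData
    RejectUnencrypted = $cfg.RejectUnencryptedAccess
} | Format-List

# 2. Remove only SMBv1; leave SMBv2/SMBv3 enabled, as the answers advise.
if ($smb1.State -ne 'Disabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# 3. Require encrypted sessions for anything that does get shared later.
Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force

# 4. Block SMB (TCP 445 and NetBIOS session 139) to and from the network.
#    Block rules take precedence over the built-in "File and Printer Sharing
#    (SMB-In)" allow rules, and Windows Firewall does not filter loopback
#    traffic, so local paths such as \\localhost\C$ keep working.
$rules = @(
    @{ Name = 'Block inbound SMB from network (added example)';  Direction = 'Inbound';  Port = @{ LocalPort  = 445, 139 } },
    @{ Name = 'Block outbound SMB to network (added example)';   Direction = 'Outbound'; Port = @{ RemotePort = 445, 139 } }
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        $port = $r.Port   # splatted so the same call serves LocalPort and RemotePort
        New-NetFirewallRule -DisplayName $r.Name -Direction $r.Direction `
            -Protocol TCP -Action Block -Profile Any @port | Out-Null
    }
}

# 5. Verify: the rules are active and no remote SMB session is currently open.
Get-NetFirewallRule -DisplayName '*SMB*(added example)' |
    Select-Object DisplayName, Direction, Enabled, Action
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, Dialect
```

Remove the two rules with `Remove-NetFirewallRule -DisplayName '*SMB*(added example)'` if you later do need to share files or reach a NAS over SMB.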
