STIGQter: STIG Summary: Microsoft Windows Server 2012/2012 R2 Domain Controller Security Technical Implementation Guide Version: 3 Release: 2 Benchmark Date: 04 May 2021:

The Server Message Block (SMB) v1 protocol must be disabled on Windows 2012 R2.

DISA Rule

SV-226049r569184_rule

Vulnerability Number

V-226049

Group Title

SRG-OS-000095-GPOS-00049

Rule Version

WN12-00-000160

Severity

CAT II

CCI(s)

CCI-000381 - The organization configures the information system to provide only essential capabilities.

Weight

Fix Recommendation

Run "Windows PowerShell" with elevated privileges (run as administrator).
Enter the following:
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

Alternately:
Search for "Features".
Select "Turn Windows features on or off".
De-select "SMB 1.0/CIFS File Sharing Support".

The system must be restarted for the changes to take effect.

Check Contents

This requirement applies to Windows 2012 R2, it is NA for Windows 2012 (see V-73519 and V-73523 for 2012 requirements).

Different methods are available to disable SMBv1 on Windows 2012 R2. This is the preferred method, however if V-73519 and V-73523 are configured, this is NA.

Run "Windows PowerShell" with elevated privileges (run as administrator).
Enter the following:
Get-WindowsOptionalFeature -Online | Where FeatureName -eq SMB1Protocol

If "State : Enabled" is returned, this is a finding.

Alternately:
Search for "Features".
Select "Turn Windows features on or off".

If "SMB 1.0/CIFS File Sharing Support" is selected, this is a finding.

Vulnerability Number

V-226049

Documentable

False

Rule Version

WN12-00-000160

Severity Override Guidance

Check Content Reference

Target Key

4217

The Server Message Block (SMB) v1 protocol must be disabled on Windows 2012 R2.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments