SMB protocol in Windows 10. How to open access to a computer over a network

Today we will show you how to open a folder to the local network (popularly, to "share" it) and give other computers access to your files. The instructions use Windows 10 as the example.

Shared folder

1. Settings on the Sharing tab

To create a network resource on a Windows 10 computer, create a folder or select an existing one, right-click on it and open Properties:

Go to the Sharing tab.

Select Advanced Sharing:

Check the box Share this folder.

Click the Permissions button:

Set up permissions for different users or groups. In most cases here you need to allow read for the group Everyone. In our example, we allowed full access to the network folder: both for reading and for writing.

When done, click OK:

2. Settings on the Security tab

Go to the Security tab.

Click the Edit button:

Here you need to specify which users are allowed access at the level of NTFS permissions. Again, in most cases, you should allow it for everyone. To do this, click the Add button:

Enter the word "Everyone" with a capital letter in the box and click OK:

Now the Everyone group has appeared in the list. Click Save:

Now, in order to have access not only to the folder itself but also to its subfolders and files, you need to change the NTFS settings.

Click Advanced:

Check the box Replace all child object permission entries with inheritable permission entries from this object.

Click OK:

Click Yes:

Wait until the permissions are applied to all nested objects. The more files and folders there are within this directory, the longer the process may take.

Attention! An error may occur while applying the parameters:

If you encounter it, read about how to fix it.

3. Set sharing options

On Windows 10, click Start - Settings and select Network and Internet:

Select the item Change advanced sharing options:

In Windows 7 and 8.1, it's best to right-click the network icon next to the clock and select Network and Sharing Center:

Expand the Private section.

Turn on file and printer sharing:

Now expand the All Networks section.

Set the switch to Turn off password protected sharing.

4. Firewall settings

In order to be able to connect to a PC over the network, you must allow incoming connections in the Windows Firewall.

Here you have two options:

  • disable it completely (which is NOT recommended);
  • create a rule that allows network traffic (in a separate article)
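
To review what the four steps above leave exposed on a machine, the following added example (not part of the original article) lists each file share with the share-level and NTFS entries it grants to Everyone. It uses the built-in SmbShare cmdlets and Get-Acl; the variable names and the report columns are assumptions made for this illustration.

```powershell
# Added example: list local file shares and what they grant to Everyone.
# Run in an elevated PowerShell session (Windows 8 / Server 2012 or later).

# Resolve the localized name of the Everyone group from its well-known SID.
$sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$everyone = $sid.Translate([System.Security.Principal.NTAccount]).Value

$writeBit = [System.Security.AccessControl.FileSystemRights]::WriteData

# -Special $false skips the administrative shares (C$, ADMIN$, IPC$).
$report = foreach ($share in (Get-SmbShare -Special $false)) {
    if (-not $share.Path) { continue }   # shares without a folder path

    # Share-level entries: the Permissions button on the Sharing tab.
    $shareAces = @(Get-SmbShareAccess -Name $share.Name | Where-Object {
        $_.AccountName -eq $everyone -and $_.AccessControlType -eq 'Allow'
    })
    $shareWrite = @($shareAces | Where-Object {
        $_.AccessRight -eq 'Full' -or $_.AccessRight -eq 'Change'
    }).Count -gt 0

    # NTFS entries: the Security tab. ACEs stored as generic rights
    # (shown as raw numbers) are listed but not decoded here.
    $ntfsAces = @()
    if (Test-Path -LiteralPath $share.Path) {
        $ntfsAces = @((Get-Acl -LiteralPath $share.Path).Access | Where-Object {
            $_.IdentityReference.Value -eq $everyone -and
            $_.AccessControlType -eq 'Allow'
        })
    }
    $ntfsWrite = @($ntfsAces | Where-Object {
        ($_.FileSystemRights -band $writeBit) -ne 0
    }).Count -gt 0

    [pscustomobject]@{
        Share            = $share.Name
        Path             = $share.Path
        ShareEveryone    = ($shareAces.AccessRight -join ', ')
        NtfsEveryone     = ($ntfsAces.FileSystemRights -join ', ')
        # Effective network access is the more restrictive of the two layers.
        EveryoneCanWrite = ($shareWrite -and $ntfsWrite)
    }
}

$report | Sort-Object EveryoneCanWrite -Descending | Format-Table -AutoSize
```

A share appears with EveryoneCanWrite set to True only when both the share permissions and the NTFS permissions allow writing, which is the state the example in steps 1 and 2 produces.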

Hello! For those who are not familiar with the subject, I will start from afar. On computers and laptops with Windows installed, there is a separate "Network" tab in Explorer. This tab displays devices from the network environment. That is, by opening the "Network" tab, we can see computers, network storage (NAS), multimedia devices (DLNA), flash drives and external drives that are connected to the router and are shared. Simply put, those devices that are connected through one router (are on the same network) and that have network discovery enabled (devices that can be discovered on the local network). Our router (the "Network infrastructure" section) and other devices can also be displayed there.

Now I will explain what and how, and why I decided to write this article at all. I have an ASUS router to which I connected a USB flash drive, and I set up shared access to this flash drive for all devices on the network. And what do you think: this network drive appeared in the "Network" section on all computers (it shows up as "Computer"), but it didn't show up on my computer. That is, my computer saw neither the USB flash drive connected to the router nor the other computers on this network. But the DLNA server running on the same router was displayed. This does not change anything, though, since I need normal network access to the drive.

Also, I could not access the flash drive when I typed its address //192.168.1.1 in Explorer. This address immediately opened in the browser. And I was unable to map this drive as a network drive. It simply was not in the list of available devices in the network environment.

This problem, when Windows 7, Windows 8, or Windows 10 does not see network devices, is not uncommon. It doesn't have to be a flash drive or an external HDD connected to your router, as in my case. Most often, people set up sharing between computers on a local network. And in the same way they face the problem when the computers are connected to the same network (to one router), the sharing settings are set correctly, and the "Network" tab is empty. Or only the router and your own computer are displayed.

Since there can be many reasons and, accordingly, solutions, I will start with the simplest ones (which did not help me), and at the end of this article I will share the solution that helped in my case. As a result, my laptop did see all the devices on the network, including a network drive and another computer that is also connected to this network.

But this does not mean that you have the same case. Therefore, I advise you to check all the settings in order.

Checking sharing settings

We will consider two cases:

  1. When computers do not see each other on the local network.
  2. Shared access to a network drive. This can be a flash drive or HDD connected to the router, or a separate drive (aka NAS).

First case

For computers to see each other and appear in File Explorer under Network, they must be connected through the same router, or connected directly (by cable or Wi-Fi). Simply put, they must be on the same local network.

Further, on all computers (I don't know how many there are), it is desirable to assign the network status "Home" (private). How to do this in Windows 10, I wrote in the article. In Windows 7, just go to the "Network and Sharing Center" and change the status of the current connection there.

If after that the computer still does not detect other computers (or vice versa), then let's check the sharing settings.

To do this, in the "Network and Sharing Center" window (if you do not know how to open it in Windows 10, then see the article), click on the "Change advanced sharing settings" item.

And for the current profile (usually it is "Private"), set the parameters as in the screenshot below.

Do this on all computers in the local network.

As a rule, these tips solve all problems with discovering computers on the local network.

Second case

When you have problems accessing your NAS, as in my case: Windows 10 did not see the USB stick that was connected to the ASUS router. Many routers now have a USB port for connecting drives and other devices, so the topic is relevant.

You need to make sure that this drive is detected in the router settings and that sharing is enabled. Clearly, this is done differently on different routers. On ASUS routers, for example, it looks like this:

Do not confuse sharing settings with FTP settings. The FTP server settings on the router have nothing to do with it in this case.

Well, if other devices see the NAS and have access to it, but there is no access to it on a particular computer, then the problem is not on the side of the router. Go through the settings of the "problem" PC in this article.

Antivirus or firewall may be blocking network devices

If the antivirus or firewall installed on your computer did not like something, it can easily make it so that you cannot see other devices in the network environment and nobody can detect you.

True, after disabling the firewall built into the antivirus, the problem was not solved for me (so it probably isn't the problem), but it still seems to me that in my case the antivirus was involved.

Therefore, try to stop the antivirus completely for a while, or at least disable the firewall built into it. In NOD 32, this is done like this:

You need to do this to check on all computers that will participate in the local network.

It is possible that you have some other programs installed that can monitor the network and manage network connections.

If it turns out that the problem is in the antivirus, then you need to add your network to the exceptions, so that the firewall does not block the network itself or network devices.

If you do not have an antivirus, then you can experiment with disabling / enabling the firewall built into Windows.

Workgroup

The workgroup must be the same on all devices. As a rule, it is. But it's good to check. To do this, open the computer properties ("System") and go to "Advanced system settings".

It will say "Workgroup". To change it, click the "Change" button.

Once again: the workgroup name must be the same on all computers.

If you have a problem accessing your NAS (a flash drive through a router), then the workgroup is also specified in the sharing settings on the same ASUS router. You can see it in the screenshot above in the article. It should be the same as on the computer.

Problem with accessing a shared network folder via SMB1 in Windows 10 (my solution)

Let's get back to my problem. Everything that I described above, I checked and rechecked 10 times already. I did it a couple of times, but Windows 10 never saw other computers on the network, and most importantly, the shared folder in the form of a flash drive connected to the router did not appear in Explorer. On other devices on the network, everything was detected without problems, including my laptop.

Somewhere I read that you can try to open the shared folder through the "Run" window. I pressed the key combination Win + R and entered the address of the network folder //192.168.1.1 (which is the router's address).

I did not get access to the drive, but an interesting error appeared:

You cannot connect to the shared folder because it is not secure. This shared folder uses the legacy SMB1 protocol, which is insecure and can expose your system to attack.

Your system needs to use SMB2 or later.

This is already interesting. At least something.

SMB (Server Message Block) is a network protocol responsible for sharing files, printers, and other network devices.

I began to search. It turns out that Windows 10 abandoned the SMB1 protocol for security reasons. And the Samba software package installed on my router seems to work using the SMB1 protocol. Therefore, Windows 10 does not see it. But other computers that also run Windows 10 did not appear on the "Network" tab for me either.

Since I could not update the protocol to SMB2 in the router settings, I decided that I needed to somehow enable SMB1 support in Windows 10. And as it turned out, this can be done without any problems. As a result, after connecting the "SMB 1.0/CIFS Client" component, everything worked for me. The system saw shared folders on computers on the network and a network folder configured on the router itself.

How to enable SMB1 in Windows 10?

Through the search, find and open the old "Control Panel".

Switch to "Small Icons" and open "Programs and Features".

Open "Turn Windows features on or off". Find the item "SMB 1.0/CIFS File Sharing Support". Expand it and check the box next to "SMB 1.0/CIFS Client". Click OK.

If the computer prompts you to restart, then restart it. If there is no prompt window, then reboot manually.

After the reboot, on the "Network" - "Computer" tab, all available devices on your network should appear.

I would be glad if this article is useful to someone and helps to solve the problem. Do not forget to write in the comments about the results. Or ask questions, where would we be without them 🙂

Due to the recent epidemic of the WannaCry ransomware, which exploits an SMB v1 vulnerability, tips on disabling this protocol have again appeared on the net. Moreover, Microsoft strongly recommended disabling the first version of SMB back in September 2016. But such a shutdown can lead to unexpected consequences, even odd ones: I personally encountered a company where, after the fight against SMB, the Sonos wireless speakers stopped playing.

To minimize the likelihood of a “shot in the foot”, I want to recall the features of SMB and consider in detail what an ill-considered shutdown of its old versions threatens.

SMB (Server Message Block) is a network protocol for remote access to files and printers. It is what is used when connecting to resources via \\servername\sharename. The protocol originally worked over NetBIOS using UDP ports 137, 138 and TCP 137, 139. With the release of Windows 2000, it began to work directly over TCP port 445. SMB is also used for logging on to an Active Directory domain and working in it.

In addition to remote access to resources, the protocol is also used for interprocess communication through named pipes. A process is addressed by the path \\.\pipe\name.

The first version of the protocol, also known as CIFS (Common Internet File System), was created back in the 1980s, but the second version appeared only with Windows Vista, in 2006. The third version of the protocol was released with Windows 8. In parallel with Microsoft, the protocol was developed and updated in its open implementation, Samba.

In each new protocol version, various improvements were added to increase speed, security and support for new functions. But at the same time, support for older protocols remained for compatibility. Of course, there were and are plenty of vulnerabilities in older versions, one of which is exploited by WannaCry.


Below is a summary table of changes in SMB versions.

| Version | Operating system | Added, compared to the previous version |
|---|---|---|
| SMB 2.0 | Windows Vista/2008 | Number of protocol commands changed from 100+ to 19; pipelining (sending additional requests before receiving a response to the previous one); support for symbolic links; HMAC SHA256 message signing instead of MD5; larger cache and read/write blocks |
| SMB 2.1 | Windows 7/2008R2 | Performance improvement; larger MTU support; support for the BranchCache service (a mechanism that caches WAN requests on the local network) |
| SMB 3.0 | Windows 8/2012 | Ability to build a transparent failover cluster with load balancing; direct memory access (RDMA) support; management via PowerShell cmdlets; VSS support; AES-CMAC signature; AES-CCM encryption; ability to use network folders to store Hyper-V virtual machines; ability to use network folders to store Microsoft SQL databases |
| SMB 3.02 | Windows 8.1/2012R2 | Security and performance improvements; automatic balancing in a cluster |
| SMB 3.1.1 | Windows 10/2016 | Support for AES-GCM encryption; pre-authentication integrity check using a SHA512 hash; mandatory secure negotiation when working with SMB 2.x and higher clients |

Counting the potential casualties

Viewing the protocol version currently in use is quite simple; the Get-SmbConnection cmdlet is used for this:



Cmdlet output when network resources are open on servers with different versions of Windows.


The output shows that a client that supports all versions of the protocol connects using the highest version supported by the server. Of course, if the client only supports the old version of the protocol, and it is disabled on the server, the connection will not be established. On modern Windows systems you can enable or disable support for older versions with the Set-SmbServerConfiguration cmdlet, and view the state like this:


Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol


Disable SMBv1 on a server running Windows 2012 R2.



Result when connecting with Windows 2003.


Thus, if you disable the old, vulnerable protocol, you can lose network connectivity with old clients. At the same time, in addition to Windows XP and 2003, SMB v1 is also used in a number of software and hardware solutions (for example, a NAS on GNU/Linux using an old version of Samba).


Below is a list of manufacturers and products that will completely or partially stop working when SMB v1 is disabled.

| Manufacturer | Product | Comment |
|---|---|---|
| Barracuda | SSL VPN | |
| Barracuda | Web Security Gateway backups | |
| Canon | Scan to network share | |
| Cisco | WSA/WSAv | |
| Cisco | WAAS | Versions 5.0 and older |
| F5 | RDP client gateway | |
| F5 | Microsoft Exchange Proxy | |
| Forcepoint (Raytheon) | "Some Products" | |
| HPE | ArcSight Legacy Unified Connector | Old versions |
| IBM | NetServer | Version V7R2 and older |
| IBM | QRadar Vulnerability Manager | Versions 7.2.x and older |
| Lexmark | Firmware eSF 2.x and eSF 3.x | |
| Linux Kernel | CIFS Client | From 2.5.42 to 3.5.x |
| McAfee | Web Gateway | |
| Microsoft | Windows | XP/2003 and older |
| MYOB | Accountants | |
| NetApp | ONTAP | Versions prior to 9.1 |
| NetGear | ReadyNAS | |
| Oracle | Solaris | 11.3 and older |
| Pulse Secure | PCS | 8.1R9/8.2R4 and older |
| Pulse Secure | PPS | 5.1R9/5.3R4 and older |
| QNAP | All storage devices | Firmware older than 4.1 |
| Red Hat | RHEL | Versions prior to 7.2 |
| Ricoh | MFP Scan to Network Share | Except for some models |
| RSA | Authentication Manager Server | |
| Samba | Samba | Older than 3.5 |
| Sonos | Wireless speakers | |
| Sophos | Sophos UTM | |
| Sophos | Sophos XG firewall | |
| Sophos | Sophos Web Appliance | |
| SUSE | SLES | 11 and older |
| Synology | Disk Station Manager | Management only |
| Thomson Reuters | CS Professional Suite | |
| Tintri | Tintri OS, Tintri Global Center | |
| VMware | vCenter | |
| VMware | ESXi | Older than 6.0 |
| Worldox | GX3 DMS | |
| Xerox | MFP Scan to Network Share | Firmware without ConnectKey Firmware |

The list is taken from the Microsoft website, where it is updated regularly.


The list of products that use the old version of the protocol is quite large - before disabling SMB v1, you should definitely think about the consequences.
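
One way to find out which clients would actually be affected before SMB v1 is switched off, as an added example that is not part of the original article: it relies on the SMB1 access auditing built into Set-SmbServerConfiguration on systems that have the -AuditSmb1Access parameter. The seven-day window, the variable names and the regular expression over the English event text are assumptions.

```powershell
# Added example: find the clients that still talk SMB1 to this server
# before the protocol is disabled. Run elevated on the file server.

# 1. Current state of the server-side protocol switches.
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, EnableSMB2Protocol, AuditSmb1Access

# 2. Turn on SMB1 access auditing if this OS build offers the parameter.
$setCmd = Get-Command Set-SmbServerConfiguration
if (-not $setCmd.Parameters.ContainsKey('AuditSmb1Access')) {
    throw 'Set-SmbServerConfiguration has no -AuditSmb1Access parameter on this system.'
}
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# 3. Sessions that are open right now, with the dialect each one negotiated.
#    Dialects starting with 1. are SMB1 clients.
Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, Dialect |
    Sort-Object Dialect |
    Format-Table -AutoSize

# 4. Once auditing has been running for a while, summarise event 3000
#    ("SMB1 access") per client address. The address is taken from the
#    English message text (assumption); unparsed events are still counted.
$since  = (Get-Date).AddDays(-7)          # assumed review window
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-SMBServer/Audit'
    Id        = 3000
    StartTime = $since
} -ErrorAction SilentlyContinue           # no events found is not an error here

$smb1Clients = $events | ForEach-Object {
    if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] }
    else { '(unparsed)' }
} | Group-Object | Sort-Object Count -Descending |
    Select-Object @{ n = 'Client'; e = { $_.Name } }, Count

if ($smb1Clients) {
    $smb1Clients | Format-Table -AutoSize
} else {
    "No SMB1 access recorded since $since."
}
```

An empty result after a representative period (including month-end jobs, scanners and backup windows) is the evidence that disabling SMB v1 on this server will not cut off a client.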

Still turning it off

If there are no programs and devices using SMB v1 on the network, then, of course, it is better to disable the old protocol. While on an SMB server running Windows 8/2012 the shutdown is done using a PowerShell cmdlet, for Windows 7/2008 you will need to edit the registry. This can also be done with PowerShell:


Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 0 -Force

Or in any other convenient way. However, a reboot is required to apply the changes.


To disable SMB v1 support on a client, just stop the service responsible for its operation and fix the dependencies of the lanmanworkstation service. This can be done with the following commands:


sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

To disable the protocol throughout the network, it is convenient to use group policies, in particular Group Policy Preferences. With them, you can conveniently work with the registry.



Creating a registry entry through group policies.


To disable the protocol on the server, just create the following setting:

  • path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters;
  • new parameter: REG_DWORD named SMB1;
  • value: 0.


Create a registry setting to disable SMB v1 on the server through group policies.


To disable SMB v1 support on clients, you need to change the value of two settings.


First, disable the SMB v1 protocol service:

  • path: HKLM:\SYSTEM\CurrentControlSet\services\mrxsmb10;
  • parameter: REG_DWORD named Start;
  • value: 4.


Update one of the parameters.


Then we fix the dependency of the LanmanWorkstation service so that it does not depend on SMB v1:

  • path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation;
  • parameter: REG_MULTI_SZ named DependOnService;
  • value: three lines - Bowser, MRxSmb20 and NSI.


And we replace another.


After you apply Group Policy, you must restart your organization's computers. After a reboot, SMB v1 will no longer be used.

If it works, don't touch it

Oddly enough, this old commandment is not always useful: ransomware and trojans can take hold in a rarely updated infrastructure. However, careless shutdown and updating of services can paralyze an organization just as much as a virus can.


Tell us, have you already disabled SMB of the first version? Were there many victims?

If you cannot open network folders from Windows 10 on other network devices (NAS, Samba Linux servers) or on computers with older versions of Windows (Windows 7/XP/2003), the problem is most likely that your new version of Windows 10 has disabled support for obsolete and insecure versions of the SMB protocol (used in Windows to access shared network folders and files). Starting with Windows 10 1709, the SMBv1 protocol and anonymous (guest) access to network folders via the SMBv2 protocol were disabled.

Microsoft is systematically disabling old and insecure versions of the SMB protocol in all recent versions of Windows. Starting with Windows 10 1709 and Windows Server 2019 (both Datacenter and Standard), the SMBv1 protocol is disabled by default in the operating system (remember the attack, which was carried out precisely through a hole in SMBv1).

The specific steps you need to take depend on the error that appears in Windows 10 when accessing a shared folder and on the settings of the remote SMB server where the shared folders are stored.

You can't guest access a shared folder without authentication

Starting with Windows 10 version 1709 (Fall Creators Update) Enterprise and Education, users began to complain that when trying to open a network folder on a neighboring computer, an error appeared:

You can't access this share because your organization's security policies block unauthenticated guest access. These policies help protect your computer from unsafe or malicious devices on the network. An error occurred while reconnecting Y: to \\nas1\share Microsoft Windows Network: You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.

At the same time, on other computers with older versions of Windows 8.1/7 or on Windows 10 with builds up to 1709, the same network directories open normally. This problem is due to the fact that in modern versions of Windows 10 (starting from 1709), network access to shared folders under the guest account via the SMBv2 protocol (and below) is denied by default. Guest (anonymous) access means access to a network folder without authentication. When accessing under a guest account via the SMBv1/v2 protocol, traffic protection methods such as SMB signing and , are not applied, which makes your session vulnerable to MiTM (man-in-the-middle) attacks.

When trying to open a network folder as a guest using the SMB2 protocol, an error is recorded in the SMB client log (Microsoft-Windows-SMBClient):

Source: Microsoft-Windows-SMBClient
Event ID: 31017
Rejected an insecure guest logon.

In most cases, this problem occurs when using older versions of NAS (guest access is usually enabled on them for ease of setup) or when accessing network folders on older versions of Windows 7/2008 R2 or Windows XP/2003 with guest access configured.

In this case, Microsoft recommends changing the settings on the remote computer or NAS device that shares the network folders. It is advisable to switch the network resource to SMBv3 mode. And if only the SMBv2 protocol is supported, configure access with authentication. This is the most correct and safe way to fix the problem.

Depending on the device on which the network folders are stored, you must disable guest access on them.


There is another way - to change the settings of your SMB client and allow access from it to network folders under the guest account.

To allow guest access from your computer, open the Group Policy editor (gpedit.msc) and navigate to: Computer Configuration -> Administrative Templates -> Network -> Lanman Workstation. Enable the policy Enable insecure guest logons.
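
To see which servers this client has been refusing guest logons to, and whether the insecure-guest setting is already switched on, the following added example (not part of the original article) reads event 31017 and the two registry locations that hold AllowInsecureGuestAuth. The function name, the 30-day window and the regular expression over the English event text are assumptions.

```powershell
# Added example: review rejected guest logons on this SMB client.
# Run in an elevated PowerShell session on Windows 10 1709 or later.

function Get-GuestAuthSetting {
    # The Group Policy location is checked first, then the local
    # LanmanWorkstation service parameter.
    $locations = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation',
        'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    )
    foreach ($key in $locations) {
        $item = Get-ItemProperty -Path $key -Name AllowInsecureGuestAuth `
                    -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{
                Source                 = $key
                AllowInsecureGuestAuth = [int]$item.AllowInsecureGuestAuth
            }
        }
    }
    # Neither value exists: the operating system default applies.
    [pscustomobject]@{ Source = 'not set'; AllowInsecureGuestAuth = $null }
}

# 1. Is insecure guest logon currently allowed, and by which setting?
Get-GuestAuthSetting | Format-List

# 2. Client-side signing and guest settings as the SMB client reports them.
Get-SmbClientConfiguration |
    Select-Object RequireSecuritySignature, EnableInsecureGuestLogons

# 3. Event 31017 ("Rejected an insecure guest logon") grouped by server.
$since    = (Get-Date).AddDays(-30)       # assumed review window
$rejected = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-SmbClient/Security'
    Id        = 31017
    StartTime = $since
} -ErrorAction SilentlyContinue           # no events found is not an error here

$byServer = $rejected | ForEach-Object {
    # The server name is parsed from the English message text (assumption).
    if ($_.Message -match 'Server name:\s*(\S+)') { $Matches[1] }
    else { '(unparsed)' }
} | Group-Object | Sort-Object Count -Descending |
    Select-Object @{ n = 'Server'; e = { $_.Name } }, Count

if ($byServer) { $byServer | Format-Table -AutoSize }
else { "No guest logons were rejected since $since." }
```

The servers listed in step 3 are the ones to reconfigure for authenticated access; if step 1 already shows a value of 1, this client accepts guest sessions from any server on the network, not only from those.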

That is, the error message clearly shows that the network share only supports the SMBv1 access protocol. In this case, you should try to reconfigure the remote SMB device to support at least SMBv2 (the correct and safe way).

If the network shares are shared by Samba on Linux, you can specify the minimum supported version of SMB in the smb.conf file like this:

[global]
    server min protocol = SMB2_10
    client max protocol = SMB3
    client min protocol = SMB2_10
    encrypt passwords = true
    restrict anonymous = 2

On Windows 7/Windows Server 2008 R2, you can disable SMBv1 and allow SMBv2 like so:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 0 -Force

Disable-WindowsOptionalFeature -Online -FeatureName "SMB1Protocol"
Set-SmbServerConfiguration -EnableSMB2Protocol $true

If your network device (NAS, Windows XP, Windows Server 2003) only supports the SMB1 protocol, on Windows 10 you can enable a separate SMB1Protocol-Client component. But this is not recommended!!!

Launch a PowerShell console and check that SMB1Protocol-Client is disabled (State: Disabled):

Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol-Client

Enable SMBv1 protocol support (reboot required):

Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol-Client

You can also enable/disable additional Windows 10 components (including SMBv1) from the optionalfeatures.exe menu -> SMB 1.0/CIFS File Sharing Support.

On Windows 10 1709 and above, the SMBv1 client is automatically removed if it has not been used for more than 15 days (this is the responsibility of the SMB 1.0/CIFS Automatic Removal component).

In this example, I have only enabled the SMBv1 client. Do not enable the SMB1Protocol-Server component unless your computer is being used by legacy clients as a server for storing public folders.

After installing the SMBv1 client, you should be able to connect to a network share or printer without any problems. However, you need to understand that the use of this workaround is not recommended, because it puts your system at risk.

The latest large-scale virus attacks spread using the holes and shortcomings of the old SMB1 protocol. For a rather minor reason, the Windows operating system still allows it to work by default. This old protocol version is used for sharing files on the local network. Its newer versions 2 and 3 are more secure and should be left enabled. Whether you use the new operating system, number 10, or the previous one, 8, or even the already obsolete 7, you must disable this protocol on your PC.

It is only enabled because some users are running older applications that haven't been updated in time to work with SMB2 or SMB3. Microsoft has compiled a list of them. If necessary, find it and view it on the Internet.

If you keep all programs installed on your computer up to date, you most likely need to disable this protocol. This will increase the security of your operating system and confidential data by one more step. By the way, even the experts of the corporation itself recommend turning it off, if necessary.

Are you ready to make a change? Then let's continue.

SMB1

Open the Control Panel, go to the "Programs" section and select the "Turn Windows features on or off" subsection.

In the list, find the option "SMB 1.0/CIFS File Sharing Support", uncheck it and click the "OK" button.

Reboot the operating system after saving all files you have been editing, such as documents.

FOR WINDOWS 7

Editing the system registry can help here. It is a powerful system tool, and if incorrect data is entered into it, it can lead to unstable operation of the OS. Use it with care, and be sure to create a backup for rollback.

Open the editor by pressing the Win + R key combination on your keyboard and typing “regedit” in the input field. Then go to the following path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Create a new 32-bit DWORD value, name it "SMB1" and set its value to "0". Reboot the system.

Attention! These methods work to disable the protocol only on one PC, but not on the entire network. Refer to the official Microsoft documentation for the information you are interested in.
