Report for SMB1 Event id

Hi Igor.Ilyin,

Due to the COVID issue, I hope you and your family are very safe in China.

I am safe and working from home. Take care.

Please help me to generate a report for the SMB1 event ID.

Thank you.

Parents
  • Hi mcsebala,

    Thank you, I'm quite safe.

    Let's talk a bit around the topic. Microsoft recommends getting rid of SMB1 on all machines. To check the usage of this protocol at runtime you can use sniffers like Wireshark or the command "Get-SmbConnection". To check whether version 1 is even installed, you can use the command "Get-SmbServerConfiguration | Select EnableSMB1Protocol". And if the version is installed, you can disable it with the command "Set-SmbServerConfiguration -EnableSMB1Protocol $False", but only on modern Windows versions, not on down-level ones. From the point of view of Windows events I'm aware only of event ID 5168. The logging of event 5168 could indicate either a configuration issue or a malicious authentication attempt, but I doubt it is mapped to SMB1 usage. Do you mean this event, or do you have any other method of catching SMB1 activity?

Reply
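An added example, not from this thread: a PowerShell function that pulls the checks described in the reply above (Get-SmbServerConfiguration, Get-SmbConnection) into one report, and goes one step further by also reading SMB1 access audit events. It assumes Windows 10 1709 / Server 2016 or later, where "Set-SmbServerConfiguration -AuditSmb1Access $true" makes the server log event ID 3000 to the Microsoft-Windows-SMBServer/Audit log; the function name Get-Smb1Report is my own.

```powershell
# Added example: report SMB1 server status, live SMB1 sessions and SMB1 audit
# events on the local machine. Requires the SmbShare module and an elevated
# session. The AuditSmb1Access setting and event 3000 in the
# Microsoft-Windows-SMBServer/Audit log exist on Windows 10 1709 / Server 2016+.
function Get-Smb1Report {
    [CmdletBinding()]
    param(
        [int]$Days = 7   # how far back to look for SMB1 audit events
    )

    # 1. Is the SMB1 server component still enabled at all?
    $cfg = Get-SmbServerConfiguration

    # 2. Any live sessions negotiated at an SMB1 dialect?
    #    Get-SmbConnection lists outbound connections, Get-SmbSession inbound ones;
    #    both expose the negotiated Dialect (e.g. "1.5" for SMB1, "3.1.1" for SMB3).
    $smb1Out = Get-SmbConnection | Where-Object { $_.Dialect -like '1.*' }
    $smb1In  = Get-SmbSession    | Where-Object { $_.Dialect -like '1.*' }

    # 3. Historical SMB1 access events, present only if auditing was switched on
    #    with: Set-SmbServerConfiguration -AuditSmb1Access $true
    $events = @()
    if ($cfg.AuditSmb1Access) {
        $events = Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-SMBServer/Audit'
            Id        = 3000
            StartTime = (Get-Date).AddDays(-$Days)
        } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = [bool]$cfg.EnableSMB1Protocol
        AuditingEnabled   = [bool]$cfg.AuditSmb1Access
        Smb1OutboundCount = @($smb1Out).Count
        Smb1InboundCount  = @($smb1In).Count
        Smb1AuditEvents   = @($events).Count
        Smb1ClientNames   = @($smb1In | Select-Object -ExpandProperty ClientComputerName -Unique)
        AuditEventDetails = $events
    }
}

# Example run: summary for the last 30 days, then the raw audit events as a table
$report = Get-Smb1Report -Days 30
$report | Select-Object * -ExcludeProperty AuditEventDetails | Format-List
$report.AuditEventDetails | Format-Table -AutoSize -Wrap
```

Run it on each file server and collect the objects (for example with Invoke-Command and Export-Csv) to build the report; a machine with Smb1ServerEnabled = $false and zero SMB1 sessions and audit events is ready for the protocol to stay off.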