If SMBv1 is supported, an attacker with network access may exploit legacy protocol weaknesses to move laterally or execute code, resulting in loss of confidentiality, integrity, and availability across connected systems.

Example Requirement

The system shall not support or negotiate SMB version 1 for any inbound or outbound network communications.

Implementation Requirements

  • Ensure SMBv1 feature is not installed
  • Ensure SMB server and client cannot negotiate SMBv1
  • Confirm no fallback behavior exists

Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

Test Cases

| Test ID | Requirement | Test Type | Method | Expected Result | Evidence |
|---|---|---|---|---|---|
| SMB-V-01 | SMBv1 not supported | Verification | Windows feature inspection | SMBv1 not installed | Screenshot |
| SMB-V-02 | SMBv1 disabled | Verification | PowerShell capability check | SMBv1 = False | Script output |
| SMB-V-03 | No SMBv1 negotiation | Validation | Legacy SMBv1 client test | Connection fails | Logs |
| SMB-V-04 | No downgrade | Validation | Forced SMBv1 negotiation | Negotiation rejected | Network capture |

Test Evidence Examples

Test ID Result Evidence
SMB-V-01 ✅ COMPLIANT
Windows feature inspection showing SMBv1 not installed


SMB-V-02 ✅ COMPLIANT
PowerShell capability check output showing SMBv1 disabled - Test Passed


PS C:\users\pretengineer\Desktop> .\ISM-1962-Test-Script.ps1
=== ISM-1962 SMBv1 Compliance Check ===
SMB1 Server Enabled: False
SMB1 Feature State: Disabled
SMB1 Client Enabled: (Not exposed on this OS build)
RESULT: COMPLIANT with ISM-1962
PS C:\users\pretengineer\Desktop>

SMB-V-03 ✅ COMPLIANT
┌──(pretengineer㉿wick)-[~/Documents]
└─$ smbclient -m NT1 -L //10.0.0.132 -U pretengineer
do_connect: Connection to 10.0.0.132 failed (Error NT_STATUS_IO_TIMEOUT)

MS17-010 ✅ NOT VULNERABLE
msf exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 10.0.0.100:4444 
[*] 10.0.0.132:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[-] 10.0.0.132:445        - Rex::ConnectionTimeout: The connection with (10.0.0.132:445) timed out.
[*] 10.0.0.132:445        - Scanned 1 of 1 hosts (100% complete)
[-] 10.0.0.132:445 - The target is not vulnerable.

Verification and Validation

Methods:

SMB protocol configuration checks

Evidence or Artifacts:

PowerShell output, screenshot

Validation:

  • Attempt an SMBv1 connection
  • Observe failure

Expected Outcome:

  • SMBv1 connection fails
  • Events logged
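
A connection timeout shows only that TCP/445 did not answer, which a host firewall rule also produces, so it cannot by itself separate "port filtered" from "SMBv1 negotiation refused". The following added example (not part of the original page; the function names and verdict strings are this example's own) sends a single SMB1 negotiate request offering only the NT LM 0.12 dialect and reports which of those outcomes occurred.

```python
import socket
import struct

DIALECT = b"\x02NT LM 0.12\x00"  # the only dialect offered: SMBv1

def build_negotiate() -> bytes:
    """SMB1 SMB_COM_NEGOTIATE (0x72) offering only NT LM 0.12, NetBIOS-framed."""
    header = (b"\xffSMB" + b"\x72" + b"\x00" * 4        # protocol, command, status
              + b"\x18" + struct.pack("<H", 0xC801)     # flags, flags2
              + b"\x00" * 12                            # PIDHigh, signature, reserved
              + struct.pack("<HHHH", 0xFFFF, 1, 0, 1))  # TID, PID, UID, MID
    body = b"\x00" + struct.pack("<H", len(DIALECT)) + DIALECT  # WordCount=0, ByteCount
    smb = header + body
    return b"\x00" + struct.pack(">I", len(smb))[1:] + smb     # 3-byte length prefix

def classify(reply: bytes) -> str:
    """Map the bytes read after the negotiate request to a verdict string."""
    if not reply:
        return "REJECTED"              # connection closed without an SMB1 reply
    smb = reply[4:]                    # skip the 4-byte NetBIOS session header
    if smb[:4] != b"\xffSMB" or len(smb) < 35:
        return "UNKNOWN"
    status, = struct.unpack_from("<I", smb, 5)
    index, = struct.unpack_from("<H", smb, 33)   # DialectIndex, 0xFFFF = none accepted
    if status == 0 and index != 0xFFFF:
        return "SMB1_NEGOTIATED"       # server accepted SMBv1: non-compliant
    return "SMB1_REPLY_ERROR"          # server still answered in SMB1 framing: investigate

def probe(host: str, port: int = 445, timeout: float = 5.0) -> str:
    """Run the check against one host that you are authorised to test."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                s.sendall(build_negotiate())
                return classify(s.recv(4096))
            except socket.timeout:
                return "NO_REPLY"          # connected, but nothing came back
            except ConnectionError:
                return "REJECTED"          # reset after the SMB1 offer
    except OSError:
        return "PORT_UNREACHABLE"          # inconclusive: filtered, closed or host down

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

Only REJECTED supports SMB-V-03 and SMB-V-04 as evidence; PORT_UNREACHABLE and NO_REPLY call for a retest with TCP/445 reachable from the test host.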

Test Script

Write-Host "=== ISM-1962 SMBv1 Compliance Check ==="

# Check SMB Server Configuration
$serverConfig = Get-SmbServerConfiguration
Write-Host "SMB1 Server Enabled:" $serverConfig.EnableSMB1Protocol

# Check Windows Feature State (Get-WindowsOptionalFeature -Online requires an elevated session)
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Write-Host "SMB1 Feature State:" $feature.State

# Check SMB Client Configuration (only if property exists)
$clientConfig = Get-SmbClientConfiguration
$clientProp = $clientConfig.PSObject.Properties['EnableSMB1Protocol']
$clientSMB1 = if ($clientProp) { $clientProp.Value } else { $null }

if ($null -eq $clientSMB1) {
    Write-Host "SMB1 Client Enabled: (Not exposed on this OS build)" -ForegroundColor Yellow
} else {
    Write-Host "SMB1 Client Enabled:" $clientSMB1
}

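# Compliance Result
# Evaluate the feature state first so that both disabled states
# ("Disabled" and "DisabledWithPayloadRemoved") satisfy the client fallback.
$featureCompliant = @("Disabled","DisabledWithPayloadRemoved") -contains $feature.State
$clientCompliant  = if ($null -eq $clientSMB1) { $featureCompliant } else { $clientSMB1 -eq $false }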

if (
    $serverConfig.EnableSMB1Protocol -eq $false -and
    $clientCompliant -and
    $featureCompliant
) {
    Write-Host "RESULT: COMPLIANT with ISM-1962" -ForegroundColor Green
} else {
    Write-Host "RESULT: NON-COMPLIANT with ISM-1962" -ForegroundColor Red
}