YouAreHere
New Member, joined Oct 3, 2019
I have installed a fresh copy of Windows 10 Home 1903 which was obtained from the Microsoft site.
After installation I noticed these entries in the SMB Server Event Viewer log:
One or more named pipes or shares have been marked for access by anonymous users. This increases the security risk of the computer by allowing unauthenticated users to connect to this server.
Registry Key: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters
Registry Values: NullSessionPipes, NullSessionShares
Default Value: Empty (or not present)
Current Value: Non-empty
Guidance:
You should expect this event when modifying the default values of NullSessionShares and NullSessionPipes. On a typical file server, these settings do not exist or do not contain values, which is the most secure configuration. By default, domain controllers populate the NullSessionShares entry with netlogon, samr, and lsarpc to allow legacy access methods.
This Event Viewer entry can be found at Applications and Services Logs > Microsoft > Windows > SMB Server > Operational
I went to Control Panel > Programs > Programs and Features > Turn Windows features on or off and removed SMB 1.0 support. This did not stop the activity in the SMB Event Log.
If I look at the XML version of the SMB Event Viewer log it says 'EventData xmlns="Smb2Namespace"'. Does that mean I have SMB version 2.0 installed somewhere on Windows 10?
I added custom outbound rules to the Windows firewall to block ports 137-139 and 445. After doing that the log entries for SMB Server have stopped.
Do you folks also have these SMB Server entries in your Event Viewer?
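
One way to check the two registry values the event text names, along with the SMB server's protocol switches, added here as an example that is not part of the original post. It assumes an elevated PowerShell session on the affected machine and that the log path given in the post corresponds to the channel name Microsoft-Windows-SMBServer/Operational; the variable names are illustrative.

```powershell
# Added example: audit the anonymous-access settings named in the event text.
# Run from an elevated PowerShell prompt on the machine that logged the event.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$names = 'NullSessionPipes', 'NullSessionShares'

$props = Get-ItemProperty -Path $key -ErrorAction Stop

$report = foreach ($name in $names) {
    # Both values are REG_MULTI_SZ. An absent value, or one holding only
    # empty strings, is the default state described in the event guidance.
    $raw     = $props.$name
    $entries = @($raw | Where-Object { $_ -and $_.Trim() })
    [pscustomobject]@{
        Value    = $name
        Present  = $null -ne $raw
        NonEmpty = $entries.Count -gt 0
        Entries  = $entries -join ', '
    }
}
$report | Format-Table -AutoSize

# SMB1 and SMB2/3 are separate switches on the SMB server service;
# removing the SMB 1.0 feature does not change the second one.
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, EnableSMB2Protocol

# Pull the most recent matching entries from the SMB Server operational log
# (channel name assumed from the Event Viewer path in the post). The filter
# matches on message text because the post does not give an event ID.
Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Operational' -MaxEvents 200 |
    Where-Object { $_.Message -match 'NullSession(Pipes|Shares)' } |
    Select-Object -First 5 TimeCreated, Id, Message |
    Format-List
```

A row with `NonEmpty` set to `True` is the condition the event reports as "Current Value: Non-empty", and `Entries` shows which pipes or shares are listed.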