Diegus83/d074171ad6367e2fb8a7ae25156afb50
Last active September 7, 2020 15:08
Disable SMBv3 server support in macOS
Set your macOS server to deny SMB 3 connections

Validate negotiate requests are an SMB 3 feature that clients initiate. To prevent clients from making these requests, you can set your macOS server to accept only SMB 2 connections. A bit-field in server preferences controls Server Dialect. The keyword for this bit-field is ProtocolVersionMap. It uses only three bits:

Value  Meaning
1      Support SMB 1
2      Support SMB 2
4      Support SMB 3

To support multiple dialects, combine bits.

This example sets ProtocolVersionMap to allow SMB 2. To do this, it sets the ProtocolVersionMap to "2":

sudo scutil --prefs com.apple.smb.server.plist
get /
d.add ProtocolVersionMap # 2
set /
commit
apply
quit

Disable validate negotiate requests on your client

If you disable validate negotiate, you will increase susceptibility to man-in-the-middle attacks. You should disable validate negotiate requests only if both client and server are on a secured network.

To set the value of the validate_neg_off setting in the nsmb.conf file in the /etc directory, use a text editor or Terminal. For more client side SMB configuration options, see the man page for nsmb.conf.

When you configure an nsmb.conf to disable validate negotiate requests, here's what it looks like:

[default]
validate_neg_off=yes
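
Both settings above can be checked without changing them. The script below is an added example, not part of the original gist: it decodes a ProtocolVersionMap value into the dialects it enables and lists the nsmb.conf sections in which validate_neg_off is turned on. The function names, the sample configuration, and the rule that any value other than "no" counts as enabled are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original gist): read-only checks for the
# two settings described above.

# Print the dialects a ProtocolVersionMap value enables (bits 1, 2 and 4).
# Returns 2 if the value is not a single digit 0..7.
smb_dialects() {
    case "$1" in
        [0-7]) ;;
        *) echo "invalid ProtocolVersionMap: $1" >&2; return 2 ;;
    esac
    out=""
    [ $(( $1 & 1 )) -ne 0 ] && out="$out SMB1"
    [ $(( $1 & 2 )) -ne 0 ] && out="$out SMB2"
    [ $(( $1 & 4 )) -ne 0 ] && out="$out SMB3"
    echo "${out# }"
}

# Read nsmb.conf text on stdin and print every section that sets
# validate_neg_off to anything other than "no". Treating any other value
# as enabled is a conservative assumption of this example.
# Exit status: 1 if at least one section was printed, else 0.
audit_nsmb() {
    awk '
        BEGIN { sec = "(no section)" }
        /^[ \t]*[#;]/ { next }                  # comment line
        /^[ \t]*\[/ { sec = $0; gsub(/^[ \t]*\[|\].*$/, "", sec); next }
        {
            n = index($0, "="); if (n == 0) next
            key = substr($0, 1, n - 1); val = tolower(substr($0, n + 1))
            gsub(/[ \t]/, "", key); gsub(/[ \t\r]/, "", val)
            if (key == "validate_neg_off" && val != "no") { print sec; found = 1 }
        }
        END { exit found + 0 }
    '
}

# Constructed sample input, not taken from a real host.
SAMPLE_NSMB='[default]
validate_neg_off=yes
[fileserver.example]
# validate_neg_off=yes
validate_neg_off = no'

echo "ProtocolVersionMap 2 -> $(smb_dialects 2)"
echo "ProtocolVersionMap 6 -> $(smb_dialects 6)"
printf '%s\n' "$SAMPLE_NSMB" | audit_nsmb ||
    echo "validate negotiate is disabled in the sections listed above"
```

On a client, the same check can be run against the real file with `audit_nsmb < /etc/nsmb.conf`.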