There has been lots of buzz over the recent ransomware attacks. One of the mitigations to keep the attack from spreading is disabling SMBv1 on all of your Windows workstations and servers. One easy way to deploy this, while also having reports to confirm the settings are applied correctly, is Configuration Manager's Compliance Settings, also known as Desired Configuration Management (DCM). Using compliance settings makes rolling out this change a breeze and lets you update your security team with reports showing the progress of the rollout. Below are the detailed instructions on how to set up, configure and deploy these settings.
First, all the documentation on how to disable SMBv1 can be found here.
You can also do this with Group Policy Preferences; keep in mind that Group Policy does not have a reporting system built into it. The instructions, along with some really good information on the ransomware attack, can be found here.
You can also do this with Desired State Configuration (DSC). A friend of mine on the consulting side of services, Ralph Kyttle, put together instructions for DSC, leveraging a DSC tool he helped build, called the Desired State Configuration Environment Analyzer (DSCEA). The instructions can be found here. The DSCEA tool can be found here.
Let’s begin!
First, we need to create the detection and remediation scripts for both LanmanServer and LanmanWorkstation.
For LanmanServer this is straightforward, as we only need to read a single registry value.
```powershell
## LANMANSERVER
## Detection
$SMBServer = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
# The SMB1 value does not exist on a default install; absent means enabled, so report 1 rather than nothing
if ($null -eq $SMBServer.SMB1) { 1 } else { $SMBServer.SMB1 }
```
We read the properties of the LanmanServer\Parameters key and return the SMB1 value to the compliance settings agent. If SMBv1 is disabled, it returns 0; anything else means it is enabled. One caveat: on a default install the SMB1 value does not exist at all, and a missing value means SMBv1 is enabled on every OS that ships it. The script therefore returns 1 when the value is absent instead of returning nothing, so the compliance rule (equals 0) always has an integer to evaluate.
For remediation, it's just as simple. This forces the value of SMB1 to 0 (creating the value if it does not exist) and restarts the Server service so the change takes effect immediately.
```powershell
## Remediation
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Value 0 -Force
Restart-Service -Name LanmanServer -Force
```
For LanmanWorkstation this scenario is not as straightforward: the DependOnService value is a REG_MULTI_SZ that we need to evaluate to ensure the SMBv1 entry is not present. We also need to ensure the SMBv1 driver is not running. This means we need to add some logic to the detection script.
```powershell
## LanmanWorkstation
## Detection
$SMBClient = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation"
# mrxsmb10 is a kernel driver, which Get-Service does not enumerate, so query it through WMI
$SMBv1Driver = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='mrxsmb10'"
$SMBv1Status = if ($SMBv1Driver) { $SMBv1Driver.State } else { "Stopped" }
# Non-compliant if the dependency is still present OR the driver is still running
IF (($SMBClient.DependOnService -contains "MRxSmb10") -or ($SMBv1Status -eq "Running")) {$false} ELSE {$true}
```
This reads the DependOnService list and checks whether MRxSmb10 is still in it, then checks whether the mrxsmb10 driver is running. MRxSmb10 is the SMBv1 mini-redirector driver found on Windows versions where SMBv1 is still on by default. Note that it is a kernel driver, not a Win32 service, so Get-Service cannot find it (it would silently return nothing); Win32_SystemDriver can. In this case I am using reverse logic: I am checking for the state I don't want the client to be in. If the dependency is still present or the driver is still running, we return a Boolean $false, which represents a non-compliant machine and is the trigger for running the remediation script. Either condition on its own is enough to mark the machine non-compliant, so a client whose dependency was removed but whose driver is still loaded still gets remediated.
For remediation, we reconfigure the Workstation service so it no longer depends on MRxSmb10 (the documented dependency list without SMBv1 is bowser/mrxsmb20/nsi) and set the SMBv1 driver to disabled. We then restart the Workstation service and stop the driver so the change takes effect immediately. Because mrxsmb10 is a kernel driver, sc.exe is used for the driver operations; Stop-Service, like Get-Service, cannot see it. If the driver refuses to stop because it is still in use, the change completes at the next reboot.
```powershell
## Remediation
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
Restart-Service -Name LanmanWorkstation -Force
# Stop-Service cannot see kernel drivers, so stop mrxsmb10 with sc.exe
sc.exe stop mrxsmb10
```
Now to take the scripts and plug them into Compliance Settings.
We need to create a new configuration item, and give it a name that aligns with a naming convention and can easily be identified.
We need to remove the operating systems that we know this will break. In my lab, I am removing all Windows XP and Server 2003 variants. In your environment, you might still want to disable SMB on these versions; just keep in mind that anything prior to Vista and Server 2008 only has SMBv1, so disabling it breaks SMB functionality entirely on those machines.
Set up the first setting, for LanmanServer; be sure to set the Setting Type to Script and the Data Type to Integer.
Copy in the detection script.
Copy in the remediation script.
Set up the compliance rule to equal zero (0) and turn on remediation.
Now set up the setting for LanmanWorkstation; be sure to set the Setting Type to Script and the Data Type to Boolean.
Copy in the detection script.
Copy in the remediation script.
Set up the compliance rule to equal True and turn on remediation.
Finish out the wizard.
Now we need to create the baseline and add the CI.
Create the collection for deployment.
Deploy the baseline.
I recommend manually running the scripts on a few machines, and including a few machines that are known to be non-compliant, before turning on remediation in the deployment. This lets you test the detection logic against both states. Once you are comfortable with your testing, start rolling this out slowly to workstations and/or servers. Remember that just because the OS can communicate over SMBv2/3 doesn't mean your applications let the OS negotiate the dialect; some applications may have SMBv1 hardcoded, so be sure to test this in your environment.
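As an added example for that pilot step (this is my own script, not part of the original post or the CI above), here is a single script you can run on a test machine that evaluates the same two conditions the CI settings evaluate, reports what the compliance agent will see, cross-checks the server side with Get-SmbServerConfiguration where that cmdlet exists, and optionally applies the same remediation with -WhatIf support. It assumes an elevated Windows PowerShell session on Windows 7 / Server 2008 R2 or later; the script name, function names and the -Remediate switch are my own.

```powershell
# Pilot check for the two SMBv1 conditions the CI evaluates (added example, not from the post).
# Run from an elevated Windows PowerShell prompt:
#   .\Test-Smb1Compliance.ps1                     # report only
#   .\Test-Smb1Compliance.ps1 -Remediate -WhatIf  # show what remediation would do
#   .\Test-Smb1Compliance.ps1 -Remediate          # apply it
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Apply the same remediation the CI would run on anything found non-compliant.
    [switch]$Remediate
)

$ServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ClientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'

function Get-Smb1ServerState {
    $params = Get-ItemProperty -Path $ServerKey
    # SMB1 is absent on a default install, and absent means enabled, so treat it as 1.
    $absent   = ($null -eq $params.SMB1)
    $observed = if ($absent) { 1 } else { [int]$params.SMB1 }
    $text     = if ($absent) { 'absent, treated as 1' } else { "$observed" }
    New-Object PSObject -Property @{
        Setting   = 'LanmanServer SMB1 (DWORD)'
        Observed  = $text
        Compliant = ($observed -eq 0)
    }
}

function Get-Smb1ClientState {
    $svc = Get-ItemProperty -Path $ClientKey
    $dependsOnSmb1 = [bool]($svc.DependOnService -contains 'MRxSmb10')
    # mrxsmb10 is a kernel-mode file system driver. Get-Service only enumerates
    # Win32 services, so the driver has to be queried through Win32_SystemDriver.
    $drv     = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='mrxsmb10'"
    $running = ($null -ne $drv) -and ($drv.State -eq 'Running')
    $drvText = if ($null -eq $drv) { 'driver not installed' } else { "driver $($drv.State), start=$($drv.StartMode)" }
    New-Object PSObject -Property @{
        Setting   = 'LanmanWorkstation SMBv1 client'
        Observed  = "DependOnService contains MRxSmb10: $dependsOnSmb1; $drvText"
        # Either condition alone is enough to need remediation.
        Compliant = -not ($dependsOnSmb1 -or $running)
    }
}

$server = Get-Smb1ServerState
$client = Get-Smb1ClientState
@($server, $client) | Format-Table Setting, Compliant, Observed -AutoSize -Wrap | Out-Host

# Independent cross-check where the SMB cmdlets exist (Windows 8 / Server 2012 and later).
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    Write-Host "Get-SmbServerConfiguration reports EnableSMB1Protocol = $smb1"
}

if ($Remediate) {
    if (-not $server.Compliant -and $PSCmdlet.ShouldProcess('LanmanServer', 'Set SMB1=0 and restart the Server service')) {
        Set-ItemProperty -Path $ServerKey -Name SMB1 -Value 0 -Type DWord -Force
        Restart-Service -Name LanmanServer -Force
    }
    if (-not $client.Compliant -and $PSCmdlet.ShouldProcess('LanmanWorkstation', 'Remove MRxSmb10 dependency, disable and stop the driver')) {
        # sc.exe is used for the driver because Stop-Service, like Get-Service, cannot see it.
        & sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        & sc.exe config mrxsmb10 start= disabled | Out-Null
        Restart-Service -Name LanmanWorkstation -Force
        & sc.exe stop mrxsmb10 | Out-Null
    }
}

# Exit 1 when anything is still non-compliant, so the script is usable from Invoke-Command or a scheduled task.
$nonCompliant = @($server, $client) | Where-Object { -not $_.Compliant }
exit ([int](@($nonCompliant).Count -gt 0))
```

Run it once before remediation to confirm the detection reports the state you expect, then with -Remediate -WhatIf to see which of the two remediations would fire, and finally run it again after remediating; a client whose driver still reports Running after `sc.exe stop` will show compliant only after a reboot, which is the same behaviour the CI's remediation will have.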
Hope this helps!
Cameron