Worklet: Disabling SMBv1 across Windows Devices

  • 14 July 2020
  • 0 replies
  • 99 views


Server Message Block (SMB) is a network communication protocol used to share access to files, printers and other resources across devices on a network.


SMBv1 was first designed and used 30 years ago and is no longer adequate to provide security in today’s network infrastructure, where the complexity is rivaled only by that of the malicious code looking to exploit it.


Frankly, using SMB1, or even leaving it enabled, is unacceptable in today’s world, because you lose the key protections offered by later SMB protocol versions:



  • Pre-authentication Integrity

  • Secure Dialect Negotiation

  • Encryption

  • Insecure guest authentication blocking, which protects against man-in-the-middle (MitM) attacks

  • Better message signing


Additionally, if your clients still speak SMB1, a man-in-the-middle can make them give up every protection listed above. All the attacker has to do is block SMB2+ on the path and answer to your server’s name or IP address; the client then negotiates down to SMB1, which has no secure dialect negotiation or pre-authentication integrity to catch the downgrade.


Automox recommends that you disable SMB1 across all of your Windows devices. Below is the Worklet code used to evaluate whether SMB1 is enabled or disabled. If the evaluation finds SMB1 enabled, it exits with a 1 and the device is flagged for remediation. The remediation code, as you would guess, disables SMB1 on the device.


You can use the same code for Windows 10 and 8.1. I have also provided the Worklet for Windows 7.


Windows 10 and 8.1 Worklet


Evaluation:


# Read the state of the SMB1Protocol optional feature, which carries both the SMB1 client and server.
# Possible states include Enabled, Disabled and DisabledWithPayloadRemoved; only Enabled is non-compliant.
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol | ForEach-Object State

# Exit 1 (non-compliant, remediate) only when the feature is actually enabled.
if ($smb1 -eq "Enabled")
{exit 1
}
else
{exit 0
}

Remediation:


Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart 

Windows 7 Worklet


Evaluation:


# Windows 7 has no SMB1Protocol optional feature; the SMB1 server is controlled by the SMB1 DWORD
# under LanmanServer\Parameters. The value does not exist by default, and a missing value means
# SMB1 is ENABLED, so only an explicit 0 counts as disabled.
$smb1 = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters').SMB1

# Compare with -eq: "if ($smb1 = 1)" is an assignment, is always true, and would flag every device.
if ($smb1 -eq 0)
{exit 0}
else
{exit 1}

Remediation:


# Sets the SMB1 server value to 0 (disabled). Note this only turns off the SMB1 server on the device; it does not touch the SMB1 client.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

NOTE: You may need to reboot the device for the change to fully take effect. Currently the Worklet does not reboot the device; you can perform the reboot on the devices once you apply the Worklet. You can use the Worklet: Predictable Reboot Notifications for Windows to send a reboot notification to the end user and reboot the device.


-Adam
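The following is an added example and is not code from the original Worklet or from Automox. It combines the two branches above into one script that reports why a device fails and, when run with -Remediate, fixes it. Assumptions: it runs elevated (Worklets run as SYSTEM); the presence of the Get-WindowsOptionalFeature cmdlet (shipped with Windows 8 and later, absent on Windows 7) is used to tell the branches apart; the -Remediate switch is only a convenience for illustration, since a real Worklet keeps evaluation and remediation in separate scripts. It goes beyond the Windows 7 Worklet above by also checking and disabling the SMB1 client driver (mrxsmb10), which is the side a downgrade attack targets, using the steps Microsoft documents for Windows 7.

```powershell
# Added example, not part of the original Worklet. Evaluates SMB1 on Windows 8.1/10 and on
# Windows 7, prints a reason for each failure, and remediates when run with -Remediate.
# Assumptions: runs elevated; Get-WindowsOptionalFeature exists only on Windows 8 and later.
param([switch]$Remediate)
$ErrorActionPreference = 'Stop'

# Returns an array of findings; an empty array means SMB1 is fully disabled.
function Test-Smb1 {
    $findings = @()
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        # Windows 8.1 / 10: the optional feature carries both the SMB1 client and server.
        # States include Enabled, Disabled, DisablePending and DisabledWithPayloadRemoved;
        # only Enabled fails (a pending state clears on the reboot the NOTE above mentions).
        $state = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
        if ($state -eq 'Enabled') { $findings += 'SMB1Protocol optional feature is Enabled' }

        # Second opinion from the SMB server itself (cmdlet available on Windows 8 / 2012 and later).
        if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
            $findings += 'LanmanServer still has EnableSMB1Protocol = True'
        }
    }
    else {
        # Windows 7 / Server 2008 R2. The SMB1 value does not exist by default, and a missing
        # value means the SMB1 server is ENABLED, so only an explicit 0 passes.
        $srv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        if ($null -eq $srv.SMB1 -or $srv.SMB1 -ne 0) {
            $findings += 'SMB1 server: LanmanServer\Parameters\SMB1 is missing or not 0'
        }

        # The server value says nothing about the SMB1 client (mrxsmb10 driver). Start = 4 is
        # SERVICE_DISABLED; anything else means the client can still negotiate SMB1.
        $cli = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' -ErrorAction SilentlyContinue
        if ($null -ne $cli -and $cli.Start -ne 4) {
            $findings += "SMB1 client: mrxsmb10 driver is not disabled (Start = $($cli.Start))"
        }
    }
    return ,$findings
}

function Disable-Smb1 {
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        # Same remediation as the Windows 10 / 8.1 Worklet, plus the server's own switch.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    else {
        # Server side: the same registry value the Windows 7 Worklet sets.
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -Type DWORD -Value 0 -Force
        # Client side, per Microsoft's documented Windows 7 steps: drop mrxsmb10 from the
        # workstation service's dependencies and disable the driver. Effective after a reboot.
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
    }
}

$findings = Test-Smb1
if ($Remediate -and $findings.Count -gt 0) {
    Disable-Smb1
    $findings = Test-Smb1   # re-check so the exit code reflects the post-remediation state
}

if ($findings.Count -eq 0) { Write-Output 'PASS: SMB1 disabled'; exit 0 }
$findings | ForEach-Object { Write-Output "FAIL: $_" }
exit 1
```

To use it as a Worklet, paste the Test-Smb1 function and the final block (without the -Remediate branch) into the evaluation field, and the Disable-Smb1 function with a single call into the remediation field. The Windows 7 branch still needs the reboot described in the NOTE above before the client-side change is in force.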

