
Server Message Block (SMB) is a network communication protocol used to share access to files, printers, and other resources across devices on a network.



SMBv1 was first designed and used 30 years ago and is no longer adequate for providing security in today's network infrastructure, where the complexity is rivaled only by that of the malicious code looking to exploit it.



Frankly, having SMB1 enabled is unacceptable in today's world, because any device that still speaks SMB1 loses the key protections offered by the later SMB protocol versions:





  • Pre-authentication Integrity (SMB 3.1.1), which protects against downgrade attacks

  • Secure Dialect Negotiation (SMB 3.0 and 3.02), which also protects against downgrade attacks

  • Encryption (SMB 3.0 and later), which prevents inspection of data on the wire

  • Insecure guest auth blocking (SMB 3.0 and later on Windows 10), which protects against MiTM attacks

  • Better message signing (SMB 2.02 and later), where HMAC-SHA256 and then AES-CMAC replace MD5




Additionally, if your clients still speak SMB1, a man-in-the-middle can make them ignore all of the above. All the attacker needs to do is block SMB2 and later on the path and answer to your server's name or IP, and the client falls back to SMB1 and every protection listed above is gone.



Automox recommends that you disable SMB1 across all of your Windows devices. Below is the Worklet code needed to evaluate whether SMB1 is enabled or disabled. If evaluation finds SMB1 enabled, it will exit with a "1" and trigger remediation. The remediation code, as you could guess, will disable SMB1 on the device.



You can use the same code for Windows 10 and 8.1. I have also provided the Worklet for Windows 7.



Windows 10 and 8.1 Worklet



Evaluation:



$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol | ForEach-Object State
# "Disabled" and "DisabledWithPayloadRemoved" both mean SMB1 is off; anything
# else (Enabled, EnablePending, or no result at all) is treated as non-compliant.
if ($smb1 -like 'Disabled*')
{
    exit 0
}
else
{
    exit 1
}



Remediation:



Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart 



Windows 7 Worklet



Evaluation:



# On Windows 7 the SMB1 value does not exist by default, and a missing value
# means SMB1 is enabled, so only an explicit 0 counts as compliant.
$params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
$smb1 = $params.SMB1
# Note: -eq is the comparison; a single = would be an assignment and always exit 1.
if ($smb1 -eq 0)
{
    exit 0
}
else
{
    exit 1
}



Remediation:



Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 0 -Force



NOTE: You may need to reboot the device for the change to fully take effect. Currently the Worklet will not reboot the device; you can reboot the devices once you apply the Worklet. You can use the Worklet: Predictable Reboot Notifications for Windows to send a reboot notification to the end-user and reboot the device. Also note that on Windows 7 the SMB1 registry value only turns off the SMB1 server component; the SMB1 client driver (mrxsmb10) is a separate service and is not touched by this Worklet.



-Adam
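The following is an added example and not one of Adam's Worklets. It goes beyond the feature check above: on Windows 8.1, Windows 10 and Server 2012 R2 or later, where the SmbShare cmdlets exist, it audits the SMB1 feature and server switch, the signing and guest-logon settings that an SMB1 downgrade would let an attacker strip, live connections that negotiated a 1.x dialect, and (on Windows 10 / Server 2016 and later) the SMB1 access audit log, then optionally remediates. It assumes an elevated session; the AuditSmb1Access and EnableInsecureGuestLogons properties only exist on Windows 10 / Server 2016 and later, so the script checks for them before use. Windows 7 is not covered because it lacks these cmdlets.

```powershell
# Added example (not part of the original Worklets). Audit SMB1 and related
# protections, optionally remediate. Exit 0 = compliant, 1 = findings, matching
# the Worklet convention. Assumes an elevated session on Windows 8.1/10/2012 R2+.
param([switch]$Remediate)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Optional feature: the parent plus the client and server sub-features.
#    "Disabled" and "DisabledWithPayloadRemoved" both count as off.
foreach ($name in 'SMB1Protocol', 'SMB1Protocol-Client', 'SMB1Protocol-Server') {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -notlike 'Disabled*') {
        $findings.Add("Feature $name is $($feature.State)")
    }
}

# 2. Server side: the SMB1 switch and whether signing is enforced.
$srv = Get-SmbServerConfiguration
if ($srv.EnableSMB1Protocol)            { $findings.Add('Server: EnableSMB1Protocol is True') }
if (-not $srv.RequireSecuritySignature) { $findings.Add('Server: signing is not required') }

# 3. Client side: the settings an SMB1 downgrade would let an attacker bypass.
#    EnableInsecureGuestLogons only exists on Windows 10 / Server 2016+ (assumption: same name there).
$cli = Get-SmbClientConfiguration
if (-not $cli.RequireSecuritySignature) { $findings.Add('Client: signing is not required') }
if ($cli.PSObject.Properties['EnableInsecureGuestLogons'] -and $cli.EnableInsecureGuestLogons) {
    $findings.Add('Client: insecure guest logons are allowed')
}

# 4. Live evidence: outbound connections from this box that negotiated a 1.x dialect.
Get-SmbConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.Dialect -like '1.*' } |
    ForEach-Object { $findings.Add("SMB1 connection to \\$($_.ServerName)\$($_.ShareName)") }

# 5. Inbound evidence (Windows 10 / Server 2016+): with AuditSmb1Access on, event 3000
#    in the SMBServer/Audit log names each client that used SMB1. Check this on a file
#    server before turning SMB1 off so you know which clients will break.
if ($srv.PSObject.Properties['AuditSmb1Access']) {
    if (-not $srv.AuditSmb1Access) {
        $findings.Add('Server: AuditSmb1Access is off, so SMB1 clients are not being recorded')
    }
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } `
                 -MaxEvents 100 -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("SMB1 client seen: $($_.Message.Trim())") }
}

$findings | ForEach-Object { Write-Output $_ }

if ($Remediate -and $findings.Count -gt 0) {
    # Same effect as the remediation Worklet above, plus the server-level switch.
    # Signing and guest-logon findings are reported but deliberately not changed here,
    # since requiring signing can break older clients and needs its own rollout.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Write-Output 'SMB1 disabled; a reboot is still required for the feature removal to complete.'
}

if ($findings.Count -gt 0) { exit 1 } else { exit 0 }
```

Run it without arguments as an evaluation (it prints each finding and exits 1 if any), and with -Remediate to disable SMB1 the same way the Worklet does. Step 5 is the part worth running on file servers first: turn on AuditSmb1Access for a week or two, and the event 3000 entries tell you which clients still need SMB1 before you pull it.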
