

Script to see if and where SMBv1 is enabled (or disabled) on 150+ machines

Question

Monday, July 3, 2017 12:22 PM

Dear Experts,

I hope you're doing well. I have been searching all over the web for 12+ hours trying to find a working script where I can take a list of computer names and query them to see if SMBv1 is enabled (or disabled).

I can turn it off altogether using Group Policy per this article, "Use GPO", but require a report first. I have read that NMAP can do it but that's way too complex, as well as another overly complex utility from GitHub that begins with a "D". I can run the below on an individual machine, but we have 150+ PCs and would like to do this as easily and quickly as possible.

Any help would be greatly appreciated.  In return, for the "Best Answer", I am willing to PayPal $40 to you!

From Microsoft:

In parallel to applying the patch, you should disable SMBv1 use on your network. You can do this by running these commands in PowerShell on each system. Further information on how to disable SMBv1 on other systems is available here.

  • Check for SMBv1
    • Get-SmbServerConfiguration | Select EnableSMB1Protocol
  • To disable SMBv1 on the SMB server
    • Set-SmbServerConfiguration -EnableSMB1Protocol $false

All replies (14)

Monday, July 3, 2017 12:37 PM

If you read the article carefully it states that "if you cannot apply the patch then disable SMBv1." The patch was deployed last March and works as needed.

The article also shows you how to use Group Policy to disable the protocol if you cannot apply the patch.

You do NOT need both.

\(ツ)_/


Monday, July 3, 2017 12:39 PM

Here is an exact copy of that section of the latest from MSRC:

We recommend customers that have not yet installed security update MS17-010 to do so as soon as possible. If for some reason you cannot apply the update, we recommend a possible workaround to reduce the attack surface: disable SMBv1 with the steps documented at Microsoft Knowledge Base Article 2696547. In addition, consider implementing techniques like network segmentation and least privileged accounts that will further limit the impact of these types of malware attacks. For those using Windows 10, leverage capabilities like Device Guard to lock down devices and allow only trusted applications, effectively preventing malware from running. Finally, consider leveraging Windows Defender Advanced Threat Protection, which automatically detects behaviors used by this new ransomware.

https://blogs.technet.microsoft.com/msrc/2017/06/28/update-on-petya-malware-attacks/

\(ツ)_/


Monday, July 3, 2017 4:53 PM

Here is an exact copy of that section of the latest from MSRC:

We recommend customers that have not yet installed security update MS17-010 to do so as soon as possible. If for some reason you cannot apply the update, we recommend a possible workaround to reduce the attack surface: disable SMBv1 with the steps documented at Microsoft Knowledge Base Article 2696547. In addition, consider implementing techniques like network segmentation and least privileged accounts that will further limit the impact of these types of malware attacks. For those using Windows 10, leverage capabilities like Device Guard to lock down devices and allow only trusted applications, effectively preventing malware from running. Finally, consider leveraging Windows Defender Advanced Threat Protection, which automatically detects behaviors used by this new ransomware.

https://blogs.technet.microsoft.com/msrc/2017/06/28/update-on-petya-malware-attacks/

\(ツ)_/

I'm sorry, I'm not understanding. I know how to mitigate the problem, I have no idea how to actually report which machines are affected.  Or are you implying that I hop on our WSUS server and find out what machines did or did not embrace that particular patch?

Thanks


Monday, July 3, 2017 5:12 PM

Hi,

I was also looking for a solution to find the number of devices with the SMB1 protocol setting enabled, and I found the articles below very useful.

https://www.techwhisperer.ca/2017/03/04/disable-smb1-with-powershell-and-sccm/

https://blogs.technet.microsoft.com/ralphkyttle/2017/04/07/discover-smb1-in-your-environment-with-dscea/

If you are using SCCM, then using a configuration baseline we can find the list of devices with the SMB1 protocol enabled and can remediate those devices.

Hope this will help.


Saturday, July 22, 2017 7:54 PM

Hello,

I was having the same issue but came to the realization that seeing if it was enabled was not enough. I needed to know if it was being used, by whom, on what, and needed to be able to review the data across all workstations centrally. I posted a solution that uses PowerShell to record the active SMB connections less than version 2 and stores them in WMI where they can be inventoried by SCCM.

Hope this helps,

https://social.technet.microsoft.com/wiki/contents/articles/38515.smbv1-logging-active-connections.aspx

https://gallery.technet.microsoft.com/scriptcenter/SMBv1-Logging-Active-8aa60772


Saturday, July 22, 2017 7:57 PM

If you have the latest patches installed then it is disabled.

\(ツ)_/


Wednesday, July 26, 2017 2:17 PM

Please list your OSs and you'll get a script that you can deploy as a domain startup script that will do its reporting to a logfile. Honestly, I wonder what this would be good for, since SMBv1 will be on everywhere - it is on by default; if you had deactivated it before, you should know. If your plan is to deactivate it, just do that, no check needed.


Wednesday, July 26, 2017 2:53 PM

The patch for SMBv1 was released by Microsoft in March and applies to all OSs including XP.  Post in Security forum for current info and KB articles discussing this.

\(ツ)_/


Wednesday, July 26, 2017 3:47 PM

Good Day

Just to check the status of the SMB protocol you can try this.
First get a list of all the servers and put them in a TXT file.

Get-Content '.\Servers.txt' | ForEach-Object {
    $Server = $_
    # Query the remote host over a CIM session; without -CimSession the cmdlet
    # only ever reports the local machine, whatever name is in the list
    $Config = Get-SmbServerConfiguration -CimSession $Server
    $SMB1 = $Config.EnableSMB1Protocol
    $SMB2 = $Config.EnableSMB2Protocol
    $output = New-Object PSObject
    $output | Add-Member NoteProperty "Server Name" $Server
    $output | Add-Member NoteProperty "Enable SMB1 Protocol" $SMB1
    $output | Add-Member NoteProperty "Enable SMB2 Protocol" $SMB2
    Write-Output $output
}

If that's not enough, you can validate whether the server has the updates mentioned by running the following on it:

# Runs on the server being checked; match the caption to the OS edition you have
$OS = (Get-WmiObject -Class Win32_OperatingSystem).Caption
if ($OS -eq 'Microsoft Windows Server 2012 R2 Standard') {
    # MS17-010 updates for 2012 R2
    Get-HotFix | Where-Object { $_.HotfixID -eq 'KB4012216' -or $_.HotfixID -eq 'KB4012214' -or $_.HotfixID -eq 'KB4012213' -or $_.HotfixID -eq 'KB4012217' }
}
elseif ($OS -eq 'Microsoft Windows Server 2008 R2 Standard') {
    # MS17-010 updates for 2008 R2
    Get-HotFix | Where-Object { $_.HotfixID -eq 'KB4012212' -or $_.HotfixID -eq 'KB4012215' }
}

Just replace the OS with the one you have.

Hope this can help you
Regards


Wednesday, July 26, 2017 4:06 PM

@jrv's "If you have the latest patches installed then it is disabled."

Seems some people are confusing "smbv1 is patched (=no current threat, but future threats possible)" with "SMBv1 is disabled (=no current threat, no future threats)".


Wednesday, July 26, 2017 4:22 PM

The major reason for disabling SMBv1 is to avoid the known exploits.  This was posted as part of the KB for the fix and recommended as a workaround for systems that did not have a patch available.

The KB recommends using the patch.

To disable, just add the registry DWORD value set to 0, or:

Set-SmbServerConfiguration -EnableSMB1Protocol $false

\(ツ)_/


Wednesday, July 26, 2017 4:27 PM

To report use the CmdLet:

Get-ADComputer -Filter * | ForEach-Object { Get-SmbServerConfiguration -CimSession $_.Name } | Select-Object PSComputerName, EnableSMB1Protocol

I should also note that SMBv1 can be disabled via a GPO.

\(ツ)_/
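Putting the two approaches in this thread together (a list of computer names, and Get-SmbServerConfiguration over a CIM session), here is an added example script that is not from any of the posts above: it reports the SMBv1 server status of every host in Servers.txt to a CSV, and on hosts that predate the SMB cmdlets (Windows 7 / 2008 R2) it falls back to reading the LanmanServer SMB1 registry value from KB2696547. It assumes WinRM/CIM connectivity and admin rights on the targets; the file names are placeholders.

```powershell
# Added example, not code from the thread. Assumes: one computer name per line in
# Servers.txt, WinRM/CIM reachable, and admin rights on each target.
param(
    [string]$ListPath   = '.\Servers.txt',
    [string]$ReportPath = '.\SMBv1-Report.csv'
)

$computers = Get-Content -Path $ListPath | Where-Object { $_.Trim() -ne '' }

$report = foreach ($computer in $computers) {
    $result = [PSCustomObject]@{
        ComputerName = $computer
        Reachable    = $false
        Method       = $null
        SMB1Enabled  = $null     # $true / $false / 'Unknown'
        Error        = $null
    }
    try {
        # Windows 8 / Server 2012 and later expose the SMB server settings over CIM.
        $cfg = Get-SmbServerConfiguration -CimSession $computer -ErrorAction Stop
        $result.Reachable   = $true
        $result.Method      = 'Get-SmbServerConfiguration'
        $result.SMB1Enabled = [bool]$cfg.EnableSMB1Protocol
    } catch {
        try {
            # Older hosts lack that CIM class; read the LanmanServer SMB1 DWORD instead.
            # A missing value means the default applies, i.e. SMBv1 is still enabled.
            $value = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
                (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
            }
            $result.Reachable   = $true
            $result.Method      = 'Registry'
            $result.SMB1Enabled = ($null -eq $value) -or ($value -ne 0)
        } catch {
            # Host offline, WinRM blocked, or access denied: record it rather than skip it
            $result.SMB1Enabled = 'Unknown'
            $result.Error       = $_.Exception.Message
        }
    }
    $result
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation

# On-screen summary: hosts still exposing SMBv1, and hosts that could not be checked
$report | Where-Object { $_.SMB1Enabled -eq $true } | Format-Table ComputerName, Method
$report | Where-Object { -not $_.Reachable }        | Format-Table ComputerName, Error
```

Hosts listed as Unknown need a second look rather than being assumed clean; an unreachable machine is exactly the kind that tends to be unpatched as well.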


Wednesday, July 26, 2017 5:08 PM

You can disable them in the registry, and using a command prompt you will need all the 150 computer addresses

to use that command.

Or you can uninstall SMB v1 using Add and Remove Windows Features on all 150 machines. There is no easy way for this action; maybe if you go to the Scripting Center and ask one of the gurus there, they will write one for a small fee.


Wednesday, July 26, 2017 5:37 PM

You can disable them in the registry, and using a command prompt you will need all the 150 computer addresses

to use that command.

Or you can uninstall SMB v1 using Add and Remove Windows Features on all 150 machines. There is no easy way for this action; maybe if you go to the Scripting Center and ask one of the gurus there, they will write one for a small fee.

It can be done with GP in about 10 clicks.

\(ツ)_/