Using PowerShell to disable or remove SMB1

source link: https://www.powershell.no/security/2017/05/16/disable-remove-smb1.html
May 16, 2017

Background

Following the previous article about Using PowerShell to test whether hotfixes is installed, another challenge these days is to lower the attack surface as much as possible. There are many ways to do this, such as restricting which firewall ports are open, having a good system in place for patch management, and so on. One mitigation related to the WannaCrypt attacks, which are a relevant topic these days, is to disable the SMB 1 protocol on as many systems as possible.

Version 1.0 of the protocol is only needed by operating systems which are no longer supported by Microsoft (each line lists the SMB dialect and the Windows versions that introduced it):

  • SMB 1.0 – Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2003 R2
  • SMB 2.0 – Windows Vista and Windows Server 2008
  • SMB 2.1 – Windows 7 and Windows Server 2008 R2
  • SMB 3.0 – Windows 8 and Windows Server 2012
  • SMB 3.02 – Windows 8.1 and Windows Server 2012 R2
  • SMB 3.1.1 – Windows 10 and Windows Server 2016

On all other systems, it is a good idea to consider either disabling or removing the SMB 1.0 protocol.

Ned Pyle, who is the owner of the SMB protocol at Microsoft, has written a great article about why this is a good idea.

Quote from the article:
The original SMB1 protocol is nearly 30 years old, and like much of the software made in the 80’s, it was designed for a world that no longer exists

Microsoft also has a great article on how to do this: How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server

Examples of how to remove SMB 1 using PowerShell

There are some excellent examples in the mentioned article on how to disable and remove SMB 1 using PowerShell, but I wanted to show some additional techniques for removing it. Before showing that, I would like to highlight the recommended steps to go through first:

  • Step 1 - Identify which systems in your organization you can safely remove SMB1 from
  • Step 2 - In a test environment, verify that removing or disabling SMB1 does not have any impact on applications or services in use
  • Step 3 - Remove or disable SMB 1

Here are some examples of how (and where) to remove SMB 1 using PowerShell:

# Suggestion 1: Define in PowerShell DSC configurations for target systems that SMB 1 should be absent
configuration HyperV {

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    node localhost {

        WindowsFeature SMB1 {
            Ensure = 'Absent'
            Name   = 'FS-SMB1'
        }
    }
}

# Suggestion 2: Uninstall SMB 1 from base images so that new machines are not created with SMB 1 enabled.
# This is an example of how to do it using offline servicing (-Remove also deletes the feature payload from the image).
Uninstall-WindowsFeature -Vhd 'D:\VM Templates\WS2016Base.vhdx' -Name FS-SMB1 -Remove

# Suggestion 3: Identify target systems you can safely remove SMB 1 from.
# The below example is targeting Hyper-V hosts, which you can safely remove SMB 1 from.

# Get all Hyper-V servers from System Center Virtual Machine Manager
# (Nano Server is excluded, since SMB 1 is already absent there)
Import-Module -Name VirtualMachineManager

$HyperVHosts = Get-SCVMHost |
    Select-Object -Property *, @{ Name = 'VMMAgentVersion'; Expression = { $_.Agent.AgentVersion.ToString() } } |
    Where-Object {
        $_.VirtualizationPlatform -eq 'HyperV' -and
        $_.VMMAgentVersion -notlike '10.*' -and
        $_.CommunicationStateString -eq 'Responding'
    } |
    Sort-Object Name

# Record the SMB 1 state on every host before changing anything
$SMB1StatusBefore = Invoke-Command -ComputerName $HyperVHosts.Name -ScriptBlock { Get-WindowsFeature -Name FS-SMB1 } |
    Select-Object Name, Installed, PSComputerName

# Uninstall the feature only where it is actually installed
$Removal = Invoke-Command -ComputerName $HyperVHosts.Name -ScriptBlock {
    if ((Get-WindowsFeature -Name FS-SMB1).Installed) {
        Uninstall-WindowsFeature -Name FS-SMB1
    }
}

$SMB1StatusAfter = Invoke-Command -ComputerName $HyperVHosts.Name -ScriptBlock { Get-WindowsFeature -Name FS-SMB1 } |
    Select-Object Name, Installed, PSComputerName

# Inspect changes
Compare-Object -ReferenceObject $SMB1StatusBefore -DifferenceObject $SMB1StatusAfter -Property Installed -IncludeEqual

# Do note that a reboot is required after uninstalling SMB 1 from a running system
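Step 1 above (finding out which systems can safely lose SMB 1) deserves an example of its own, so here is an added one that is not part of the original article: it reports the local SMB 1 state, turns on SMB 1 access auditing, and summarises which clients still connected with SMB 1. It assumes Windows Server 2016 / Windows 10 or later, where Set-SmbServerConfiguration -AuditSmb1Access exists and SMB 1 connections are logged as event ID 3000 in the Microsoft-Windows-SMBServer/Audit log; the function names are my own.

```powershell
# Added example (not from the original article). Assumes Windows Server 2016 /
# Windows 10 or later, where the SMB server can audit SMB 1 client access.

function Get-Smb1Status {
    # Report whether the SMB 1 component is installed, whether the protocol is
    # enabled on the server side, and whether SMB 1 auditing is switched on.
    $cfg = Get-SmbServerConfiguration
    $installed = if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        (Get-WindowsFeature -Name FS-SMB1).Installed                                   # Windows Server
    } else {
        (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State -eq 'Enabled'  # client SKUs
    }
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Smb1Installed       = $installed
        Smb1ProtocolEnabled = $cfg.EnableSMB1Protocol
        Smb1AuditEnabled    = $cfg.AuditSmb1Access
    }
}

function Enable-Smb1Audit {
    # Log every SMB 1 connection to Microsoft-Windows-SMBServer/Audit (event ID 3000).
    # Leave this running for a few weeks before concluding that nobody needs SMB 1.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

function Get-Smb1Client {
    # Summarise the client addresses that spoke SMB 1 to this host since $Since.
    param([datetime]$Since = (Get-Date).AddDays(-14))
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000
        StartTime = $Since
    } -ErrorAction SilentlyContinue |          # no events at all is the good case, not an error
      ForEach-Object {
          # The audit message carries the client address; pull it out with a regex
          if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] }
      } |
      Group-Object |
      Sort-Object Count -Descending |
      Select-Object @{ Name = 'ClientAddress'; Expression = { $_.Name } }, Count
}

Get-Smb1Status
Enable-Smb1Audit
Get-Smb1Client
```

A host whose Get-Smb1Client output stays empty over the audit window is a candidate for Suggestion 3; any address that does show up is an SMB 1-only client that has to be upgraded or replaced first.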

Summary

By removing old and insecure protocols, we can significantly lower the attack surface in our organizations. For example, if the above removal of SMB 1 had been performed on as many systems as possible before the WannaCrypt attacks, the vulnerability would not have been applicable to those systems. In this article we have seen examples of how to define that SMB 1 should be absent in the PowerShell DSC configuration management system, how to remove SMB 1 from base images, and how to uninstall it from existing systems using PowerShell.
