Now to setup the setting for LanmanWorkstation, be sure to set the Setting Type to Script and Data Type to Boolean. Setup the compliance rule to equal Zero (0), turn on remediation and report non-compliance if setting instance is not found. We need to setup the first setting for LanmanServer, be sure to set the Setting Type to Script and Data Type to Integer In your environment, you might want to disable SMB on these versions, just keep in mind, anything prior to Vista only has SMBv1, meaning it will break SMB functionality on those machines. In my lab, I am removing All Windows XP, and Server 2003 variants. We need to remove the operating systems that we know this will break. We need to create a new configuration item, and give it a name that aligns with a naming convention and can easily be identified. Now to take the scripts and plug them into Compliance Settings. Restart-Service -Name LanmanWorkstation -Force
$Win10 = ( Get-WmiObject -Class Win32_OperatingSystem ). $SMBServer = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
For 2012/8+ we need to gather the SMB 1 feature for windows. įirst, we need to create the detection and remediation scripts for both LanmanServer and LanmanWorkstation.įor LanmanServer pre-2012/8 is straight forward as we only need to find a single registry key. A friend of mine in the consulting side of services, Ralph Kyttle, put together instructions for DSC, leveraging a DSC tool he help build, called the Desired State Configuration Environment Analyzer (DSCEA). You can also do this with Desired State Configuration (DSC). The instructions, along with some really good information on the ransomware attack can be found here. You can also do this with group policy preferences, keep in mind, group policy does not have a reporting system built into it. Below are the detailed instructions on how setup, configure and deploy these settings.įirst, all the documentation on how to disable SMBv1 can be found here. Using compliance settings makes rolling out this change a breeze and allows you to update your security teams with reports to show the progress of the roll out. One of the easy ways to deploy this out, while also having reports to confirm the settings are set correctly, is the use of Configuration Managers Compliance Settings, also known as Desired Configuration Management (DCM). One of the mitigations to keep the attack from spreading is disabling SMBv1 on all your Windows workstation and servers.
There has been lots of buzz over the recent ransomware attacks. NOTE: I have updated this blog to remove SMB1 LanmanServer from 2012/8+. First published on TECHNET on May 22, 2017
0 kommentar(er)
