Thursday, May 18, 2017

DISABLING SMB1 VIA CONFIGMGR DESIRED STATE CONFIGURATION (DSC) to protect from Ransomware

Put simply, you should stop using SMB1 right away.  If you regularly scan your systems with something like Tenable Nessus you may have noticed that SMB1 being enabled is flagged as “Critical”, and without disabling it you are likely to fail compliance for systems that must meet standards such as PCI.
Ned Pyle at Microsoft posted an excellent article on why SMB1 is no longer safe or appropriate.  You can read it here.
Once you have read it, your next step is going to be to disable and remove it (Server 2012 R2+/8.1+) or disable it (Server 2012/2008/7).  If you are worried about what might break, here are some things to check first:
  • Are you using any MFDs (multifunction devices) with ancient firmware that rely on features such as scan-to-share, or that offer a share to upload content for printing?  If so, check for firmware updates, or check within the device settings to see whether you can enable at least SMB2
  • If your shared storage is based on something like NetApp Data ONTAP, make sure that your storage admins have enabled at least SMB2.  ONTAP 8.2 and later support SMB3, so if you can enable that too you should see some benefits for your Windows 10 clients
  • If you still have any XP or Server 2003 clients, get rid of them: they only support SMB1
Sadly there is no GPO option to disable the SMB1 client or server, and the method to disable it differs across versions.  In order to disable it and be able to report on it I am using DSC within ConfigMgr.

Configuration Items Required

We’re going to need four configuration items in our baseline:
  1. Disable SMB1 on Windows 8 / Server 2012 and above
  2. Remove SMB1 on Windows 8.1 / Server 2012 R2 and above
  3. Disable SMB1 Client on Windows 7 / 2008 R2
  4. Disable SMB1 Server on Windows 7 / 2008 R2

Disable SMB1 on Windows 8 / Server 2012 and above

Create the new configuration item and select only the Supported Platforms of:
[screenshot: supported platforms for the “Disable SMB1” configuration item]
In the Settings tab make a new setting of the type “Script” called “SMB1 Disabled”.
For your discovery script use:
$smbenabled = Get-SmbServerConfiguration | Select EnableSMB1Protocol
echo $smbenabled.EnableSMB1Protocol

For your remediation script use:
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Move onto the “Compliance Rules” tab and create a new rule as follows:
[screenshot: compliance rule for “SMB1 Disabled”]
Hit OK and close and that’s your first one done.

Remove SMB1 on Windows 8.1 / Server 2012 R2 and above

Create another configuration item as before, this time your supported platforms should be as follows:
[screenshot: supported platforms for the “Remove SMB1” configuration item]
Create the new setting with the following Discovery and Remediation scripts:
Discovery
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName smb1protocol
echo $smb1.State
Remediation
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -NoRestart
Note that here I have added -NoRestart to prevent the systems from rebooting immediately.  At the next scheduled reboot SMB1 will be fully removed.
Create the compliance rule as follows:
[screenshot: compliance rule for “Remove SMB1”]
Two down, two to go.
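The two discovery scripts above report the raw values (a boolean and a DISM feature state) and leave the interpretation to the compliance rule. As an added example that is not part of the original post, here is a single discovery script for Windows 8.1 / Server 2012 R2 and later that folds both checks into one True/False answer and treats a pending feature state (reboot still outstanding after Disable-WindowsOptionalFeature -NoRestart) as non-compliant until the next scan. It assumes your compliance rule is “value equals True”; the function name is mine.

```powershell
# Added example, not from the original post.
# Discovery script for Windows 8.1 / Server 2012 R2 and later: reports "True"
# only when the SMB1 server protocol is switched off AND the optional feature
# is no longer enabled. Function name Test-Smb1Removed is an assumption.
function Test-Smb1Removed {
    # Part 1: protocol switch on the SMB server (same cmdlet as the first item)
    $protocolOff = -not (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Part 2: state of the optional feature (same cmdlet as the second item).
    # FeatureState can be Enabled, Disabled, DisabledWithPayloadRemoved,
    # EnablePending or DisablePending. A *Pending state means a reboot is
    # still outstanding, so it is reported as non-compliant until then.
    $feature    = Get-WindowsOptionalFeature -Online -FeatureName smb1protocol
    $state      = [string]$feature.State
    $featureOff = $state -in @('Disabled', 'DisabledWithPayloadRemoved')

    if ($protocolOff -and $featureOff) { return "True" }
    return "False"
}

# ConfigMgr reads the script output, so the last line emits the result
Test-Smb1Removed
```

Because a pending state comes back as False, a machine that has been remediated but not yet rebooted shows as non-compliant in the baseline report, which is usually what you want: it tells you which machines still carry SMB1 on disk rather than hiding them behind a pending uninstall.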

Disable SMB1 Client on Windows 7 / 2008 R2

No need to teach you how to suck eggs, so this time create a configuration item with Supported Platforms of Windows 7 and Windows 2008 (this covers 2008 R2 also if you tick the box at the top level).
This one is slightly more tricky.  Whilst disabling the SMB client is the small matter of running a couple of sc.exe commands, detecting the status is more difficult.  In order to disable the SMB1 client we remove the dependency on “SMB 1.x MiniRedirector” from the Workstation service and then disable it.  Before starting, in the GUI it looks like this:
[screenshot: Workstation service dependencies on Windows 7, showing SMB 1.x MiniRedirector]
We need to discover if the “SMB 1.x MiniRedirector” has been removed from the dependencies and we want to do it with PowerShell.
$smb1 = Get-Service -name LanManWorkstation -RequiredServices | where { $_.Name -eq "MrxSmb10"}

echo $smb1
If the “SMB 1.x MiniRedirector” has not been removed from the Workstation service the command will return this:
[screenshot: Get-Service output listing the MrxSmb10 service]
If it has been removed then the command will return nothing.
By simply adding an if statement we can test for the null value and return a True/False result to ConfigMgr:
$smb1 = Get-Service -name LanManWorkstation -RequiredServices | where { $_.Name -eq "MrxSmb10"}

if ($smb1 -eq $null)
{$Compliant = "True"}
else
{$Compliant = "False"}
echo $Compliant
This will be our discovery script.  The compliance setting will be that the value returned by the above script equals True:
[screenshot: compliance rule “value equals True” for the SMB1 client item]
Our remediation script will run the two sc.exe commands provided in the Microsoft guidance for removing SMB1:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
This can be specified as a PowerShell script, as calling sc from PowerShell is fine provided we use sc.exe: on its own, sc is a PowerShell alias for Set-Content.
This does need a reboot to take effect, but once again we’ll assume that you are happy to wait until your next scheduled restart rather than forcing it.  If you need to force any of these, just add a Restart-Computer command to the end of your remediation script.  You may also want to add a Write-EventLog command to put something in the event log to show why the computer was restarted.
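Putting the last two paragraphs together, here is an added example of a remediation script for the Windows 7 / 2008 R2 client item (my code, not the original post’s) that runs the two documented sc.exe commands, verifies the dependency is really gone using the same check as the discovery script, writes an Application log entry explaining what happened, and only restarts when you flip a switch at the top. The event source name “SMB1Baseline” and event IDs 1001/1002 are constructed for the example.

```powershell
# Added example, not from the original post.
# Remediation script for the "Disable SMB1 Client on Windows 7 / 2008 R2" item.
$ForceRestart = $false          # set to $true to restart as soon as remediation finishes
$Source       = "SMB1Baseline"  # constructed event source name for this example

# Microsoft's documented commands: drop MrxSmb10 from the Workstation service
# dependencies, then stop the SMB1 redirector from starting at boot.
# sc.exe must be called with its extension; plain "sc" is the Set-Content alias.
& sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
& sc.exe config mrxsmb10 start= disabled | Out-Null

# Verify the same way the discovery script does: MrxSmb10 must no longer be
# listed as a required service of LanManWorkstation.
$still = Get-Service -Name LanManWorkstation -RequiredServices |
         Where-Object { $_.Name -eq "MrxSmb10" }
if ($null -ne $still) {
    throw "MrxSmb10 is still a dependency of LanManWorkstation; remediation did not apply"
}

# Write-EventLog fails on an unregistered source, so register it on first use
# (the script runs as SYSTEM under the ConfigMgr client, which has the rights).
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}
Write-EventLog -LogName Application -Source $Source -EntryType Information -EventId 1001 `
    -Message "SMB1 client disabled by ConfigMgr compliance baseline; a restart completes the change."

if ($ForceRestart) {
    Write-EventLog -LogName Application -Source $Source -EntryType Warning -EventId 1002 `
        -Message "Restarting to complete SMB1 client removal (forced by remediation script)."
    Restart-Computer -Force
}
```

Throwing when the dependency is still present makes the remediation fail visibly in the ConfigMgr compliance report instead of silently marking the machine as fixed, and the log entry gives your service desk a reason to point at if a user asks why the machine rebooted.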

Disable SMB1 Server on Windows 7 / 2008 R2

Use the same supported platforms as in the previous item.
This time for your settings you want a registry rule as follows:
[screenshot: registry setting for the SMB1 server item]
The required compliance rules are as follows:
[screenshot: compliance rules for the SMB1 server registry setting]
Ensure that you have ticked the “remediate noncompliant rules when supported” box for your SMB Equals 0 rule.
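If you would rather keep all four items as script settings (for instance so every item returns the same True/False shape), here is an added example, not from the original post, of discovery and remediation scripts equivalent to the registry rule. The path and value are Microsoft’s documented SMB1 server switch for Windows 7 / 2008 R2: a DWORD named SMB1 under LanmanServer\Parameters, where 0 disables the protocol and a missing value means the default (enabled). The function name is mine.

```powershell
# Added example, not from the original post.
# Script-based equivalent of the "SMB1 Server on Windows 7 / 2008 R2" registry rule.
$Path = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
$Name = "SMB1"

# --- Discovery script (paste this part into the Discovery box) ---
function Test-Smb1ServerDisabled {
    # Returns "True" only when the value exists and is exactly 0.
    # A missing value is the default, i.e. SMB1 enabled, so it is non-compliant.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return "False" }
    if ($item.$Name -eq 0) { return "True" }
    return "False"
}
Test-Smb1ServerDisabled

# --- Remediation script (paste this part into the Remediation box) ---
# New-ItemProperty -Force creates the DWORD or overwrites a wrong value.
New-ItemProperty -Path $Path -Name $Name -Value 0 -PropertyType DWord -Force | Out-Null
```

Set the compliance rule to “value equals True” as for the client item. Like the registry rule it replaces, the change only takes effect on the next restart of the Server service or of the machine, so the discovery script will report compliant as soon as the value is written; if you need to distinguish “configured” from “actually off”, keep a separate restart-pending check.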

Create and deploy our Baseline

With the four configuration items in place create a baseline and add the four conditions to it:
[screenshot: baseline containing the four configuration items]
Deploy this to a collection and enable remediation and all your SMB1 problems will disappear!
Source: https://alexpooleyblog.wordpress.com/2017/03/09/disabling-smb1-via-configmgr-desired-state-configuration-dsc/

1 comment:

  1. Great article, the screenshots are very useful, easy to adapt to newer version of SCCM. Thanks!