Disable SMBv1 in your environments with Configuration Manager Compliance Settings


There has been lots of buzz over the recent ransomware attacks. One of the mitigations to keep the attack from spreading is disabling SMBv1 on all your Windows workstations and servers. One of the easy ways to deploy this, while also having reports to confirm the settings are set correctly, is to use Configuration Manager's Compliance Settings, also known as Desired Configuration Management (DCM). Using Compliance Settings makes rolling out this change a breeze and lets you update your security team with reports that show the progress of the rollout. Below are the detailed instructions on how to set up, configure and deploy these settings.

First, all the documentation on how to disable SMBv1 can be found here.

You can also do this with Group Policy Preferences; keep in mind that Group Policy does not have a reporting system built into it. The instructions, along with some really good information on the ransomware attack, can be found here.

You can also do this with Desired State Configuration (DSC). A friend of mine on the consulting side of services, Ralph Kyttle, put together instructions for DSC, leveraging a DSC tool he helped build, called the Desired State Configuration Environment Analyzer (DSCEA). The instructions can be found here. The DSCEA tool can be found here.

Let’s begin!

First, we need to create the detection and remediation scripts for both LanmanServer and LanmanWorkstation.

For LanmanServer this is straight forward as we only need to find a single registry key.

## LANMANSERVER
## Detection
$SMBServer = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
$SMBServer.SMB1

We read the properties of the LanmanServer\Parameters key and return the SMB1 value to the Compliance Settings agent. If SMBv1 is disabled, it returns 0; anything else (including a missing value, which is the default on older versions) means it's enabled.

For remediation, it's just as simple. This forces the value of SMB1 to 0 and restarts the service so the change takes effect immediately.

## Remediation
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Value 0 -Force
Restart-Service -Name LanmanServer -Force
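As an added example (not from the original post), here is a LanmanServer detection/remediation pair that also covers the case where the SMB1 value does not exist, which is the default on Windows 7 through 8.1 and Server 2008 R2 through 2012 R2 (value absent, SMBv1 enabled). The detection returns 1 for a missing value, so the "equals 0" compliance rule alone flags the machine without relying on "report noncompliance if setting instance is not found", and the remediation creates the value if needed. The function names are my own, not part of the original scripts.

```powershell
# Added example (not from the original post): LanmanServer detection and
# remediation that treat a missing SMB1 value as "enabled", which is the OS
# default on Windows 7/8.1 and Server 2008 R2/2012 R2.

$ServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1ServerSetting {
    # Returns the effective SMBv1 server state as an integer: 0 = disabled, 1 = enabled.
    $params = Get-ItemProperty -Path $ServerKey -ErrorAction SilentlyContinue
    if ($null -eq $params -or $null -eq $params.PSObject.Properties['SMB1']) {
        # Value absent: the OS default applies, and that default is SMBv1 enabled.
        return 1
    }
    if ([int]$params.SMB1 -eq 0) { return 0 }
    return 1
}

function Disable-Smb1Server {
    # Creates the SMB1 DWORD if it is missing, otherwise overwrites it with 0,
    # then restarts the server service so the change takes effect immediately.
    if (-not (Test-Path -Path $ServerKey)) { New-Item -Path $ServerKey -Force | Out-Null }
    Set-ItemProperty -Path $ServerKey -Name SMB1 -Value 0 -Type DWord -Force
    Restart-Service -Name LanmanServer -Force
}

# Detection script for the CI (Data Type: Integer): paste the function above
# followed by this call, so the last value written to the pipeline is the state.
Get-Smb1ServerSetting

# Remediation script for the CI: paste Disable-Smb1Server followed by the call
# Disable-Smb1Server
```

Because a Compliance Settings script setting reports the last value the script writes to the pipeline, each CI script should consist of the function definition plus a single call; do not paste both calls into one script.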

 

For LanmanWorkstation this scenario is not as straightforward, as we have a REG_MULTI_SZ (multi-string) value, DependOnService, that we need to evaluate to ensure the SMBv1 driver is not listed. We also need to ensure the SMBv1 service is not running. This means we need to add some logic to the detection script.

## LanmanWorkstation
## Detection
$SMBClient = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation"
$SMBv1Status = $(Get-Service -Name mrxsmb10 -ErrorAction SilentlyContinue).Status
IF (($SMBClient.DependOnService -contains "MRxSmb10") -or ($SMBv1Status -eq "Running")) {$false} ELSE {$true}

This reads the value of the DependOnService property and verifies that MRxSmb10 is not in the list. MRxSmb10 is the SMBv1 client driver service found on Windows versions where SMBv1 is still on by default. The script also checks whether that service is currently running. In this case I am using reverse logic: I am checking for the state that I don't want the services to be in. If we find either condition, we return the Boolean $false, which represents a non-compliant machine and is the trigger for running the remediation script.

For remediation, we will configure the workstation service to no longer depend on SMBv1 and disable the SMBv1 service. We will then restart the workstation service and stop the SMBv1 service. This ensures the changes take effect immediately.

## Remediation
Invoke-Command {cmd /c sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi}
Invoke-Command {cmd /c sc.exe config mrxsmb10 start= disabled}
Restart-Service -Name LanmanWorkstation -Force
Stop-Service -Name mrxsmb10 -Force  
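As an added example that is not part of the original post: a LanmanWorkstation detection and remediation pair that removes only MRxSmb10 from the existing DependOnService list rather than overwriting the whole list with a fixed set, so any other dependency present on a particular build is preserved. The sc.exe call for the start type matches what the original script does; the function names and the variable names are mine.

```powershell
# Added example (not from the original post): LanmanWorkstation detection and
# remediation that edit the REG_MULTI_SZ DependOnService list in place, removing
# only the SMBv1 driver instead of replacing the list with "bowser/mrxsmb20/nsi".

$WorkstationKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'
$Smb1Driver     = 'MRxSmb10'

function Test-Smb1ClientDisabled {
    # Returns $true (compliant) only if MRxSmb10 is neither a dependency of the
    # workstation service nor currently running; $false triggers remediation.
    $deps = (Get-ItemProperty -Path $WorkstationKey -ErrorAction SilentlyContinue).DependOnService
    $svc  = Get-Service -Name $Smb1Driver -ErrorAction SilentlyContinue
    $isDependency = @($deps) -contains $Smb1Driver          # -contains is case-insensitive
    $isRunning    = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    return -not ($isDependency -or $isRunning)
}

function Disable-Smb1Client {
    $deps    = @((Get-ItemProperty -Path $WorkstationKey).DependOnService)
    $newDeps = @($deps | Where-Object { $_ -ne $Smb1Driver })
    if ($newDeps.Count -ne $deps.Count) {
        # DependOnService is REG_MULTI_SZ, so it must be written back as a string array
        Set-ItemProperty -Path $WorkstationKey -Name DependOnService -Value $newDeps -Type MultiString
    }
    if (Get-Service -Name $Smb1Driver -ErrorAction SilentlyContinue) {
        # Same approach as the original script for the start type of the driver service
        & sc.exe config $Smb1Driver start= disabled | Out-Null
        Stop-Service -Name $Smb1Driver -Force -ErrorAction SilentlyContinue
    }
    # Restart the workstation service so the new dependency list is in effect
    Restart-Service -Name LanmanWorkstation -Force
}

# Detection script for the CI (Data Type: Boolean): function plus this call.
Test-Smb1ClientDisabled

# Remediation script for the CI: Disable-Smb1Client plus the call
# Disable-Smb1Client
```

Running Test-Smb1ClientDisabled again after remediation should return $true; if it still returns $false, check whether DependOnService was written back as a multi-string (the value type is visible in regedit) rather than as a single string.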

 

Now to take the scripts and plug them into Compliance Settings.

We need to create a new configuration item, and give it a name that aligns with a naming convention and can easily be identified.

We need to remove the operating systems that we know this will break. In my lab, I am removing all Windows XP and Server 2003 variants. In your environment you might still want to disable SMB on these versions; just keep in mind that anything prior to Vista only has SMBv1, so this will break SMB functionality on those machines.


We need to set up the first setting for LanmanServer; be sure to set the Setting Type to Script and the Data Type to Integer.


Copy in the detection script

Copy in the remediation script.


Setup the compliance rule to equal Zero (0), turn on remediation and report non-compliance if setting instance is not found.

Now to setup the setting for LanmanWorkstation, be sure to set the Setting Type to Script and Data Type to Boolean.

Copy in the detection script.


Copy in the remediation script.


Setup the compliance rule to equal true and turn on remediation.

Finish out the wizard.

Now we need to create the baseline, and add the CI

Create the collection for deployment.


Deploy the Baseline.

I recommend manually running the scripts on a few machines, and dropping a few machines that are not compliant into the collection before turning remediation on in the deployment. This will allow you to test the logic. Once you are comfortable with your testing, start rolling this out slowly to machines and/or servers. Remember, just because the OS can communicate over SMBv2/3 doesn't mean your applications are programmed to let the OS handle the communication. Some applications may have SMBv1 hardcoded, so be sure to test this in your environment.
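A read-only pre-flight check, added here as an example that is not part of the original post, that you can run against a handful of test machines before enabling remediation in the deployment. It collects the same facts the two detection scripts evaluate (the SMB1 value, the DependOnService list and the mrxsmb10 service status) and reports which machines would be remediated, without changing anything. It assumes PowerShell remoting (WinRM) is enabled on the targets and that you have local admin rights there; the computer names are constructed placeholders.

```powershell
# Added example (not from the original post): read-only pre-flight report of the
# SMBv1 state of several machines. Nothing on the targets is modified.
# Assumes PowerShell remoting is enabled and the caller is a local admin there.

$Targets = @('SRV01', 'SRV02', 'WKS01')   # constructed placeholder computer names

$Probe = {
    $serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $clientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'

    $server = Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue
    $client = Get-ItemProperty -Path $clientKey -ErrorAction SilentlyContinue
    $driver = Get-Service -Name mrxsmb10 -ErrorAction SilentlyContinue

    # $null means the SMB1 value is absent, i.e. the OS default (enabled) applies
    $smb1Value = $null
    if ($server -and $server.PSObject.Properties['SMB1']) { $smb1Value = [int]$server.SMB1 }

    $driverStatus = 'NotInstalled'
    if ($driver) { $driverStatus = [string]$driver.Status }

    [pscustomobject]@{
        OSVersion        = [Environment]::OSVersion.Version.ToString()
        Smb1ServerValue  = $smb1Value
        ClientDependsOn1 = (@($client.DependOnService) -contains 'MRxSmb10')
        Smb1DriverStatus = $driverStatus
    }
}

# Evaluate the same conditions the CI rules use: server value must equal 0,
# client must neither depend on MRxSmb10 nor have it running.
$results = Invoke-Command -ComputerName $Targets -ScriptBlock $Probe -ErrorAction SilentlyContinue |
    Select-Object PSComputerName, OSVersion, Smb1ServerValue, ClientDependsOn1, Smb1DriverStatus,
        @{ Name = 'ServerCompliant'; Expression = { $_.Smb1ServerValue -eq 0 } },
        @{ Name = 'ClientCompliant'; Expression = {
            (-not $_.ClientDependsOn1) -and ($_.Smb1DriverStatus -ne 'Running') } }

# Machines missing from the output could not be reached over WinRM; check them separately.
$results | Format-Table -AutoSize
$results | Export-Csv -Path .\smb1-preflight.csv -NoTypeInformation
```

Machines showing ServerCompliant or ClientCompliant as False are the ones worth dropping into the test collection first, since they exercise the remediation path; the CSV gives you a before snapshot to compare against the Compliance Settings reports once the baseline is deployed.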

 

Hope this helps!

Cameron


Disclaimer: The information on this site is provided “AS IS” with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of any included script samples are subject to the terms specified in the Terms of Use


Comments (28)

  1. dann23 says:

    Very interesting, but, wouldn’t it be simpler using Set-SmbServerConfiguration -EnableSMB1Protocol $false?

    1. Cameron Cox says:

      Hi Dann23,

      While using Set-SmbServerConfiguration -EnableSMB1Protocol $false would be easier, there are still several companies that do not upgrade Windows Management Framework on their machines, meaning they are not able to leverage that specific cmdlet. I wanted to provide a solution that can be used across the board for all versions of Windows and PowerShell.

  2. Jeff says:

    This is great stuff! But the images for half the article are not displaying properly. . .

    1. Cameron Cox says:

      Sorry about that Jeff, I will try and fix them soon.

  3. Dana says:

    Windows 7 does not have the key SMB1 at HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Properties

    1. Cameron Cox says:

      Correct, if the SMB1 = 0 is not present, it is enabled and allowed. The Set-ItemProperty with a -Force will write that property and its value for us because the Path to the key is present.

  4. Jordan says:

    Hello, first of all, thanks for this! On our systems here it appears that the MRxSmb10 service requirement was not present. I ended up changing the workstation detection script to: IF (($SMBClient.DependOnService -contains "MRxSmb10") -or ($SMBv1Status -eq "Running")) {$false} ELSE {$true}

    1. Cameron Cox says:

      Good call out, I altered my script as well. If either condition is true, we want to make sure the service is disabled and not a dependency.

  5. sanjit hayer says:

    Hi – Great article. In your final screenshot I see you run the compliance evaluation schedule every 5 days. Does this mean that the machine could be vulnerable for up to 5 days before being checked? if I were to use every hour would you foresee any issues other than additional processing? Regards,

    1. Cameron Cox says:

      Hello Sanjit,
      Good question, One thing that is not talked about in Compliance Settings is the launch conditions and random schedule delay options in the Site Control File of ConfigMgr. I tell my customers don’t go below 2 hours, because the CCM_Scheduler may delay the execution up to 2 hours, due to the random 2 hours delay. So if you are running every 2 hours, you will be outside of the delay and should see execution at least every 2 hours, provided the launch conditions are met. While I selected 5 days, in my lab, I believe most situations in an enterprise are different, and customers should set this value how they see fit.

      See the explanation of Launch Conditions here. The default launch condition for baselines is set to 10.

  6. jklight says:

    For some reason this is not working for me 🙁 The LanmanServer – SMB1 is coming back as compliant when the reg key does not exist, so then the remediation is not running. We have SCCM 1702 and I am checking Win 7 and Win 10 clients.
    I could modify the compliance check script but i don’t know why it is not working as is.

    1. Cameron Cox says:

      For the compliance rule, check "Report noncompliance if this setting instance is not found".

  7. Scott says:

    Hi, could you please advise.

    In your remediation:
    ## Remediation
    Invoke-Command {cmd /c sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi}
    Invoke-Command {cmd /c sc.exe config mrxsmb10 start= disabled}
    Restart-Service -Name LanmanWorkstation -Force
    Stop-Service -Name mrxsmb10 -Force

    Is there a typo in the first line, i.e. should ‘bowser’ be ‘browser’?

    Thank you

    1. Cameron Cox says:

      This is no mistake 🙂 That is how it is set in windows.

  8. Scott M says:

    May I inquire as to why ‘Report noncompliance if this setting is not found’ is checked for the Lanman Server compliance rule?

    If it is not installed, you would get a Null return and this should be fine, shouldn’t it?

    Regards,
    Scott

    1. Cameron Cox says:

      You are correct, the problem is with Windows 7-8.1/Server 2008 R2-2012 R2 that have it enabled by default but the setting is not present. Either way, by adding SMB1 = 0 you ensure that if SMBv1 does get added, it still won't work.

      1. The remediation of lanmanserver fails for me. I noticed if SMB1 does not exist, it does not create it. But if it exists and it has a value different than "0", it sets it to "0". It has got to be related to how SCCM executes the script, because if I copy the exact same script and execute it locally on a test endpoint, it works. Any thoughts on why my CI/CB cannot create a new registry item but can only modify?

        1. Cameron Cox says:

          In my testing, adding the -force switch creates the property SMB1 and sets the value to 0. I would check the CI provider to see if it has any good information, if not, I would recommend enabling client verbose/debug logging.

      2. Moses says:

        Hi Cameron Cox, my question is how can you find the systems that can be impacted by disabling smb versions in your environment especially if you are managing a huge environment.

        1. Cameron Cox says:

          I know of ways to detect Apps/accounts that leverage NTLM, but I have not seen a way to log the use of SMB1 (not saying there is not a way, but I do not know of one). Your best bet is to start rolling out the changes to LanmanWorkstation. This prevents clients and servers from talking over SMB but leaves the ability for servers to receive SMB1 connections. This is how Windows 10 and Server 2016 are set up by default.

  9. Ben says:

    Most of the images on this site are broken.

    1. Cameron Cox says:

      I will fix this soon, thanks!

  10. Kaz says:

    This is great and I have created everything as per your instructions. However, I am getting Setting Instance Not Found from the LanmanServer settings and remediation doesn’t appear to be taking place. The Workstation settings do not appear to be executed. Is there a log that I can check to see what is going on – other than the deployment status.

  11. Ken says:

    What is the back out for this? If something breaks from using this to disable SMB1 will simply removing this from sccm compliance manager re-enable it?

    1. Cameron Cox says:

      The back out is to add the values back; in most cases the only thing you will need to do is set the lanmanserver SMB1 value to 1, then build an exclude collection to drop that machine into.

  12. MuhammadM says:

    Hi Cameron

    I’ve set this up, but it seems like the remediation script isn’t running on my test collection.

    1. Cameron Cox says:

      Which remediation script has not run?
