Disable SMBv1 in your environments with Configuration Manager Compliance Settings


There has been a lot of buzz over the recent ransomware attacks. One of the mitigations that keeps an attack from spreading is disabling SMBv1 on all of your Windows workstations and servers. One of the easy ways to deploy this, while also getting reports that confirm the settings are applied correctly, is to use Configuration Manager's Compliance Settings, also known as Desired Configuration Management (DCM). Using compliance settings makes rolling out this change a breeze and lets you give your security team reports showing the progress of the rollout. Below are detailed instructions on how to set up, configure and deploy these settings.

First, all the documentation on how to disable SMBv1 can be found here.

You can also do this with Group Policy Preferences; keep in mind that Group Policy does not have a reporting system built into it. The instructions, along with some really good information on the ransomware attack, can be found here.

You can also do this with Desired State Configuration (DSC). A friend of mine on the consulting side of services, Ralph Kyttle, put together instructions for DSC, leveraging a DSC tool he helped build, called the Desired State Configuration Environment Analyzer (DSCEA). The instructions can be found here. The DSCEA tool can be found here.

 

Let’s begin!

 

First, we need to create the detection and remediation scripts for both LanmanServer and LanmanWorkstation.

For LanmanServer this is straightforward, as we only need to read a single registry value (SMB1 under the LanmanServer\Parameters key).

## LANMANSERVER
## Detection
# Read all values under the LanmanServer\Parameters key and hand back SMB1.
# 0 means SMBv1 is disabled. Any other value, or no SMB1 value at all (the
# default on older OS versions), means SMBv1 is enabled.
$SMBServer = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
$SMBServer.SMB1

 

Get-ItemProperty returns all the values under the LanmanServer\Parameters key, and we hand the SMB1 value back to the compliance settings agent. If SMBv1 is disabled it returns 0; anything else, including no value at all (the default on Windows 7 through 8.1 and Server 2008 R2 through 2012 R2, where SMBv1 is enabled unless the value is set), means it is enabled. That is why the compliance rule for this setting also reports non-compliance when the setting instance is not found.

For remediation, it is just as simple. This forces the value of SMB1 to 0 (creating the value if it does not exist) and restarts the Server service so the change takes effect immediately.

## Remediation
# Create or overwrite SMB1 as a REG_DWORD of 0 under LanmanServer\Parameters.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Value 0 -Type DWord -Force
# Restart the Server service (and its dependents) so the new value is picked up now.
Restart-Service -Name LanmanServer -Force

 

For LanmanWorkstation this scenario is not as straightforward: DependOnService is a REG_MULTI_SZ that we need to evaluate to ensure the SMBv1 client driver (MRxSmb10) is not listed. We also need to ensure the SMBv1 driver is not running. This means we need to add some logic to the detection script.

## LanmanWorkstation
## Detection
# DependOnService is the REG_MULTI_SZ list of services the Workstation service needs.
# Where SMBv1 is still on by default it includes MRxSmb10, the SMB 1.x client driver.
$SMBClient = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation"
# Current state of the SMBv1 client driver; $null if it cannot be found.
$SMBv1Status = $(Get-Service -Name mrxsmb10 -ErrorAction SilentlyContinue).Status
# Non-compliant ($false) if the dependency is still present OR the driver is running.
IF (($SMBClient.DependOnService -contains "MRxSmb10") -or ($SMBv1Status -eq "Running")) {$false} ELSE {$true}

 

This reads the DependOnService property and verifies that MRxSmb10 is not in the list; it also checks that the MRxSmb10 service is not running. MRxSmb10 is the SMB 1.x client driver, and on Windows versions where SMBv1 is still on by default it is listed as a dependency of the Workstation service. In this case I am using reverse logic: I check for the state that I don't want the services to be in. If we find the services in their default state we return a Boolean $false, which represents a non-compliant machine and triggers the remediation script.

For remediation, we configure the Workstation service to no longer depend on SMBv1 and disable the SMBv1 driver. We then restart the Workstation service and stop the SMBv1 driver so the changes take effect immediately.

## Remediation
# Rewrite the Workstation service's dependency list without MRxSmb10.
# ("bowser" is the real name of the browser support driver, not a typo.)
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
# Set the SMBv1 client driver to disabled so it will not load again.
sc.exe config mrxsmb10 start= disabled
# Bounce the Workstation service and stop the driver so the change applies now.
Restart-Service -Name LanmanWorkstation -Force
Stop-Service -Name mrxsmb10 -Force
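Before these two scripts go into a configuration item, it helps to spot-check a handful of machines with one read-only pass that applies the same two rules the CI will. The function below is an added example, not part of the original post: it reads the three settings the rules depend on straight from the registry (so it does not matter whether the service manager exposes the mrxsmb10 kernel driver), reports the raw values alongside the compliance decision, and can fan out over WinRM. The function name, the treatment of a missing mrxsmb10 service key as "SMBv1 client not installed", and the pilot machine names in the usage lines are assumptions for this example.

```powershell
# Added example: read-only audit mirroring the LanmanServer and LanmanWorkstation
# compliance rules above. Not from the original post; names are illustrative.
function Test-Smb1State {
    [CmdletBinding()]
    param(
        # Optional remote machines (needs WinRM). Omit to audit the local machine.
        [string[]]$ComputerName
    )

    $probe = {
        $srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $wksKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'
        $drvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'

        # Server rule: SMB1 must exist and equal 0. A missing value is treated as
        # non-compliant, exactly like "report noncompliance if not found" in the CI.
        $smb1 = (Get-ItemProperty -Path $srvKey -ErrorAction SilentlyContinue).SMB1
        $serverCompliant = ($null -ne $smb1) -and ([int]$smb1 -eq 0)

        # Client rule, part 1: MRxSmb10 must not be in the REG_MULTI_SZ dependency list.
        # (-contains is case-insensitive, and $null -contains 'x' is simply $false.)
        $deps = (Get-ItemProperty -Path $wksKey -ErrorAction SilentlyContinue).DependOnService
        $dependsOnSmb1 = [bool]($deps -contains 'MRxSmb10')

        # Client rule, part 2: the SMBv1 driver should be disabled (Start = 4).
        # Assumption for this example: no mrxsmb10 service key means the SMBv1
        # client is not installed, which we also count as compliant.
        $start = (Get-ItemProperty -Path $drvKey -ErrorAction SilentlyContinue).Start
        $driverDisabled = ($null -eq $start) -or ([int]$start -eq 4)

        $smb1Display  = if ($null -eq $smb1)  { '<absent>' } else { $smb1 }
        $startDisplay = if ($null -eq $start) { '<absent>' } else { $start }

        [pscustomobject]@{
            ComputerName        = $env:COMPUTERNAME
            ServerSmb1Value     = $smb1Display
            ServerCompliant     = $serverCompliant
            ClientDependsOnSmb1 = $dependsOnSmb1
            Mrxsmb10Start       = $startDisplay
            ClientCompliant     = (-not $dependsOnSmb1) -and $driverDisabled
        }
    }

    if ($ComputerName) {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe
    } else {
        & $probe
    }
}

# Usage: local machine, then a pilot group, listing only the machines that
# would be flagged non-compliant by either rule. Machine names are made up.
Test-Smb1State | Format-Table -AutoSize
Test-Smb1State -ComputerName 'PILOT-WS01', 'PILOT-SRV01' |
    Where-Object { -not ($_.ServerCompliant -and $_.ClientCompliant) } |
    Format-Table ComputerName, ServerSmb1Value, ClientDependsOnSmb1, Mrxsmb10Start -AutoSize
```

Because the audit never writes anything, it is safe to run against production machines while the baseline is still in monitor-only mode; the raw columns also tell you which of the two remediations a given machine will need.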

 

Now to take the scripts and plug them into Compliance Settings.

We need to create a new configuration item, and give it a name that aligns with a naming convention and can easily be identified.

We need to remove the operating systems that we know this will break. In my lab, I am removing all Windows XP and Server 2003 variants. In your environment you may decide to leave these versions in scope; just keep in mind that anything prior to Vista only has SMBv1, so disabling it will break SMB entirely on those machines.

We need to setup the first setting for LanmanServer, be sure to set the Setting Type to Script and Data Type to Integer

Copy in the detection script

Copy in the remediation script

Setup the compliance rule to equal Zero (0), turn on remediation and report non-compliance if setting instance is not found.

Now to setup the setting for LanmanWorkstation, be sure to set the Setting Type to Script and Data Type to Boolean.

Copy in the detection script

Copy in the remediation script

Setup the compliance rule to equal true and turn on remediation.

Finish out the wizard.

Now we need to create the baseline, and add the CI

Create the collection for deployment

Deploy the Baseline.
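The same configuration item, baseline and deployment can be built from the ConfigMgr PowerShell module instead of the console wizards, which is handy when you want the CI under version control or have several sites to populate. The script below is an added example, not part of the original post or a Microsoft sample: the site code, CI, baseline and collection names are assumptions, and the cmdlet parameters are the ones documented for the ConfigurationManager module (1702 or later), so confirm them with Get-Help on your site's version before running. Trimming the supported platforms (XP and Server 2003) is still done on the CI's Supported Platforms tab in the console, as in the walkthrough.

```powershell
# Added example: build the SMBv1 CI, baseline and pilot deployment with the
# ConfigurationManager module. Site code, names and collection are assumptions.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location 'P01:'   # assumed site code

# The detection and remediation scripts from the walkthrough, passed in as text.
$serverDetect = @'
$SMBServer = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
$SMBServer.SMB1
'@
$serverRemediate = @'
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Value 0 -Type DWord -Force
Restart-Service -Name LanmanServer -Force
'@
$clientDetect = @'
$SMBClient = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation"
$SMBv1Status = $(Get-Service -Name mrxsmb10 -ErrorAction SilentlyContinue).Status
IF (($SMBClient.DependOnService -contains "MRxSmb10") -or ($SMBv1Status -eq "Running")) {$false} ELSE {$true}
'@
$clientRemediate = @'
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
Restart-Service -Name LanmanWorkstation -Force
Stop-Service -Name mrxsmb10 -Force
'@

# 1. Configuration item (name follows an assumed "SEC - " convention).
$ci = New-CMConfigurationItem -Name 'SEC - Disable SMBv1' -CreationType WindowsOS `
        -Description 'Disable the SMBv1 server and client (detect and remediate)'

# 2. LanmanServer setting: Script / Integer, rule "equals 0", remediate, and
#    report non-compliance when the SMB1 value is not found (absent = enabled).
Add-CMComplianceSettingScript -InputObject $ci -Name 'LanmanServer SMB1' -DataType Integer `
    -DiscoveryScriptLanguage PowerShell -DiscoveryScriptText $serverDetect `
    -RemediationScriptLanguage PowerShell -RemediationScriptText $serverRemediate `
    -ValueRule -ExpressionOperator IsEquals -ExpectedValue '0' `
    -Remediate -ReportNoncompliance -NoncomplianceSeverity Critical `
    -RuleName 'SMB1 equals 0'

# 3. LanmanWorkstation setting: Script / Boolean, rule "equals True", remediate.
Add-CMComplianceSettingScript -InputObject $ci -Name 'LanmanWorkstation SMBv1 client' -DataType Boolean `
    -DiscoveryScriptLanguage PowerShell -DiscoveryScriptText $clientDetect `
    -RemediationScriptLanguage PowerShell -RemediationScriptText $clientRemediate `
    -ValueRule -ExpressionOperator IsEquals -ExpectedValue 'True' `
    -Remediate -NoncomplianceSeverity Critical `
    -RuleName 'SMBv1 client not a dependency and not running'

# 4. Baseline that carries the CI.
$baseline = New-CMBaseline -Name 'SEC - Disable SMBv1' -Description 'SMBv1 hardening baseline'
Set-CMBaseline -InputObject $baseline -AddOSConfigurationItem $ci.CI_ID

# 5. Deploy to the pilot collection. EnableEnforcement $false gives reporting only;
#    switch it to $true once the detection logic has been validated on the pilots.
#    A 2-hour cycle stays outside the client scheduler's random delay (see the comments).
$schedule = New-CMSchedule -RecurInterval Hours -RecurCount 2
New-CMBaselineDeployment -InputObject $baseline -CollectionName 'Pilot - SMBv1' `
    -EnableEnforcement $false -Schedule $schedule
```

Re-running the deployment cmdlet with -EnableEnforcement $true against the same collection is the scripted equivalent of turning remediation on in the deployment after testing, and the compliance reports the post refers to work the same way whether the baseline came from the wizard or from this script.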

I recommend manually running the scripts on a few machines, and seeding the collection with a few machines that are not compliant, before turning remediation on in the deployment. This lets you test the logic. Once you are comfortable with your testing, start rolling this out slowly to workstations and/or servers. Remember, just because the OS can communicate over SMBv2/3 does not mean your applications let the OS negotiate the dialect. Some applications may have SMBv1 hard-coded, so be sure to test this in your environment.

 

Hope this helps!

Cameron

 

 

Disclaimer: The information on this site is provided “AS IS” with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of any included script samples are subject to the terms specified in the Terms of Use


Comments (17)

  1. dann23 says:

    Very interesting, but, wouldn’t it be simpler using Set-SmbServerConfiguration -EnableSMB1Protocol $false?

    1. Cameron Cox says:

      Hi Dann23,

While using Set-SmbServerConfiguration -EnableSMB1Protocol $false would be easier, there are still several companies that do not upgrade Windows Management Framework on their machines, meaning they are not able to leverage that specific cmdlet. I wanted to provide a solution that can be used across the board for all versions of Windows and PowerShell.

  2. Jeff says:

    This is great stuff! But the images for half the article are not displaying properly. . .

    1. Cameron Cox says:

      Sorry about that Jeff, I will try and fix them soon.

  3. Dana says:

    Windows 7 does not have the key SMB1 at HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Properties

    1. Cameron Cox says:

      Correct, if the SMB1 = 0 is not present, it is enabled and allowed. The Set-ItemProperty with a -Force will write that property and its value for us because the Path to the key is present.

  4. Jordan says:

Hello, first of all, thanks for this! On our systems here it appears that the MRxSmb10 service requirement was not present. I ended up changing the workstation detection script to: IF (($SMBClient.DependOnService -contains "MRxSmb10") -or ($SMBv1Status -eq "Running")) {$false} ELSE {$true}

    1. Cameron Cox says:

      Good call out, I altered my script as well. If either condition is true, we want to make sure the service is disabled and not a dependency.

  5. sanjit hayer says:

    Hi – Great article. In your final screenshot I see you run the compliance evaluation schedule every 5 days. Does this mean that the machine could be vulnerable for up to 5 days before being checked? if I were to use every hour would you foresee any issues other than additional processing? Regards,

    1. Cameron Cox says:

      Hello Sanjit,
Good question. One thing that is not talked about in Compliance Settings is the launch conditions and random schedule delay options in the Site Control File of ConfigMgr. I tell my customers not to go below 2 hours, because the CCM_Scheduler may delay the execution up to 2 hours, due to the random 2-hour delay. So if you are running every 2 hours, you will be outside of the delay and should see execution at least every 2 hours, provided the launch conditions are met. While I selected 5 days in my lab, I believe most situations in an enterprise are different, and customers should set this value how they see fit.

See the explanation of Launch Conditions here. The default launch condition for baselines is set to 10.

  6. jklight says:

    For some reason this is not working for me 🙁 The LanmanServer – SMB1 is coming back as compliant when the reg key does not exist so then the remediation is not running. We have SCCM 1702 and i am checking win 7 and win 10 clients.
    I could modify the compliance check script but i don’t know why it is not working as is.

    1. Cameron Cox says:

For the compliance rule, check "Report noncompliance if this setting instance is not found".

  7. Scott says:

    Hi, could you please advise.

    In your remediation:
    ## Remediation
    Invoke-Command {cmd /c sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi}
    Invoke-Command {cmd /c sc.exe config mrxsmb10 start= disabled}
    Restart-Service -Name LanmanWorkstation -Force
    Stop-Service -Name mrxsmb10 -Force

    Is there a typo in the first line, i.e. should ‘bowser’ be ‘browser’?

    Thank you

    1. Cameron Cox says:

      This is no mistake 🙂 That is how it is set in windows.

  8. Scott M says:

    May I inquire as to why ‘Report noncompliance if this setting is not found’ is checked for the Lanman Server compliance rule?

    If it is not installed, you would get a Null return and this should be fine, shouldn’t it?

    Regards,
    Scott

    1. Cameron Cox says:

You are correct, the problem is with Windows 7-8.1/Server 2008 R2-2012 R2, which have it enabled by default but the setting is not present. Either way, by adding SMB1 = 0 you ensure that if SMBv1 does get added, it still won't work.
