Organizations around the world are still cleaning up the devastation left behind by Petya and the WannaCry ransomware, with damage ranging from minor inconvenience to complete shutdowns of company operations. Hackers are taking the lessons learned from Petya and WannaCry to create new variants that are better at moving undetected between devices using the EternalBlue exploit, which targets a vulnerability in the Server Message Block (SMB) 1.0 file sharing protocol that Microsoft patched in March this year.
SMB 1.0 is a legacy protocol that’s present in all versions of Windows for backward compatibility. Microsoft has recently updated its security baseline settings for Windows to include Group Policy templates that make it easy for system administrators to disable SMBv1.
The Windows 10 Fall Creators Update will disable the SMBv1 server component out of the box on clean installs, and SMBv1 will be completely removed from the Enterprise and Education SKUs.
The easiest route to disabling SMBv1 in your organization is to download the Security Compliance Toolkit 1.0 from Microsoft’s website. As part of the kit, you’ll find documentation listing all the recommended security settings, and Group Policy Object (GPO) backups for quickly creating GPOs in Active Directory that apply the recommended settings. It’s important that you test the settings to ensure they don’t break any critical functionality. There is also an ADMX template (MS Security Guide) that offers three additional Group Policy settings administrators can use to disable SMBv1. The three settings are:
1. Configure SMB v1 server
2. Configure SMB v1 client driver
3. Configure SMB v1 client (extra setting needed for pre-Win8.1/2012 R2)
The first setting, Configure SMB v1 server, should be set to Disabled. This turns off the SMBv1 server component. Configure SMB v1 client driver should be set to Enabled, with Disable driver selected from the drop-down menu. The third setting is only for Windows 7 and Windows Server 2008, 2008 R2 and 2012, which require an extra setting to disable the SMBv1 client driver. Configure SMB v1 client (extra setting needed for pre-Win8.1/2012 R2) should be set to Enabled, and the following three lines of text entered in the Configure LanmanWorkstation dependencies text box:
Once the settings have been applied, any devices in the scope of the GPO must be rebooted for the settings to take effect.
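After the reboot it is worth confirming that the policy actually landed rather than trusting the GPO report. The following PowerShell audit is an added example, not part of the original post or of Microsoft’s toolkit; it assumes an elevated session on the target host and reads the registry values and cmdlets that the three policies above affect (the LanmanServer SMB1 value, the mrxsmb10 service start type, and the LanmanWorkstation dependency list).

```powershell
# Added example (not from the original post): audit whether SMBv1 is really off
# on this host after the GPO has applied and the machine has rebooted.
# Run from an elevated Windows PowerShell session.

function Test-Smb1Disabled {
    [CmdletBinding()]
    param()

    $lanmanServer = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $mrxsmb10     = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
    $workstation  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'

    # Server side. Get-SmbServerConfiguration exists on Windows 8 / Server 2012
    # and later; older hosts expose the same state as the SMB1 registry value
    # (0 = disabled) that the "Configure SMB v1 server" policy writes.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $serverOff = -not (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $smb1 = (Get-ItemProperty -Path $lanmanServer -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $serverOff = ($smb1 -eq 0)
    }

    # Client side. "Configure SMB v1 client driver" with "Disable driver" sets the
    # mrxsmb10 service start type to 4 (Disabled).
    $start = (Get-ItemProperty -Path $mrxsmb10 -Name Start -ErrorAction SilentlyContinue).Start
    $driverOff = ($start -eq 4)

    # Pre-Windows 8.1 / 2012 R2 hosts additionally need mrxsmb10 removed from the
    # workstation service's dependency list, otherwise the driver is still pulled
    # in at boot. On newer builds the dependency is not the deciding factor.
    $osVersion = [Version](Get-WmiObject Win32_OperatingSystem).Version
    $deps = (Get-ItemProperty -Path $workstation -Name DependOnService -ErrorAction SilentlyContinue).DependOnService
    $depOk = ($osVersion -ge [Version]'6.3') -or (-not ($deps -contains 'mrxsmb10'))

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        OSVersion               = $osVersion
        Smb1ServerDisabled      = $serverOff
        Smb1ClientDriverDisabled = $driverOff
        WorkstationDependencyOk = $depOk
        FullyDisabled           = ($serverOff -and $driverOff -and $depOk)
    }
}

Test-Smb1Disabled | Format-List
```

A host that reports FullyDisabled = False after a reboot either fell outside the GPO scope or has one of the three settings missing; the individual fields show which one.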
Disabling SMBv1 can reduce the likelihood of malware like Petya infecting your systems. But it is by no means the only measure you should take. Removing administrative privileges from users, implementing application control, securing management tools, ensuring that systems and apps are patched in a timely manner, and defenses such as the Microsoft Office Trust Center and Windows Defender, all have an important role to play.
If your computer is showing any of these symptoms of WannaCry, consider having a Tune-Up from Best Computer Repair. Book your FREE, no-obligation quote today!
My normal service area is the Bridgend area; however, I also cover Swansea, Port Talbot, Bryncethin, Sarn, Ogmore Vale, Maesteg, Bridgend, Llantwit Major, Cowbridge, Barry, Penarth, Dinas Powys and Cardiff, with competitive rates and a friendly, professional service that can’t be beaten.