By now most of the world has heard about the WannaCry malware put together from purported NSA exploit "tools".
The simplest thing to do is to disable or remove SMBv1 on our networks: How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server (Microsoft Support).
Dealing with SMBv1
On Windows 7:
First, we need the following put into a text file:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
pause
shutdown -r -t 0 -f
In Notepad click File then Save As and name exactly as follows:
"Windows7 SMBv1 DISABLE.BAT"
NOTE: The quotes " are necessary
Right click on the resulting BATCH file and Run As Administrator:
An administrator's username and password will be required for this step. A local admin or domain account would work.
A status window will show:
NOTE: Windows 7 should show SUCCESS for both steps
As the message says, press any key to continue.
NOTE: The script automatically reboots the machine so make sure users save and close before running.
On Windows 10:
- Click Start and type PowerShell
- Right click on the result and Run as Administrator
- Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
That fully removes the problematic component in Windows.
Windows Server
Open an elevated PowerShell window:
Remove-WindowsFeature -Name FS-SMB1
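The three procedures above folded into one script, as an added example that is not from the original post: it picks the method that matches the Windows version, applies it, and then checks the result before the reboot. It assumes an elevated PowerShell window; the cmdlets, service names and registry values are Microsoft's documented ones, and the -Reboot switch and the Test-Smb1Disabled helper are this example's own.

```powershell
param([switch]$Reboot)   # example's own switch: the change only takes effect after a restart

# Pick the method the post uses for each platform (constructed helper, not Microsoft's)
$os       = Get-WmiObject -Class Win32_OperatingSystem      # available back to PowerShell 2.0 on Windows 7
$version  = [version]$os.Version
$isServer = $os.ProductType -ne 1                           # 1 = workstation, 2 = domain controller, 3 = server
$method   = if ($version -lt [version]'6.2') { 'legacy' }   # Windows 7 / Server 2008 R2
            elseif ($isServer)               { 'server' }   # Windows Server 2012 and later
            else                             { 'client' }   # Windows 8 / 10

# Returns $true when the platform's own view of SMBv1 says it is off
function Test-Smb1Disabled([string]$method) {
    switch ($method) {
        'legacy' {
            $drv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' -ErrorAction SilentlyContinue
            $srv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
            return ($drv.Start -eq 4) -and ($srv.SMB1 -eq 0)   # 4 = SERVICE_DISABLED; SMB1 = 0 turns off the server side
        }
        'server' { return -not (Get-WindowsFeature -Name FS-SMB1).Installed }
        'client' { return (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State -ne 'Enabled' }
    }
}

switch ($method) {
    'legacy' {
        # Same service changes as the post's batch file (client side) ...
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
        sc.exe config mrxsmb10 start= disabled
        # ... plus the server side, which is what arrives on port 445 from the network
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value 0
    }
    'server' {
        # Remove-WindowsFeature is the ServerManager alias of Uninstall-WindowsFeature
        Remove-WindowsFeature -Name FS-SMB1
    }
    'client' {
        # DISM cmdlet for optional features; -NoRestart so users can save their work first
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    }
}

if (Test-Smb1Disabled $method) {
    Write-Host "SMBv1 disabled via '$method' method; reboot to finish."
} else {
    Write-Warning "SMBv1 still reports enabled on this system; review the output above."
}
if ($Reboot) { Restart-Computer -Force }
```

Run it once without -Reboot to see the check, then with -Reboot when users have saved and closed, which matches the post's warning about the automatic restart.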
Backup & Restore
For users who work almost exclusively from their own computer rather than from server or cloud based resources, and who have no local backup, it's important that they back up their machines daily! They should have at least three 2.5" USB3 fast disk drives in rotation.
We use ShadowProtect Desktop by StorageCraft to back up our client's endpoints.
A critical component of the backup regime is an air gap, for endpoint backups just as for the organization's entire server infrastructure.
Windows XP and Server 2003
Get the Security Updates ASAP and install them!
The update files can likely be delivered via your favourite patching mechanism. Please check that so these patches reach as many systems as possible.
Windows Firewall
One mitigation step would be to set up a Group Policy object that denies inbound File & Print Sharing (TCP 445) from every system except those that need it, such as servers and/or domain controllers.
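The host-firewall equivalent of that GPO, as an added example that is not from the original post. Windows Firewall has no "deny from everyone except X" rule and block rules win over allow rules, so the workable pattern is: default inbound action Block, the broad built-in File and Printer Sharing allow rules disabled, and one allow rule for TCP 445 scoped to the servers that need it. The same three settings can be pushed through Group Policy under Windows Firewall with Advanced Security. It assumes Windows 8 / Server 2012 or later (NetSecurity module), an elevated session, and the server addresses are placeholders; Get-OpenSmbInboundRules is this example's own helper.

```powershell
# Placeholder addresses: replace with the file servers / domain controllers that must reach this host
$allowedSmbPeers = @('10.0.0.10', '10.0.0.11')

# 1. Anything not explicitly allowed inbound is dropped
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. The built-in group allows SMB from "Any" on the local subnet; switch it off
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Disable-NetFirewallRule

# 3. One narrow allow rule, only from the approved peers, only on managed profiles
New-NetFirewallRule -DisplayName 'SMB-In from approved servers only' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $allowedSmbPeers -Action Allow -Profile Domain,Private | Out-Null

# Constructed check: names of enabled inbound allow rules that still open 445 to Any
function Get-OpenSmbInboundRules {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' } |
        ForEach-Object {
            $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            if ($remote -contains 'Any') { $_.DisplayName }
        }
}

$open = @(Get-OpenSmbInboundRules)
if ($open.Count -eq 0) {
    Write-Host 'No inbound rule allows port 445 from Any.'
} else {
    Write-Warning ("Rules still allowing 445 from Any: " + ($open -join ', '))
}
```

On workstations that serve no files at all, step 3 can be skipped so that port 445 stays closed to every peer; the check at the end then confirms nothing else reopened it.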
Malware Mitigation
As always, the best form of mitigation is a well-trained user. Patching the systems and training the humans is the best methodology going.
As a small plug, our xD mail sanitation and continuity service flags and renders inert links that say one thing but point to another location. This has put link shortening services like Bit.Ly at a disadvantage, but we're willing to pay that price to keep our users safe. Just ask us how!
Philip Elder
Microsoft High Availability MVP
MPECS Inc.
Co-Author: SBS 2008 Blueprint Book
Our Cloud Service
Copier SMB ports will need to be changed. This will break scanning. Ideas?
Yes, we've since discovered that older copiers run SMBv1 for their scan-to-folder setups. If possible, disable SMBv1 in the copier's console.
If not, make sure all systems are up to date, as Microsoft released the SMBv1 patches a few months ago.