Disabling SMB1 via ConfigMgr Desired State Configuration (DSC)


EDIT – Since I posted this, Microsoft have provided a method via GPO using some new ADMX templates:

https://blogs.technet.microsoft.com/secguide/2017/06/15/disabling-smbv1-through-group-policy/

I would now recommend using the ADMX approach to disable it, but still deploy the baselines below in monitor mode only so you have some reporting on whether your GPO is actually working.

Put simply, you should stop using SMB1 right away.  If you regularly scan your systems with something like Tenable Nessus you may have noticed that SMB1 being enabled is flagged as “Critical”, and unless you disable it you are likely to fail compliance for systems that must meet standards such as PCI.

Ned Pyle at Microsoft posted an excellent article on why SMB1 is no longer safe or appropriate.  You can read it here.

Once you have read it, your next step is to disable and remove it (Server 2012 R2+ / 8.1+) or disable it (Server 2012 / 2008 / 7).  If you are worried about what might break, here are some things to check first:

  • Are you using any MFDs (multi-function printers) with ancient firmware that rely on features such as scan to share, or that expose a share for uploading content to print?  If so, check for firmware updates, or check the device settings to see whether it can be made to use at least SMB2.
  • If your shared storage is based on something like NetApp Data ONTAP, make sure your storage admins have enabled at least SMB2.  ONTAP 8.2 and later support SMB3, so if you can enable that too you should see some benefits for your Windows 10 clients.
  • If you still have any XP or Server 2003 clients, get rid of them: they only support SMB1.
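Before disabling anything it helps to know which machines are still actually talking SMB1. The following is an added example and not part of the original post: a point-in-time audit, run from an elevated prompt on a Windows 8 / Server 2012 or later host, that lists inbound sessions (on a file server) and outbound connections (on a client) whose negotiated dialect is below 2.0. The SmbShare cmdlets it relies on do not exist on Windows 7 / 2008 R2.

```powershell
# Added example (not from the original post). Lists live SMB sessions and
# connections that negotiated an SMB1 dialect, i.e. the peers that will break
# once SMB1 is disabled on this machine. Needs an elevated prompt on Windows 8 /
# Server 2012 or later; earlier versions do not ship the SmbShare module.

function Get-Smb1Usage {
    [CmdletBinding()]
    param()

    $smb2   = [version]'2.0'
    $result = @()

    # Inbound: clients with a session on this server that negotiated SMB1.
    # Get-SmbSession reports the dialect as a string such as "1.5" or "3.02".
    $result += Get-SmbSession -ErrorAction Stop |
        Where-Object { $_.Dialect -and ([version]$_.Dialect -lt $smb2) } |
        ForEach-Object {
            [pscustomobject]@{
                Direction = 'Inbound'
                Peer      = $_.ClientComputerName
                Account   = $_.ClientUserName
                Share     = $null
                Dialect   = $_.Dialect
            }
        }

    # Outbound: servers this machine is currently reaching over SMB1
    $result += Get-SmbConnection -ErrorAction Stop |
        Where-Object { $_.Dialect -and ([version]$_.Dialect -lt $smb2) } |
        ForEach-Object {
            [pscustomobject]@{
                Direction = 'Outbound'
                Peer      = $_.ServerName
                Account   = $_.UserName
                Share     = $_.ShareName
                Dialect   = $_.Dialect
            }
        }

    return $result
}

$smb1Peers = Get-Smb1Usage | Sort-Object Direction, Peer, Share -Unique
if ($smb1Peers) {
    $smb1Peers | Format-Table -AutoSize
} else {
    Write-Output 'No SMB1 sessions or connections seen at this moment.'
}
```

Run it on each file server several times at busy periods rather than once, since it only sees sessions open at that instant. On Windows Server 2016 and Windows 10 you can instead turn on `Set-SmbServerConfiguration -AuditSmb1Access $true`, which records each SMB1 access as event 3000 in the Microsoft-Windows-SMBServer/Audit log and gives you a proper history.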

Sadly, at the time of writing there was no GPO option to disable the SMB1 client or server (see the edit at the top of this post for the ADMX Microsoft have released since), and the method to disable it differs across the versions.  In order to disable it and be able to report on it I am using DSC within ConfigMgr.

Configuration Items Required

We’re going to need four configuration items in our baseline:

  1. Disable SMB1 on Windows 8 / Server 2012 and above
  2. Remove SMB1 on Windows 8.1 / Server 2012 R2 and above
  3. Disable SMB1 Client on Windows 7 / 2008 R2
  4. Disable SMB1 Server on Windows 7 / 2008 R2

Disable SMB1 on Windows 8 / Server 2012 and above

Create the new configuration item and select only the Supported Platforms of:

[Screenshot: Supported Platforms selection (Windows 8 / Server 2012 and later only)]

In the Settings tab make a new setting of the type “Script” called “SMB1 Disabled”.

For your discovery script use:


# Outputs True while the SMB1 server is still enabled, so the compliance rule wants False
$smbenabled = Get-SmbServerConfiguration | Select EnableSMB1Protocol
echo $smbenabled.EnableSMB1Protocol

For your remediation script use:


Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

Move onto the “Compliance Rules” tab and create a new rule as follows:

[Screenshot: compliance rule (value returned by the script equals False, remediate when noncompliant)]

Hit OK and close and that’s your first one done.

Remove SMB1 on Windows 8.1 / Server 2012 R2 and above

Create another configuration item as before, this time your supported platforms should be as follows:

[Screenshot: Supported Platforms selection (Windows 8.1 / Server 2012 R2 and later only)]

Create the new setting with the following Discover and Remediation scripts:

Discovery


# Outputs the optional feature state; "Disabled" is what the compliance rule wants
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName smb1protocol
echo $smb1.State

Remediation


Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -Norestart

Note that I have added -NoRestart here to stop the system rebooting immediately; the feature is fully removed at the next scheduled reboot.

Create the compliance rule as follows:

[Screenshot: compliance rule (value returned by the script equals Disabled, remediate when noncompliant)]

Two down, two to go.

Disable SMB1 Client on Windows 7 / 2008 R2

No need to teach you how to suck eggs, so this time create a configuration item with Supported Platforms of Windows 7 and Windows Server 2008 (ticking the box at the top level covers 2008 R2 as well).

This one is slightly more tricky.  Whilst disabling the SMB1 client is the small matter of running a couple of sc.exe commands, detecting its status is more difficult.  To disable the SMB1 client we remove the “SMB 1.x MiniRedirector” dependency from the Workstation service and then disable the MiniRedirector driver itself.  Before we start, it looks like this in the GUI:

[Screenshot: Workstation service properties, Dependencies tab, showing SMB 1.x MiniRedirector]

We need to discover if the “SMB 1.x MiniRedirector” has been removed from the dependencies and we want to do it with PowerShell.


$smb1 = Get-Service -name LanManWorkstation -RequiredServices | where { $_.Name -eq "MrxSmb10"}

echo $smb1

If the “SMB 1.x MiniRedirector” has not been removed from the Workstation service the command will return this:

[Screenshot: Get-Service output listing the MrxSmb10 (SMB 1.x MiniRedirector) service]

If it has been removed then the command will return nothing.

By simply adding an if statement we can test for the null value and return a true/false result to ConfigMgr


# Outputs True when the Workstation service no longer depends on MrxSmb10 (SMB1 client disabled)
$smb1 = Get-Service -Name LanManWorkstation -RequiredServices | Where-Object { $_.Name -eq "MrxSmb10" }

if ($null -eq $smb1)
{$Compliant = "True"}
else
{$Compliant = "False"}
echo $Compliant

This will be our discovery script.  The compliance rule is that the value returned by the script equals True:

[Screenshot: compliance rule (value returned by the script equals True, remediate when noncompliant)]

Our remediation script will run the two sc.exe commands provided in the Microsoft guidance for removing SMB1:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

This can be specified as a PowerShell script, as calling sc from PowerShell is fine provided you use sc.exe; sc on its own is an alias for Set-Content in PowerShell.

This does need a reboot to take effect, but once again we will assume you are happy to wait for your next scheduled restart rather than forcing one.  If you need to force any of these, add a Restart-Computer command at the end of the remediation script.  You may also want a Write-EventLog command to record in the event log why the computer was restarted.
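As an added example (not the post's own script), here is a fuller remediation script for this item that wraps the same two sc.exe commands: it checks their exit codes, verifies the result, writes an Application log event explaining the pending restart, and only restarts when a flag is set. The event source name and event IDs are arbitrary choices for this example. Microsoft's guidance applies these same two commands to the SMB1 client on Windows 8 and Server 2012, which the four items above do not otherwise cover, so you may want to extend this item's supported platforms to them.

```powershell
# Added example (not from the original post): remediation for the Windows 7 /
# Server 2008 R2 SMB1 client item with exit-code checking, verification and
# event logging. Runs as SYSTEM under ConfigMgr, so it can register an event
# source. Source name and event IDs are assumptions made for this example.

$EventSource  = 'SMB1Remediation'   # assumed name; pick your own
$ForceRestart = $false              # $true only if an immediate reboot is acceptable

function Invoke-Sc {
    param([string[]]$Arguments)
    # Call sc.exe explicitly: in PowerShell "sc" is an alias for Set-Content
    & sc.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "sc.exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Test-Smb1ClientDisabled {
    # Compliant when Workstation no longer depends on MrxSmb10 and the
    # MrxSmb10 driver start type is 4 (SERVICE_DISABLED)
    $dep = Get-Service -Name LanManWorkstation -RequiredServices |
        Where-Object { $_.Name -eq 'MrxSmb10' }
    $start = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10' `
        -Name Start -ErrorAction SilentlyContinue).Start
    return (($null -eq $dep) -and ($start -eq 4))
}

function Write-RemediationEvent {
    param([int]$Id, [string]$Message, [string]$EntryType = 'Information')
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    Write-EventLog -LogName Application -Source $EventSource -EventId $Id `
        -EntryType $EntryType -Message $Message
}

try {
    # The two commands from the Microsoft guidance, now with exit codes checked
    Invoke-Sc -Arguments 'config', 'lanmanworkstation', 'depend=', 'bowser/mrxsmb20/nsi'
    Invoke-Sc -Arguments 'config', 'mrxsmb10', 'start=', 'disabled'

    if (-not (Test-Smb1ClientDisabled)) {
        Write-RemediationEvent -Id 1002 -EntryType 'Error' `
            -Message 'SMB1 client remediation ran but verification failed; check the Workstation and MrxSmb10 service configuration.'
        exit 1
    }

    # Sanity check: changing the dependency list must not alter the Workstation start mode
    $wks = Get-WmiObject -Class Win32_Service -Filter "Name='LanManWorkstation'"
    if ($wks.StartMode -ne 'Auto') {
        Write-RemediationEvent -Id 1004 -EntryType 'Warning' `
            -Message "Workstation service start mode is '$($wks.StartMode)' after SMB1 client remediation; expected Auto."
    }

    Write-RemediationEvent -Id 1000 `
        -Message 'SMB1 client (MrxSmb10) disabled by ConfigMgr compliance remediation. A restart is required for the change to take effect.'

    if ($ForceRestart) {
        Write-RemediationEvent -Id 1001 -EntryType 'Warning' `
            -Message 'Restarting now to complete SMB1 client removal.'
        Restart-Computer -Force
    }
} catch {
    Write-RemediationEvent -Id 1003 -EntryType 'Error' -Message "SMB1 client remediation failed: $_"
    throw
}
```

The Workstation start-mode check is there because the dependency edit and the start-mode are stored next to each other under the same service key; if you ever see the Workstation service flip to Disabled after remediation, the warning event tells you which machines to look at rather than waiting for users to report lost mapped drives.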


Disable SMB1 Server on Windows 7 / 2008 R2

Use the same supported platforms as in the previous item.

This time for your settings you want a registry rule as follows:

[Screenshot: registry setting rule for the LanmanServer SMB1 value]

The required compliance rules are as follows:

[Screenshot: compliance rules (SMB1 value exists and equals 0, remediate when noncompliant)]

Ensure that you have ticked the “remediate noncompliant rules when supported” box for your SMB Equals 0 rule.

Create and deploy our Baseline

With the four configuration items in place create a baseline and add the four conditions to it:

[Screenshot: baseline containing the four configuration items]

Deploy this to a collection with remediation enabled and all your SMB1 problems will disappear!
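If you prefer a single configuration item over four, or just want a quick way to check a machine by hand, the following added example (not from the original post) folds the four checks into one discovery script that returns a single True/False, suitable for a Script setting with a Boolean data type. It assumes the registry value behind the item 4 rule is SMB1 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, which is the value Microsoft's guidance uses for Windows 7 / 2008 R2, and that a feature disabled with -NoRestart reports the state DisablePending until the reboot.

```powershell
# Added example (not from the original post): one version-aware discovery
# script covering the four items. Outputs a single Boolean for ConfigMgr.
# Assumptions: the LanmanServer\Parameters\SMB1 registry value is the one
# Microsoft's guidance uses for 7 / 2008 R2, and a feature disabled with
# -NoRestart reports "DisablePending" until the machine reboots.

function Get-Smb1FeatureState {
    # Windows 8.1 / Server 2012 R2 and later expose SMB1 as a removable optional
    # feature. Returns $null where the cmdlet or the feature does not exist.
    if (-not (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue)) { return $null }
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature) { return [string]$feature.State } else { return $null }
}

function Test-Smb1ServerDisabled {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later (item 1 check)
        return (-not (Get-SmbServerConfiguration).EnableSMB1Protocol)
    }
    # Windows 7 / Server 2008 R2 (item 4 check): a missing value means enabled
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1 = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($smb1 -eq 0)
}

function Test-Smb1ClientDisabled {
    # Windows 7 / 2008 R2 (item 3 check): Workstation must not depend on MrxSmb10.
    # Microsoft applies the same check to Windows 8 / Server 2012 clients.
    $dep = Get-Service -Name LanManWorkstation -RequiredServices |
        Where-Object { $_.Name -eq 'MrxSmb10' }
    return ($null -eq $dep)
}

function Test-Smb1Disabled {
    $state = Get-Smb1FeatureState
    if ($null -ne $state) {
        # Item 2 check: removing the feature takes client and server with it.
        # Get-SmbServerConfiguration is not consulted here because it can keep
        # reporting EnableSMB1Protocol=True after the feature has been removed.
        return [bool](@('Disabled', 'DisablePending') -contains $state)
    }
    # No removable feature on this version: both halves must be disabled
    return [bool]((Test-Smb1ServerDisabled) -and (Test-Smb1ClientDisabled))
}

Write-Output (Test-Smb1Disabled)
```

Two deployment checks worth making before blaming the script: Script settings are only evaluated if the ConfigMgr client is allowed to run them, so set the Computer Agent client setting “PowerShell execution policy” to Bypass (or sign the script and use AllSigned), otherwise the item never leaves an unknown compliance state; and keep the per-version remediation scripts from the items above, as this example combines discovery only.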



16 thoughts on “Disabling SMB1 via ConfigMgr Desired State Configuration (DSC)”

  1. t6181

    >>In the Settings tab make a new setting of the type “Script” >>called “SMB1 Disabled”.

    For three of the 4 Configuration Item settings that are of the type ‘script’ – what is the Data type? String? Boolean?


  2. For your discovery script for Windows 8.1/Server 2012+, you don’t need to echo out the value, just use select -expand like this:
    Get-SmbServerConfiguration | Select -Expand EnableSMB1Protocol


  3. Thanks, this looks great.
    I created a Baseline only for Windows 10 OS, used your script for disable SMBv1.
    Deployed the Baseline to a collection with 5 test machines… they stay in Unknown all the time… I have it set to run every 5 minutes… followed your steps and used Boolean. Any ideas what is missing?


  4. Have you seen cases where systems that have had the Workstation service dependency on SMB1 disabled then change the startup type for the Workstation service to disabled? We’ve seen more than one since we introduced this in our environment on a limited basis.

