Prevent Petya and other Ransomware attacks by disabling SMBv1

Russell Smith by   08.02.2017   Ransomware

Prevent Petya and Other Ransomware Attacks by Disabling SMBv1
Organizations around the world are still cleaning up the devastation left behind by Petya and the WannaCry ransomware, with damage ranging from minor inconvenience to complete shutdowns of company operations. Hackers are taking the lessons learned from Petya and WannaCry to create new variants that improve the ability to move undetected between devices using the EternalBlue exploit, or in other words, the vulnerability in the Server Message Block (SMB) 1.0 filesharing protocol that Microsoft patched in March this year.

SMB 1.0 is a legacy protocol that’s in all versions of Windows for the purposes of backwards compatibility. Microsoft has recently updated its security baseline settings for Windows to include Group Policy templates that make it easy for system administrators to disable SMBv1. And the Windows 10 Fall Creators Update will disable the SMBv1 server component for clean installs out-of-the-box, and SMBv1 will be completely removed from Enterprise and Education SKUs.

The easiest way to disable SMBv1 in your organization is to download the Security Compliance Toolkit 1.0 from Microsoft’s website here. As part of the kit, you’ll find documentation listing all the recommended security settings, and Group Policy Object (GPO) backups for quickly creating GPOs in Active Directory to apply the recommend security settings. It’s important that you test the settings to ensure they don’t break any critical functionality. There is also an ADMX template (MS Security Guide) that provides three additional Group Policy settings that administrators can use to disable SMBv1. The three settings are:

1. Configure SMB v1 server

2. Configure SMB v1 client driver

3. Configure SMB v1 client (extra setting needed for pre-Win8.1/2012R2)

The first setting, Configure SMB v1 server, should be set to Disabled. This turns off the SMBv1 server component. Configure SMB v1 client driver should be set to Enabled, and then Disable driver selected from the dropdown menu. The third setting is only for Windows 7 and Windows Servers 2008, 2008R2 and 2012, which require an extra setting to disable the SMBv1 client driver. Configure SMB v1 client (extra setting needed for pre-Win8.1/2012R2) should be set to Enabled, and the following 3 lines of text entered in the Configure LanmanWorkstation dependencies text box:

Bowser
MRxSmb20
NSI

Once the settings have been applied, any devices in scope of the GPO must be rebooted for the settings to take effect.

Disabling SMBv1 can reduce the likelihood of malware like Petya infecting your systems. But it is by no means the only measure you should take. Removing administrative privileges from users, implementing application control, securing management tools, ensuring that systems and apps are patched in a timely manner, and other defenses, such as the Microsoft Office Trust Center and Windows Defender, all have an important role to play.


Lepide® is a Registered Trademarks of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All Trademarks Acknowledged.