СHRISTMAS
WHEEL OF FORTUNE

Tap the button and win a guaranteed prize right now!

By registering, you are signing up to receiving e-mails.
JT
April 25 2023
Updated April 25 2023

Protect setup for SMB traffic

Networks Security Windows

Introduction

What is one of the most dangerous things on this planet for the corporate network? Perhaps, if one of these mechanisms detail was destroyed, the offender would run a DDoS attack on your server or an employee misconfigured systemю However, a more global problem conclusion in the system itself. Protocols are an essential part of it. They set rules of transmission packet data units, which remember the blood in the organism. Any infection and virus contribute via this liquid. Absolutely the same thing with protocol!

The SMB, or Server Message Block, is a protocol developed for file transferring via the network. Its purpose is to facilitate sharing of files, printers, and other resources between computers connected to a network. The significance of this set of rules is quite remarkable. Different OS got the opportunity to communicate without restrictions, such as Mac OS, Linux, and Windows.

Therefore, it is used in corporate networks quite often and unfortunately, vulnerability is a big problem!

Analyze: check your protocols

Let's take a first look at the version of the protocol you use:

  1. hold down the keyboard shortcut Win+R and write “powershell”;
  2. then enter the command below into the CLI.
sc.exe qc lanmanworkstationе

Find raw with “Dependencies” and check parameters, which are opposite:

pic1
Screenshot №1 — Check the SMB version

This indicates that your SMB client supports the appropriate protocol version:

  • smb1 — "mrxsmb10.sys ";
  • smb2 — "mrxsmb20.sys ";
  • smb3 — "mrxsmb30.sys ".

If by unlucky chance you have the protocol of the first version or you want to be sure that it will not disturb you for sure, then I advise you to turn it off with the commands below:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

The line above turns on dependencies of SMB2/3.

sc.exe config mrxsmb10 start= disabled

And this command disables the first version protocol. All these actions are due to SMB1 does not have a strong encryption algorithm, therefore which will be a problem for the confidentiality, integrity and availability of a network.

Action: protection steps

If you have a second or third version of the protocol, so you need complete two actions to save information security: configure firewall rules, which will allow you to delimit the network by a specific port and enable encryption, which will avoid interception and decryption.

Add Firewall rules

There are a few cases of network architecture in which people use SMB out of their LAN, however, it is a very small percentage. Then SMB, maybe, а tasty morsel for attackers. You need to write rules for incoming and outgoing connections for your firewall. Block TCP-port with number 445:

Firewall block port
Screenshot №2 — Firewall block port
Application of the rules
Screenshot №3 — Application of the rules

And you need to make similar actions for outgoing rules.

Turn on encryption

In Windows Server you have default settings for SMB: turn off encryption. This problem has a quick solution. On the server side, open an elevated command prompt and type the following command:

reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "SMBEncryption" /t REG_DWORD /d 1 /f

And for the client write follow line:

reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v "RequireSecureNegotiate" /t REG_DWORD /d 1 /f

Here is a breakdown of the command and its attributes:

  • /v "SMBEncryption" — This attribute specifies the name of the value that will be added;
  • /t REG_DWORD — This attribute specifies the type of data that will be stored in the value. In this case, it will be a 32-bit binary value (a DWORD);
  • /d 1 — This attribute specifies the data that will be stored in the value. In this case, it sets the value to 1, which enables SMB encryption;
  • /f — This attribute tells the reg command to force the operation without prompting for confirmation. If this attribute is omitted, the command will prompt you to confirm before making any changes.

Overall, this command adds a new value to the Windows Registry that enables SMB encryption on the server or client, depending on which command is used.

Conclusion

I strongly recommend applying to cancel culture to SMB1 due to the lack of encryption.  Use a newer version of that protocol SMB2/3 or turn off them if you don't need them. Turn on encryption and add firewall rules for TCP-port 445.

You may be also interested in

Vote:
4 out of 5
Аverage rating : 4.5
Rated by: 2
33145 North Miami, FL 2520 Coral Way apt 2-135
+1 302 425-97-76
700 300
ITGLOBAL.COM CORP
700 300
We use cookies to make your experience on the Serverspace better. By continuing to browse our website, you agree to our
Use of Cookies and Privacy Policy.