25.04.2023

Protecting SMB traffic: setup

Introduction

What is one of the most dangerous things on this planet for a corporate network? Perhaps an attacker running a DDoS attack against your server, or an employee misconfiguring a system. A more fundamental problem, however, lies in the system itself, and protocols are an essential part of it. They set the rules by which packet data units are transmitted, much like blood in an organism: any infection or virus spreads through that liquid. Exactly the same is true of a protocol!

SMB, or Server Message Block, is a protocol developed for transferring files over a network. Its purpose is to make sharing of files, printers and other resources between networked computers easy. The significance of this set of rules is quite remarkable: different operating systems, such as macOS, Linux and Windows, can communicate with each other without restrictions.

Therefore it is used in corporate networks very often, and unfortunately its vulnerabilities are a big problem!

Analyze: check your protocols

Let's first look at which version of the protocol your client uses:

  1. press the keyboard shortcut Win+R and type "powershell" (run it as administrator if you intend to change settings later);
  2. then enter the command below into the CLI.
sc.exe qc lanmanworkstation

Find the DEPENDENCIES row in the output and check the drivers listed next to it:

Screenshot №1 — Check the SMB version

MRxSmb10 is the SMB1 client driver and MRxSmb20 is the SMB 2.x/3.x client driver, so this list shows which protocol versions your SMB client supports: if MRxSmb10 is present, SMB1 is still active on the client.

If by bad luck you still have the first version of the protocol, or you simply want to be sure that it can never bother you, I advise you to turn it off with the commands below:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

The line above rewrites the dependency list of the workstation service so that it depends only on the SMB2/3 client driver (mrxsmb20), the browser driver and NSI; the SMB1 driver (mrxsmb10) is dropped from it.

sc.exe config mrxsmb10 start= disabled

And this command disables the SMB1 client driver itself, so it can no longer be loaded. Note that these two commands only switch SMB1 off on the client side (LanmanWorkstation); the server side (LanmanServer) has its own setting and must be disabled separately. The reason for all of this: SMB1 has no encryption at all, its signing is based on MD5, and it has none of the pre-authentication integrity of SMB 3.1.1, so anyone on the network path can read and tamper with the traffic. Combined with its long history of implementation flaws, that makes it a problem for the confidentiality, integrity and availability of the whole network.
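The whole procedure above (find out which dialects are in use, drop the SMB1 driver from the client, and additionally switch SMB1 off on the server side and remove the feature) as one script. This is an added example and not code from the original article; it assumes an elevated PowerShell on Windows 8 / Server 2012 or newer, where the SmbShare module (Get-SmbConnection, Get-SmbServerConfiguration) is available.

```powershell
# Added example (not from the original article): audit SMB dialects in use and
# disable SMB1 on both the client and the server side of a Windows host.
# Assumes an elevated PowerShell on Windows 8 / Server 2012 or newer.

# 1. Which dialects do the current outbound connections actually use?
#    Any Dialect below 2.0.2 is an SMB1 session that still has to go.
Get-SmbConnection |
    Select-Object ServerName, ShareName, Dialect, UserName |
    Sort-Object Dialect |
    Format-Table -AutoSize

# 2. Client side: does the workstation service still depend on the SMB1 driver?
#    This is the same information "sc.exe qc lanmanworkstation" prints as DEPENDENCIES.
$deps = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation').DependOnService
if ($deps -contains 'MRxSmb10') {
    Write-Warning "SMB1 client driver (MRxSmb10) is still a dependency: $($deps -join ', ')"
    # The two sc.exe commands from the article, run through PowerShell's call operator.
    & sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    & sc.exe config mrxsmb10 start= disabled | Out-Null
} else {
    Write-Host 'Client: SMB1 driver already removed from LanmanWorkstation dependencies.'
}

# 3. Server side: a separate switch that the sc.exe commands above do not touch.
$srv = Get-SmbServerConfiguration
if ($srv.EnableSMB1Protocol) {
    Write-Warning 'SMB1 is still enabled on the server service; disabling.'
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Write-Host 'Server: SMB1 already disabled.'
}

# 4. Remove the SMB1 components entirely so nothing can re-enable them.
#    Server SKUs expose SMB1 as the role feature FS-SMB1; client SKUs as the
#    optional feature SMB1Protocol. A reboot completes the removal.
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    if ((Get-WindowsFeature -Name FS-SMB1).Installed) {
        Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null
        Write-Host 'FS-SMB1 feature removed; reboot to complete.'
    }
} else {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        Write-Host 'SMB1Protocol feature disabled; reboot to complete.'
    }
}
```

Run the first block before making changes: if a printer or NAS still shows up with an SMB1 dialect, fix or replace that device first, otherwise disabling the client driver will simply break access to it.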

Action: protection steps

If you already run the second or third version of the protocol, two more actions are needed to keep your information secure: configure firewall rules that confine SMB to the network segments where it is needed (by its port), and enable encryption, so that intercepted traffic cannot be read.

Add Firewall rules

There are network architectures in which people use SMB outside their LAN, but they are a very small percentage. Everywhere else an SMB port reachable from the outside is a tasty morsel for attackers. Write rules for both incoming and outgoing connections on your firewall that block TCP port 445 (the port SMB uses directly over TCP; legacy NetBIOS-based SMB also used TCP 139). Block it at the perimeter and on the Public profile of the Windows firewall, but not on the domain network: file and printer sharing, Group Policy (SYSVOL) and many administration tools depend on it there.

Screenshot №2 — Firewall block port

Screenshot №3 — Application of the rules

And you need to do the same for the outgoing rules: a host that cannot reach TCP port 445 on the Internet cannot be tricked, for example by a UNC path in a document or e-mail, into authenticating to an attacker's SMB server.
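The same inbound and outbound rules created from the command line instead of the firewall GUI, with a check of the result. This is an added example, not code from the original article; it assumes an elevated PowerShell with the NetSecurity module (Windows 8 / Server 2012 or newer), the rule names are arbitrary, and the host name in the final check is a placeholder.

```powershell
# Added example (not from the original article): block SMB (TCP 445) in both
# directions on the Public profile of Windows Defender Firewall and verify it.
# Assumes an elevated PowerShell on Windows 8 / Server 2012 or newer.
# Leave the Domain/Private profiles alone if the host must serve or reach
# file shares on the LAN.

$smbPort = 445

# Inbound: nobody on a public network may reach this host's SMB server.
if (-not (Get-NetFirewallRule -DisplayName 'Block SMB inbound (Public)' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'Block SMB inbound (Public)' `
        -Direction Inbound -Protocol TCP -LocalPort $smbPort `
        -Action Block -Profile Public -Enabled True | Out-Null
}

# Outbound: this host may not open SMB connections to hosts on a public network,
# so a UNC path or document link cannot make it authenticate to a foreign server.
if (-not (Get-NetFirewallRule -DisplayName 'Block SMB outbound (Public)' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'Block SMB outbound (Public)' `
        -Direction Outbound -Protocol TCP -RemotePort $smbPort `
        -Action Block -Profile Public -Enabled True | Out-Null
}

# Verify: every rule whose port filter mentions 445, with direction, action and profile.
Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq $smbPort -or $_.RemotePort -eq $smbPort } |
    Get-NetFirewallRule |
    Select-Object DisplayName, Direction, Action, Profile, Enabled |
    Format-Table -AutoSize

# Functional check from a machine on a public network (placeholder host name):
# Test-NetConnection -ComputerName fileserver.example.internal -Port 445
# should report TcpTestSucceeded : False once the inbound rule is active.
```

The verification query is worth keeping in a monitoring script: a later "allow" rule for port 445 added by an installer or a well-meaning colleague will show up there next to the block rules.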

Turn on encryption

In Windows Server the default setting for SMB is encryption turned off. This problem has a quick solution. On the server side, open an elevated command prompt and type the following command. The value the server service actually reads is EncryptData (it is the same value that Set-SmbServerConfiguration -EncryptData $true writes); the registry change takes effect after the LanmanServer service is restarted, while the PowerShell cmdlet applies it immediately:

reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "EncryptData" /t REG_DWORD /d 1 /f

There is no separate encryption switch on the client: an SMB 3.x client encrypts automatically as soon as the server or the share requires it. What you can set on the client is secure dialect negotiation, which makes the client drop the connection if a man-in-the-middle has tampered with the negotiated dialect or capabilities, for example to downgrade it to a version without encryption. For the client write the following line:

reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v "RequireSecureNegotiate" /t REG_DWORD /d 1 /f

Here is a breakdown of the command and its attributes:

  1. reg add "HKLM\..." adds or updates a value under the given registry key;
  2. /v names the value (EncryptData or RequireSecureNegotiate);
  3. /t REG_DWORD sets the value type to a 32-bit integer;
  4. /d 1 is the data, where 1 means enabled and 0 means disabled;
  5. /f overwrites an existing value without asking for confirmation.

Overall, these commands add a value to the Windows Registry that enables SMB encryption on the server and secure dialect negotiation on the client, depending on which command is used.
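The server-side part of the procedure done with the SmbShare cmdlets, which apply immediately and let you encrypt a single share instead of the whole server, followed by a check of what actually landed in the registry and which dialects the live sessions use. This is an added example, not code from the original article; it assumes an elevated PowerShell on Windows Server 2012 or newer, and the share name "Finance" is a placeholder.

```powershell
# Added example (not from the original article): require SMB encryption on a
# Windows file server, server-wide or for one sensitive share, and verify it.
# Assumes an elevated PowerShell on Windows Server 2012 or newer.

# Server-wide: every session must be encrypted (needs SMB 3.0 or later clients).
Set-SmbServerConfiguration -EncryptData $true -Force

# Keep the default that refuses clients unable to encrypt (SMB1, SMB 2.x).
# Setting this to $false would let them connect in cleartext and defeat the purpose.
Set-SmbServerConfiguration -RejectUnencryptedAccess $true -Force

# Alternative: encrypt only one share instead of the whole server.
# 'Finance' is a placeholder share name.
if (Get-SmbShare -Name 'Finance' -ErrorAction SilentlyContinue) {
    Set-SmbShare -Name 'Finance' -EncryptData $true -Force
}

# Verify the server and share settings.
Get-SmbServerConfiguration | Select-Object EncryptData, RejectUnencryptedAccess
Get-SmbShare | Select-Object Name, EncryptData | Format-Table -AutoSize

# Verify live sessions: once encryption is required, only SMB 3.x dialects
# should remain here; an SMB 2.x client will now be refused rather than downgraded.
Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, Dialect |
    Format-Table -AutoSize

# The same server-wide switch as seen in the registry, i.e. what the reg add
# command above writes (a restart of LanmanServer is needed for a raw reg add,
# not for the cmdlet).
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' |
    Select-Object EncryptData, RejectUnencryptedAccess
```

Per-share encryption is the pragmatic choice when a few old SMB 2.x devices (scanners, NAS boxes) still need unencrypted access to other shares; the server-wide switch with RejectUnencryptedAccess is the right one once everything on the network speaks SMB 3.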

Conclusion

I strongly recommend applying cancel culture to SMB1, because it has no encryption at all. Use the newer versions of the protocol, SMB2/3, and turn SMB off entirely where you don't need it. Turn on encryption and add firewall rules for TCP port 445.
