SMBv1 Solutions

WannaCry

It’s been weeks since #WannaCry/#WannaCrypt exploited thousands of computers across the internet. If you have been regularly patching your systems you were covered by the March 2017 update (MS17-010). The worm exploited a vulnerability in the legacy SMB version 1 protocol to propagate across the network once a machine was infected. Security experts, and even Microsoft, have been calling for disabling and/or removing the SMBv1 protocol from Windows environments for quite some time.

A Little History

SMBv1 dates back to the LAN Manager era and has shipped installed and enabled by default on every version of Windows since, for backwards compatibility. SMB version 2 was introduced with Windows Vista/Windows Server 2008, adding security and performance improvements. SMB version 3 was introduced with Windows 8/Windows Server 2012, adding encryption along with even more performance and availability options.

But First…

Disabling SMBv1 across an enterprise is no small feat. There’s a process to follow, and there’s research that needs to be done ahead of time. There are basically three hang-ups that can keep you from disabling SMBv1 across the board:

  • Windows XP and Windows Server 2003 boxes still hanging around the network. You REALLY need to get rid of them.
  • Linux servers, appliances, or devices that share or access data over SMBv1. Check with your vendors on supporting SMB 2.
  • Network scanners or multi-function printers that scan to file servers using SMBv1. See if they can be reconfigured or updated to support SMB 2.

Do the work to identify these gotchas so that you know where you can and can’t proceed with disabling the legacy protocol.

Tip

Note that when disabling the SMBv1 protocol you need to disable both the server-side (I’m sharing files with you) and client-side (you’re sharing files with me) of the protocol.

Get It Done!

Your route to disabling SMBv1 depends on the tools at your disposal.

1. Batch files and psexec

2. Group Policy

https://blogs.technet.microsoft.com/staysafe/2017/05/17/disable-smb-v1-in-managed-environments-with-ad-group-policy/

or

https://blogs.technet.microsoft.com/secguide/2017/06/15/disabling-smbv1-through-group-policy/

3. SCCM

https://alexpooleyblog.wordpress.com/2017/03/09/disabling-smb1-via-configmgr-desired-state-configuration-dsc/

I wrote a PowerShell tool to gather the SMB protocols that are enabled/disabled on a Windows computer called Get-SmbStatus. You can use this tool for discovery before and/or after you make your changes.

Example:

You can pick up the PowerShell function Get-SmbStatus at the Technet Script Repository.
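For readers who want to script the discovery and the change themselves, here is an added example (it is not Get-SmbStatus and not code from this post) that reports the SMBv1 state of both sides and, with a second function, disables both the server side and the client side as the tip above requires. It assumes Windows 7/Server 2008 R2 or later with PowerShell 3+, an elevated session, and WinRM for the remote usage at the end; the registry values and service names are the ones Microsoft documents in KB2696547, and the function names are my own.

```powershell
# Added example (not the author's Get-SmbStatus): report and optionally disable
# SMBv1 on the server side (LanmanServer) and the client side (mrxsmb10 driver).
# Assumes Windows 7 / Server 2008 R2 or later, PowerShell 3+, elevated session.

function Get-SmbProtocolState {
    [CmdletBinding()]
    param()

    $serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $srv = Get-ItemProperty -Path $serverKey -ErrorAction Stop

    # Server side: the SMB1/SMB2 values are absent by default, which means "enabled".
    $smb1Server = if ($null -eq $srv.SMB1) { $true } else { [bool]$srv.SMB1 }
    $smb2Server = if ($null -eq $srv.SMB2) { $true } else { [bool]$srv.SMB2 }

    # Client side: mrxsmb10 is the SMB1 redirector driver. Start type 4 means Disabled.
    $mrxsmb10 = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' -ErrorAction SilentlyContinue
    $smb1Client = ($null -ne $mrxsmb10) -and ($mrxsmb10.Start -ne 4)

    # The Workstation service must also stop depending on mrxsmb10, or it will not start.
    $lanmanWks = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'
    $dependsOnSmb1 = @($lanmanWks.DependOnService) -contains 'mrxsmb10'

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        SMB1Server           = $smb1Server
        SMB1Client           = $smb1Client
        WorkstationNeedsSmb1 = $dependsOnSmb1
        SMB2Server           = $smb2Server
    }
}

function Disable-Smb1Protocol {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMB1 server')) {
        # Server side. On Windows 8/2012+ "Set-SmbServerConfiguration -EnableSMB1Protocol $false"
        # does the same thing; the registry value works on every version, so it is used here.
        Set-ItemProperty -Path $serverKey -Name SMB1 -Type DWord -Value 0
    }

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMB1 client')) {
        # Client side: remove the SMB1 driver from the Workstation service dependencies,
        # then disable the driver. Both steps are required or LanmanWorkstation breaks.
        & sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        & sc.exe config mrxsmb10 start= disabled | Out-Null
    }

    # Both changes take effect after a reboot; report the new registry state now.
    Get-SmbProtocolState
}

# Usage: discovery across a list of hosts, then a dry run and the real change.
# $hosts = Get-Content .\servers.txt
# Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Get-SmbProtocolState} |
#     Format-Table ComputerName, SMB1Server, SMB1Client, WorkstationNeedsSmb1
# Disable-Smb1Protocol -WhatIf
# Disable-Smb1Protocol
```

Run the discovery first and keep the output: a host that still reports SMB1Client = True after the change has not been rebooted yet. On Windows 8.1/10 and Server 2012 R2+ you can go one step further and remove the component entirely (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol, or Remove-WindowsFeature FS-SMB1 on servers), which is preferable to leaving it installed but switched off.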

Test-ADUser

Have you ever wanted to know if a user was valid, disabled, or expired? I created a tool to validate a username against Active Directory called Test-ADUser.

Example 1: Valid User Output

Example 2: An Expired User

Example 3:
Test-ADUser -username disableduser

Example 4:
Test-ADUser -username invaliduser

Get your copy today at the PowerShell gallery (Install-Module MrAADAdministration).
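As an added illustration of what such a check has to look at (this is not Test-ADUser from MrAADAdministration, just example code written for this page), the function below classifies an account as Valid, Disabled, Expired, LockedOut, PasswordExpired or NotFound using the ActiveDirectory module. The function name is my own; it assumes RSAT's ActiveDirectory module and a reachable domain controller.

```powershell
# Added example (not the author's Test-ADUser): classify a sAMAccountName by its
# Active Directory account state. Assumes the ActiveDirectory RSAT module.

function Test-ADUserState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$UserName
    )
    begin { Import-Module ActiveDirectory -ErrorAction Stop }
    process {
        $props = 'Enabled', 'AccountExpirationDate', 'LockedOut', 'PasswordExpired', 'LastLogonDate'
        try {
            $u = Get-ADUser -Identity $UserName -Properties $props -ErrorAction Stop
        }
        catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            # Unknown sAMAccountName/SID/DN: report it rather than throwing.
            return [pscustomobject]@{
                UserName = $UserName; Status = 'NotFound'; Enabled = $null
                Expires = $null; LockedOut = $null; LastLogon = $null
            }
        }

        # AccountExpirationDate is $null when the account never expires. An expired
        # account that is still "enabled" cannot log on, so expiry is checked explicitly.
        $expired = ($null -ne $u.AccountExpirationDate) -and ($u.AccountExpirationDate -lt (Get-Date))
        $status = if (-not $u.Enabled)    { 'Disabled' }
                  elseif ($expired)       { 'Expired' }
                  elseif ($u.LockedOut)   { 'LockedOut' }
                  elseif ($u.PasswordExpired) { 'PasswordExpired' }
                  else                    { 'Valid' }

        [pscustomobject]@{
            UserName  = $u.SamAccountName
            Status    = $status
            Enabled   = $u.Enabled
            Expires   = $u.AccountExpirationDate
            LockedOut = $u.LockedOut
            LastLogon = $u.LastLogonDate
        }
    }
}

# 'jdoe', 'disableduser', 'invaliduser' | Test-ADUserState | Format-Table -AutoSize
```

Note that "Valid" here means the account exists and nothing in AD blocks a logon; it is not an authentication test, so it says nothing about whether a given password is correct.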

It’s Patch Tuesday: Do you know where your patches are?

Patch Rollups: Now with 10% real code.

Starting tomorrow, October 11, Microsoft will change the way they deploy updates for Windows 7/8.1 and Server 2008 R2/2012/2012 R2 (and consequently so will you). Each month they will provide a single security-only update containing all the security patches for that month, distributed via SCCM, WSUS and the Update Catalog only (not Windows Update). In addition, they will publish a security plus fixes “quality” rollup containing that month’s and all previous months’ security updates as well as all previous non-security fixes; the rollup is also what Windows Update installs. Both of them are classified as Security Updates in WSUS. Microsoft doesn’t really want us to approve both, but if you do it will (probably) work. IT professionals need to decide whether to approve the security-only update, the rollup, or both. I typically deploy both the Security Updates and Critical Updates classifications, where “critical” is the WSUS classification of the update, not its severity.

Critical Updates Classification from WSUS

The Critical Updates classification typically means a non-security fix. I’m trying to find out whether the security plus fixes rollup includes the critical updates that I normally approve. If so, I will probably just go with the rollup update, especially since that is what Microsoft is recommending. Note that we will continue to have separate Internet Explorer and .NET Framework rollups, as well as Office updates. Also bear in mind that this new process may produce “different” results in compliance tools (e.g. Nessus): the two updates contain the same security fixes and may be reported differently depending on the order in which they were installed if both were approved.
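Because both packages land in the same Security Updates classification, a WSUS approval rule cannot tell them apart; the title can. The following added example (not from this post) uses the UpdateServices module to list a month’s unapproved rollup and security-only packages and approve only the rollup, which is the direction the text leans. It assumes the WSUS console/RSAT module on the machine running it and the “YYYY-MM Security Monthly Quality Rollup …” / “YYYY-MM Security Only Quality Update …” titles Microsoft adopted in October 2016; the function name and the target group are my own.

```powershell
# Added example, not part of the post: approve only the monthly rollup on WSUS.
# Assumes the UpdateServices module (installed with the WSUS console) and the
# October 2016 update titles. Report-only unless -Approve is given.

function Approve-MonthlyRollup {
    [CmdletBinding()]
    param(
        [string]$Month = (Get-Date -Format 'yyyy-MM'),   # e.g. '2016-10'
        [string]$TargetGroupName = 'All Computers',
        [switch]$Approve
    )

    $wsus = Get-WsusServer   # local server; use -Name/-PortNumber for a remote one

    # Both packages are classified as Security Updates, so filter on the title.
    $candidates = Get-WsusUpdate -UpdateServer $wsus -Classification Security -Approval Unapproved -Status Any |
        Where-Object { $_.Title -like "$Month Security*" }

    $rollups      = $candidates | Where-Object { $_.Title -like '*Security Monthly Quality Rollup*' }
    $securityOnly = $candidates | Where-Object { $_.Title -like '*Security Only Quality Update*' }

    foreach ($u in $securityOnly) {
        # Deliberately left unapproved: approving both duplicates the same fixes
        # and makes compliance scanners report inconsistently.
        Write-Verbose "Skipping security-only package: $($u.Title)"
    }

    foreach ($u in $rollups) {
        if ($Approve) {
            $u | Approve-WsusUpdate -Action Install -TargetGroupName $TargetGroupName
            $action = 'Approved'
        }
        else {
            $action = 'WouldApprove'
        }
        [pscustomobject]@{
            Title    = $u.Title
            Products = ($u.Products -join ', ')
            Action   = $action
        }
    }
}

# Approve-MonthlyRollup -Month 2016-10 -Verbose                       # dry run
# Approve-MonthlyRollup -Month 2016-10 -Approve -TargetGroupName Pilot
```

Run it against a pilot group first; the rollup is cumulative, so a problem in it cannot be dodged by approving a single KB the way it could under the old model.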

Thanks Mary Jo Foley for bringing this back to my attention.

Read More:

https://blogs.technet.microsoft.com/windowsitpro/2016/05/17/simplifying-updates-for-windows-7-and-8-1/

https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1

https://blogs.technet.microsoft.com/enterprisemobility/2016/10/07/configuration-manager-and-simplified-windows-servicing-on-down-level-operating-systems/

10 Immutable Laws of Security and JEA

Sleeping Security Guard

I came across a list of the ten immutable laws of security administration on Twitter last week, written by Scott Culp back in November 2000, and I found it both profound and amusing. I found the list profound because the laws truly are still the same and still apply. I found it amusing because the mitigations and examples provided show how far we have come (most of us kicking and screaming). For example, it talks about setting your antivirus to update silently once a week using “push” methodology. I’m reminded of how difficult managing antivirus products used to be. Antivirus vendors have been challenged to provide robust manageability while building additional protection mechanisms, to the point where we just call it endpoint protection nowadays. I’m sure years from now we will look back and laugh at how we are currently managing our ever-growing, always-connected, disparate collection of devices (i.e. the Internet of Things). Even the name Internet of Things may sound as dated as Information Superhighway or Cyberspace just a few years from now.

One of the ways PowerShell can help us take our security to the next level is Just Enough Administration (JEA). The goal of JEA is to move away from granting users administrative access to servers: instead they get constrained PowerShell endpoints that expose only the commands (and parameters) their tasks require, running with the minimum amount of privilege necessary. The JEA toolkit is still in development, but here’s hoping it becomes the standard way of granting access in the near future (more).
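To make the “constrained endpoint” idea concrete, here is an added example (not from this post, and using the JEA that later shipped in PowerShell 5.0/WMF 5 rather than the toolkit the text refers to) that builds an endpoint for a helpdesk group: it may restart two named services and read event logs on the server, and nothing else, without being a local administrator. The module name JeaHelpdesk, the group CONTOSO\HelpDesk, the endpoint name JEA.HelpDesk and the transcript path are assumptions; run it elevated on the target server.

```powershell
# Added example, not from the post: a JEA endpoint for a helpdesk role.
# Assumes PowerShell 5.0+ on the server; names below are placeholders.

$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\JeaHelpdesk'
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
New-Item -Path $rcPath -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath 'JeaHelpdesk.psd1')

# Role capability = the whitelist. Parameters are constrained too, so the role
# cannot point Restart-Service at an arbitrary service.
New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'HelpDesk.psrc') `
    -VisibleCmdlets @(
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } },
        @{ Name = 'Get-Service' },
        @{ Name = 'Get-WinEvent';    Parameters = @{ Name = 'LogName' }, @{ Name = 'MaxEvents' } }
    ) `
    -VisibleFunctions 'Get-ServerUptime' `
    -FunctionDefinitions @{
        Name        = 'Get-ServerUptime'
        ScriptBlock = { (Get-Date) - (Get-CimInstance Win32_OperatingSystem).LastBootUpTime }
    }

# Session configuration: RestrictedRemoteServer exposes only the listed commands,
# RunAsVirtualAccount runs them as a temporary local admin that exists only for the
# session (so the helpdesk user's own account never gets admin rights), and every
# session is transcribed for audit.
$pssc = Join-Path $env:TEMP 'HelpDesk.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEA\Transcripts' `
    -RoleDefinitions @{ 'CONTOSO\HelpDesk' = @{ RoleCapabilities = 'HelpDesk' } }

if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw 'Invalid session configuration file' }
Register-PSSessionConfiguration -Name 'JEA.HelpDesk' -Path $pssc -Force | Out-Null

# A CONTOSO\HelpDesk member then connects to the constrained endpoint:
# Enter-PSSession -ComputerName SRV01 -ConfigurationName JEA.HelpDesk
# [SRV01]: PS> Get-Command           # only the whitelisted commands plus the JEA defaults
# [SRV01]: PS> Restart-Service -Name Spooler
# [SRV01]: PS> Restart-Service -Name LanmanServer   # rejected: not in the ValidateSet
```

The point to check when reviewing such a configuration is the role capability, not the session file: anything visible that can run arbitrary code (Invoke-Expression, Start-Process, an unconstrained -FilePath parameter) turns the virtual account’s admin rights into the user’s admin rights.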

The 10 Immutable Laws of Security Administration:
Law #1: Nobody believes anything bad can happen to them, until it does
Law #2: Security only works if the secure way also happens to be the easy way
Law #3: If you don’t keep up with security fixes, your network won’t be yours for long
Law #4: It doesn’t do much good to install security fixes on a computer that was never secured to begin with
Law #5: Eternal vigilance is the price of security
Law #6: There really is someone out there trying to guess your passwords
Law #7: The most secure network is a well-administered one
Law #8: The difficulty of defending a network is directly proportional to its complexity
Law #9: Security isn’t about risk avoidance; it’s about risk management
Law #10: Technology is not a panacea

Source

Certificate Keys: Size Matters

Keys

When issuing SSL certificates you can specify the key size (or length). For RSA keys, the larger the key the harder it is to factor and so the more secure the certificate; however, larger keys also increase CPU load for the handshake. When issuing certificates for your web servers the current recommendation is an RSA key of at least 2048 bits. Certificates with RSA keys shorter than 2048 bits (e.g. 1024 or 512) are considered vulnerable and should be replaced as soon as possible; public CAs no longer issue them. Check your SSL certificates’ key sizes to ensure they are using a secure key size.

 

PowerShell Certificate Health Module

Certificates and Algorithms

binary

When an SSL certificate is issued, the CA signs it using a cryptographic hash algorithm (read: hard math) so that clients can verify the certificate has not been tampered with; that signature is what lets a client trust the public key inside it. A number of hash algorithms have been used in certificates past and present, and a certificate reports the hash together with the CA’s key type as its signature algorithm (md5RSA, sha1RSA, sha256RSA, and so on). Security researchers and scientists are constantly evolving the algorithms as the bad guys are always trying to break them, in the never-ending arms race of cryptography. When an algorithm is shown to be weak and vulnerable to collisions it is deprecated, and the mainstream browsers begin to warn on and eventually reject certificates using it. Certificates signed with MD5 are no longer considered secure, and now SHA-1 certificates are being deprecated. All your new certificates should be signed using SHA-256 or stronger, which should now be the default on your Windows CAs; you can confirm what a CA is signing with using certutil -getreg ca\csp\CNGHashAlgorithm.

You can check your certificate’s algorithm health using the PowerShell Certificate Health Module.

Who’s Watching Your SSL Certificates

SSL Certificate Lock Symbol

Every business needs SSL certificates for encrypting their traffic. Typically we see SSL certificates used to encrypt HTTP web traffic, but certificates also secure LDAP (Active Directory), SMTP, IMAP, POP3 and many more protocols. Certificates can also be used for authentication on your domain or on the web. When you purchase a certificate you typically pay for it to be valid for a year or more. After the certificate is processed, you install it and your work is done. Except that one year or so from now something breaks, and you realize that your certificate has expired.

Keep an eye on your certificates with the PowerShell Certificate Health Module.
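The three checks described in the last three posts (RSA key length, signature hash, and expiry) all start from the same place, a certificate object, so here is one added example that covers all three; it is not the Certificate Health Module and not code from the author. It scans a Windows certificate store and can also fetch the certificate a live TLS endpoint (HTTPS, LDAPS on 636, SMTPS on 465) actually presents, which is the one that matters when “something breaks”. It assumes Windows PowerShell 5.1; the function names, the 2048-bit and 30-day thresholds, and the host names in the usage lines are assumptions.

```powershell
# Added example, not the post's Certificate Health Module: flag short RSA keys,
# weak signature hashes and expiring/expired certificates, from a local store or
# from a remote TLS endpoint. Assumes Windows PowerShell 5.1.

function Test-CertificateHealth {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$MinimumRsaBits = 2048,     # assumed threshold
        [int]$ExpiryWarningDays = 30     # assumed threshold
    )
    process {
        $issues = @()

        # Key check: only RSA has a meaningful "bits" comparison here. ECC keys are
        # short by design (P-256 is roughly equivalent to 3072-bit RSA), so they are skipped.
        $keyAlg  = $Certificate.PublicKey.Oid.FriendlyName   # 'RSA', 'ECC', 'DSA'
        $keyBits = $null
        if ($keyAlg -eq 'RSA') {
            $keyBits = $Certificate.PublicKey.Key.KeySize
            if ($keyBits -lt $MinimumRsaBits) { $issues += "RSA key $keyBits bits < $MinimumRsaBits" }
        }

        # Signature check: FriendlyName looks like 'sha256RSA', 'sha1RSA', 'md5RSA', 'sha384ECDSA'.
        # A weak hash on a self-signed root is harmless because nobody verifies that signature.
        $sigAlg     = $Certificate.SignatureAlgorithm.FriendlyName
        $selfSigned = $Certificate.Subject -eq $Certificate.Issuer
        if ($sigAlg -match '^(md2|md4|md5|sha1)' -and -not $selfSigned) {
            $issues += "weak signature $sigAlg"
        }

        # Expiry check.
        $daysLeft = [int]($Certificate.NotAfter - (Get-Date)).TotalDays
        if ($daysLeft -lt 0)                        { $issues += 'expired' }
        elseif ($daysLeft -le $ExpiryWarningDays)   { $issues += "expires in $daysLeft days" }

        [pscustomobject]@{
            Subject      = $Certificate.Subject
            Thumbprint   = $Certificate.Thumbprint
            KeyAlgorithm = $keyAlg
            KeyBits      = $keyBits
            Signature    = $sigAlg
            NotAfter     = $Certificate.NotAfter
            DaysLeft     = $daysLeft
            Healthy      = ($issues.Count -eq 0)
            Issues       = ($issues -join '; ')
        }
    }
}

function Get-RemoteCertificate {
    # Returns the leaf certificate a TLS server presents. Chain validation is
    # deliberately skipped so that a broken certificate can still be inspected.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }
}

# Unhealthy certificates in the local machine store:
# Get-ChildItem Cert:\LocalMachine\My | Test-CertificateHealth | Where-Object { -not $_.Healthy } | Format-Table
# The certificate a domain controller offers for LDAPS (host name assumed):
# Get-RemoteCertificate -HostName dc01.contoso.local -Port 636 | Test-CertificateHealth
```

Schedule the store scan and the endpoint checks together: the store tells you what is installed, the endpoint check tells you what is actually being served, and it is the second one that pages you at 2 a.m. when a renewed certificate was never bound to the service.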