“WannaCrypt” – Patch first and then verify deprecation of SMBv1

Due to the ongoing “WannaCrypt” attacks, it is highly recommended to review whether you rely on SMBv1. This feature is installed by default but is mostly not in use anymore. The WannaCrypt threat uses publicly available exploit code for the patched SMB vulnerability, CVE-2017-0145, which can be triggered by sending a specially crafted packet to a targeted SMBv1 server. The exploit code used is designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this exploit attack. The vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017.

“WannaCrypt” attacks: if you have automatic updates enabled or have installed the update, your systems are protected against this attack. We encourage you to install the update as soon as possible.

Please check out the guidelines below:

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt

https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

https://blogs.technet.microsoft.com/mmpc/2016/05/18/the-5ws-and-1h-of-ransomware/

MS17-010 for Windows 2012 R2 – KB4012216 direct download here

MS17-010 for Windows 2016 – KB4013429 direct download here

You can verify which SMB version your servers are using with “Get-SmbConnection | fl Servername,Dialect”.

If you want to uninstall SMBv1, you can do so by running the command below, but you should verify first:

Get-WindowsFeature | where {$_.Name -match "FS-SMB1"} | Remove-WindowsFeature

If you want to remove it on a bunch of servers, e.g. in a cluster, you can do something like this:
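One way to do the "verify first, then remove" step across all nodes of a cluster, as an added example that is not the script from the original post. It assumes a management host with the FailoverClusters and ServerManager modules and PowerShell remoting to the nodes; the cluster name CLUSTER01 is a placeholder.

```powershell
# Added example (not from the original post).
# Assumption: 'CLUSTER01' is a placeholder cluster name; run as an administrator
# from a host that can reach every node via PowerShell remoting.
$clusterName = 'CLUSTER01'
$nodes = Get-ClusterNode -Cluster $clusterName | Select-Object -ExpandProperty Name

$report = foreach ($node in $nodes) {
    # Is the SMB1 feature still installed on this node?
    $feature = Get-WindowsFeature -Name FS-SMB1 -ComputerName $node

    # Which dialects are in use right now?
    #   Get-SmbSession    = clients connected to this node
    #   Get-SmbConnection = this node connected to other servers
    $dialects = Invoke-Command -ComputerName $node -ScriptBlock {
        @(Get-SmbSession    | Select-Object -ExpandProperty Dialect) +
        @(Get-SmbConnection | Select-Object -ExpandProperty Dialect)
    }

    # SMB1 shows up with a dialect starting with "1."
    $smb1InUse = @($dialects | Where-Object { $_ -like '1.*' }).Count -gt 0

    [pscustomobject]@{
        Node          = $node
        Smb1Installed = $feature.Installed
        Smb1InUse     = $smb1InUse
    }
}

$report | Format-Table -AutoSize

# Remove the feature only where it is installed and no SMB1 traffic was seen.
# -WhatIf only shows what would be removed; drop it to actually uninstall.
# The node needs a restart afterwards to complete the removal.
$report |
    Where-Object { $_.Smb1Installed -and -not $_.Smb1InUse } |
    ForEach-Object {
        Remove-WindowsFeature -Name FS-SMB1 -ComputerName $_.Node -WhatIf
    }
```

The dialect check is only a snapshot of the sessions open at that moment, so run it several times over a representative period before removing the feature. In a cluster, restart the nodes one at a time after the removal.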

Here is some more guidance on how to enable/disable a specific SMB version –> https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/

https://blogs.technet.microsoft.com/josebda/2015/04/21/the-deprecation-of-smb1-you-should-be-planning-to-get-rid-of-this-old-smb-dialect/

Stay secured!

Ramazan
