ChrisParr1
Engaged Sweeper III

We've got SMBv1 Auditing enabled on our domain and SMBv1 disabled on everything including the Lansweeper scan servers.

We're seeing event log entries on our DCs from both of our scan servers like the one below. Nothing else is generating these events, just the scan servers. Judging by the timings it looks like it's IP range scanning that is triggering it.

--------------------------

Log Name: Microsoft-Windows-SMBServer/Audit
Source: Microsoft-Windows-SMBServer
Date: 5/30/2023 7:10:10 AM
Event ID: 3000
Task Category: None
Level: Information
Keywords:
User: N/A
Computer: DC01.Domain.Local
Description:
SMB1 access

Client Address: SCANServer01

--------------------------

Is there any way we can prevent scans from triggering this?

10 REPLIES 10
Glenn_Gagne
Engaged Sweeper III

Hi, we are facing the same situation here. While Microsoft Windows SMBv1 auditing is enabled (Set-SmbServerConfiguration -AuditSmb1Access $true), we are observing the Lansweeper scan server trying to access all of our assets via the SMBv1 protocol instead of using SMBv2/3.

Technically, even if the SMB client on a Lansweeper scan server could have SMBv1 enabled... the SMB client should handshake the SMB protocol using the highest security first. It will try SMBv3, if that fails it goes to SMBv2, if that fails then SMBv1... Then, knowing our scanned assets are correctly scanned and the things collected via share access are OK too... and the SMBv1 protocol is also disabled on the SMB server side (which tells me the Lansweeper scan can reach my assets without issue using SMBv2/3), why does Lansweeper still try an SMBv1 connection to my assets?

We know some security tools like VDR scan, NMAP, etc. can be used to force the SMBv1 protocol where the goal is to test for SMBv1 vulnerabilities. Why does Lansweeper try this protocol too? Does Lansweeper try to inventory SMBv1 vulnerabilities as well? Can we force the Lansweeper scanner not to try that? Alternatively, does Lansweeper offer a comprehensive report of the assets that respond successfully to SMBv1?

 

TomaszHolderny
Engaged Sweeper

Did you resolve the issue? We have constant SMB1 logon attempts from the scan server blocked on our QNAP system and I don't know how to stop scan servers from using SMB1.

You can create a fw rule on the LS server to block the LS scan from reaching the remote SMB port of the QNAP system.

No, I review the logs occasionally, but as the only thing generating those events is the scan servers I've just started ignoring them, which isn't exactly best practice. 😞

ChrisParr1
Engaged Sweeper III

Hi @Mister_Nobody ,

Sorry, I wasn't clear. I'm not picking up the events in Lansweeper, I'm seeing them as part of our general security monitoring processes. 

If possible I want to prevent the scan process from generating SMBv1 connections in the first place. Partly just to reduce the noise in our SIEM system, but also because it makes me nervous that anything is apparently trying to use the very insecure SMBv1 at all.

You have to read about Windows Audit Policy to Enable or Disable Security Events Audit

I know how to enable or disable the audit events, that's why I'm getting them in the first place. I want to see events when something tries to make SMBv1 connections so we can monitor for insecure systems, I just want to know if I can stop Lansweeper from doing so.

We're not using a Workgroup scanning target so I don't think that's relevant.
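
The thread's monitoring goal (keep SMB1 auditing on, but separate expected scan-server probes from anything else) can be handled at triage time. The following is an added example, not part of the original thread and not Lansweeper's own code; the function name, the scan-server allow-list and the sample events are constructed, and it assumes the event message carries a `Client Address:` line as in the event quoted in the first post.

```powershell
# Added example: summarise SMB1 audit events (ID 3000) per client address.
# Assumption: the message text contains "Client Address: <name or IP>".
function Get-Smb1ClientSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [string[]] $KnownScanners = @()   # hypothetical allow-list of scan servers
    )
    $Events | ForEach-Object {
        # Pull the client out of the free-text message; skip events that do not match
        if ($_.Message -match 'Client Address:\s*(\S+)') {
            [pscustomobject]@{ Client = $Matches[1]; Time = $_.TimeCreated }
        }
    } | Group-Object Client | ForEach-Object {
        $times = @($_.Group | ForEach-Object { $_.Time } | Sort-Object)
        [pscustomobject]@{
            Client       = $_.Name
            Count        = $_.Count
            First        = $times[0]
            Last         = $times[-1]
            KnownScanner = $KnownScanners -contains $_.Name   # case-insensitive match
        }
    } | Sort-Object @{ Expression = 'KnownScanner' }, @{ Expression = 'Count'; Descending = $true }
}

# Constructed sample events with the same message shape as the event in the first post.
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2023-05-30T07:10:10'; Message = "SMB1 access`n`nClient Address: SCANServer01" }
    [pscustomobject]@{ TimeCreated = [datetime]'2023-05-30T07:10:12'; Message = "SMB1 access`n`nClient Address: SCANServer01" }
    [pscustomobject]@{ TimeCreated = [datetime]'2023-05-30T07:11:40'; Message = "SMB1 access`n`nClient Address: SCANServer02" }
    [pscustomobject]@{ TimeCreated = [datetime]'2023-05-30T09:42:03'; Message = "SMB1 access`n`nClient Address: LEGACY-PC07" }
)

# On a DC, replace $sample with live data from the audit log named in the thread:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 }
$summary = Get-Smb1ClientSummary -Events $sample -KnownScanners 'SCANServer01', 'SCANServer02'
$summary | Format-Table -AutoSize

# Clients outside the allow-list are the ones worth alerting on.
$summary | Where-Object { -not $_.KnownScanner }
```

The same allow-list logic can be expressed as a SIEM suppression rule so that scan-server events are still stored but do not raise alerts.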
