
06-30-2017 10:40 AM
Hi,
I created a deployment with the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
Now I am looking for a way to create a report that shows me the computers in the network that didn't run the script.
The script deployed should make sure that the workstation service does not depend on SMBv1 because I would like to shut down SMBv1 according to the articles below.
https://community.spiceworks.com/topic/1995592-disabling-smb1-stops-domain-authentication
https://blogs.technet.microsoft.com/staysafe/2017/05/17/disable-smb-v1-in-managed-environments-with-ad-group-policy/
1 ACCEPTED SOLUTION

07-06-2017 05:32 PM
There is a registry change reflective of the protocol deactivation. I think that is your best bet for verifying your script worked. You could also go old school and have the script append to a log file on your network as each system completed the script. You can use computername and timestamp for your log entries, but that's a matter of trust vs. verify.
I think this should help with the verification part:
MS Article How to enable/disable SMB
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled
Lansweeper Article on custom registry scans
https://www.lansweeper.com/kb/18/report-based-on-registry-keys.html
3 REPLIES

12-29-2017 10:36 PM
Following this article: MS Article
Some systems may lose forward or reverse network share capability. Ultimately, unchecking "Client for Microsoft Networks" on the NIC and disabling/re-enabling the NIC (or rebooting) fixes this, and the issue does not return. We implemented a GPO that sets these registry entries and does not re-apply them. This resolves many of the vulnerabilities that the WannaCry patches address. Please note that for CIFS share access where the share source does not support SMB2/3, you will lose connectivity to the share (like outdated Data Domain and CIFS shares hosted from a VNX).

07-07-2017 11:19 AM
Thank you so much!
I created the custom registry scan and after that I created the report below and it works perfectly:
The report will show all assets with SMBv1 still active.
Select Top 1000000 tsysOS.Image As icon,
  tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblAssets.Username,
  tblAssets.Userdomain,
  tblAssets.IPAddress,
  tblAssets.Firstseen,
  tblAssets.Lastseen,
  tblAssets.Lasttried,
  TsysLastscan.Lasttime As LastRegistryScan,
  Case
    When TsysLastscan.Lasttime < GetDate() - 1 Then 'Last registry scan more than 24 hours ago! Scanned registry information may not be up-to-date. Try rescanning this machine.'
  End As Comment,
  Case
    When SubQuery1.Valuename Is Not Null And SubQuery1.Valuename <> '' Then 'Yes'
    Else 'No'
  End As ValuenameFound,
  SubQuery1.Regkey,
  SubQuery1.Valuename,
  SubQuery1.Value,
  SubQuery1.Lastchanged
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
  Inner Join TsysLastscan On tblAssets.AssetID = TsysLastscan.AssetID
  Inner Join TsysWaittime On TsysWaittime.CFGCode = TsysLastscan.CFGcode
  Left Join (Select Top 1000000 tblRegistry.AssetID,
      tblRegistry.Regkey,
      tblRegistry.Valuename,
      tblRegistry.Value,
      tblRegistry.Lastchanged
    From tblRegistry
    Where tblRegistry.Regkey Like '%SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
      And tblRegistry.Valuename = 'SMB1') SubQuery1 On SubQuery1.AssetID = tblAssets.AssetID
Where SubQuery1.Value = 1
  And tblAssetCustom.State = 1
  And TsysWaittime.CFGname = 'registry'
Order By tblAssets.Domain,
  tblAssets.AssetName
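
An added example, not part of any post in this thread: a report variant that lists every active asset not confirmed as hardened, including machines where the SMB1 value was never written (enabled by default, per the values quoted in the accepted solution) and machines where the client driver change made by the deployment (mrxsmb10 start= disabled, stored as Start = 4 under the service's registry key) is missing. It assumes a second custom registry scan collecting the Start value of SYSTEM\CurrentControlSet\Services\mrxsmb10, and that scanned DWORDs are stored as plain decimal text, as the Value = 1 filter in the posted report implies.

```sql
-- Added example: assets NOT confirmed hardened (value missing or not the expected one).
-- Assumption: custom registry scans collect both values below; the mrxsmb10 scan
-- is not mentioned in the thread and has to be created first.
Select Top 1000000 tsysOS.Image As icon,
  tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblAssets.IPAddress,
  tblAssets.Lastseen,
  Srv.Value As ServerSMB1,
  Cli.Value As Mrxsmb10Start,
  Case
    When Srv.AssetID Is Null And Cli.AssetID Is Null
      Then 'No registry data scanned for either value'
    When IsNull(Srv.Value, '') <> '0'
      Then 'SMBv1 server not disabled (SMB1 absent or not 0)'
    Else 'mrxsmb10 driver not disabled (Start absent or not 4)'
  End As Finding
From tblAssets
  -- Same asset and OS joins as the posted report.
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
  -- Server side: LanmanServer\Parameters\SMB1 (0 = disabled).
  Left Join (Select tblRegistry.AssetID, tblRegistry.Value
    From tblRegistry
    Where tblRegistry.Regkey Like
        '%SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
      And tblRegistry.Valuename = 'SMB1') Srv On Srv.AssetID = tblAssets.AssetID
  -- Client side: mrxsmb10 service Start value (4 = disabled).
  Left Join (Select tblRegistry.AssetID, tblRegistry.Value
    From tblRegistry
    Where tblRegistry.Regkey Like
        '%SYSTEM\CurrentControlSet\Services\mrxsmb10'
      And tblRegistry.Valuename = 'Start') Cli On Cli.AssetID = tblAssets.AssetID
Where tblAssetCustom.State = 1
  -- IsNull() turns a missing row or NULL value into a finding instead of hiding it.
  And (IsNull(Srv.Value, '') <> '0' Or IsNull(Cli.Value, '') <> '4')
Order By tblAssets.Domain,
  tblAssets.AssetName
```

An asset drops off this report only once both values have been scanned with the hardened setting, so an empty result means every active asset is confirmed rather than merely not flagged.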

