Hout
Engaged Sweeper II
Hi,

I created a deployment with the following commands:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

Now I am looking for a way to create a report that shows me the computers in the network that didn't run the script.

The script deployed should make sure that the workstation service does not depend on SMBv1 because I would like to shut down SMBv1 according to the articles below.


https://community.spiceworks.com/topic/1995592-disabling-smb1-stops-domain-authentication

https://blogs.technet.microsoft.com/staysafe/2017/05/17/disable-smb-v1-in-managed-environments-with-ad-group-policy/
1 ACCEPTED SOLUTION
SouthySuper
Engaged Sweeper III
There is a registry change reflective of the protocol deactivation. I think that is your best bet for verifying your script worked. You could also go old school and have the script append to a log file on your network as each system completed the script. You can use computername and timestamp for your log entries, but that's a matter of trust vs. verify.

I think this should help with the verification part:
MS Article How to enable/disable SMB

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled

Lansweeper Article on custom registry scans
https://www.lansweeper.com/kb/18/report-based-on-registry-keys.html


3 REPLIES 3
SouthySuper
Engaged Sweeper III
Following this article: MS Article

Some systems may lose forward or reverse network share capability. Ultimately, unchecking the "Client for Microsoft Networks" from the NIC and disabling/re-enabling the NIC (or a reboot) fixes this and the issue does not return. We implemented a GPO that sets these registry entries and does not re-apply them. This resolves many of the vulnerabilities that the WannaCry patches address. Please note that for CIFS share access where the share source does not support SMB2/3, you will lose connectivity to the share (like outdated Data Domain and CIFS shares hosted from a VNX).
Hout
Engaged Sweeper II
Thank you so much!

I created the custom registry scan and after that I created the report below and it works perfectly:

The report will show all assets with SMBv1 still active.


Select Top 1000000 tsysOS.Image As icon,
  tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblAssets.Username,
  tblAssets.Userdomain,
  tblAssets.IPAddress,
  tblAssets.Firstseen,
  tblAssets.Lastseen,
  tblAssets.Lasttried,
  TsysLastscan.Lasttime As LastRegistryScan,
  Case
    When TsysLastscan.Lasttime < GetDate() - 1 Then
      'Last registry scan more than 24 hours ago! Scanned registry information may not be up-to-date. Try rescanning this machine.'
  End As Comment,
  Case
    When SubQuery1.Valuename Is Not Null And SubQuery1.Valuename <> '' Then 'Yes'
    Else 'No'
  End As ValuenameFound,
  SubQuery1.Regkey,
  SubQuery1.Valuename,
  SubQuery1.Value,
  SubQuery1.Lastchanged
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
  Inner Join TsysLastscan On tblAssets.AssetID = TsysLastscan.AssetID
  Inner Join TsysWaittime On TsysWaittime.CFGCode = TsysLastscan.CFGcode
  Left Join (Select Top 1000000 tblRegistry.AssetID,
      tblRegistry.Regkey,
      tblRegistry.Valuename,
      tblRegistry.Value,
      tblRegistry.Lastchanged
    From tblRegistry
    Where tblRegistry.Regkey Like
        '%SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' And
      tblRegistry.Valuename = 'SMB1') SubQuery1
    On SubQuery1.AssetID = tblAssets.AssetID
Where SubQuery1.Value = 1 And tblAssetCustom.State = 1 And
  TsysWaittime.CFGname = 'registry'
Order By tblAssets.Domain,
  tblAssets.AssetName
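
An added example, not part of the thread: a per-machine PowerShell check that combines the registry verification and the computername/timestamp log entry suggested in the accepted solution, and also reads the two service keys that the sc.exe commands in the question change. The share path in $LogDir is a placeholder, and writing one file per computer is an assumption made here to avoid many machines appending to the same file.

```powershell
# Added example, not code from the thread. $LogDir is a placeholder share.
param([string]$LogDir = '\\fileserver.example\smb1-audit')

$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-RegValue([string]$Key, [string]$Name) {
    # Returns nothing when the key or the value is missing.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Server side: the SMB1 value named in the accepted solution.
# A missing value means the default applies, which is 1 = Enabled.
$smb1 = Get-RegValue "$svc\LanmanServer\Parameters" 'SMB1'
$serverDisabled = ($null -ne $smb1) -and ($smb1 -eq 0)

# Client side: "sc.exe config mrxsmb10 start= disabled" stores Start = 4.
# If the mrxsmb10 key is absent, the SMBv1 client driver is not installed.
$driverKey = "$svc\mrxsmb10"
$clientDisabled = (-not (Test-Path $driverKey)) -or
                  ((Get-RegValue $driverKey 'Start') -eq 4)

# "sc.exe config lanmanworkstation depend= ..." rewrites DependOnService (REG_MULTI_SZ).
$deps = @(Get-RegValue "$svc\LanmanWorkstation" 'DependOnService')
$dependencyRemoved = $deps -notcontains 'MRxSmb10'   # comparison is case-insensitive

$status = [pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    Timestamp         = (Get-Date).ToString('s')
    SMB1RegistryValue = if ($null -eq $smb1) { 'not set (default: enabled)' } else { $smb1 }
    ServerDisabled    = $serverDisabled
    ClientDisabled    = $clientDisabled
    DependencyRemoved = $dependencyRemoved
    Compliant         = $serverDisabled -and $clientDisabled -and $dependencyRemoved
}

# One file per computer holding the latest result.
$status | Export-Csv -Path (Join-Path $LogDir "$($env:COMPUTERNAME).csv") -NoTypeInformation

# Non-zero exit code lets the deployment tool flag machines that still need the change.
if ($status.Compliant) { exit 0 } else { exit 1 }
```

Because the SMB1 value defaults to enabled when it is absent, the check reports such a machine as not compliant on the server side instead of skipping it.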