This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Community FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

SMBv1 From Scan Servers?

ChrisParr1
Engaged Sweeper III

‎05-30-2023 06:36 PM - last edited on ‎06-14-2023 08:01 PM by Community Manager

We've got SMBv1 Auditing enabled on our domain and SMBv1 disabled on everything including the Lansweeper scan servers.

We're seeing event log entries on our DCs from both of our scan servers like the one below. Nothing else is generating these events, just the scan servers. Judging by the timings it looks like it's IP range scanning that is triggering it.

--------------------------

Log Name: Microsoft-Windows-SMBServer/Audit
Source: Microsoft-Windows-SMBServer
Date: 5/30/2023 7:10:10 AM
Event ID: 3000
Task Category: None
Level: Information
Keywords:
User: N/A
Computer: DC01.Domain.Local
Description:
SMB1 access

Client Address: SCANServer01

--------------------------

Is there any way we can prevent scans from triggering this?

0 Kudos
9 REPLIES 9
TomaszHolderny
Engaged Sweeper

2 weeks ago

Did you resolve the issue? We have constant SMB1 logon attempts from scan server blocked on our QNAP system and i don't know how to stop scan servers from using SMB1.

0 Kudos
Mister_Nobody
Honored Sweeper II
In response to TomaszHolderny

2 weeks ago

You can create fw rule on ther LS server to block LS scan remote SMB port of the QNAP system.

0 Kudos
ChrisParr1
Engaged Sweeper III
In response to TomaszHolderny

2 weeks ago

No, I review the logs occasionally, but as the only thing generating those events is the the scan servers I've just started ignoring them, which isn't exactly best practice. 😞

0 Kudos
ChrisParr1
Engaged Sweeper III

‎05-31-2023 11:30 AM

Hi @Mister_Nobody ,

Sorry, I wasn't clear. I'm not picking up the events in Lansweeper, I'm seeing them as part of our general security monitoring processes. 

If possible I want to prevent the scan process from generating SMBv1 connections in the first place. Partly just to reduce the noise in our SIEM system, but also because it makes me nervous that anything is apparently trying to use the very insecure SMBv1 at all.

0 Kudos
Mister_Nobody
Honored Sweeper II
In response to ChrisParr1

‎05-31-2023 11:44 AM

You have to read about Windows Audit Policy to Enable or Disable Security Events Audit

0 Kudos
ChrisParr1
Engaged Sweeper III
In response to Mister_Nobody

‎05-31-2023 12:28 PM

I know how to enable or disable the audit events, that's why I'm getting them in the first place. I want to see events when something tries to make SMBv1 connections so we can monitor for insecure systems, I just want to know if I can stop Lansweeper from doing so.

0 Kudos
Mister_Nobody
Honored Sweeper II
In response to ChrisParr1

‎05-31-2023 12:48 PM - edited ‎05-31-2023 12:51 PM

No, you can not.

https://community.lansweeper.com/t5/scanning-your-network/scanning-with-a-workgroup-scanning-target/...

0 Kudos
ChrisParr1
Engaged Sweeper III
In response to Mister_Nobody

‎05-31-2023 05:29 PM

We're not using a Workgroup scanning target so I don't think that's relevant.

0 Kudos
Mister_Nobody
Honored Sweeper II

‎05-31-2023 07:16 AM

You can exclude such events from scanning

https://community.lansweeper.com/t5/scanning-your-network/excluding-events-from-scanning/ta-p/64348

0 Kudos

New to Lansweeper?

Try Lansweeper For Free

Experience Lansweeper with your own data.
Sign up now for a 14-day free trial.

Try Now