Monthly Archives: May 2017

Disabling SMB1 after WannaCry? Make Sure SMB2 is enabled

Published by Rens Hollanders

After recent events in the online world, everybody is in a frenzy patching their servers, disabling SMB1 and removing the feature from Windows 10 and Windows Server 2012 R2 (although it should have been done way, way before). So was I. This week's priority at the customer I'm working for is entirely dedicated to patching servers (those that weren't patched prior to WannaCry, which was a small percentage nevertheless) and disabling and removing the SMB1 feature on all machines.

A lot has been written about WannaCry and how to deal with it. The two most helpful articles come from big MS itself: How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server and WannaCrypt attacks: guidance for Azure customers.

After patching and removing the feature (directly, instead of just disabling it first) on a Windows Server 2012 R2 machine, I discovered I couldn't browse to the server any longer. Each time I did a "\\sctxps-01\d$" (which is a Citrix Provisioning Services server) I got a message that the server couldn't be reached:

After hitting some key phrases on Google and finding Microsoft's recommendations, it struck me. The Set command "Set-SmbServerConfiguration -EnableSMB1Protocol $false", which configures SMB1 to be turned off, can also be partially used as a Get command to see its current state. And look what we found:

It appeared the SMB1 protocol was still turned on; however, because the feature had been removed from the server entirely, the machine wasn't reachable any longer through UNC, IP or even localhost. After running "Set-SmbServerConfiguration -EnableSMB2Protocol $true" the server could be reached again.

It appeared someone had configured SMB1 before and turned off SMB2. Now that the feature had been removed, the server's SMB shares couldn't be reached over the network any longer.

So please check your SMB status with Get-SMBServerConfiguration before doing something drastic like removing SMB features. Of course, in an ideal world this would all be planned, with risk and impact analysis etc. But in an ideal world there wouldn't be any cryptolockers either.
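A pre-flight check that turns that advice into a script, added here as an example and not taken from the original post: it reads Get-SmbServerConfiguration, reports the SMB1 feature state, warns (and optionally repairs) when SMB2 is off, and lists clients still on an SMB1 dialect. The feature names FS-SMB1 (Server) and SMB1Protocol (Windows 10) are the built-in ones; the function name and the -EnableSmb2IfDisabled switch are this script's own.

```powershell
# Added example: pre-flight check before disabling or removing SMB1 on a Windows machine.
# Requires the SmbShare module (Windows 8 / Server 2012 and later); run from an elevated prompt.
function Test-SmbPreflight {
    [CmdletBinding()]
    param(
        # Switch of this script only: turn SMB2 back on if it is found disabled
        [switch]$EnableSmb2IfDisabled
    )

    $cfg = Get-SmbServerConfiguration

    # The feature is named differently on Server (FS-SMB1) and client (SMB1Protocol) SKUs
    $featureState = 'unknown'
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $f = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue
        if ($f) { $featureState = if ($f.Installed) { 'installed' } else { 'removed' } }
    } elseif (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($f) { $featureState = $f.State.ToString().ToLower() }
    }

    $report = [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        SMB1Enabled      = $cfg.EnableSMB1Protocol
        SMB2Enabled      = $cfg.EnableSMB2Protocol
        SMB1Feature      = $featureState
        SafeToRemoveSMB1 = [bool]$cfg.EnableSMB2Protocol
    }

    if (-not $cfg.EnableSMB2Protocol) {
        Write-Warning "SMB2 is disabled on $($env:COMPUTERNAME): removing SMB1 now would make every share unreachable."
        if ($EnableSmb2IfDisabled) {
            Set-SmbServerConfiguration -EnableSMB2Protocol $true -Force
            $report.SMB2Enabled      = $true
            $report.SafeToRemoveSMB1 = $true
        }
    }

    # Sessions still negotiating an SMB1 dialect belong to clients that will break once SMB1 goes away
    $legacy = Get-SmbSession -ErrorAction SilentlyContinue |
        Where-Object { $_.Dialect -and ([version]$_.Dialect) -lt [version]'2.0' }
    if ($legacy) {
        Write-Warning "Active SMB1 sessions from: $(($legacy.ClientComputerName | Sort-Object -Unique) -join ', ')"
    }

    return $report
}

# Usage: Test-SmbPreflight            (report only)
#        Test-SmbPreflight -EnableSmb2IfDisabled   (also switch SMB2 back on)
```

Only remove the SMB1 feature on a machine where SafeToRemoveSMB1 comes back True and no legacy sessions are listed.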

Cheers! Rens