Tag: domain controller

What is SMB1 and What Does It Do?

Server Message Block Version 1 (SMB1) is an older protocol that facilitates file and printer sharing over a network. Widely used in Windows systems, it allows devices on a network to share data with each other.
However, due to security vulnerabilities, more modern and secure alternatives are recommended.

Advantages:

• Compatible with older hardware.
• Simplifies file and printer sharing over a network.

Disadvantages:

• Prone to security issues and more vulnerable to ransomware attacks.
• May have lower performance.

Finding SMB1 Access on Domain Controllers

To locate SMB1 access on Domain Controller (DC) servers, the first step is to ensure that the Audit-SMB1Access feature is enabled. This feature collects SMB1 access control logs, making them available for analysis.
These logs focus on specific periods (e.g., the last 10 days).

 

 

Enabling the Audit Feature
To enable SMB1 access logging on Domain Controller servers, use the following PowerShell command:

# Get Domain Controllers

$DomainControllers = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name

# Checking SMBServerConfiguration AuditSmb1Access

foreach ($DC in $DomainControllers) {

    try {

        # Set-SmbServerConfiguration

        $AuditSmb1Access = Invoke-Command -ComputerName $DC -ScriptBlock {

            Set-SmbServerConfiguration -AuditSmb1Access $true -Force

        }

        Write-Host ("Audit SMB1 Access on {0}: {1}" -f $DC, $true) -ForegroundColor Green

    } catch {

        Write-Host ("Failed to enable Audit SMB1 Access on {0}: {1}" -f $DC, $_.Exception.Message) -ForegroundColor Red

    }

}

To check SMB1 access logging on Domain Controller servers, use the following PowerShell command:

# Get Domain Controller

$DomainControllers = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name

# Checking SMBServerConfiguration AuditSmb1Access

foreach ($DC in $DomainControllers) {

    try {

        # Get-SmbServerConfiguration

        $AuditSmb1Access = Invoke-Command -ComputerName $DC -ScriptBlock {

            Get-SmbServerConfiguration | Select-Object -ExpandProperty AuditSmb1Access

        }

        Write-Host ("Audit SMB1 Access on {0}: {1}" -f $DC, $AuditSmb1Access) -ForegroundColor Green

    } catch {

        Write-Host ("Failed to check Audit SMB1 Access on {0}: {1}" -f $DC, $_.Exception.Message) -ForegroundColor Red

    }

}

Exporting SMB1 Audit Logs

To analyze SMB1 access logs on Domain Controller servers, use PowerShell to deduplicate this data and review activities over the last 10 days.

$DCList = Get-ADDomainController -Filter *

# Calculate the date 10 days ago

$CutOffDate = (Get-Date).AddDays(-10)

foreach ($DC in $DCList) {

    $DCname = $DC.HostName

    Write-Host "Processing domain controller: $DCname"

    Write-Host "---------------------------------------"

    # HashTable to store unique entries (IP as key, latest timestamp as value)

    $UniqueEntries = @{}

    # Retrieve SMB1 audit logs

    $SMB1Audits = Get-WinEvent -LogName Microsoft-Windows-SMBServer/Audit -ComputerName $DCname

    # Process each log message

    $SMB1Audits | Where-Object { $_.TimeCreated -ge $CutOffDate } | ForEach-Object {

        $eventTime = $_.TimeCreated # Get the event timestamp

        $text = $_.Message.ToString().Split([Environment]::NewLine)

        $client = $text | Where-Object {$_ -like "Client*"}

        if ($client) {

            # Extract and clean the IP address

            $clientIP = $client.Trim()

            # Update the hashtable with the latest event time for the IP

            if ($UniqueEntries.ContainsKey($clientIP)) {

                if ($eventTime -gt $UniqueEntries[$clientIP]) {

                    $UniqueEntries[$clientIP] = $eventTime

                }

            } else {

                $UniqueEntries[$clientIP] = $eventTime

            }

        }

    }

    # Write unique entries to the output file

    $OutputPath = "C:\Scripts\SMB1Analysis\$DCname.txt"

    $UniqueEntries.GetEnumerator() | ForEach-Object {

        "$($_.Value) - $($_.Key)"

    } | Set-Content -Path $OutputPath

    Write-Host "Unique client entries (last 10 days) saved to: $OutputPath"

}

Addressing Security Concerns

• Identify Security Vulnerabilities: SMB1 has inherent security vulnerabilities and, as an older protocol, is more susceptible to ransomware attacks and network threats. Analyze SMB1 logs to identify potential security risks and breaches.
• Remediation and Updates: If critical security flaws are found in devices using SMB1, it is essential to update them with security patches. Additionally, consider disabling SMB1 or migrating these devices to a more secure SMB version (SMB2 or SMB3).

Protocol Transition and Reconfiguration

• Transition from SMB1 to SMB2 or SMB3: To close security gaps associated with SMB1 and enhance overall network security, transition all devices from SMB1 to a more modern and secure SMB version (SMB2 or SMB3). This transition can also improve network performance.
• Configuration Changes: Adjust Domain Controller settings to disable SMB1 access. This can be done via PowerShell or Group Policy.

Updating Network Security Policies

• Firewall Rules: SMB1 should only be used on trusted networks, with firewall rules restricting SMB1 access. If necessary, SMB1 should not be accessible to the outside world.
• Monitoring and Auditing: Continuously monitor and audit SMB1 access on all network devices to detect security breaches early. Regularly review audit logs and address any issues promptly.

User Awareness and Training

• Limit SMB1 Usage: Educate users about the security risks associated with SMB1 and discourage its use. Provide guidance and training to migrate users to more secure alternatives like SMB2 or SMB3.
• Documentation: Maintain detailed documentation on changes made and security measures taken. This will serve as a reference in case of similar situations in the future and can be used as a resource for network management.

Periodic Checks and Maintenance

• Regular Checks: SMB1 usage and security audits should be performed regularly. Periodically check SMB1 logs and network security settings to enhance overall network security and quickly identify potential issues.
• Security Updates and Patching: Regularly update devices with security patches to protect against new vulnerabilities. This is particularly critical for older hardware.

These steps summarize the fundamental processes needed to enhance your network’s security and resilience against potential threats.

Have a nice day !