Securing SMB (Read Note in Description) [Windows Server 2019]

  • Published 1 Nov 2024

COMMENTS • 26

  • @sassankarai550
    @sassankarai550 3 years ago +1

    Good. Touchpoints for SMB v1 are often old fileshare servers in use running Windows Server 2003, which in turn requires new Windows 10 clients to have SMB 1.0 enabled again.

  • @Jeeeee-in6hi
    @Jeeeee-in6hi 2 years ago +2

    I was stuck on SMB Null popping up for my homework. Your video literally explained so much of what I am doing right now with setting up group policies on my network and in an understatement you helped me so much by explaining this.
    Thank you.

    • @OsbornePro
      @OsbornePro 2 years ago

      Right on thanks for watching!

  • @RichardGailey
    @RichardGailey 1 year ago

    This was a fantastically explained video and very much what I am currently working on.
    Thank you for this and definitely subscribing for more of the same

    • @OsbornePro
      @OsbornePro 1 year ago

      Thanks for watching! Appreciate the support. I will have more coming out soon and plan to get back into this again

  • @sassankarai550
    @sassankarai550 3 years ago +1

    btw I like what you have done with the curtain back there :)

  • @websupport-b1s
    @websupport-b1s 16 days ago +1

    Very insightful! I'm stuck right now with trying to access a network share from Server 2019 to a Chromebook. Do you have any suggestions or resources on this?

    • @OsbornePro
      @OsbornePro 15 days ago

      @websupport-b1s thanks for watching! I don't have any experience with Chromebooks honestly. I think they are designed to be website based only, so I am not sure how they handle file server communication.

  • @stevendcole
    @stevendcole 1 year ago +1

    Nice job. Question: do you have a PowerShell script to enable SMB signing and disable LLMNR and NBT-NS? That would be awesome.

    • @OsbornePro
      @OsbornePro 1 year ago

      Thanks for watching! I have that in a script I put together for hardening Windows 10. I pasted those parts below for you.
      Write-Output '[*] Disabling SMB version 1'
      Set-SmbServerConfiguration -EnableSMB1Protocol $False -Force
      Write-Output '[*] Enabling SMBv2 and SMBv3'
      Set-SmbServerConfiguration -EnableSMB2Protocol $True -Force
      Write-Output '[*] Enabling SMB Signing'
      # The signing settings are DWORD values under these keys, so they are written with New-ItemProperty (New-Item would create a subkey of that name instead); registry paths must use the HKLM: drive
      New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkStation\Parameters" -Name RequireSecuritySignature -PropertyType DWORD -Value 1 -Force -ErrorAction SilentlyContinue | Out-Null
      New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkStation\Parameters" -Name EnableSecuritySignature -PropertyType DWORD -Value 1 -Force -ErrorAction SilentlyContinue | Out-Null
      New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name RequireSecuritySignature -PropertyType DWORD -Value 1 -Force -ErrorAction SilentlyContinue | Out-Null
      New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name EnableSecuritySignature -PropertyType DWORD -Value 1 -Force -ErrorAction SilentlyContinue | Out-Null
      Write-Output "[*] Disabling SMBv3 Compression"
      # Set-ItemProperty takes -Type (not -ItemType) for the registry value kind
      Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name DisableCompression -Value 1 -Type DWORD -Force
      # DNS
      Write-Output "[*] Enabling DNS over HTTPS for all Windows applications"
      New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" -Name EnableAutoDOH -PropertyType DWORD -Value 2 -Force
      Write-Output "[*] Disable the use of the LMHOSTS File"
      Invoke-CimMethod -Namespace root/CIMV2 -ClassName Win32_NetworkAdapterConfiguration -MethodName EnableWINS -Arguments @{ DNSEnabledForWINSResolution = $False; WINSEnableLMHostsLookup = $False }
      Write-Output "[*] Disabling the use of NetBIOS"
      $CIMInstance = Get-CimInstance -Namespace "root/CIMV2" -ClassName "Win32_NetworkAdapterConfiguration"
      $CIMInstance | Invoke-CimMethod -MethodName SetTcpipNetbios -Arguments @{TcpipNetbiosOptions=2} | Out-Null
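
As an added verification step (not part of the video or of OsbornePro's script above), the read-only audit below reports whether each SMB setting that script changes is actually in effect on the host. It assumes Windows 10 or Server 2019 with the SmbShare and DISM modules present and an elevated session.

```powershell
# Added audit check, not from the script above: reads the live SMB configuration and the
# registry values the hardening script writes, and prints PASS/FAIL per setting.
function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the value does not exist, i.e. the Windows default still applies
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-SmbHardening {
    $srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $wksKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration

    # Each row: what is checked, the observed value, and the hardened value expected
    $checks = @(
        [pscustomobject]@{ Check = 'SMB1 server protocol disabled';  Value = -not $srv.EnableSMB1Protocol; Expected = $true }
        [pscustomobject]@{ Check = 'SMB2/3 server protocol enabled'; Value = $srv.EnableSMB2Protocol;      Expected = $true }
        [pscustomobject]@{ Check = 'Server requires SMB signing';    Value = $srv.RequireSecuritySignature; Expected = $true }
        [pscustomobject]@{ Check = 'Client requires SMB signing';    Value = $cli.RequireSecuritySignature; Expected = $true }
        [pscustomobject]@{ Check = 'LanmanServer RequireSecuritySignature = 1 (registry)'
                           Value = (Get-RegDword $srvKey 'RequireSecuritySignature') -eq 1; Expected = $true }
        [pscustomobject]@{ Check = 'LanmanWorkstation RequireSecuritySignature = 1 (registry)'
                           Value = (Get-RegDword $wksKey 'RequireSecuritySignature') -eq 1; Expected = $true }
        [pscustomobject]@{ Check = 'SMBv3 compression disabled (DisableCompression = 1)'
                           Value = (Get-RegDword $srvKey 'DisableCompression') -eq 1; Expected = $true }
        [pscustomobject]@{ Check = 'SMB1Protocol optional feature not enabled'
                           Value = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State -ne 'Enabled'
                           Expected = $true }
    )
    # NetBIOS over TCP/IP: TcpipNetbiosOptions 2 = disabled, checked per IP-enabled adapter
    $adapters = Get-CimInstance -Namespace root/CIMV2 -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($a in $adapters) {
        $checks += [pscustomobject]@{ Check = "NetBIOS disabled on $($a.Description)"
                                      Value = ($a.TcpipNetbiosOptions -eq 2); Expected = $true }
    }
    foreach ($c in $checks) {
        $status = if ($c.Value -eq $c.Expected) { 'PASS' } else { 'FAIL' }
        [pscustomobject]@{ Status = $status; Check = $c.Check; Value = $c.Value }
    }
}

Test-SmbHardening | Format-Table -AutoSize
```

A FAIL on a registry row next to a PASS on the matching Get-Smb*Configuration row means the setting is applied by policy or by the cmdlet rather than by the value the script writes, which is worth knowing before relying on the script alone.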

  • @patrickhein2172
    @patrickhein2172 8 months ago +1

    Thank you for your great work

    • @OsbornePro
      @OsbornePro 5 months ago

      Thanks for watching! Glad it was helpful for ya!

  • @noname54
    @noname54 9 months ago +1

    You have a mistake in your notes: "New-Item -Path "HKLM:\System\CurrentControlSet\Services\LanmanServer\Paraeters" -Force -ErrorAction SilentlyContinue | Out-Null". "Paraeters" is missing an "m".

    • @OsbornePro
      @OsbornePro 5 months ago

      Thanks for watching, and thanks for pointing that out, much appreciated!

  • @wiwlarue4097
    @wiwlarue4097 1 year ago

    I've been reading an article on what settings should be enabled in the GPO security options, and it says signing doesn't happen when both the server and the client don't require it. Thus, according to the article, the server policy "Digitally sign communications (if client agrees)" should not be enabled, for the reason that a remote client could exploit this when it is set to enabled by not agreeing to sign, because if both only have "if client agrees" and neither requires it, then signing does not happen. Is this correct? Am I missing something?

    • @OsbornePro
      @OsbornePro 1 year ago

      Thanks for watching! Sounds right. They can either require signing or allow signing when possible. If the server (or device with SMB open) requires signing for the connection, you won't be able to connect via SMB without signing. When "(if client agrees)" is set on the server, a client that is not capable of signing (doesn't present a signing algorithm) will be able to connect without signing.

  • @markschumacher3157
    @markschumacher3157 3 years ago +1

    I'm getting relentlessly attacked and remoted into. I've tried so many different things, probably watched about 1000 videos. Replaced my router, wiped Windows on every machine 30-40 times. Changed the group policies, registry, security settings, and lastly I've run your script.
    Do you do one on one consulting ? I would love a second set of eyes on this.

    • @OsbornePro
      @OsbornePro 3 years ago

      Thanks for watching! If you changed your group policy settings it sounds like you have a Windows 10 Pro or Windows 10 Enterprise license. I prefer either of those to Home because they offer Group Policy which allows you to add more protections to your device.
      RDP ACCESS: To give you some info on remotely accessing a device, only one person is able to be logged into your device without special licensing. If someone were to use RDP to remote into your device while you were logged in, you would receive a message asking you if you want to end your session to allow that access. That would require the attacker to be inside your home network and to know your password. The other, less likely option would be that you have port forwarding set up on your router to allow RDP traffic on port 3389 to be forwarded to your computer. RDP should never be open or available on the internet.
      REMOTE ASSISTANCE: The other way an attacker can remote into your device is through Remote Assistance. I cover how to disable that in my Securing RDP video and it is also an option in the Securing Windows 10 script you ran. This only disabled Windows Remote Assistance. There are remote access applications such as Splashtop or AnyDesk. If you have wiped and reinstalled Windows this type of software would have been removed.
      CHROME REMOTE DESKTOP: If the Chrome Remote Desktop add on was installed in your browser I would suggest removing it. If you have a Google account that you sign into Chrome with, this add on would install again whether you wiped your computer or not. Visit chrome.google.com/webstore/detail/chrome-remote-desktop/inomeogfingihgjfjlpeplalcfajhgai to see if you can "Remove Add On". If you see a blue button that says "Add to Chrome" it means the add on is not installed and this is not your issue.
      ROUTER: Your router is available to the internet and likely has no ports open on it. For someone to get past your router and into your home network they would need to know your WiFi password. Attackers can use antennas that extend the wireless networks they can connect to by miles. If they know your wireless password they can connect to your home network and reach any devices inside your home. They would need to know your username and password to access your Windows device remotely using RDP. My assumption is that you do not have WinRM enabled on your device since it is, I presume, a home computer and not a domain-joined one. WinRM allows commands to be remotely executed on your computer. Tools like PsExec utilize SMB to execute remote commands on your computer. If you think this is a possibility I would suggest changing your wireless password. A reasonably strong password is 12-16 characters with lowercase and uppercase letters, with at least 2 numbers and 2 special characters.
      You can check your password strength at bitwarden.com/password-strength/
      ONLINE ACCOUNTS pose the most risk. Some internet providers (if memory serves me right, Comcast) allow way too much of your home's private network to be available from their website. Being able to log into their site allows access to your WiFi password and all kinds of cyber security nightmares, and you have no choice in the matter. If your password to log in to your Comcast account is weak it is very possible an attacker would use that to get in. I would suggest using a password manager such as LastPass or Bitwarden to use strong random passwords for all your accounts and use MFA wherever possible. Bitwarden allows you to enter the MFA QR code so you can copy the 6 digit MFA code directly from Bitwarden instead of pulling out your phone every time. bitwarden.com/help/article/authenticator-keys/
      On your home computer you can safely disable SMB (Port 445), RDP (Port 3389), SSDP (Port 1900), and WinRM (Port 5985, 5986) in the Windows Firewall. The below PowerShell commands can be run in an administrative session to disable these services.
      # Disabling Remote Assistance
      New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance" -ErrorAction SilentlyContinue | Out-Null
      Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance" -Name "fAllowToGetHelp" -Value 0
      # Disabling RDP
      Disable-NetFirewallRule -DisplayGroup "Remote Desktop"
      # Disable SMB (-Force skips the confirmation prompt so the commands run unattended)
      Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
      Set-SmbServerConfiguration -EnableSMB1Protocol $False -Force
      Set-SmbServerConfiguration -EnableSMB2Protocol $False -Force
      # Disable WinRM
      Disable-PSRemoting -Force
      Stop-Service -Name WinRM
      Set-Service -Name "WinRM" -StartupType Disabled
      # Disable SSDP
      Stop-Service -Name "SSDPSRV" -Force -ErrorAction SilentlyContinue
      Set-Service -Name "SSDPSRV" -StartupType Disabled
      Disable-NetFirewallRule -DisplayGroup "Network Discovery"
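
As an added check (not part of OsbornePro's reply), the read-only script below confirms, after the commands above have been run, that nothing still listens on the ports they are meant to close, that the matching inbound firewall rule groups are disabled, and that the WinRM and SSDP services are stopped and disabled. It assumes Windows 10 with the NetTCPIP and NetSecurity modules and an elevated session.

```powershell
# Added verification, not from the reply above: each row's Exposed = $false is the hardened state.
function Test-RemoteAccessSurface {
    # Port -> service, as listed in the reply above
    $ports = [ordered]@{ 445 = 'SMB'; 3389 = 'RDP'; 1900 = 'SSDP'; 5985 = 'WinRM HTTP'; 5986 = 'WinRM HTTPS' }
    foreach ($p in $ports.Keys) {
        $tcp = @(Get-NetTCPConnection -LocalPort $p -State Listen -ErrorAction SilentlyContinue)
        $udp = @(Get-NetUDPEndpoint -LocalPort $p -ErrorAction SilentlyContinue)
        # Name the processes that own any remaining listener so the reader knows what to stop
        $owners = $tcp + $udp | ForEach-Object OwningProcess | Sort-Object -Unique |
            ForEach-Object { (Get-Process -Id $_ -ErrorAction SilentlyContinue).ProcessName }
        [pscustomobject]@{
            Item    = "port $p ($($ports[$p]))"
            Exposed = ($tcp.Count + $udp.Count) -gt 0
            Detail  = ($owners -join ', ')
        }
    }
    # Inbound rule groups the reply disables, plus the groups that open the same ports
    foreach ($grp in 'Remote Desktop', 'Network Discovery', 'Windows Remote Management', 'File and Printer Sharing') {
        $on = @(Get-NetFirewallRule -DisplayGroup $grp -Direction Inbound -ErrorAction SilentlyContinue |
                Where-Object { $_.Enabled -eq 'True' })
        [pscustomobject]@{ Item = "firewall group '$grp'"; Exposed = ($on.Count -gt 0); Detail = "$($on.Count) inbound rule(s) enabled" }
    }
    # Services the reply stops and disables
    foreach ($svc in Get-Service -Name WinRM, SSDPSRV -ErrorAction SilentlyContinue) {
        [pscustomobject]@{
            Item    = "service $($svc.Name)"
            Exposed = ($svc.Status -eq 'Running') -or ($svc.StartType -ne 'Disabled')
            Detail  = "$($svc.Status), start type $($svc.StartType)"
        }
    }
}

Test-RemoteAccessSurface | Format-Table -AutoSize
```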

    • @markschumacher3157
      @markschumacher3157 3 years ago +1

      @OsbornePro Thank you for the checklist, I'll use that to set up Windows.
      One more concern I have: the flash drives I have been using to boot to Windows. The thumb drives all have missing storage capacity. Of the original 8GB only 7.2 GB is now usable. I'm unable to flash or format or use diskpart to regain the missing space.
      Is it possible the drive is loading compromised Windows system files during the install? Is there a way I can check for this?
      - One thing I want to mention is that, during a fresh install with the drives wiped, I can enter a recovery mode where I can browse the files in System32. Some of the modified dates on these files are 2019.

    • @OsbornePro
      @OsbornePro 3 years ago

      @markschumacher3157 No problem. To a USB flash drive manufacturer,
      1KB = 1000 bytes
      1MB = 1000KB
      1GB = 1000MB
      The 8GB USB Flash drive contains 8 * 1000 * 1000 * 1000 = 8,000,000,000 bytes of space. This USB drive is hence labelled as an 8GB USB drive.
      The 8GB USB drive you purchased is treated by the RAM manufacturers as
      8,000,000,000 / (1024*1024*1024) = ~ 7.45 GB
      It is also possible there is a system recovery image; however, if that were the case you would be able to delete it with diskpart to free up all the space on the USB drive. You would be able to see that space is used on the drive and delete or format it.

    • @Red-Viper-Red
      @Red-Viper-Red 2 years ago

      @markschumacher3157 Sounds like you might have a boot-sector virus.

  • @mootologist
    @mootologist 3 years ago +1

    Good one. Thanks!

  • @Gabriell1302
    @Gabriell1302 3 years ago +1

    Great video. Thanks.