Good. Touchpoints for SMB v1 are often old file share servers still in use running Windows Server 2003, which in turn requires new Windows 10 clients to have SMB 1.0 re-enabled.
I was stuck on SMB Null popping up for my homework. Your video literally explained so much of what I am doing right now with setting up group policies on my network and in an understatement you helped me so much by explaining this.
Thank you.
Right on thanks for watching!
This was a fantastically explained video and very much what I am currently working on.
Thank you for this and definitely subscribing for more of the same
Thanks for watching! Appreciate the support. I will have more coming out soon and plan to get back into this again
btw I like what you have done with the curtain back there :)
lol thanks
Very insightful! I'm stuck right now with trying to access a network share from Server 2019 to a Chromebook. Do you have any suggestions or resources on this?
@@websupport-b1s thanks for watching! I don’t have any experience with Chromebooks honestly. I think they are designed to be website based only so I am not sure how they handle file server communication
Nice job. Question: do you have a PowerShell script to enable SMB signing and disable LLMNR and NBT-NS? That would be awesome.
Thanks for watching! I have that in a script I put together for hardening Windows 10. I pasted those parts below for you.
Write-Output '[*] Disabling SMB version 1'
Set-SmbServerConfiguration -EnableSMB1Protocol $False -Force
Write-Output '[*] Enabling SMBv2 and SMBv3'
Set-SmbServerConfiguration -EnableSMB2Protocol $True -Force
Write-Output '[*] Enabling SMB Signing'
# New-ItemProperty creates or overwrites a registry value; New-Item -Name would create a subkey instead, and the paths need the HKLM: provider prefix
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -Name RequireSecuritySignature -Value 1 -PropertyType DWORD -Force -ErrorAction SilentlyContinue | Out-Null
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -Name EnableSecuritySignature -Value 1 -PropertyType DWORD -Force -ErrorAction SilentlyContinue | Out-Null
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name RequireSecuritySignature -Value 1 -PropertyType DWORD -Force -ErrorAction SilentlyContinue | Out-Null
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name EnableSecuritySignature -Value 1 -PropertyType DWORD -Force -ErrorAction SilentlyContinue | Out-Null
Write-Output "[*] Disabling SMBv3 Compression"
# Set-ItemProperty has no -ItemType parameter; New-ItemProperty -PropertyType (or Set-ItemProperty -Type) sets the DWORD
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name DisableCompression -Value 1 -PropertyType DWORD -Force | Out-Null
# DNS
Write-Output "[*] Enabling DNS over HTTPS for all Windows applications"
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" -Name EnableAutoDOH -PropertyType DWORD -Value 2 -Force | Out-Null
Write-Output "[*] Disable the use of the LMHOSTS File"
# EnableWINS is a static method of the class, so it is invoked on the class rather than on an adapter instance
Invoke-CimMethod -Namespace root/CIMV2 -ClassName Win32_NetworkAdapterConfiguration -MethodName EnableWINS -Arguments @{ DNSEnabledForWINSResolution = $False; WINSEnableLMHostsLookup = $False } | Out-Null
Write-Output "[*] Disabling the use of NetBIOS"
# TcpipNetbiosOptions 2 = NetBIOS over TCP/IP disabled; only IP-enabled adapters carry the setting
$CIMInstance = Get-CimInstance -Namespace "root/CIMV2" -ClassName "Win32_NetworkAdapterConfiguration" -Filter "IPEnabled = True"
$CIMInstance | Invoke-CimMethod -MethodName SetTcpipNetbios -Arguments @{TcpipNetbiosOptions=2} | Out-Null
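An added verification script (not part of the reply above or the author's hardening script): it reads back every setting the snippet changes so you can confirm it applied and spot a Group Policy overriding it. It also reports the LLMNR policy value (EnableMulticastNames under the DNSClient policy key, 0 = LLMNR off), which the question asked about but the snippet does not set, and lists any sockets open on the LLMNR and NetBIOS name-service ports. The "expect" values in the labels are what the snippet sets; Get-RegDword is a small helper written here, not a built-in cmdlet.

```powershell
# Added audit (not from the original script): read back the SMB, DNS and NetBIOS settings it changes.
$ServerParams = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
$DnsParams    = "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters"
$LlmnrPolicy  = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient"   # GPO key; absent unless set by policy

function Get-RegDword {
    # Helper defined here: returns the value, or $null when the key or value does not exist
    param([string]$Path, [string]$Name)
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$Srv = Get-SmbServerConfiguration
$Cli = Get-SmbClientConfiguration

$Findings = [ordered]@{
    'SMB1 server enabled (expect False)'          = $Srv.EnableSMB1Protocol
    'SMB2/3 server enabled (expect True)'         = $Srv.EnableSMB2Protocol
    'Server requires signing (expect True)'       = $Srv.RequireSecuritySignature
    'Client requires signing (expect True)'       = $Cli.RequireSecuritySignature
    'SMBv3 compression DisableCompression (1)'    = Get-RegDword $ServerParams 'DisableCompression'
    'DoH auto mode EnableAutoDOH (expect 2)'      = Get-RegDword $DnsParams 'EnableAutoDOH'
    'LLMNR policy EnableMulticastNames (0=off)'   = Get-RegDword $LlmnrPolicy 'EnableMulticastNames'
}
$Findings.GetEnumerator() | ForEach-Object { '{0,-45} : {1}' -f $_.Key, $_.Value }

# NetBIOS over TCP/IP per adapter: TcpipNetbiosOptions 2 = disabled, 1 = enabled, 0 = decided by DHCP
Get-CimInstance -Namespace root/CIMV2 -ClassName Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" |
    Select-Object Description, TcpipNetbiosOptions, WINSEnableLMHostsLookup

# Sockets still open on the NetBIOS name service (UDP 137) and LLMNR (UDP 5355) ports; empty output is the goal
Get-NetUDPEndpoint | Where-Object { $_.LocalPort -in 137, 5355 } |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

A $null in the LLMNR row simply means no policy is set, which on a default install means LLMNR is still on. Run it once before and once after the hardening snippet to get a before/after diff.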
Thank you for your great work
Thanks for watching! Glad it was helpful for ya!
you have a mistake in your notes "New-Item -Path "HKLM:\System\CurrentControlSet\Services\LanmanServer\Paraeters" -Force -ErrorAction SilentlyContinue | Out-Null" Paraeters is missing a "m"
Thanks for watching and thanks for pointing that out much appreciated!
I've been reading an article on what settings should be enabled in the GPO security options, and it says signing doesn't happen when both the server and the client don't require it. Thus, according to the article, the server policy "Digitally sign communications (if client agrees)" should not be enabled, for the reason that a remote client could exploit this when set to enabled by not agreeing to sign, because if both only have "if client agrees" and neither requires it, then signing does not happen. Is this correct? Am I missing something?
Thanks for watching! Sounds right. They can either require signing or allow signing when possible. If the server (or device with SMB open) requires signing for the connection, you won't be able to connect via SMB without signing. When "(if client agrees)" is set on the server, the client, if not capable of signing (doesn't present a signing algorithm), will be able to connect without signing.
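An added example (not from the video or either comment above) that models the outcome the article describes and then checks it against this machine. Test-SmbSigningOutcome is a function written here for illustration; it encodes Microsoft's documented rule that SMB2/3 always supports signing, so EnableSecuritySignature is ignored and a session is signed only when at least one side requires it, plus the older SMB1 rule where "enabled on both sides" also yields a signed session. The Signed and Encrypted columns on Get-SmbConnection are assumed to be present, as they are on current Windows 10/11 and Server 2016+ builds.

```powershell
# Added example: predict whether an SMB session ends up signed from the four policy knobs.
function Test-SmbSigningOutcome {
    param(
        [bool]$ServerRequire, [bool]$ServerEnable,
        [bool]$ClientRequire, [bool]$ClientEnable,
        [ValidateSet('SMB1', 'SMB2')] [string]$Dialect = 'SMB2'
    )
    if ($Dialect -eq 'SMB2') {
        # SMB2/3: signing support is always negotiated, so Enable* has no effect.
        # The session is signed only if the server or the client requires it.
        return ($ServerRequire -or $ClientRequire)
    }
    # SMB1: a side that requires signing refuses a peer that cannot sign at all;
    # otherwise signing happens only when both sides have it enabled.
    if ($ServerRequire -and -not ($ClientEnable -or $ClientRequire)) { throw 'SMB1: server requires signing, client cannot sign' }
    if ($ClientRequire -and -not ($ServerEnable -or $ServerRequire)) { throw 'SMB1: client requires signing, server cannot sign' }
    return ($ServerRequire -or $ClientRequire -or ($ServerEnable -and $ClientEnable))
}

# The article's scenario: server set to "if client agrees" only, client does not agree -> unsigned
Test-SmbSigningOutcome -ServerRequire $false -ServerEnable $true -ClientRequire $false -ClientEnable $false   # False
# Requiring it on the server closes the gap no matter what the client offers
Test-SmbSigningOutcome -ServerRequire $true  -ServerEnable $true -ClientRequire $false -ClientEnable $false   # True
# SMB1 with "enabled" on both sides is signed even though neither requires it
Test-SmbSigningOutcome -ServerRequire $false -ServerEnable $true -ClientRequire $false -ClientEnable $true -Dialect SMB1   # True

# This host's effective settings; these cmdlets are the supported equivalent of the registry
# values in the hardening script (Set-SmbServerConfiguration / Set-SmbClientConfiguration -RequireSecuritySignature $true)
Get-SmbServerConfiguration | Select-Object EnableSecuritySignature, RequireSecuritySignature
Get-SmbClientConfiguration | Select-Object EnableSecuritySignature, RequireSecuritySignature

# What actually got negotiated on this host's outgoing connections (Signed/Encrypted assumed available)
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect, Signed, Encrypted
```

The practical takeaway the function makes visible: on SMB2/3 the "(if client agrees)" server setting decides nothing, so the only setting that prevents an unsigned session from a relaying client is "Digitally sign communications (always)", i.e. RequireSecuritySignature on the server.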
I'm getting relentlessly attacked and remoted into. I've tried so many different things, probably watched about 1000 videos. Replaced my router, wiped Windows on every machine 30-40 times. Changed the Group Policies, registry, security settings, and lastly I've run your script.
Do you do one on one consulting ? I would love a second set of eyes on this.
Thanks for watching! If you changed your group policy settings it sounds like you have a Windows 10 Pro or Windows 10 Enterprise license. I prefer either of those to Home because they offer Group Policy which allows you to add more protections to your device.
RDP ACCESS: To give you some info on remotely accessing a device, only one person is able to be logged into your device without special licensing. If someone were to use RDP to remote into your device while you were logged in, you would receive a message asking you if you want to end your session to allow that access. That would require the attacker to be inside your home network and to know your password. The other, less likely option would be that you have port forwarding set up on your router to allow RDP traffic on port 3389 to be forwarded to your computer. RDP should never be open or available on the internet.
REMOTE ASSISTANCE: The other way an attacker can remote into your device is through Remote Assistance. I cover how to disable that in my Securing RDP video and it is also an option in the Securing Windows 10 script you ran. This only disables Windows Remote Assistance. There are remote access applications such as Splashtop or AnyDesk. If you have wiped and reinstalled Windows, this type of software would have been removed.
CHROME REMOTE DESKTOP: If the Chrome Remote Desktop add-on was installed in your browser I would suggest removing it. If you have a Google account that you sign into Chrome with, this add-on would install again whether you wiped your computer or not. Visit chrome.google.com/webstore/detail/chrome-remote-desktop/inomeogfingihgjfjlpeplalcfajhgai to see if you can "Remove Add On". If you see a blue button that says "Add to Chrome" it means the add-on is not installed and this is not your issue.
ROUTER: Your router is available to the internet and likely has no ports open on it. For someone to get past your router and into your home network they would need to know your WiFi password. Attackers can use antennas that extend the wireless networks they can connect to by miles. If they know your wireless password they can connect to your home network and reach any devices inside your home. They would need to know your username and password to access your Windows device remotely using RDP. My assumption is that you do not have WinRM enabled on your device since it is, I presume, a home computer and not a domain-joined one. WinRM allows commands to be remotely executed on your computer. Tools like PsExec utilize SMB to execute remote commands on your computer. If you think this is a possibility I would suggest changing your wireless password. A reasonably strong password is 12-16 characters with lowercase and uppercase letters, with at least 2 numbers and 2 special characters.
You can check your password strength at bitwarden.com/password-strength/
ONLINE ACCOUNTS pose the most risk. Some internet providers (if memory serves me right, Comcast) allow way too much of your home's private network to be available from their website. Being able to log into their site allows access to your WiFi password and all kinds of cyber security nightmares, and you have no choice in the matter. If your password to log in to your Comcast account is weak it is very possible an attacker would use that to get in. I would suggest using a password manager such as LastPass or Bitwarden to use strong random passwords for all your accounts and use MFA wherever possible. Bitwarden allows you to enter the MFA QR code so you can copy the 6 digit MFA code directly from Bitwarden instead of pulling out your phone every time. bitwarden.com/help/article/authenticator-keys/
On your home computer you can safely disable SMB (Port 445), RDP (Port 3389), SSDP (Port 1900), and WinRM (Port 5985, 5986) in the Windows Firewall. The below PowerShell commands can be run in an administrative session to disable these services.
# Disabling Remote Assistance (fAllowToGetHelp 0 = nobody can connect via Remote Assistance)
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance" -ErrorAction SilentlyContinue | Out-Null
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance" -Name "fAllowToGetHelp" -Value 0 -Type DWORD
# Disabling RDP (turns off every firewall rule in the Remote Desktop group, inbound 3389 included)
Disable-NetFirewallRule -DisplayGroup "Remote Desktop"
# Disable SMB: remove the SMB1 feature, then turn off both the SMB1 and SMB2/3 server; -Force skips the confirmation prompt
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
Set-SmbServerConfiguration -EnableSMB1Protocol $False -Force
Set-SmbServerConfiguration -EnableSMB2Protocol $False -Force
# Disable WinRM (Disable-PSRemoting removes the listeners and session configurations; the service is then stopped and disabled)
Disable-PSRemoting -Force
Stop-Service -Name WinRM -Force
Set-Service -Name "WinRM" -StartupType Disabled
# Disable SSDP (UDP 1900) and the Network Discovery firewall rules that allow it in
Stop-Service -Name "SSDPSRV" -Force -ErrorAction SilentlyContinue
Set-Service -Name "SSDPSRV" -StartupType Disabled
Disable-NetFirewallRule -DisplayName "Network Discovery*"
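An added follow-up check (not part of the reply above or the Securing Windows 10 script) for confirming the commands took effect: it lists anything still listening on the ports the reply names (SMB 445, RDP 3389, WinRM 5985/5986, SSDP 1900), the state of the services behind them, any firewall rules still enabled in the Remote Desktop and Network Discovery groups, the Remote Assistance flag, and the fDenyTSConnections value that is the Remote Desktop on/off switch itself. The last section lists installed services whose display name contains "Remote", "AnyDesk", "Splashtop" or "chromoting" as a rough way of spotting a remote-access tool; the service names of those products are not verified here, so treat a hit as something to look at, not proof.

```powershell
# Added exposure audit (not from the original reply): is anything still reachable after the commands above?
$Ports = @{ 445 = 'SMB'; 3389 = 'RDP'; 5985 = 'WinRM HTTP'; 5986 = 'WinRM HTTPS' }

"== TCP listeners on SMB/RDP/WinRM ports (empty output is the goal) =="
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $Ports.ContainsKey([int]$_.LocalPort) } |
    ForEach-Object {
        $Proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        '{0,-12} {1}:{2}  pid {3} ({4})' -f $Ports[[int]$_.LocalPort], $_.LocalAddress, $_.LocalPort, $_.OwningProcess, $Proc.ProcessName
    }

"== UDP 1900 (SSDP) =="
Get-NetUDPEndpoint | Where-Object { $_.LocalPort -eq 1900 } | Select-Object LocalAddress, LocalPort, OwningProcess

"== Services behind those ports (WinRM and SSDPSRV should be Stopped/Disabled) =="
Get-Service -Name WinRM, SSDPSRV, TermService, LanmanServer -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType

"== Firewall rules still enabled in the groups the commands disable (empty is the goal) =="
Get-NetFirewallRule -DisplayGroup 'Remote Desktop', 'Network Discovery' -Enabled True -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Direction, Profile

"== Remote Assistance fAllowToGetHelp (0 = disabled) / RDP fDenyTSConnections (1 = Remote Desktop off) =="
(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' -ErrorAction SilentlyContinue).fAllowToGetHelp
(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue).fDenyTSConnections

"== Installed services that look like remote-access tools (name match only, verify by hand) =="
Get-Service | Where-Object { $_.DisplayName -match 'Remote|AnyDesk|Splashtop|chromoting' } |
    Select-Object Name, DisplayName, Status, StartType
```

Note that disabling the Remote Desktop firewall rules, as the reply's commands do, blocks the traffic but leaves TermService listening on 3389; if you also want the listener gone, set fDenyTSConnections to 1 (the "Remote Desktop" switch in Settings) and the first section of this check will come back empty for RDP.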
@@OsbornePro Thank you for the checklist, I'll use that to set up Windows.
One more concern I have: the flash drives I have been using to boot to Windows. The thumb drives all have missing storage capacity. Of the original 8GB only 7.2 GB is now usable. I'm unable to flash or format or use diskpart to regain the missing space.
Is it possible the drive is loading compromised Windows system files during the install? Is there a way I can check for this?
- One thing I want to mention is that, during a fresh install with the drives wiped, I can enter a recovery mode where I can browse the files in System32. Some of the modified dates on these files are 2019.
@@markschumacher3157 No problem, to a USB Flash drive manufacturer,
1KB = 1000 bytes
1MB = 1000KB
1GB = 1000MB
The 8GB USB Flash drive contains 8 * 1000 * 1000 * 1000 = 8,000,000,000 bytes of space. This USB drive is hence labelled as an 8GB USB drive.
The 8GB USB drive you purchased is treated by the RAM manufacturers as
8,000,000,000 / (1024*1024*1024) = ~ 7.45 GB
It is also possible there is a system recovery image however if that was the case you would be able to delete with diskpart to free up all the space on the USB drive. You would be able to see that space is used on the drive and delete or format it.
@@markschumacher3157 sounds like you might have a boot-sector virus
Good one. Thanks!
Thank you sir!
Great video. Thanks.
Thanks!