EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. It is a cyberattack exploit developed by the U.S. National Security Agency (NSA). It was leaked by the Shadow Brokers hacker group on April 14, 2017, one month after Microsoft released patches for the vulnerability. The NSA did not alert Microsoft about the vulnerability, and held on to it for more than five years before the breach forced its hand.
How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows

Here's how to remove SMBv1 in Windows 10, Windows Server 2019 and Windows Server 2016.

Contents:
Windows Server:
1 PowerShell method
2 Dashboard method
Windows 10:
3 PowerShell method
4 Add or Remove Programs method
Windows Server:
5 Auditing SMBv1 usage
This article describes how to enable and disable Server Message Block (SMB) version 1 (SMBv1), SMB version 2 (SMBv2), and SMB version 3 (SMBv3) on the SMB client and server components.
While disabling or removing SMBv1 might cause some compatibility issues with old computers or software, SMBv1 has significant security vulnerabilities and we strongly encourage you not to use it.
Disabling SMBv2 or SMBv3 for troubleshooting
While we recommend that you keep SMBv2 and SMBv3 enabled, you might find it useful to disable one temporarily for troubleshooting, as described in How to detect status, enable, and disable SMB protocols on the SMB Server.
In Windows 10, Windows Server 2019 and Windows Server 2016, disabling SMBv3 deactivates the following functionality (and also the SMBv2 functionality listed below, because SMBv2 and SMBv3 share one server switch):
- Transparent Failover - clients reconnect without interruption to cluster nodes during maintenance or failover
- Scale Out - concurrent access to shared data on all file cluster nodes
- Multichannel - aggregation of network bandwidth and fault tolerance if multiple paths are available between client and server
- SMB Direct - adds RDMA networking support for very high performance, with low latency and low CPU utilization
- Encryption - provides end-to-end encryption and protects from eavesdropping on untrustworthy networks
- Directory Leasing - improves application response times in branch offices through caching
- Performance Optimizations - optimizations for small random read/write I/O
In Windows 7 and Windows Server 2008 R2, disabling SMBv2 deactivates the following functionality:
- Request compounding - allows for sending multiple SMB 2 requests as a single network request
- Larger reads and writes - better use of faster networks
- Caching of folder and file properties - clients keep local copies of folders and files
- Durable handles - allow a connection to transparently reconnect to the server if there is a temporary disconnection
- Improved message signing - HMAC SHA-256 replaces MD5 as the hashing algorithm
- Improved scalability for file sharing - number of users, shares, and open files per server greatly increased
- Support for symbolic links
- Client oplock leasing model - limits the data transferred between the client and server, improving performance on high-latency networks and increasing SMB server scalability
- Large MTU support - for full use of 10-gigabit Ethernet
- Improved energy efficiency - clients that have open files to a server can sleep
The SMBv2 protocol was introduced in Windows Vista and Windows Server 2008, while the SMBv3 protocol was introduced in Windows 8 and Windows Server 2012. For more information about the capabilities of SMBv2 and SMBv3, see the following article:
- What's New in SMB
1 Windows Server: PowerShell method
- Detect (PowerShell):
  Get-WindowsOptionalFeature -Online -FeatureName smb1protocol
- Disable (PowerShell):
  Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
- Enable (PowerShell):
  Enable-WindowsOptionalFeature -Online -FeatureName smb1protocol
2 Windows Server 2016, Windows Server 2019: Dashboard method (Server Manager method for removing SMBv1)
3 Windows 10: PowerShell method
- Detect (PowerShell):
  Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
- Disable (PowerShell):
  Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
- Enable (PowerShell):
  Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
SMB v2/v3 Protocol (only disables SMB v2/v3 Server)
- Detect (PowerShell):
  Get-SmbServerConfiguration | Select EnableSMB2Protocol
- Disable (PowerShell):
  Set-SmbServerConfiguration -EnableSMB2Protocol $false
- Enable (PowerShell):
  Set-SmbServerConfiguration -EnableSMB2Protocol $true
4 Windows 10: Add or Remove Programs method
Auditing SMBv1 usage
To determine which clients are attempting to connect to an SMB server with SMBv1, you can enable auditing on Windows Server 2016, Windows 10, and Windows Server 2019.
- Enable (PowerShell):
  Set-SmbServerConfiguration -AuditSmb1Access $true
- Disable (PowerShell):
  Set-SmbServerConfiguration -AuditSmb1Access $false
- Detect (PowerShell):
  Get-SmbServerConfiguration | Select AuditSmb1Access
When SMBv1 auditing is enabled, event 3000 appears in the "Microsoft-Windows-SMBServer\Audit" event log, identifying each client that attempts to connect with SMBv1.
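The detect commands from sections 1 and 3 and the audit log above can be combined into one report that shows whether SMBv1 is still in use before it is removed. This is an added example, not code from the Microsoft article; the 30-day window, the report function name and the "Client Name:" text matched in the event message are assumptions.

```powershell
# Added example, not from the Microsoft article: report this host's SMB
# state and the SMBv1 clients recorded by event 3000, so the audit can run
# for a while before SMBv1 is removed. Assumes Windows 10 / Windows Server
# 2016 or later with the SmbShare module, run from an elevated prompt.
#Requires -RunAsAdministrator

function Get-SmbV1Report {
    param([int]$Days = 30)   # audit window to read back; 30 days is an assumption

    # Optional-feature state, i.e. the Detect command from sections 1 and 3
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

    # Server-side switches for SMBv1, SMBv2/v3 and the SMBv1 audit flag
    $cfg = Get-SmbServerConfiguration

    # Event 3000 in the SMBServer/Audit log, written per SMBv1 client attempt;
    # the log stays empty until AuditSmb1Access has been set to $true.
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue)

    # The message body names the client as "Client Name: \\<address>"; that
    # text format is an assumption, so messages that do not match are kept whole.
    $clients = foreach ($e in $events) {
        if ($e.Message -match 'Client Name:\s*(\S+)') { $Matches[1] } else { $e.Message }
    }

    [pscustomobject]@{
        Smb1FeatureState   = $feature.State          # Enabled or Disabled
        EnableSMB1Protocol = $cfg.EnableSMB1Protocol
        EnableSMB2Protocol = $cfg.EnableSMB2Protocol
        AuditSmb1Access    = $cfg.AuditSmb1Access
        AuditEventCount    = $events.Count
        Smb1ClientsSeen    = @($clients | Sort-Object -Unique)
    }
}

$report = Get-SmbV1Report -Days 30
$report | Format-List
# Remove SMBv1 only once the audit window shows no remaining SMBv1 clients;
# anything listed in Smb1ClientsSeen has to be upgraded or replaced first.
if ($report.AuditEventCount -gt 0) {
    Write-Warning "$($report.AuditEventCount) SMBv1 connection attempts in the last 30 days; review Smb1ClientsSeen before removing SMBv1."
} elseif ($report.Smb1FeatureState -eq 'Enabled') {
    Write-Host 'No SMBv1 clients seen; SMBv1 can be removed with:'
    Write-Host '  Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol'
}
```

Run it on each file server after auditing has been enabled for long enough to cover monthly or quarterly jobs; a client that only connects occasionally will otherwise be missed.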
If all the settings are in the same Group Policy Object (GPO), Group Policy Management displays the following settings.
After these are configured, allow the policy to replicate and update. As necessary for testing, run gpupdate /force at a command prompt, and then review the target computers to make sure that the registry settings are applied correctly. Make sure SMB v2 and SMB v3 are functioning for all other systems in the environment.
Note: Do not forget to restart the target systems.
Source: Microsoft