Sunday, July 2, 2017

Ransomware: lessons learnt

With the recent outbreaks of ransomware like WannaCry and Petya, more similar attacks are likely lining up. Both of these variants propagate via the NSA's EternalBlue exploit: the vulnerability exists because of insufficient input validation in the Microsoft Windows SMBv1 server when handling a crafted SMB request. As a result, a remote attacker can use such an SMB request to gain unauthorized access to sensitive information. Most enterprise-class anti-virus vendors claim that their products can detect and stop the exploit as long as you stay updated, but is this enough for system administrators to sit back and relax?


Below is what I've learnt from this outbreak, and what else we can do:

1. Disable SMBv1

This 30-year-old protocol should be disabled. I understand some vendors / products might still require SMBv1, and hopefully after the May and June global cyber-attacks, vendors will start looking into a transition to SMBv2 or SMBv3. You can check whether SMBv1 is enabled on your Windows device with the PowerShell command below:

Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol

You can disable SMBv1 via GPO by setting the registry value below:

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Registry entry: SMB1

REG_DWORD: 0 = Disabled

REG_DWORD: 1 = Enabled

Default: 1 = Enabled

If you are running Windows 7, or Server 2012 (not R2) or earlier, please refer to https://blogs.technet.microsoft.com/secguide/2017/06/15/disabling-smbv1-through-group-policy/

For more information, here is a good reference: https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/

Intensive testing is required before disabling it, as many vendors / products still rely on SMBv1.
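As an added example (my own script, not from the original post), the check and the registry change above combined into one PowerShell function: it reports whether SMBv1 is enabled on the local server, using the SMB cmdlets where they exist and falling back to the registry value on older systems, and only disables it when the -Remediate switch is given. The function name and the -Remediate switch are my own; run it in an elevated PowerShell session.

```powershell
# Added example: audit (and optionally disable) SMBv1 on the local Windows server.
# Uses Get-/Set-SmbServerConfiguration where available (Windows 8 / Server 2012 and later)
# and the LanmanServer\Parameters\SMB1 registry value on older systems.
# Function name and -Remediate switch are my own; requires an elevated session.

function Test-Smb1Exposure {
    [CmdletBinding()]
    param(
        [switch]$Remediate   # set this to actually disable SMBv1 rather than only report
    )

    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $result  = [ordered]@{
        Computer    = $env:COMPUTERNAME
        Smb1Enabled = $null
        Source      = $null
        Remediated  = $false
    }

    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Preferred path: the SMB cmdlets reflect the live server configuration.
        $cfg = Get-SmbServerConfiguration
        $result.Smb1Enabled = [bool]$cfg.EnableSMB1Protocol
        $result.Source      = 'Get-SmbServerConfiguration'
    } else {
        # Older OS (e.g. Windows 7 / Server 2008 R2): read the registry value.
        # A missing SMB1 value means the default, which is enabled.
        $value = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $result.Smb1Enabled = ($null -eq $value) -or ($value -ne 0)
        $result.Source      = 'Registry'
    }

    if ($Remediate -and $result.Smb1Enabled) {
        if ($result.Source -eq 'Get-SmbServerConfiguration') {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            Set-ItemProperty -Path $regPath -Name SMB1 -Type DWord -Value 0 -Force
        }
        # Report the intended state; the registry-only change takes effect
        # once the Server service restarts (or after a reboot).
        $result.Smb1Enabled = $false
        $result.Remediated  = $true
    }

    [pscustomobject]$result
}

# Report only:
Test-Smb1Exposure | Format-List
# Disable SMBv1 (only after testing that no application still needs it):
# Test-Smb1Exposure -Remediate
```

Run the report-only form across your estate first (for example via Invoke-Command) so you know which hosts still have SMBv1 on before changing anything.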

2. Patch Windows regularly

Microsoft released a critical security bulletin, MS17-010 (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx), to patch SMBv1. If you still haven't installed this security patch, your infrastructure is at risk. System administrators should patch their infrastructure regularly, including SAN, routers, switches, servers, desktop clients, etc.

3. Layered security with up to date security products

Relying only on desktop anti-virus is not enough to keep you secure nowadays. Security products must stay up to date, as vendors release updates to cover an exploit once samples have been analysed. Vendors have products specialising in different layers of the OSI model: network IDS and IPS, web content filtering, web application firewalls, anti-virus tools, anti-spam, host-level IPS with DLP, eDiscovery and forensics tools, encryption and decryption at rest, etc. All of these should be stacked and layered from the application layer all the way down to the physical layer to provide stronger protection.

4. Backup

Say no more: backups and a DR plan are a must-have for every business.