Tag: Event Logs

Microsoft recently posted an article talking about reducing your SMB traffic, and thereby reducing the risk of compromise on your systems. Before you think we’re saying this one change is the solution to all network security issues, even Microsoft states “We are not trying to make the entire network impervious to all threats. We are trying to make your network so irritating to an attacker that they just lose interest and go after some other target.”

Many times we know a security change doesn’t completely fix an issue, we are just making another small change in a series of small changes to make things slightly more secure. A group of small changes often work together to create an overall more secure environment.

If nothing else you’ll have a better understanding of what systems need SMB enabled and where SMB traffic is common on your network.

Server Message Block (SMB) Traffic

Reducing your SMB traffic can really help your risk profile. Server Message Block (SMB) traffic is a communication protocol for providing shared access to files, printers, and serial ports between devices on your network. It also provides an authenticated inter-process communication (IPC) mechanism. There are also security issues in Microsoft’s implementation of the protocol. Many vendors have security vulnerabilities in their solutions because of their lack of support for newer authentication protocols like NTLMv2 and Kerberos. Recent attacks show that SMB is one of the primary attack vectors for many intrusion attempts. Recently two SMB high-severity vulnerabilities were disclosed which can provide RCE (Remote Code Execution) privileges to systems that allow SMB traffic.

Recommendations

1. Block inbound SMB access at the corporate firewalls – This means block inbound SMB traffic at the corporate firewall before it is on your LAN. This is usually the easiest way to block unauthorized traffic to your network and corporate systems. This will not work for remote systems that aren’t behind a managed firewall, but you can use this to help protect servers and other devices on the corporate network.
2. Block outbound SMB access at the corporate firewall with exceptions for specific IP ranges – Sometimes, rarely, you need outbound SMB traffic. If you don’t know, block the traffic and monitor logs for anything that might break.
3. Inventory for SMB usage and shares – It is understandable that employees need to connect to file servers to access file shares, as one example. Great, then allow inbound SMB traffic to just those servers, and block inbound SMB traffic to all Windows 10 clients or other servers. Start looking at your environment and begin blocking traffic unless it is required.
4. Configure Windows Defender Firewall to block inbound and outbound traffic on the workstations – Use the  client firewall to block traffic except to required devices. There are several references to how to make this work, but it is past the time to start working out the details.
5. Disable SMB Server if unused – If you know the device doesn’t require SMB services, you may be able to stop the SMB Server service on Windows clients and even many of your Windows Servers.
6. Test at a small scale – Test the changes and make sure you understand the impact before you just deploy changes into production and break everything. As always, test twice and make sure you understand the changes (and have a rollback plan) before you deploy any changes into production.