L1 BIO 12.01.01 CIS Windows - SMBv1 server

Intune: Disable SMBv1 Server

πŸ“… 2025-10-30
β€’
⏱️ 2 minuten lezen
β€’
πŸ”΄ Must-Have

πŸ’Ό Management Samenvatting

Disable SMBv1 server = block legacy file sharing - workstations should NOT act as file servers (SMBv1 = WannaCry vector).

Aanbeveling
IMPLEMENT IMMEDIATELY
Risico zonder
Critical
Risk Score
10/10
Implementatie
2u (tech: 1u)
Van toepassing op:
βœ“ Windows 10
βœ“ Windows 11
βœ“ Windows Server

SMBv1 server = double risk: Client disabled: Blocks outbound SMBv1 (cannot connect to SMBv1 shares), Server disabled: Blocks inbound SMBv1 (cannot host SMBv1 shares). Workstation file sharing: Usually unnecessary (use OneDrive/SharePoint), Attack: Workstation with SMBv1 server β†’ EternalBlue exploit β†’ ransomware. Defense: Disable server β†’ no SMBv1 listening β†’ exploit fails.

PowerShell Modules Vereist
Primary API: Microsoft Graph API
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.DeviceManagement

Implementatie

Disable SMBv1 server: Policy: Configure SMB v1 server: Disabled, Effect: Workstation cannot host SMB shares via SMBv1 (SMBv2/v3 unaffected), File sharing: Use OneDrive/SharePoint (recommended) OR SMBv2/v3 (if needed).

Vereisten

  1. Intune subscription
  2. Windows 10/11
  3. File sharing: OneDrive/SharePoint (eliminate workstation shares)

Implementatie

Intune Settings Catalog: SMB β†’ Configure SMB v1 server: Disabled. Verify: netstat -an | findstr :445 β†’ Should show NO SMBv1 listener.

Compliance

Microsoft Security Baseline, CIS Windows Benchmark L1, BIO 12.01.

Monitoring

Gebruik PowerShell-script configure-smb-v1-server-is-set-to-disabled.ps1 (functie Invoke-Monitoring) – Controleren.

Remediatie

Gebruik PowerShell-script configure-smb-v1-server-is-set-to-disabled.ps1 (functie Invoke-Remediation) – Herstellen.

Compliance & Frameworks

Automation

Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).

PowerShell
<# .SYNOPSIS Intune Security Options: SMB v1 Server Disabled .DESCRIPTION CIS - SMB v1 server uitschakelen (security risk). .NOTES Filename: smbv1-server-disabled.ps1|Author: Nederlandse Baseline voor Veilige Cloud|Feature: SMB Security|Expected: Disabled #> #Requires -Version 5.1 #Requires -RunAsAdministrator [CmdletBinding()]param([switch]$WhatIf, [switch]$Monitoring, [switch]$Remediation, [switch]$Revert) $ErrorActionPreference = 'Stop'; $RegPath = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"; $RegName = "SMB1"; $ExpectedValue = 0 function Connect-RequiredServices { $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) } function Test-Compliance { $r = [PSCustomObject]@{ScriptName = "smbv1-server.ps1"; PolicyName = "SMB v1 Server"; IsCompliant = $false; CurrentValue = $null; Details = @() }; function Invoke-Revert { Set-ItemProperty -Path $RegPath -Name $RegName -Value 1 -Type DWord } try { if (Test-Path $RegPath) { $v = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue; if ($v -and $v.$RegName -eq $ExpectedValue) { $r.IsCompliant = $true; $r.Details += "SMB v1 server disabled" }else { $r.Details += "SMB v1 server enabled" } }else { $r.Details += "Not configured" } }catch { $r.Details += "Error: $($_.Exception.Message)" }; return $r } function Invoke-Remediation { if (-not(Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }; Set-ItemProperty -Path $RegPath -Name $RegName -Value $ExpectedValue -Type DWord -Force; Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force -ErrorAction SilentlyContinue; Write-Host "SMB v1 server disabled - REBOOT RECOMMENDED" -ForegroundColor Yellow } function Invoke-Monitoring { $r = Test-Compliance; Write-Host "`n$($r.PolicyName): $(if($r.IsCompliant){'COMPLIANT'}else{'NON-COMPLIANT'})" -ForegroundColor $(if ($r.IsCompliant) { 'Green' }else { 'Red' }); return $r } function Invoke-Revert { Set-ItemProperty -Path $RegPath -Name $RegName -Value 1 -Type DWord } try { if (-not(Connect-RequiredServices)) { exit 1 }; if ($Monitoring) { $r = Invoke-Monitoring; exit $(if ($r.IsCompliant) { 0 }else { 1 }) }elseif ($Remediation) { if (-not $WhatIf) { Invoke-Remediation } }elseif ($Revert) { Invoke-Revert }else { $r = Test-Compliance; exit $(if ($r.IsCompliant) { 0 }else { 1 }) } }catch { Write-Error $_; exit 1 }

Risico zonder implementatie

Risico zonder implementatie
Critical: KRITIEK: SMBv1 server = WannaCry/EternalBlue target.

Management Samenvatting

Disable SMBv1 server. Workstations = NO file servers. WannaCry defense. Implementatie: 1-2 uur.