Disabling SMB

I read a guide online on how to disable SMB on my Windows 7 machines, and this is supposedly what I had to enter into PowerShell on both of them:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi
sc.exe config mrxsmb20 start= disabled

These were met with success messages in PowerShell to let me know I entered them right. But is there any way to make sure I now have the machines' SMB actually disabled, thus disabling the recent exploit?

Is there any reason you wouldn't just update the computers?

3 Likes

Disable HomeGroup, for one.

OK, disabled.

1 Like

If the exploit requires SMB to be on, then all I have to do is disable it.

You did update them also, correct? Always patch your shit.

Do you know how to check if SMB is disabled?

This will have all you need to know.

https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

1 Like
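
One way to answer the question of whether SMB is actually disabled, as an added example rather than code from the thread or from Microsoft: a read-only PowerShell check of the client drivers that the sc.exe commands above change, plus the server-side SMB1/SMB2 registry values that the linked KB 2696547 article uses on Windows 7. MS17-010 is a flaw in the SMBv1 server, so the server-side lines are the ones that matter for it; the function names and output labels are made up for this example.

```powershell
# Added example: read-only SMB status check for Windows 7 (PowerShell 2.0+).
# It changes nothing; run it from an elevated prompt, before and after a reboot.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-StartType([string]$Name) {
    # A service or driver's start type is the "Start" DWORD under its key.
    $names = @{0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled'}
    $key = Get-ItemProperty -Path "$svc\$Name" -ErrorAction SilentlyContinue
    if ($null -eq $key -or $null -eq $key.Start) { return 'NotFound' }
    return $names[[int]$key.Start]
}

function Get-ServerSmbFlag([string]$ValueName) {
    # LanmanServer\Parameters holds the SMB1 / SMB2 DWORDs: 0 = disabled.
    # When the value does not exist, the protocol is enabled (Windows default).
    $p = Get-ItemProperty -Path "$svc\LanmanServer\Parameters" -ErrorAction SilentlyContinue
    if ($null -eq $p -or $null -eq $p.$ValueName) { return 'Enabled (value not set)' }
    if ([int]$p.$ValueName -eq 0) { return 'Disabled' }
    return 'Enabled'
}

# Client side: what the sc.exe commands in the question changed.
$deps = (Get-ItemProperty -Path "$svc\LanmanWorkstation").DependOnService
"Client driver mrxsmb10 (SMBv1)    : $(Get-StartType 'mrxsmb10')"
"Client driver mrxsmb20 (SMBv2)    : $(Get-StartType 'mrxsmb20')"
"LanmanWorkstation depends on      : $($deps -join ', ')"

# Server side: whether this machine accepts inbound SMB connections.
"Server service (LanmanServer)     : $(Get-StartType 'LanmanServer')"
"Server SMB1 registry setting      : $(Get-ServerSmbFlag 'SMB1')"
"Server SMB2 registry setting      : $(Get-ServerSmbFlag 'SMB2')"

# Anything still listening on TCP 445 means the SMB server is reachable.
$listening = @(netstat -an | Select-String -Pattern ':445\s+\S+\s+LISTENING')
"TCP 445 listeners                 : $($listening.Count)"
```

Start-type and registry changes take effect only after a restart, so a driver can show Disabled here while still loaded until the machine reboots.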

The exploit requires you to not be patched. Patch and you don't have to cripple your system. You should have done this in March when the patch was released, so you shouldn't need to worry at all.

Unless you're not patching at all? In which case this is just one of your problems.

The exploit also has no bearing on the payload. The computers can still individually be hit by the ransomware.

I think that's what I entered into PowerShell. Is there any way to check it to make sure, like a status indicator perhaps?

The patch doesn't work on any of these machines, so the next best thing is to disable SMB. From what I can see, none of these machines need any of the SMB functions.

In what way does it not work?

It never installs and simply gives a Windows version error despite the download being for the correct version and being 64-bit.

Would it be a good idea to download Windows 10 from MS and install that? You can get authorization keys later.

Sounds like you're not using Windows Update?

No, there are direct links to the patch from Microsoft.

This doesn't really help me figure out if SMB is disabled.

Just disable SMB 1.0 and you're good.

Go run the Nmap module for MS17-010.

But this is another case of someone who doesn't know what they're doing. Keep your systems updated through Windows Update. You're only putting your computers and data at risk. You already had those systems vulnerable for months, haven't patched them properly, and you haven't even thought about the other vulnerabilities.

3 Likes

What Eden is getting at is there's no reason to blow away SMB when there is a proper Windows update to fix the issue.

It's rolled up into the March rollup or KB4012212.

Edit: Although you should/could still disable v1.0.

1 Like

Yes, but it's not only that. If you're not updating your system then you have to be on top of preventing exploits. In this case these systems have been unnecessarily vulnerable for months because of some unjustified (as far as I can tell) reason for not having updates turned on.

You can't turn off critical updates and just go about your way.
Do you know how many vulnerabilities Microsoft patched?
Why are you just mitigating one of them over 2 months later?
Would you have ever done it if it wasn't widespread in the news?
This was in the news over 2 months ago, so what did you miss and what else have you missed?

This is a symptom of a larger problem not being addressed as far as I can see. And the solution is simple. Turn on updates.

1 Like