Closed Captioning Closed captioning available on our YouTube channel

How to harden Windows workstations and servers from attack

CSO Online | Feb 6, 2019

Use these basic settings to make it harder for attackers to Windows hardware.

Susan Bradley here for CSO Online. We're going to take a break on talking about Office 365 for the next month because I want to talk about some workstation hardening that I want you to do. We're going to start first with a foundational service that has been used in computing for many years. Server message block or SMB is a internet standard protocol Windows uses to share files printers and serial ports. We use it on a regular basis to share and save files across the network. It's even used over the Internet on top of the TCP/IP protocol. It's been in use since Windows 95 and in 2019 it's still often found and abused in networks. In fact if you have SMB V1 still enabled a new network it can often be used in blended attacks to further cause damage such as ransomware. In this 2016 blog post now please note the concerns over SMB v 1 are not new. It's three years old. This blog post. Net Pyle indicates the following concerns over using SMB V1. When you keep on using it you lose some key protections such pre authentication integrity. Which improved protection against man in the middle attackers. You lose out on secured dialect negotiation. Again this is another man in the middle. Protection. You lose out on better encryption. This prevents inspection of data on the wire man in the middle attacks and performance is lost. You lose out on using insecure guest authentication blocking. Again this prevents and protects men in the middle attacks. And you lose out on better message signing. SHA 256 replaces the MD5 as the hashing algorithm. Signing performance increases as a result. If you use SMB v2 and v3. As Ned points send in the blog The Nasty bit is that no matter how you much you secure all of those things. If your clients still use SMB 1 and a man in the middle attack can tell your client to ignore all those protections. You can use either group policy or a push out registry key to disable SMB V1 and push everyone to SMB V2 and you can review the guidance and KB2696547 to detect SMB v 1 is still in use in your network and gracefully disable it. In Windows 10 you can use the power shall command Get-WindowsOptionalFeature –Online –FeatureName SMB1Protocol to test if you see if you have SMB v 1 enabled, I was pleased to see that it was disabled at the office. However I was less than pleased to see that here at home where I'm recording this video, I had SMB V1 enabled. You might find out as you disable SMB V1 that older copiers older printers and some older network sensible storage may depend on SMB v1. Ned has provided here a blog post that has a list of products that still require SMB v1 and some guidance for how you might work around it. If you can try to find the firmware or an update from the vendor to disable SMB V1. Work with your vendors push back on them try to get them to where they can support something without SMB being enabled.

On the consumer side if you're a home user like I am. And you have multi-user devices and your Sonos music devices you'll find that you'll still need some SMB V1. Again you need to look to see if you can update the firmware. For those of you that are I.T. admins that use home devices you want to check out Barb's connected world that has a blog post that talks about the things that you can update. Again look to see if there's firmware for these devices. She points on an issue with a device that I love, the Sonos speaker that you have to move local libraries to a NAS box that supports SMB v2 because it still requires SMB v1 to be enabled. If you have issues with these home devices look to the community locations on the vendor site. You'll probably find another I.T. admin just like you working to get these issues ironed out. Finally last but not least you want to make sure that you're not sending outbound SMB packets you want to make sure that you block outbound port 445. And protect UDP ports 137 to 138 and TCP port 139. Most modern firewalls automatically do this but it's wise to just make sure and test to make sure that your firewalls are set appropriately. So now is the time to take stock in your environment. Do you still need SMB V1. Can you get yourself up to SMB V2 or V3. Take the time to look at your network evaluate even check your home network because it too can be vulnerable. Until next time. Thanks for being an insider on CSO Online. This is Susan Bradley.

Featured videos from