strange issue after disabling SMB (WannaCry)

  • 260 Views
  • Last Post 16 May 2017
MatCollins posted this 14 May 2017

hi,

Because of this damn WannaCry, we decided to prohibit the usage of SMB1. We did it using a GPO that disabled it via the registry, and applied it to OU=Domain Controllers (only). It was good and there were no complaints. Until:

A user called us indicating he could no longer RDP to his 2003 server. He told us the error is "RPC server is unavailable". I was totally stunned by the relation because:

  • firstly, we applied the GPO to domain controllers only
  • users from the local domain could connect to the 2003 server, but from remote domains -> "RPC server unavailable"

The evidence shows that these two are somehow related, but I can't figure out why.

Now the problem with the 2003 servers is solved by setting IgnoreRegUserConfigErrors to 1. But the question remains: why??

Any ideas?

Anthony.Vandenbossche posted this 14 May 2017

Hi, what kind of trust do you have configured? With an external trust, only NTLM is used when authenticating across forests. Maybe Kerberos is a hard constraint?



 


MatCollins posted this 14 May 2017

All domains are child domains of a single root domain, so they are all inside one forest with built-in trusts.

darren posted this 15 May 2017

Mat-

I'm curious what registry setting you used to disable SMB1? All the guidance I've seen for doing this had it removed via Windows feature commands. That said, those were all for newer OSes. It might help to understand the problem by knowing what you set on 2003. Also, any reason why you only applied it to DCs?

Darren

barkills posted this 15 May 2017

Presumably because his DCs were 2008 or 2008 R2, as the registry is the way to disable SMBv1 (server) on those OSes. But the registry alone doesn't get all of SMBv1 on those OSes; it neglects the SMBv1 client aspect (which requires a service config change). And of course, a reboot is needed too. This same detail is also the way to disable SMBv1 on Windows 7.

And to answer your other question, here's more detail:

Step 1 (server):

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

Step 2 (client):

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

Step 3:

Reboot! ;)

Brian

BrianB posted this 15 May 2017

Doesn't Group Policy require the use of SMB for the SYSVOL? If I remember correctly, old XP and 2003 clients can't use SMBv2. If RDP is controlled by GPO, then the old client can't get the policy after SMBv1 is disabled on the DC. Maybe unrelated in this case.

I could be wrong, so correct me if I am.

Brian B.

darren posted this 15 May 2017

Thanks Brian A. for the info. So from that it sounds like EternalBlue exploits SMB clients as well as servers then?

Brian B: yes, GP uses SMB for pulling down the GPT part of a GPO, so if it were completely disabled on a DC, this would definitely impact GP processing. I don't recall the SMB level of support in those older OS versions, however.

Darren

darren posted this 15 May 2017

And pursuant to this, a fellow Group Policy MVP shared this handy article that Microsoft provides with instructions on how to disable SMB versions in all (supported) versions of Windows. Nice:

https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

Darren

jeremyts posted this 16 May 2017

Just need to be careful and aware of other dependencies of the Workstation (LanmanWorkstation) service, and don't just run the commands as provided…

For example, many say just do this…

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

But in a Citrix environment running PVS, this will also remove the PvsVmAgent service dependency. So just be careful and understand your environment before running commands.

Cheers,
Jeremy
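As an added worked example (not posted by anyone in this thread), the script below combines Brian's three steps for 2008 / 2008 R2 / Windows 7 hosts with Jeremy's caveat: instead of overwriting the Workstation service's dependency list with a fixed "bowser/mrxsmb20/nsi", it reads the existing DependOnService value and removes only the MRxSmb10 entry, so anything else already in the list (a Citrix PvsVmAgent, for instance) survives. The -Reboot switch, the -WhatIf support and the verification object at the end are this example's own additions; the registry paths and service names are the ones used in the thread. Run it from an elevated PowerShell, and run it with -WhatIf first.

```powershell
# Added example, not from the thread: disable the SMBv1 server and client on a
# 2008 / 2008 R2 / Windows 7 host via the registry and sc.exe, keeping any
# non-SMB1 LanmanWorkstation dependencies intact. Requires elevation.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Reboot)   # -Reboot is this example's own switch

$serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$wkstaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'
$mrx10Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'

# Step 1 (server): SMB1 = 0 under LanmanServer\Parameters.
if ($PSCmdlet.ShouldProcess($serverKey, 'Set SMB1 = 0')) {
    Set-ItemProperty -Path $serverKey -Name SMB1 -Type DWORD -Value 0 -Force
}

# Step 2 (client): DependOnService is a REG_MULTI_SZ; drop only MRxSmb10 from
# it (string comparison is case-insensitive in PowerShell) and make sure the
# SMB2 redirector stays in the list. Everything else is preserved as-is.
$deps    = @((Get-ItemProperty -Path $wkstaKey -Name DependOnService).DependOnService)
$newDeps = @($deps | Where-Object { $_ -ne 'MRxSmb10' })
if ($newDeps -notcontains 'MRxSmb20') { $newDeps += 'MRxSmb20' }
$depString = $newDeps -join '/'

if ($PSCmdlet.ShouldProcess('LanmanWorkstation', "depend= $depString")) {
    sc.exe config lanmanworkstation depend= $depString | Out-Null
    sc.exe config mrxsmb10 start= disabled           | Out-Null
}

# Verify the on-disk configuration before rebooting.
$smb1       = (Get-ItemProperty -Path $serverKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
$depsAfter  = @((Get-ItemProperty -Path $wkstaKey -Name DependOnService).DependOnService)
$mrx10Start = (Get-ItemProperty -Path $mrx10Key -Name Start).Start   # 4 = Disabled

[pscustomobject]@{
    ServerSMB1         = $smb1                      # expect 0
    WorkstationDepends = ($depsAfter -join '/')     # expect no MRxSmb10, extras kept
    MRxSmb10Start      = $mrx10Start                # expect 4
    ClientSMB1Disabled = ($depsAfter -notcontains 'MRxSmb10') -and ($mrx10Start -eq 4)
}

# Step 3: the driver and dependency changes only take effect after a reboot.
if ($Reboot) { Restart-Computer -Force }
```

Because the dependency list is rewritten from what is already there rather than from a constant, the script is safe to re-run; a second pass finds no MRxSmb10 entry and leaves the list unchanged. Compare the WorkstationDepends output with the list you recorded before the change to confirm nothing beyond MRxSmb10 was removed.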

Bharathian posted this 16 May 2017

Hi,

 

In our environment, we don't use XP & 2003, so we disabled only the LANMANSERVER component. As per Microsoft, they also confirmed to disable the server component alone.

Step 1 (server):

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

From Microsoft regarding WannaCry ransomware:

Do we need to disable SMB v1 client (Lanmanworkstation) as well on all our machines?

No. It is only the SMBv1 server component (which means Lanmanserver), on the client machine and not Lanmanworkstation on the client machine.

Regards
Bharathi

jeremyts posted this 16 May 2017

I guess there's a lot of misinformation out there about this one due to the panic. The patches contain a new mrxsmb10.sys file, which is also used by the mrxsmb10 service, which can potentially be a dependency of the LanmanWorkstation service. The thought may be that having the mrxsmb10.sys driver loaded could still leave you exposed. Not sure how valid that statement is.

Cheers,
Jeremy

Bharathian posted this 16 May 2017

Thanks for your input Jeremy. Will check this.

Regards
Bharathi