CIS Logo
tagline: Confidence in the Connected World

Intel Insights: How to Restrict Server Message Block

Overview

The MS-ISAC observes specific malware variants consistently reaching The Top 10 Malware list. These specific malware variants have traits allowing them to be highly effective against state, local, tribal, and territorial (SLTT) government networks, consistently infecting more systems than other types of malware. An examination of the characteristics of these malware variants revealed that they often abuse legitimate tools or parts of applications on a system or network. One such legitimate tool is Sever Message Block (SMB).

Understanding the Threat Surface

SMB is a Microsoft Windows operating system network file sharing protocol. This protocol is often used by cyber threat actors (CTA) to travel through a network, spread malware, and exfiltrate or alter information. CTAs use the system’s remote access and client-to-client communication abilities for propagation. The protocol is used to steal, disclose, alter, or destroy data in the system by allowing malware to access files on remote servers. For example, malware will scrape credentials from the initial infected system and use those credentials to spread via SMB throughout the entire network.

Recommendations

After evaluating your environment and conducting appropriate testing, use Group Policy to set a Windows Firewall rule to restrict SMB inbound communication between client systems. If using an alternative host-based intrusion prevention system (HIPS), consider implementing custom modifications for the control of client-to-client SMB communication.

At a minimum, SLTT governments should create a Group Policy Object that restricts inbound SMB connections to clients originating from clients. The MS-ISAC recommends organizations use the CIS Benchmarks and CIS Build Kits, which are a part of the CIS SecureSuite. Please see below for detailed steps on disabling SMB.

The MS-ISAC recommends organizations use the CIS Benchmarks and CIS Build Kits, which are a part of CIS SecureSuite. Please see below for detailed steps on disabling PowerShell.

How to Disable SMB Client with Group Policy:

These directions are for Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012.  For Windows 10, Server 2016, and Server 2019 please visit Microsoft’s SMB webpage. Additionally, the SMB name changes based on the version that is being disabled.

  1. Click Start Menu > Control Panel > System and Security > Administrative Tools.
  2. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.
  3. In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.
  4. Right-click the Registry node, point to New, and select Registry Item.

registry-item

In the New Registry Properties dialog box, select the following:

  • Action: Update
  • Hive: HKEY_LOCAL_MACHINE
  • Key Path: SYSTEM\CurrentControlSet\services\mrxsmb10
  • Value name: Start
  • Value type: REG_DWORD
  • Value data: 4

start-properties

Then remove the dependency on the MRxSMB10 that was just disabled.

In the New Registry Properties dialog box, select the following:

  • Action: Replace
  • Hive: HKEY_LOCAL_MACHINE
  • Key Path: SYSTEM\CurrentControlSet\Services\LanmanWorkstation
  • Value name: DependOnService
  • Value type REG_MULTI_SZ
  • Value data:
    • Bowser
    • MRxSmb20
    • NSI

Note: These three strings will not have bullets (see the following screenshot).

depend-on-service-properties

The default value includes MRxSMB10 in many versions of Windows, so by replacing them with this multi-value string, it is in effect removing MRxSMB10 as a dependency for LanmanServer and going from four default values down to just these three values above 

Note: When you use Group Policy Management Console, you don't have to use quotation marks or commas. Just type each entry on individual lines.

How to Disable SMB Server with Group Policy:

Note: The SMB name changes based on version that is being disabled.

  • Click Start Menu > Control Panel > System and Security > Administrative Tools.
  • Right-click the GPO that should contain the new preference item, and then click Edit.
  • In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.
  • Right-click the Registry node, point to New, and select Registry Item.

registry-item2

In the New Registry Properties dialog box, select the following:

  • Action: Create
  • Hive: HKEY_LOCAL_MACHINE
  • Key Path: SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
  • Value name: SMB1
  • Value type: REG_DWORD
  • Value data: 0

registry-properties

For more information please visit Microsoft’s SMB webpage.

The MS-ISAC is the focal point for cyber threat prevention, protection, response, and recovery for the nation’s state, local, tribal, and territorial (SLTT) governments. More information about this topic, as well as 24x7 cybersecurity assistance is available at 866-787-4722, SOC@cisecurity.org. The MS-ISAC is interested in your comments - an anonymous feedback survey is available.