Improve SMB Server Signing check for incoming change in MS logic behavior #397

Closed
TuemmlerKelch opened this issue Sep 20, 2023 · 1 comment
@TuemmlerKelch
Collaborator

MS will change behavior in current builds and we need to adapt our logic in advance to be able to cover systems using either the new or the old way. See the article below for details.

Excerpt:
Any auditing tools that look at the registry could give false information. Use Get-SmbServerConfiguration and Get-SmbClientConfiguration or the CIM classes MSFT_SmbClientConfiguration and MSFT_SmbServerConfiguration and ensure any scripts or auditing tools use them (this has been the right approach for all SMB settings for a decade).

https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-signing-required-by-default-in-windows-insider/ba-p/3831704

@TuemmlerKelch TuemmlerKelch added the enhancement New feature or request label Sep 20, 2023
@TuemmlerKelch TuemmlerKelch added this to the 5.7 milestone Sep 20, 2023
@SteffenWinternheimer
Collaborator

SteffenWinternheimer commented Sep 21, 2023

Luckily it's explained pretty easily. The following registry keys have to be exchanged with the corresponding cmdlets and their fields:
[image]
[image]

Procedure:
It is important to also check via the registry path, because older systems may not have the cmdlets available. The following logic will be implemented:

  • Call the cmdlets in a try clause and try to get the values.
  • If the cmdlets cannot be found, the process goes into the catch block, where we then test SMB via the registry path.

=> This gives priority to the PowerShell cmdlets, and the registry paths act as a backup.

try {
    # Preferred source: the effective SMB client setting reported by the cmdlet.
    if ((Get-SmbClientConfiguration).RequireSecuritySignature -ne $True) {
        return @{
            Message = "RequireSecuritySignature is not set to True"
            Status = "False"
        }
    }
    return @{
        Message = "Compliant"
        Status = "True"
    }
}
catch {
    # Fallback for older systems where the cmdlet is not available: read the registry value.
    try {
        $regValue = Get-ItemProperty -ErrorAction Stop `
            -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" `
            -Name "RequireSecuritySignature" `
            | Select-Object -ExpandProperty "RequireSecuritySignature"

        if ($regValue -ne 1) {
            return @{
                Message = "Registry value is '$regValue'. Expected: 1"
                Status = "False"
            }
        }
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
    catch [System.Management.Automation.PSArgumentException] {
        # The key exists but the value is missing.
        return @{
            Message = "Registry value not found."
            Status = "False"
        }
    }
    catch [System.Management.Automation.ItemNotFoundException] {
        # The key itself is missing.
        return @{
            Message = "Registry key not found."
            Status = "False"
        }
    }
}
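
The same cmdlet-first, registry-backup logic generalized to both the SMB client and the SMB server setting, as an added example that is not part of the original comment or the project's code. The function name `Test-SmbSigningRequired`, its `-Role` parameter and the `Source` field are hypothetical; the server registry key is assumed to be `LanmanServer\Parameters`, mirroring the client key used above.

```powershell
# Added example: hypothetical helper, not the project's own implementation.
function Test-SmbSigningRequired {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Client', 'Server')]
        [string]$Role
    )

    # Cmdlet and registry service key that belong to the requested role.
    $cmdlet  = "Get-Smb${Role}Configuration"
    $service = if ($Role -eq 'Server') { 'LanmanServer' } else { 'LanmanWorkstation' }
    $regPath = "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\$service\Parameters"

    try {
        # Preferred source: the effective setting as reported by the SMB cmdlet.
        $required = [bool](& $cmdlet -ErrorAction Stop).RequireSecuritySignature
        $source   = $cmdlet
    }
    catch [System.Management.Automation.CommandNotFoundException] {
        # Only a missing cmdlet (older system) triggers the registry backup.
        # Any other cmdlet failure propagates instead of being masked by a registry read.
        $source = 'Registry'
        try {
            $regValue = Get-ItemProperty -Path $regPath -Name 'RequireSecuritySignature' -ErrorAction Stop |
                Select-Object -ExpandProperty 'RequireSecuritySignature'
            $required = ($regValue -eq 1)
        }
        catch {
            return @{ Message = "Registry key or value not found."; Status = "False"; Source = $source }
        }
    }

    if ($required) {
        return @{ Message = "Compliant"; Status = "True"; Source = $source }
    }
    return @{ Message = "RequireSecuritySignature is not set to True"; Status = "False"; Source = $source }
}

# Evaluate both sides; Source shows whether the result came from the cmdlet or the registry backup.
Test-SmbSigningRequired -Role Server
Test-SmbSigningRequired -Role Client
```

Recording the source in the result lets a report distinguish cmdlet-backed findings from registry-backed ones, which the quoted excerpt says can give false information.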
