1 00:00:03,070 --> 00:00:08,950 In this demonstration, you will learn how to audit SMBv1 usage and how to enable it if it's absolutely
2 00:00:08,950 --> 00:00:09,520 required.
3 00:00:10,390 --> 00:00:14,920 Then we will dive into the security capabilities of SMB version two or three.
4 00:00:15,770 --> 00:00:20,960 And in this part, I will work with you to enable SMB signing and encryption on an SMB share.
5 00:00:21,820 --> 00:00:26,710 As we revisit the diagram, we will be working on the Domain Admins Management Workstation.
6 00:00:27,520 --> 00:00:31,270 We have an existing file share which is managed by file server one.
7 00:00:32,110 --> 00:00:35,350 The group policies will be configured under the domain controller.
8 00:00:36,220 --> 00:00:38,860 We begin by looking at SMB version one.
9 00:00:39,700 --> 00:00:42,280 You are currently logged in to the management machine.
10 00:00:43,120 --> 00:00:47,840 Let's open up PowerShell and take a look at what the current SMBv1 configuration is.
11 00:00:48,760 --> 00:00:53,800 You will issue the command Get-SmbServerConfiguration, and we will pipe this to Select, specifically
12 00:00:53,800 --> 00:00:59,530 AuditSmb1Access, and we can see that the auditing capability is disabled.
13 00:01:00,430 --> 00:01:03,760 Now let's take a look to see if SMB version one is enabled.
14 00:01:04,630 --> 00:01:10,390 You will issue the command Get-SmbServerConfiguration, piped to Select and EnableSMB1Protocol,
15 00:01:10,390 --> 00:01:12,370 and the results returned back as false.
16 00:01:13,300 --> 00:01:16,390 So this shows us that SMB version one is disabled.
17 00:01:17,290 --> 00:01:19,660 Now, bear in mind that this is a Windows 10 machine.
18 00:01:19,660 --> 00:01:22,720 So by default, SMB version one is disabled.
19 00:01:23,590 --> 00:01:26,320 Let's take a look at the configuration on a server.
20 00:01:27,220 --> 00:01:32,980 Since all of our servers are running Server 2019, you will log in to the file server to see if SMB
21 00:01:32,980 --> 00:01:38,360 v1 is enabled. To view the SMB1 configuration on file server one,
22 00:01:38,380 --> 00:01:40,210 you will do this from Server Manager.
23 00:01:41,080 --> 00:01:45,910 Once you have Server Manager open, you will add file server one and then right-click and click on Windows
24 00:01:45,910 --> 00:01:49,810 PowerShell so that we can run the same PowerShell commands on file server one.
25 00:01:50,650 --> 00:01:55,630 The first thing that you will do is see if SMB version one is enabled, and you will do this by running
26 00:01:55,630 --> 00:01:59,530 the PowerShell command, and you'll notice that the results returned back as false.
27 00:02:00,430 --> 00:02:01,420 Now let's take a look
28 00:02:01,420 --> 00:02:06,040 if SMB version one auditing is enabled, and you'll see that this is disabled as well.
29 00:02:06,880 --> 00:02:09,640 Now, why are we looking at SMB1 auditing?
30 00:02:10,450 --> 00:02:15,670 Well, auditing SMB version one usage can be very useful when you need to determine which clients are
31 00:02:15,670 --> 00:02:17,710 attempting to connect to the SMB server
32 00:02:17,710 --> 00:02:24,970 using SMB version one. You have the ability to enable auditing on Windows Server 2016, Windows 10
33 00:02:24,970 --> 00:02:26,980 and Windows Server 2019.
34 00:02:27,820 --> 00:02:30,370 When you have SMB version one auditing enabled,
35 00:02:30,370 --> 00:02:34,870 and should you have any clients that attempt to connect with SMB version one, you will have an event
36 00:02:34,870 --> 00:02:39,550 3000, which will appear in the Microsoft-Windows-SMBServer/Audit event log.
37 00:02:40,330 --> 00:02:45,430 And within that log you will have the ability to identify each client that attempts to connect using
38 00:02:45,430 --> 00:02:49,060 SMB version one, and you'll see a snippet of the log on your screen.
39 00:02:49,900 --> 00:02:55,240 You can enable SMBv1 either via PowerShell or by adding additional features within Windows.
40 00:02:56,140 --> 00:03:01,420 To enable this within PowerShell, you'll issue the command Set-SmbServerConfiguration followed by
41 00:03:01,420 --> 00:03:04,450 the EnableSMB1Protocol with the value of true.
42 00:03:05,260 --> 00:03:10,270 Let's take a look at how you can do this using the graphical way. You will navigate
43 00:03:10,270 --> 00:03:11,830 back to Server Manager.
44 00:03:12,670 --> 00:03:16,780 And by right-clicking on file server one, you will click on Add Roles and Features.
45 00:03:17,680 --> 00:03:21,670 You will go through the wizard and select role-based or feature-based installation.
46 00:03:22,510 --> 00:03:24,500 Ensure that your server is selected.
47 00:03:25,360 --> 00:03:31,330 We are not adding any additional server roles, so we are more interested in the features, and under
48 00:03:31,330 --> 00:03:31,730 features,
49 00:03:31,750 --> 00:03:37,510 if you scroll down, you will see there's an option for SMB 1.0/CIFS File Sharing Support.
50 00:03:38,440 --> 00:03:39,190 By default,
51 00:03:39,190 --> 00:03:43,960 this is disabled, but you can enable it by ticking the box and clicking on Next to install.
52 00:03:44,860 --> 00:03:49,930 Since one of the objectives of the company is to move away from unsecure protocols, we are not going
53 00:03:49,930 --> 00:03:52,840 to enable this but rather ensure that it is disabled.
54 00:03:53,710 --> 00:03:55,120 And to force disablement,
55 00:03:55,120 --> 00:04:00,730 we're going to look at how we can do this using Group Policy. To configure the group policy,
56 00:04:00,760 --> 00:04:03,160 You will navigate to Group Policy Management.
57 00:04:04,090 --> 00:04:08,050 This can be found under Tools on Server Manager, and Group Policy Management.
58 00:04:08,980 --> 00:04:13,600 Since we want to disable this at a domain level, let's edit the Default Domain Policy.
59 00:04:14,470 --> 00:04:21,010 You can, of course, create a specific policy for SMB configuration settings. So you will right-click
60 00:04:21,010 --> 00:04:23,440 the Default Domain Policy and click on Edit.
61 00:04:24,310 --> 00:04:28,520 And within the Default Domain Policy, we need to configure registry entries.
62 00:04:29,410 --> 00:04:34,990 Now, in order to disable SMB version one, you would need to disable it both for server and for client.
63 00:04:35,830 --> 00:04:38,020 Let's start with server configuration.
64 00:04:38,860 --> 00:04:43,300 In order to disable this for a server, we would need to configure a registry key.
65 00:04:44,140 --> 00:04:49,690 To do this, you will navigate to Computer Configuration, expand Preferences, Windows Settings, and
66 00:04:49,690 --> 00:04:50,770 click on Registry.
67 00:04:51,630 --> 00:04:56,460 On the Registry node, you will now right-click, click on New and click on Registry Item.
68 00:04:57,300 --> 00:04:59,310 In the New Registry Properties box,
69 00:04:59,340 --> 00:05:02,640 your action would be to Create, and under Hive
70 00:05:02,730 --> 00:05:04,650 we will keep this as
71 00:05:04,680 --> 00:05:09,830 HKEY_LOCAL_MACHINE, and for the key path we will select
72 00:05:09,840 --> 00:05:15,600 HKEY_LOCAL_MACHINE, SYSTEM, CurrentControlSet, Services, LanmanServer, and we will
73 00:05:15,600 --> 00:05:24,510 select Parameters. Under Value name you will type SMB1. Value type would be a DWORD, and your data
74 00:05:24,510 --> 00:05:25,350 would be zero.
75 00:05:26,190 --> 00:05:30,480 You'll click on OK, and this disables the SMB1 server components.
76 00:05:31,380 --> 00:05:36,690 It's highly recommended to make a good backup of your registry before you go ahead and modify any registry
77 00:05:36,690 --> 00:05:37,170 settings.
78 00:05:38,100 --> 00:05:43,230 So please exercise caution, especially when configuring registry settings from a group policy.