L1 BIO 12.01.01 ISO A.13.1.3 CIS Windows - SMBv1

Intune: Disable SMBv1 Client Driver

📅 2025-10-30

•

⏱️ 3 minuten lezen

•

🔴 Must-Have

💼 Management Samenvatting

Disable SMBv1 client driver = block legacy SMB protocol - WannaCry ransomware (2017) exploited SMBv1 (300,000+ infected systems globally).

Aanbeveling

IMPLEMENT IMMEDIATELY

Risico zonder

Critical

Risk Score

10/10

Implementatie

8u (tech: 3u)

Van toepassing op:

✓ Windows 10
✓ Windows 11

SMBv1 = ANCIENT + BROKEN (1983): Security: No encryption, no integrity checks, no mutual authentication, Vulnerabilities: EternalBlue (NSA exploit, leaked 2017) → WannaCry, NotPetya ransomware, Active exploitation: SMBv1 still targeted (easy attacks), Modern: SMBv2/v3 (encryption, signing, performance). Microsoft: 'SMBv1 should be disabled' (official guidance 2017+).

PowerShell Modules Vereist

Primary API: Microsoft Graph API
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.DeviceManagement

Implementatie

Disable SMBv1 client: Policy: SMB v1 client driver: Disabled, Effect: Windows CANNOT connect to SMBv1 shares (SMBv2/v3 only), Legacy devices: Upgrade to SMBv2+ OR isolate (risk acceptance), Compatibility: 99% of modern NAS/file servers support SMBv2/v3.

Vereisten

Intune subscription
Windows 10/11
File servers: SMBv2/v3 enabled (check legacy NAS)
Testing: Verify no SMBv1 dependencies

Implementatie

Intune Settings Catalog: SMB → Configure SMB v1 client driver: Enabled: Disable driver (recommended). Test: Map network drives → verify SMBv2/v3 used. Legacy: Upgrade/replace SMBv1-only devices.

Compliance

Microsoft Security Baseline, CIS Windows Benchmark L1, BIO 12.01, ISO 27001 A.13.1.3.

Monitoring

Gebruik PowerShell-script configure-smb-v1-client-driver-is-set-to-enabled-disable-driver-recommended.ps1 (functie Invoke-Monitoring) – Controleren.

Remediatie

Gebruik PowerShell-script configure-smb-v1-client-driver-is-set-to-enabled-disable-driver-recommended.ps1 (functie Invoke-Remediation) – Herstellen.

Compliance & Frameworks

CIS M365: Control Windows - SMBv1 (L1) -
BIO: 12.01.01 -
ISO 27001:2022: A.13.1.3 -

Automation

Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).

PowerShell

<#
.SYNOPSIS
    Intune Security Options: SMB v1 Client Driver Disabled
.DESCRIPTION
    CIS - SMB v1 client driver uitschakelen (security risk).
.NOTES
    Filename: smbv1-client-disabled.ps1|Author: Nederlandse Baseline voor Veilige Cloud|Feature: SMB Security|Expected: Disabled
#>
#Requires -Version 5.1
#Requires -RunAsAdministrator
[CmdletBinding()]param([switch]$WhatIf, [switch]$Monitoring, [switch]$Remediation, [switch]$Revert)
$ErrorActionPreference = 'Stop'; $RegPath = "HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10"; $RegName = "Start"; $ExpectedValue = 4
function Connect-RequiredServices { $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) }
function Test-Compliance {
    $r = [PSCustomObject]@{ScriptName = "smbv1-client.ps1"; PolicyName = "SMB v1 Client"; IsCompliant = $false; CurrentValue = $null; Details = @() }; function Invoke-Revert { Set-ItemProperty -Path $RegPath -Name $RegName -Value 1 -Type DWord }
    try { if (Test-Path $RegPath) { $v = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue; if ($v -and $v.$RegName -eq $ExpectedValue) { $r.IsCompliant = $true; $r.Details += "SMB v1 client disabled" }else { $r.Details += "SMB v1 client: $($v.$RegName)" } }else { $r.Details += "Not configured" } }catch { $r.Details += "Error: $($_.Exception.Message)" }; return $r
}
function Invoke-Remediation { if (-not(Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }; Set-ItemProperty -Path $RegPath -Name $RegName -Value $ExpectedValue -Type DWord -Force; Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol-Client -NoRestart -ErrorAction SilentlyContinue | Out-Null; Write-Host "SMB v1 client disabled - REBOOT RECOMMENDED" -ForegroundColor Yellow }
function Invoke-Monitoring { $r = Test-Compliance; Write-Host "`n$($r.PolicyName): $(if($r.IsCompliant){'COMPLIANT'}else{'NON-COMPLIANT'})" -ForegroundColor $(if ($r.IsCompliant) { 'Green' }else { 'Red' }); return $r }
function Invoke-Revert { Set-ItemProperty -Path $RegPath -Name $RegName -Value 1 -Type DWord }
try { if (-not(Connect-RequiredServices)) { exit 1 }; if ($Monitoring) { $r = Invoke-Monitoring; exit $(if ($r.IsCompliant) { 0 }else { 1 }) }elseif ($Remediation) { if (-not $WhatIf) { Invoke-Remediation } }elseif ($Revert) { Invoke-Revert }else { $r = Test-Compliance; exit $(if ($r.IsCompliant) { 0 }else { 1 }) } }catch { Write-Error $_; exit 1 }

Risico zonder implementatie

Critical: KRITIEK: SMBv1 = WannaCry, EternalBlue (300K+ systems compromised 2017).

Management Samenvatting

Disable SMBv1 client driver. WannaCry/EternalBlue defense. Test legacy NAS compatibility. Implementatie: 3-8 uur.

Implementatietijd: 8 uur
FTE required: 0.03 FTE

Intune: Disable SMBv1 Client Driver

💼 Management Samenvatting

Implementatie

Vereisten

Implementatie

Compliance

Monitoring

Remediatie

Compliance & Frameworks

Automation

Risico zonder implementatie

Management Samenvatting

Share artikel