Closed TuemmlerKelch closed 12 months ago
Luckily it's explained pretty easily. The following registry keys have to be exchanged with the corresponding cmdlets and their fields.
Procedure: It is important to also check via RegistryPath, because older systems may not have the cmdlets available. The following logic will be implemented:
=> This will lead to a priority for the PowerShell cmdlets, and the RegistryPaths act as a backup.
```powershell
# Prefer the SMB cmdlet; fall back to the registry value on systems that do not have it.
try {
    # Non-compliant when signing is not required on the client.
    if ((Get-SmbClientConfiguration).RequireSecuritySignature -ne $true) {
        return @{
            Message = "RequireSecuritySignature is not set to True"
            Status = "False"
        }
    }
    return @{
        Message = "Compliant"
        Status = "True"
    }
}
catch {
    # Cmdlet unavailable (or failed): read the registry value instead.
    try {
        $regValue = Get-ItemProperty -ErrorAction Stop `
            -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" `
            -Name "RequireSecuritySignature" `
            | Select-Object -ExpandProperty "RequireSecuritySignature"
        if ($regValue -ne 1) {
            return @{
                Message = "Registry value is '$regValue'. Expected: 1"
                Status = "False"
            }
        }
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
    catch [System.Management.Automation.PSArgumentException] {
        # Key exists but the value does not.
        return @{
            Message = "Registry value not found."
            Status = "False"
        }
    }
    catch [System.Management.Automation.ItemNotFoundException] {
        # Key itself does not exist.
        return @{
            Message = "Registry key not found."
            Status = "False"
        }
    }
}
```
MS will change behavior in current builds and we need to adapt our logic in advance to be able to cover systems using either the new or the old way. See the article below for details.
Excerpt: Any auditing tools that look at the registry could give false information. Use Get-SmbServerConfiguration and Get-SmbClientConfiguration or the CIM classes MSFT_SmbClientConfiguration and MSFT_SmbServerConfiguration and ensure any scripts or auditing tools use them (this has been the right approach for all SMB settings for a decade).
https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-signing-required-by-default-in-windows-insider/ba-p/3831704
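The cmdlet-first, registry-as-backup procedure above, generalized to a single helper that covers both the client (LanmanWorkstation) and the server (LanmanServer) signing requirement named in the excerpt. This is an added example, not code from the issue or the project; the function and parameter names are my own, and it checks cmdlet availability explicitly with Get-Command instead of relying on a catch.

```powershell
# Added example: one helper for both SMB signing checks, cmdlet first, registry as fallback.
function Test-SmbSettingWithFallback {
    param(
        [Parameter(Mandatory)][string]$Cmdlet,        # e.g. Get-SmbClientConfiguration
        [Parameter(Mandatory)][string]$Property,      # e.g. RequireSecuritySignature
        [Parameter(Mandatory)][string]$RegistryPath,
        [Parameter(Mandatory)][string]$RegistryName,
        [Parameter(Mandatory)]$Expected                # $true for the cmdlet property
    )
    # Prefer the cmdlet: it reports the effective setting, also on builds with the new defaults.
    if (Get-Command $Cmdlet -ErrorAction SilentlyContinue) {
        $value = (& $Cmdlet).$Property
        if ($value -eq $Expected) {
            return @{ Message = "Compliant"; Status = "True" }
        }
        return @{ Message = "$Property is '$value'. Expected: $Expected"; Status = "False" }
    }
    # Fallback for older systems: read the registry; a missing key or value is non-compliant.
    try {
        $regValue = Get-ItemProperty -ErrorAction Stop -Path $RegistryPath -Name $RegistryName |
            Select-Object -ExpandProperty $RegistryName
    }
    catch [System.Management.Automation.ItemNotFoundException] {
        return @{ Message = "Registry key not found."; Status = "False" }
    }
    catch [System.Management.Automation.PSArgumentException] {
        return @{ Message = "Registry value not found."; Status = "False" }
    }
    if ([int]$regValue -eq 1) {
        return @{ Message = "Compliant"; Status = "True" }
    }
    return @{ Message = "Registry value is '$regValue'. Expected: 1"; Status = "False" }
}

# SMB client and SMB server signing requirement, checked with the same helper.
$checks = @(
    @{ Cmdlet = 'Get-SmbClientConfiguration'; Property = 'RequireSecuritySignature'
       RegistryPath = 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       RegistryName = 'RequireSecuritySignature'; Expected = $true },
    @{ Cmdlet = 'Get-SmbServerConfiguration'; Property = 'RequireSecuritySignature'
       RegistryPath = 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters'
       RegistryName = 'RequireSecuritySignature'; Expected = $true }
)
foreach ($c in $checks) {
    $result = Test-SmbSettingWithFallback @c
    "{0}.{1}: {2} ({3})" -f $c.Cmdlet, $c.Property, $result.Status, $result.Message
}
```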