fbprogmbh / Audit-Test-Automation

FBPro Audit Test Automation Package allows you to create compliance reports for your systems. The resulting HTML-reports provide a transparent overview of your devices' security configuration compared to international security standards and hardening guides.
https://fb-pro.com/audit-test-automation-package-audit-tap/
BSD 3-Clause "New" or "Revised" License
86 stars 27 forks

Improve SMB Server Signing check for incoming change in MS logic behavior #397

Closed TuemmlerKelch closed 12 months ago

TuemmlerKelch commented 1 year ago

MS will change behavior in current builds and we need to adapt our logic in advance to be able to cover systems using either the new or the old way. See the article below for details.

Excerpt. Any auditing tools that look at the registry could give false information. Use Get-SmbServerConfiguration and Get-SmbClientConfiguration or the CIM classes MSFT_SmbClientConfiguration and MSFT_SmbServerConfiguration and ensure any scripts or auditing tools use them (this has been the right approach for all SMB settings for a decade).

https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-signing-required-by-default-in-windows-insider/ba-p/3831704

SteffenWinternheimer commented 1 year ago

Luckily it's explained pretty easily. The following RegistryKeys have to be exchanged with the corresponding cmdlets and their fields.

Procedure: It is important to also check via RegistryPath, because older systems may not have the cmdlets available. The following logic will be implemented:

=> This will lead to priority for the PowerShell cmdlets, with the RegistryPaths acting as a backup.

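try {
    # Prefer the SMB cmdlet; a missing cmdlet or a failed call falls through to the registry check.
    if((Get-SmbClientConfiguration -ErrorAction Stop).RequireSecuritySignature -ne $True){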
        return @{
            Message = "RequireSecuritySignature is not set to True"
            Status = "False"
        }
    }
    return @{
        Message = "Compliant"
        Status = "True"
    }
}
catch {
    # Fallback for older systems without the cmdlet: read the registry value.
    try {
        $regValue = Get-ItemProperty -ErrorAction Stop `
            -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" `
            -Name "RequireSecuritySignature" `
            | Select-Object -ExpandProperty "RequireSecuritySignature"

        if ($regValue -ne 1) {
            return @{
                Message = "Registry value is '$regValue'. Expected: 1"
                Status = "False"
            }
        }
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
    catch [System.Management.Automation.PSArgumentException] {
        return @{
            Message = "Registry value not found."
            Status = "False"
        }
    }
    catch [System.Management.Automation.ItemNotFoundException] {
        return @{
            Message = "Registry key not found."
            Status = "False"
        }
    }
}
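
The same cmdlet-first, registry-fallback procedure generalised to both the SMB client and the SMB server, as an added example that is not part of the original comment or of the project's code. The function name `Test-SmbSigningRequired`, the `Source` field and the `LanmanServer` registry path are assumptions that do not appear on this page.

```powershell
# Added example: hypothetical helper, not AuditTAP code.
function Test-SmbSigningRequired {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Client', 'Server')]
        [string] $Role
    )

    # Per role: the SMB cmdlet to prefer and the service whose registry key is the fallback.
    $map = @{
        Client = @{ Cmdlet = 'Get-SmbClientConfiguration'; Service = 'LanmanWorkstation' }
        Server = @{ Cmdlet = 'Get-SmbServerConfiguration'; Service = 'LanmanServer' }
    }
    $cmdlet = $map[$Role].Cmdlet
    $path = "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\$($map[$Role].Service)\Parameters"

    try {
        # Preferred source: the setting as reported by the SMB cmdlet.
        # A missing cmdlet raises a terminating error and lands in the catch block.
        $required = [bool](& $cmdlet -ErrorAction Stop).RequireSecuritySignature
        $source = $cmdlet
    }
    catch {
        try {
            # Fallback for systems without the cmdlet: read the registry value.
            $regValue = Get-ItemProperty -Path $path -Name 'RequireSecuritySignature' -ErrorAction Stop |
                Select-Object -ExpandProperty 'RequireSecuritySignature'
            $required = ($regValue -eq 1)
            $source = 'Registry'
        }
        catch {
            # Neither source produced a value, so the check cannot pass.
            return @{ Message = "No cmdlet result and no registry value for the $Role role."; Status = 'False'; Source = 'None' }
        }
    }

    if ($required) {
        return @{ Message = 'Compliant'; Status = 'True'; Source = $source }
    }
    return @{ Message = "RequireSecuritySignature is not set to True ($Role, source: $source)"; Status = 'False'; Source = $source }
}

# Run both checks; Source shows whether the cmdlet or the registry supplied the result.
'Client', 'Server' | ForEach-Object { Test-SmbSigningRequired -Role $_ }
```

Recording the source in the result lets a report reader tell which verdicts came from the registry fallback, the path the quoted Microsoft excerpt says can give false information.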