3/12/20 fixed typo with rule direction in step 2 thanks to @TechGrlTweeter

3/12/20 Microsoft has patched the issue. Details here. Ned Pyle also confirmed that the mitigation to disable SMB compression would have no impact on SMB operations; the feature is not yet live.

SMB Vulnerability

Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client.

To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.

There are two problems:

  1. Windows 2019 SMB Servers are vulnerable to RCE
  2. Windows 10 clients are vulnerable when they connect to an attacker SMB service (Phishing etc).

Problem 1 - Servers

Use group policy to disable SMB Compression on Windows 2019 Servers.

1) Create new Group Policy linked to Servers OU(s)

2) Apply WMI filter to the empty GPO: root\CIMv2
Query: Select BuildNumber from Win32_OperatingSystem WHERE BuildNumber >= 18300

3) Edit the GPO:

Computer Configuration > Preferences > Registry

Create new registry GPP item:

Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Value Name: Disable Compression
Value Type: REG_DWORD
Value Data: 1

Done.

Screenshots (in case they are useful to you):

WMI Query for 2019 Servers (thanks Tyler!):

gpowmi

Full GPO:

gpofull

Problem 2 - Clients

Goal: Prevent your clients from being tricked into talking to a malicious SMB server while retaining access to corporate SMB services.

1) Create a new GPO linked to Workstations OU(s)

2) Navigate to Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > Outbound Rules

3) New Outbound Rule:

Rule Type: Port

Protocols and Ports: TCP, Specific Ports: 139,445

Action: Block the connection

Profile: Private, Public (Not Domain)

Name: DENY TCP 139,445 OUTBOUND when off Domain Network

Done.

There is an extra step you can take for telemetry/logging L2TP connections though:

4) Open the Outbound Rule you just created. Navigate to the “Advanced” tab. On Interface Types click Customize. Un-check the “Remote Access” interface type.

Done.

Note: It’s recommended to have SMB (TCP 139,445) blocked inbound to workstations as a security baseline. Highly recommended if you can make it work with your business. The workstations still act as SMB ‘servers’ in the context of this vulnerability. If you can’t, you’ll need to apply the server rules to the workstations as well.

Screenshots (in case they are useful to you):

General tab of FW rule:

fwgeneral

Ports and Protocols:

fwpp

Allow Domain Network SMB:

fwdomain

Allow L2TP connection SMB (inside advanced tab):

fwl2tp

Full rule:

fwrule