This tool checks and enforces SMB v3 basic security
# SMB Check v0.3 | |
# By Romel Vera (https://www.github.com/RomelSan) | |
# This tool checks and enforces SMB v3 basic security | |
# License: MIT | |
# Build: December 8, 2017 | |
#=========================================================================== | |
# Check Admin | |
#=========================================================================== | |
function Test-IsAdmin {
    <#
    .SYNOPSIS
    Reports whether the current Windows identity is in the built-in Administrator role.
    .OUTPUTS
    System.Boolean. The result of WindowsPrincipal.IsInRole for the Administrator role.
    .NOTES
    NOTE(review): with UAC enabled this is typically $false for an administrator
    account running a non-elevated session, so it acts as an elevation check.
    #>
    $currentIdentity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $currentPrincipal = [Security.Principal.WindowsPrincipal] $currentIdentity
    $adminRole        = [Security.Principal.WindowsBuiltInRole] "Administrator"
    $currentPrincipal.IsInRole($adminRole)
}
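# Elevation gate: the audit and enforcement cmdlets used later need an elevated
# session. A refused run ends with a non-zero exit code and a red message so
# that a wrapper or scheduled task does not record "nothing was enforced" as a
# successful hardening run.
if (Test-IsAdmin) {
    Write-Host "`r`nAdmin Check: OK" -ForegroundColor Green
}
else {
    Write-Host "`r`nPlease run this script with admin privileges`r`n" -ForegroundColor Red
    exit 1
}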
#=========================================================================== | |
# Check PowerShell Version (5+) | |
#=========================================================================== | |
# Record the engine's major version and report whether it is 5 or newer.
# The result is advisory only: a "NOT OK" verdict is printed, but the script
# keeps running.
$global:powershellVersion = $PSVersionTable.PSVersion.Major
if ($global:powershellVersion -lt 5) {
    Write-Host "PowerShell Version: NOT OK" -ForegroundColor Yellow
}
else {
    Write-Host "PowerShell Version: OK" -ForegroundColor Green
}
# Global Variables | |
# One verdict flag per audited SMB setting. The check functions overwrite these
# with "OK" or "danger"; the correction function acts only on "danger".
# NOTE(review): every flag starts as "OK", so a setting that is never evaluated
# (for example because its query failed) is indistinguishable from one that passed.
$verdictFlags = @(
    'smbv1_client',
    'smbv1_server',
    'server_encryption',
    'server_rejectunencrypted',
    'server_securesignature',
    'server_requiresignature',
    'client_securesignature',
    'client_requiresignature',
    'client_insecurelogons'
)
foreach ($flagName in $verdictFlags) {
    Set-Variable -Name $flagName -Value "OK" -Scope Global
}
# Main Functions | |
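Function check-server {
    <#
    .SYNOPSIS
    Audits the local SMB server configuration and records one verdict per setting.
    .DESCRIPTION
    Reads Get-SmbServerConfiguration and, for each audited property, stores "OK"
    or "danger" in the matching $global: flag and prints the finding. When the
    configuration or a single property cannot be read, the flag is set to
    "unknown" and a warning is printed, so an unreadable setting is never
    reported as passing.
    #>
    Write-Host "`r`nChecking SMB Server Protocol..." -ForegroundColor Green

    # Property = field on the configuration object, Flag = global verdict variable,
    # Secure   = value this tool treats as good, Note = text appended to the finding.
    $checks = @(
        @{ Property = 'EnableSMB1Protocol';       Flag = 'smbv1_server';             Label = 'SMB v1 Server Protocol';                Secure = $false; Note = '' },
        @{ Property = 'EncryptData';              Flag = 'server_encryption';        Label = 'SMB Server Encryption';                 Secure = $true;  Note = '' },
        @{ Property = 'RejectUnencryptedAccess';  Flag = 'server_rejectunencrypted'; Label = 'SMB Server Reject Unencrypted Access';  Secure = $true;  Note = '' },
        @{ Property = 'EnableSecuritySignature';  Flag = 'server_securesignature';   Label = 'SMB Server Security Signature';         Secure = $true;  Note = '' },
        # NOTE(review): this tool treats *required* signing as "Bad" on the grounds that
        # encryption supersedes it. That only holds for sessions that are actually
        # encrypted; common hardening baselines require signing. Confirm this policy
        # before relying on the verdict.
        @{ Property = 'RequireSecuritySignature'; Flag = 'server_requiresignature';  Label = 'SMB Server Require Security Signature'; Secure = $false; Note = ', this is super-seeded by encryption' }
    )

    try {
        $server_status = Get-SmbServerConfiguration -ErrorAction Stop
    }
    catch {
        $server_status = $null
    }

    if ($null -eq $server_status) {
        # Fail closed: without a configuration object nothing was verified.
        foreach ($check in $checks) {
            Set-Variable -Name $check.Flag -Value "unknown" -Scope Global
        }
        Write-Warning "Could not read the SMB server configuration; server settings are recorded as unknown."
        return
    }

    foreach ($check in $checks) {
        $value = $server_status.($check.Property)
        if ($null -eq $value) {
            Set-Variable -Name $check.Flag -Value "unknown" -Scope Global
            Write-Warning "SMB server setting $($check.Property) is not available; recorded as unknown."
            continue
        }

        $state = if ($value) { 'Enabled' } else { 'Disabled' }
        if ([bool]$value -eq $check.Secure) {
            Set-Variable -Name $check.Flag -Value "OK" -Scope Global
            Write-Host "`r`n$($check.Label) is currently ${state}: Good$($check.Note)" -ForegroundColor White
        }
        else {
            Set-Variable -Name $check.Flag -Value "danger" -Scope Global
            Write-Host "`r`n$($check.Label) is currently ${state}: Bad$($check.Note)" -ForegroundColor Yellow
        }
    }
}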
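Function check-client {
    <#
    .SYNOPSIS
    Audits the SMB v1 client feature and the local SMB client configuration.
    .DESCRIPTION
    Reads the SMB1Protocol optional feature state and Get-SmbClientConfiguration,
    stores "OK" or "danger" in the matching $global: flags and prints each finding.
    A query that fails, a feature state other than Enabled/Disabled, or a missing
    property is recorded as "unknown" with a warning instead of being left as passing.
    #>
    Write-Host "`r`nChecking SMB Client Protocol..." -ForegroundColor Green

    # --- SMB v1 client, exposed as a Windows optional feature ---
    try {
        $smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop
    }
    catch {
        $smb1Feature = $null
    }
    $featureState = if ($null -ne $smb1Feature) { [string]$smb1Feature.State } else { '' }
    if ($featureState -eq "Disabled") {
        $global:smbv1_client = "OK"
        Write-Host "`r`nSMB v1 Client Protocol is currently Disabled: Good" -ForegroundColor White
    }
    elseif ($featureState -eq "Enabled") {
        $global:smbv1_client = "danger"
        Write-Host "`r`nSMB v1 Client Protocol is currently Enabled: Bad" -ForegroundColor Yellow
    }
    else {
        # Any other state (query failed, or a change is still pending) was not verified.
        $global:smbv1_client = "unknown"
        Write-Warning "SMB v1 client feature state could not be determined ('$featureState'); recorded as unknown."
    }

    # --- SMB client configuration ---
    # Property = field on the configuration object, Flag = global verdict variable,
    # Secure   = value this tool treats as good, Note = text appended to the finding.
    $checks = @(
        @{ Property = 'EnableSecuritySignature';   Flag = 'client_securesignature';  Label = 'SMB Client Security Signature';         Secure = $true;  Note = '' },
        # NOTE(review): this tool treats *required* signing as "Bad" because encryption
        # supersedes it. Nothing in this function verifies that the client's sessions
        # are encrypted, so with signing not required the client may accept unsigned
        # sessions from servers that do not encrypt. Confirm this policy.
        @{ Property = 'RequireSecuritySignature';  Flag = 'client_requiresignature'; Label = 'SMB Client Require Security Signature'; Secure = $false; Note = ', this is super-seeded by encryption' },
        @{ Property = 'EnableInsecureGuestLogons'; Flag = 'client_insecurelogons';   Label = 'SMB Client Insecure Logons';            Secure = $false; Note = "`r`n" }
    )

    try {
        $client_status = Get-SmbClientConfiguration -ErrorAction Stop
    }
    catch {
        $client_status = $null
    }

    if ($null -eq $client_status) {
        # Fail closed: without a configuration object nothing was verified.
        foreach ($check in $checks) {
            Set-Variable -Name $check.Flag -Value "unknown" -Scope Global
        }
        Write-Warning "Could not read the SMB client configuration; client settings are recorded as unknown."
        return
    }

    foreach ($check in $checks) {
        $value = $client_status.($check.Property)
        if ($null -eq $value) {
            Set-Variable -Name $check.Flag -Value "unknown" -Scope Global
            Write-Warning "SMB client setting $($check.Property) is not available; recorded as unknown."
            continue
        }

        $state = if ($value) { 'Enabled' } else { 'Disabled' }
        if ([bool]$value -eq $check.Secure) {
            Set-Variable -Name $check.Flag -Value "OK" -Scope Global
            Write-Host "`r`n$($check.Label) is currently ${state}: Good$($check.Note)" -ForegroundColor White
        }
        else {
            Set-Variable -Name $check.Flag -Value "danger" -Scope Global
            Write-Host "`r`n$($check.Label) is currently ${state}: Bad$($check.Note)" -ForegroundColor Yellow
        }
    }
}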
# Function that makes corrections | |
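Function make-correction {
    <#
    .SYNOPSIS
    Applies a fix for every SMB setting whose $global: verdict flag is "danger".
    .DESCRIPTION
    Each change is announced before it is applied, because -Force suppresses the
    cmdlets' own confirmation prompts and the run would otherwise leave no record
    of what was modified. Flags holding any value other than "danger" are left alone.
    #>
    if ($global:smbv1_server -eq "danger") {
        Write-Host "Correcting: disabling SMB v1 on the server" -ForegroundColor Green
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }

    if ($global:smbv1_client -eq "danger") {
        Write-Host "Correcting: disabling the SMB1Protocol optional feature" -ForegroundColor Green
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
        # -NoRestart defers the reboot, so say so instead of implying the change is live.
        Write-Host "A restart may be required before the SMB v1 client change takes effect." -ForegroundColor Yellow
    }

    # NOTE(review): EncryptData plus RejectUnencryptedAccess refuses clients that
    # cannot negotiate SMB encryption; confirm no such clients depend on this host.
    if ($global:server_encryption -eq "danger") {
        Write-Host "Correcting: enabling SMB server encryption" -ForegroundColor Green
        Set-SmbServerConfiguration -EncryptData $true -Force
    }

    if ($global:server_rejectunencrypted -eq "danger") {
        Write-Host "Correcting: rejecting unencrypted access on the server" -ForegroundColor Green
        Set-SmbServerConfiguration -RejectUnencryptedAccess $true -Force
    }

    if ($global:server_securesignature -eq "danger") {
        Write-Host "Correcting: enabling the server security signature" -ForegroundColor Green
        Set-SmbServerConfiguration -EnableSecuritySignature $true -Force
    }

    # NOTE(review): the next server and client "require signature" corrections turn
    # required SMB signing OFF. Encryption only protects sessions that actually
    # negotiate it, and common hardening baselines require signing; confirm this
    # policy before running the tool on production hosts.
    if ($global:server_requiresignature -eq "danger") {
        Write-Host "Correcting: turning off required signing on the server" -ForegroundColor Green
        Set-SmbServerConfiguration -RequireSecuritySignature $false -Force
    }

    if ($global:client_securesignature -eq "danger") {
        Write-Host "Correcting: enabling the client security signature" -ForegroundColor Green
        Set-SmbClientConfiguration -EnableSecuritySignature $true -Force
    }

    if ($global:client_requiresignature -eq "danger") {
        Write-Host "Correcting: turning off required signing on the client" -ForegroundColor Green
        Set-SmbClientConfiguration -RequireSecuritySignature $false -Force
    }

    if ($global:client_insecurelogons -eq "danger") {
        Write-Host "Correcting: disabling insecure guest logons on the client" -ForegroundColor Green
        Set-SmbClientConfiguration -EnableInsecureGuestLogons $false -Force
    }
}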
# MAIN CODE | |
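# Audit first, then pause so the operator can read the findings before any
# setting is changed.
check-server
check-client
Write-Host "`r`nPreparing Corrections...`r`n" -ForegroundColor Green
# Read-Host returns only after Enter is pressed, so the prompt says so; the typed
# text is discarded rather than emitted as script output.
$null = Read-Host -Prompt "Press Enter to continue or CTRL+C to quit"
make-correction
Write-Host "All Done." -ForegroundColor Green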