This tool checks and enforces SMB v3 basic security
# SMB Check v0.3
# By Romel Vera (https://www.github.com/RomelSan)
# This tool checks and enforces SMB v3 basic security
# License: MIT
# Build: December 8, 2017
#===========================================================================
# Check Admin
#===========================================================================
function Test-IsAdmin {
    # Returns $true when the identity running this process is in the built-in
    # Administrators role, $false otherwise.
    $currentIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $currentPrincipal = New-Object Security.Principal.WindowsPrincipal($currentIdentity)
    return $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}
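# Refuse to continue without administrator rights. The refusal is printed in the
# warning colour and ends with a non-zero exit code so that a calling script or
# scheduler can tell "did not run" apart from "ran and finished".
if (-not (Test-IsAdmin)) {
    Write-Host "`r`nPlease run this script with admin privileges`r`n" -ForegroundColor Yellow
    exit 1
}
Write-Host "`r`nAdmin Check: OK" -ForegroundColor Green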
#===========================================================================
# Check PowerShell Version (5+)
#===========================================================================
# Keep the engine's major version in a global and report it against the 5+ baseline.
# This is informational only: an older engine gets a warning and the script carries on.
$global:powershellVersion = $PSVersionTable.PSVersion.Major
if ($global:powershellVersion -lt 5) {
    Write-Host "PowerShell Version: NOT OK" -ForegroundColor Yellow
}
else {
    Write-Host "PowerShell Version: OK" -ForegroundColor Green
}
# Global Variables
# Verdict flags shared by the check functions and make-correction.
# Each flag starts as "OK"; make-correction acts only on the value "danger",
# so a setting that is never evaluated keeps "OK" and is left untouched.
'smbv1_client',
'smbv1_server',
'server_encryption',
'server_rejectunencrypted',
'server_securesignature',
'server_requiresignature',
'client_securesignature',
'client_requiresignature',
'client_insecurelogons' | ForEach-Object {
    Set-Variable -Name $_ -Value "OK" -Scope Global
}
# Main Functions
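Function check-server {
    # Reads the SMB server configuration, prints one line per setting and stores a
    # verdict for each in the matching $global: flag.
    #
    # Verdicts: "OK"      - the setting has the hardened value
    #           "danger"  - the setting has the weak value
    #           "unknown" - the value could not be read as a boolean (for example
    #                       the query returned nothing); it is reported instead of
    #                       silently passing as "OK"
    #
    # Hardened values checked here: SMB1 off, EncryptData on, RejectUnencryptedAccess
    # on, EnableSecuritySignature on, RequireSecuritySignature on. Required signing
    # is treated as good even with encryption enabled: it costs nothing on sessions
    # that are encrypted and still protects integrity if encryption is later
    # switched off or is not applied.

    # Turns one boolean setting into a verdict string and prints the matching line.
    function Get-SettingVerdict {
        param([string]$Label, $Value, [bool]$SecureValue)
        if ($Value -isnot [bool]) {
            Write-Host "`r`n$Label could not be read: Unknown" -ForegroundColor Yellow
            return "unknown"
        }
        $state = if ($Value) { "Enabled" } else { "Disabled" }
        if ($Value -eq $SecureValue) {
            Write-Host "`r`n$Label is currently ${state}: Good" -ForegroundColor White
            return "OK"
        }
        Write-Host "`r`n$Label is currently ${state}: Bad" -ForegroundColor Yellow
        return "danger"
    }

    Write-Host "`r`nChecking SMB Server Protocol..." -ForegroundColor Green
    $server_status = Get-SmbServerConfiguration

    $global:smbv1_server = Get-SettingVerdict -Label "SMB v1 Server Protocol" `
        -Value $server_status.EnableSMB1Protocol -SecureValue $false
    $global:server_encryption = Get-SettingVerdict -Label "SMB Server Encryption" `
        -Value $server_status.EncryptData -SecureValue $true
    $global:server_rejectunencrypted = Get-SettingVerdict -Label "SMB Server Reject Unencrypted Access" `
        -Value $server_status.RejectUnencryptedAccess -SecureValue $true
    $global:server_securesignature = Get-SettingVerdict -Label "SMB Server Security Signature" `
        -Value $server_status.EnableSecuritySignature -SecureValue $true
    $global:server_requiresignature = Get-SettingVerdict -Label "SMB Server Require Security Signature" `
        -Value $server_status.RequireSecuritySignature -SecureValue $true
}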
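Function check-client {
    # Reads the SMB1 optional-feature state and the SMB client configuration,
    # prints one line per setting and stores a verdict in the matching $global: flag.
    #
    # Verdicts: "OK"      - the setting has the hardened value
    #           "danger"  - the setting has the weak value
    #           "unknown" - the value could not be read (query returned nothing, or
    #                       the feature is in a state other than enabled/disabled);
    #                       it is reported instead of silently passing as "OK"
    #
    # Hardened values checked here: SMB1 feature disabled, EnableSecuritySignature on,
    # RequireSecuritySignature on, EnableInsecureGuestLogons off. Nothing in this
    # script makes the client insist on encryption, so required signing is the only
    # integrity guarantee the client has towards the servers it connects to; it is
    # therefore reported as good when on and bad when off.

    # Turns one boolean setting into a verdict string and prints the matching line.
    function Get-SettingVerdict {
        param([string]$Label, $Value, [bool]$SecureValue)
        if ($Value -isnot [bool]) {
            Write-Host "`r`n$Label could not be read: Unknown" -ForegroundColor Yellow
            return "unknown"
        }
        $state = if ($Value) { "Enabled" } else { "Disabled" }
        if ($Value -eq $SecureValue) {
            Write-Host "`r`n$Label is currently ${state}: Good" -ForegroundColor White
            return "OK"
        }
        Write-Host "`r`n$Label is currently ${state}: Bad" -ForegroundColor Yellow
        return "danger"
    }

    Write-Host "`r`nChecking SMB Client Protocol..." -ForegroundColor Green

    # The feature state is compared as text; an empty string means the query gave nothing back.
    $smb1_feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $feature_state = "$($smb1_feature.State)"
    if ($feature_state -eq "Enabled") {
        $global:smbv1_client = "danger"
        Write-Host "`r`nSMB v1 Client Protocol is currently Enabled: Bad" -ForegroundColor Yellow
    }
    elseif ($feature_state -eq "Disabled" -or $feature_state -eq "DisabledWithPayloadRemoved") {
        $global:smbv1_client = "OK"
        Write-Host "`r`nSMB v1 Client Protocol is currently Disabled: Good" -ForegroundColor White
    }
    else {
        # Pending or unreadable states are surfaced rather than counted as disabled.
        $global:smbv1_client = "unknown"
        Write-Host "`r`nSMB v1 Client Protocol state could not be confirmed (reported: '$feature_state'): Unknown" -ForegroundColor Yellow
    }

    $client_status = Get-SmbClientConfiguration

    $global:client_securesignature = Get-SettingVerdict -Label "SMB Client Security Signature" `
        -Value $client_status.EnableSecuritySignature -SecureValue $true
    $global:client_requiresignature = Get-SettingVerdict -Label "SMB Client Require Security Signature" `
        -Value $client_status.RequireSecuritySignature -SecureValue $true
    $global:client_insecurelogons = Get-SettingVerdict -Label "SMB Client Insecure Logons" `
        -Value $client_status.EnableInsecureGuestLogons -SecureValue $false

    # Blank line closing the report section.
    Write-Host ""
}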
# Function that makes corrections
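Function make-correction {
    # Applies a change for every $global: flag whose value is "danger" and prints one
    # line per change so the run leaves a record of what was modified. Flags with any
    # other value are left alone.
    #
    # Every change moves a setting towards the hardened value. In particular
    # RequireSecuritySignature is only ever switched ON, for server and client:
    # required signing is the hardened state, and setting it when it is already on
    # changes nothing.
    #
    # Compatibility notes for the operator:
    #  - EncryptData together with RejectUnencryptedAccess turns away clients that
    #    cannot do SMB 3 encryption.
    #  - Required signing on the client makes it refuse servers that cannot sign.
    #  - The SMB1 feature is removed with -NoRestart, so it stays loaded until the
    #    next reboot.

    if ($global:smbv1_server -eq "danger") {
        Write-Host "Correcting: disabling SMB v1 on the server" -ForegroundColor White
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if ($global:smbv1_client -eq "danger") {
        Write-Host "Correcting: disabling the SMB1Protocol feature (takes effect after a restart)" -ForegroundColor White
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    }
    if ($global:server_encryption -eq "danger") {
        Write-Host "Correcting: enabling SMB server encryption" -ForegroundColor White
        Set-SmbServerConfiguration -EncryptData $true -Force
    }
    if ($global:server_rejectunencrypted -eq "danger") {
        Write-Host "Correcting: rejecting unencrypted access on the server" -ForegroundColor White
        Set-SmbServerConfiguration -RejectUnencryptedAccess $true -Force
    }
    if ($global:server_securesignature -eq "danger") {
        Write-Host "Correcting: enabling security signatures on the server" -ForegroundColor White
        Set-SmbServerConfiguration -EnableSecuritySignature $true -Force
    }
    if ($global:server_requiresignature -eq "danger") {
        Write-Host "Correcting: requiring security signatures on the server" -ForegroundColor White
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    }
    if ($global:client_securesignature -eq "danger") {
        Write-Host "Correcting: enabling security signatures on the client" -ForegroundColor White
        Set-SmbClientConfiguration -EnableSecuritySignature $true -Force
    }
    if ($global:client_requiresignature -eq "danger") {
        Write-Host "Correcting: requiring security signatures on the client" -ForegroundColor White
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    }
    if ($global:client_insecurelogons -eq "danger") {
        Write-Host "Correcting: disabling insecure guest logons on the client" -ForegroundColor White
        Set-SmbClientConfiguration -EnableInsecureGuestLogons $false -Force
    }
}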
# MAIN CODE
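# Report first, then change: both checks run and print their findings before
# anything is modified, and the operator gets a chance to abort.
check-server
check-client
Write-Host "`r`nPreparing Corrections...`r`n" -ForegroundColor Green
# Read-Host returns only when Enter is pressed, so the prompt says so. Its return
# value is discarded so that whatever was typed is not echoed as script output.
$null = Read-Host -Prompt "Press Enter to continue or CTRL+C to quit"
make-correction
Write-Host "All Done." -ForegroundColor Green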