tis-disable-smb1 9

  • package : tis-disable-smb1
  • version : 9
  • description : Disable SMB1. Computer must be restarted.
  • maintainer : Hubert TOUVET
  • date : 2017-07-20 11:19:47
  • signer : TRANQUIL IT SYSTEMS
  • signature_date : 20170720-111947
  • min_os_version :
  • min_wapt_version :

setup.py

# -*- coding: utf-8 -*-
from setuphelpers import *

uninstallkey = []

def pending_reboot_reasons():
    result = []
    reboot_required = registry_readstring(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update','RebootRequired',0)
    if reboot_required:
        result.append('Windows Update: %s' % reboot_required)
    reboot_pending = registry_readstring(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing','RebootPending',0)
    if reboot_pending:
        result.append('CBS Updates: %s' % reboot_pending)
    renames_pending = registry_readstring(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Control\Session Manager','PendingFileRenameOperations',None)
    if renames_pending:
        result.append('File renames: %s' % renames_pending)
    return result

def install():
    restart_needed_by = pending_reboot_reasons()

    if service_installed('mrxsmb10') and service_is_running('mrxsmb10'):
        print('Disable SMB1 client')
        run('sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi')
        run('sc.exe config mrxsmb10 start= disabled')
        restart_needed_by.append('Disable SMB1 client service')
    else:
        print('OK: SMB1 client not running')

    if windows_version() < Version('8.1'):
        was_smb1server = registry_readstring(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters','SMB1',1)
        registry_setstring(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters','SMB1',0,type=REG_DWORD)
        if was_smb1server:
            restart_needed_by.append('Disable SMB1 server service')
        else:
            print('OK: SMB1 server disabled in registry')
    else:
        smb1status = run_powershell('Get-SmbServerConfiguration | Select EnableSMB1Protocol').get('EnableSMB1Protocol',True)
        print('Current SMB1 status : %s' % (smb1status,))
        if smb1status:
            print('Disabling SMB1')
            result = run_powershell('Set-SmbServerConfiguration -EnableSMB1Protocol $false  -Force')
            result = run_powershell('Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -NoRestart')
            # {u'ScratchDirectory': None, u'RestartNeeded': True, u'LogLevel': 2, u'LogPath': u'C:\\Windows\\Logs\\DISM\\dism.log', u'WinPath': None, u'Online': True, u'SysDrivePath': None, u'Path': None}
            if result.get('RestartNeeded',True):
                restart_needed_by.append('Disable SMB1 Server Feature')


    if (service_installed('mrxsmb10') and service_is_running('mrxsmb10')) or was_smb1server or restart_needed_by:
        with disable_file_system_redirection():
            run_notfatal('msg * /time:360 Merci de redemarrer votre ordinateur pour terminer la desactivation du service vulnerable SMB1. Tranquil IT Systems.')
        error('Redemarrage necessaire pour : %s ' % restart_needed_by)
    else:
        print('No reboot required')
    

manifest

[["setup.py", "dff48826f610af6b5ce527f3304021f919d5318b"], ["WAPT/certificate.crt", "0db563dc9077b268ca07ba834322d0fc5e21f8e5"], ["WAPT/wapt.psproj", "557e60050809687d56525e6ac46df9c0e02ccae6"], ["WAPT/control", "7a447febac38cc155cc9f0232c8a9264d3bc0d58"]]