tis-disable-smb1 9

  • package : tis-disable-smb1
  • version : 9
  • architecture : all
  • locale :
  • description : Disable SMB1. Computer must be restarted.
  • maintainer : Hubert TOUVET
  • date : 2018-02-27 18:58:39
  • min_wapt_version :
  • min_os_version :
  • max_os_version :
  • impacted_process :

setup.py

# -*- coding: utf-8 -*-
from setuphelpers import *

uninstallkey = []

def pending_reboot_reasons():
    result = []
    reboot_required = registry_readstring(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update','RebootRequired',0)
    if reboot_required:
        result.append('Windows Update: %s' % reboot_required)
    reboot_pending = registry_readstring(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing','RebootPending',0)
    if reboot_pending:
        result.append('CBS Updates: %s' % reboot_pending)
    renames_pending = registry_readstring(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Control\Session Manager','PendingFileRenameOperations',None)
    if renames_pending:
        result.append('File renames: %s' % renames_pending)
    return result

def install():
    restart_needed_by = pending_reboot_reasons()

    if service_installed('mrxsmb10') and service_is_running('mrxsmb10'):
        print('Disable SMB1 client')
        run('sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi')
        run('sc.exe config mrxsmb10 start= disabled')
        restart_needed_by.append('Disable SMB1 client service')
    else:
        print('OK: SMB1 client not running')

    if windows_version() < Version('8.1'):
        was_smb1server = registry_readstring(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters','SMB1',1)
        registry_setstring(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters','SMB1',0,type=REG_DWORD)
        if was_smb1server:
            restart_needed_by.append('Disable SMB1 server service')
        else:
            print('OK: SMB1 server disabled in registry')
    else:
        smb1status = run_powershell('Get-SmbServerConfiguration | Select EnableSMB1Protocol').get('EnableSMB1Protocol',True)
        print('Current SMB1 status : %s' % (smb1status,))
        if smb1status:
            print('Disabling SMB1')
            result = run_powershell('Set-SmbServerConfiguration -EnableSMB1Protocol $false  -Force')
            result = run_powershell('Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -NoRestart')
            # {u'ScratchDirectory': None, u'RestartNeeded': True, u'LogLevel': 2, u'LogPath': u'C:\\Windows\\Logs\\DISM\\dism.log', u'WinPath': None, u'Online': True, u'SysDrivePath': None, u'Path': None}
            if result.get('RestartNeeded',True):
                restart_needed_by.append('Disable SMB1 Server Feature')


    if (service_installed('mrxsmb10') and service_is_running('mrxsmb10')) or was_smb1server or restart_needed_by:
        with disable_file_system_redirection():
            run_notfatal('msg * /time:360 Merci de redemarrer votre ordinateur pour terminer la desactivation du service vulnerable SMB1. Tranquil IT Systems.')
        error('Redemarrage necessaire pour : %s ' % restart_needed_by)
    else:
        print('No reboot required')
    

Changelog

No changelog
    

manifest.sha256

setup.py 060e9bb68d78460c00beaf7f1ffed12df4d32f7c8302714da23cdd5a3a75a71d
WAPT/certificate.crt 79e5388683c0b6cb03f4f81e4e58e3a11463b2b6cf169dd9c453098027dcfaa4
WAPT/wapt.psproj 795d36d10109ca85357285f79090fac2be856e5830ea31fa913cc55cb825807b
WAPT/control 3e7112af09853955cabfc543e9f34f374232ce00ad7edc0a8deab04be509c321