Thanks for joining us for Ops 104, Securing SMB from Within and Without. Let's get started. Today, we're doing Securing SMB from Within and Without, with principal program manager Ned Pyle, internet legend Ned Pyle, and owner of the cutest dogs on earth, Ned Pyle. Ned, take it away. Thanks so much for the intro. As Orin and Sonia pointed out, I have dogs. Most people on Twitter really don't know anything that I do, or care the slightest bit about me at all; they just care about seeing pictures of dogs jumping around. Today, I'm going to talk about securing SMB from within and without, and what that means is that when you think of SMB security, you probably think of permissions and ACLs, making sure that users have access to files in the way they're supposed to. What I'm really talking about when it comes to this is the idea that there are various types of attacks, and there are various types of scenarios for SMB, like any distributed system, where the key is to understand how the architecture of that product works, and to understand the main threats beyond just the basic security that you would do for anything, which is privilege and access control. I'm going to talk about something called interception attacks, which we used to refer to all the time as man-in-the-middle attacks, and I'm going to talk about SMB lateral movement: SMB itself being used sort of against you, the same way that HTTP might be used against you, or SSH might be used against you, or other distributed system protocols and transports might be used against you. I didn't really talk about going beyond, like, the basic security theater. We're going to talk about a progressive approach to applying security, and it's going to look like a lot, but I try to outline it in a way with two major branches of things to work on, and each one has steps you go through, and it might take months or years, and you might never actually get all the way there.
It kind of depends on your threat model, and your time, and your own management's decisions about security versus ease of use and stuff like that. So, starting off: SMB is everywhere. It is all around you. It is there when you do your taxes and take out your garbage. SMB is, as you know it right away, a real file system, right? Something used by remote desktops, something used by Storage Spaces and storage products. You dig in, and you start seeing more SMB that you weren't aware was there. It's part of clustering products. It's how you copy files. It's how you map your drives. It's where group policy comes from. It's all your file servers. It's how live migration works. It's how named pipes and all your applications work. Like, it is everywhere. It is ubiquitous, and besides HTTP and TCP, it's probably the most used protocol on your network. Whether you run Windows or don't run Windows, it's super popular within Linux as part of the kernel. It's been part of iOS for years now, and it is really, really everywhere. And so it's not just mapping a drive and copying some files. It's a whole lot of stuff, and that's all interactions between, you know, all the machines on your network. Oh, and it's also your management tools, by the way. Half of them are using things like RPC over SMB. Your snap-ins everywhere. They've been using SMB, and they haven't even been telling you. I just want to say that this is one of the surprising things about the content that we've had at this event, because we set out to make it a hybrid event, and every sort of session that Orin and I have been involved in so far has ended up being a security session. I kind of put a tweet out the other day about the fact that this is so critical to the role of an IT pro.
There are so many things that we do that have a security aspect to them, and I think that last thing illustrates why, because things like an insecure protocol underlie so many of the things that fall under the responsibility of the IT pro. They're not really under the control of the developers. They're not really under the control, even if you've got a dedicated security team, but they underpin everything that the IT pros touch, and that's why I think we have such a strong security thread throughout all of this type of content. Yeah, and I don't even put down here about Azure Files, right? Like, Azure Files, since we're talking about hybrid and Azure stuff, Azure Files is SMB too. And everything I talk about tactically will impact Azure Files, if you're using it, you know, just as a way to host data, typically inside of Azure, or you might be using it through a VPN maybe, or you might be using Azure File Sync, which doesn't really use SMB at all. But that endpoint node, your Azure File Sync node, that's using SMB all throughout your entire organization; you know, you want to make sure that that is part of the safety that we're going to describe here, and that's part of your threat model, the same way that it would be for any other file server, except that now you're protecting not only that server but everything that it holds that goes into Azure and ends up being part of your hybrid discussion. For me, the best kind of hybrid conversation is one where you don't really think that much about either Azure or Windows on-prem; you just think about the thing you're trying to do, so that it's applicable across the board. And almost everything I describe here would be applicable to Azure Files too. What I'm really saying here is that most people come up against big distributed system conversations about, you know, how do we protect our entire network? How do we protect, you know, a gigantic matrix of computers?
And they start to sort of throw up their hands and say it can't be done. And it is very difficult, but it's not impossible. And if you spend your time going through and looking at this and just biting off little pieces at a time, biting off little chunks of work, you get some really significant improvements in your security with every little bite, and then eventually, you know, you eat the entire elephant, right? So we're really talking about doing, you know, one of two things. One, defense is about looking unpleasant from the outside looking in, right? It's about not wanting to be an attractive target. It's about somebody doing a little bit of probing against your defenses, finding out that things are pretty tight, and not bothering you, rather than sitting there and trying to dig and dig and dig to get to the one little tiny hole that somebody can find. And the other thing is about layering your defenses. It's about not just having, you know, "the firewall is our defense," "the antivirus is our defense," "something is our defense." You all watched the whole SolarWinds thing. That's a classic example of people putting entirely too much, you know, sort of confidence into one piece of the defense, so that when it fails, you're really, really in trouble. So the SMB defense that we're going to talk about is, like I said, one of three things. There are permissions, right? There are these things called interception attacks, and there are these things around movement: lateral movement, ingress and egress attacks. And I'm going to focus on the latter two. I'm not going to sit there and talk about NTFS permissions and SMB permissions. That's something that's old and well documented and nice and crusty and all that kind of stuff. So let's talk about interception defense and what that really means. And to make sure that I live up to my legacy of being purely about dogs, here's a couple of my dogs going around the yard in the snow, providing interception defense. And this goes on for a minute.
I have a version of this, actually, where I put on the Nintendo Super Mario Brothers coin sound every time they bounced off each other, but I figured you probably wouldn't have the rights to that here. Well, you could do Yakety Sax. I could also have done the Benny Hill soundtrack, yes. With little Jackie. So interception attacks are anything where you're manipulating communication between client and server, right? It's anything like eavesdropping, or stealing creds, or having fake endpoints, where you trick me into going to your baloney server and it's full of nastiness. And it's also not necessarily always evil to say interception. I mean, well, let's see, you both, I assume, have heard of and maybe even run into a Riverbed, right? Like, there's a WAN product whose job it is, very much in your favor, to optimize traffic between two sites. That's intercepting stuff; it's packet shaping, right? It's manipulating, it's compressing, it's doing all kinds of stuff. One of the very normal things to do, in what I'm talking about here, is getting into your SMB, stealing your credentials, stealing your data, or just using it as a way to deliver evilness onto your machines. So when we go through this whole process, we're going to go through these two paths, the interception area and the movement area. We'll start with interception attacks, and you'll see kind of what my plan is here to talk about over the next amount of time. Patching. SMB1 removal, which by now you should be saying, "Move along, Ned, I've already taken care of this. I've got nothing to talk about here; this is all ironed out, don't worry about it." No guest authentication. That's something that a lot of people don't know about. No WebDAV. Now we're starting to get, you see, more and more into the weeds here. Limiting your outbound SMB traffic. Using something called UNC hardening. Are you familiar with UNC hardening? It's one of our things we've kept pretty well secret. Ever heard of it?
Have you ever heard of it, and have we done any publishing or documentation? I don't know. Yeah, so we have exactly one blog post and one KB article for this super critical thing, which is actually on by default in Windows 10 and doing all kinds of stuff that people don't know about. I'll talk about that in a minute. Then SMB 3.1.1: forcing a particularly secure variation of SMB that provides extra security precautions, instead of letting it negotiate under some circumstances. We're talking about encryption, and we're talking about really the hard, really hard part of this one, that you might end up having conversations with somebody like Steve Syfuhs about, which is eliminating NTLM and then really buffing up the default implementation of Kerberos, which is still very, very safe but can be made much, much, much safer against modern attack variations. And I'm no expert there anymore. I mean, I used to sort of know what I was doing with Kerberos, back when I worked in the AD team. So if you really want super-duper answers there, I'm not going to be your perfect person, but I can give you some good understanding and point you in the right direction to go do this stuff. So we're going to go through that, and then we're going to go through movement attacks and talk about blocking traffic at the edge, inbound and outbound, and how to inventory your entire SMB world, and then use that to build a truly, extremely safe SMB environment, sort of a pain in the butt to deploy, but once you have it, really, really safe, where lateral movement is very restricted to what you need to do. And generally speaking, owning one machine will not help an attacker move very far. And then finally, the idea of, especially in certain classes of machines, just not using SMB as a server at all. And that's something where, as you see again, I move through the easy to the hard, right? Messing around with the corporate firewall: pretty easy. Inventorying all your SMB sounds like a real drag.
Doing crazy firewall stuff is going to be difficult, but a very big payoff. And then down to the, like, "what if we just shut stuff off completely" type model. But of course, you know, it'd be nice if you could not be known as a no-SMB guy and could be known as a no-guest-auth guy, but just getting people to get even one or two steps up that ladder is enough of a challenge. So getting them to the top of the ladder is really great to have, but not so many people will get there. Right. So let's start with this first part here, and I'm going to have some nice demos along the way where I go through and do this live, and they're not very, they're not super dangerous demos, or in danger of going bad or anything. It's mostly configuring things and then showing you the result. And then we'll go to the bottom and we'll be all set. So before I start, is there anything you want to comment on here, or do you want to just crank ahead? I do wish you hadn't said that there'd be no problems with the demo. I get sort of like when Dr. Bunsen says to Beaker, "This is definitely safe." I should know better, right? Well, the lights are about to go out. About to be a once-in-a-hundred-year weird storm, I guess, that's not even on any radars right now; it's just going to open up. You have the power of editing. Oh my goodness. All right, so let's start talking about patching right away. That's the best defense, obviously, for known vulnerabilities within SMB. You want to do that kind of stuff as soon as you feasibly can. So there's the constant push and pull that you all see with customers around how long it might take to apply patches, should I apply patches, which is not a great conversation to have. And really my answer is always going to be that eventually you must, right? I mean, eventually, in order to be supported, you have to apply patches in Windows. But, you know, going as fast as you can is certainly better than "we don't have a plan" or "we don't do anything."
And ideally for us here, you would patch the afternoon that we got patches out, and that would be the end of it, and there would never be a WannaCry or NotPetya or one of those things, right? So that's an easy one. No SMB1. I think nowadays... when I first started on eliminating SMB1 seven years ago, when I first came to be a PM, everybody, I mean, they literally laughed in my face, laughed in my face and, like, rolled on the floor and held their sides like they were in a cartoon, about the idea that I would not just deprecate a protocol but actually remove it from Windows; like, remove something from Windows, that's impossible. It's never going to happen, and stop, stupid new PMs with their stupid naive ideas. And it really did take years and years of work to get it, and it's still not fully removed, but it's still something where it's very unlikely for you to have it right now unless you want to have it or need to have it. Which do you think would get removed first entirely from Windows Server, SMB1 or the WINS server? Oh, I think it could probably be WINS. I'm pretty sure it can be WINS and it can be NetBIOS, and that might be it, yeah. So you've all seen me talk about SMB1, and you've heard me yak about it for years and make funny jokes on Twitter, and it's just architecturally unsound. It's just garbage that can't be fixed. It was written in the 80s and then monkeyed with all through the 90s by a variety of parties, some Microsoft and some not. And it's just from a time when security didn't matter and everybody was on cocaine. I don't know what they were doing. Everything was crazy back then, and it can't be fixed, and there's no point in trying to fix it. So if you've got to run it, the key is to only use it when absolutely necessary and make sure that you are not allowing those machines to talk to really anybody outside of their little conversations: air-gapped networks, that kind of stuff. Because we're not really fixing SMB1 anymore. There's no way to fix it.
We patch it when we find gigantic vulnerabilities. We haven't had one in quite some time, because we think we caught a bunch of the big ones years ago when we made a big effort to do it. But typically speaking, if you buy a Server 2019 or if you buy Windows 10 and install it, it's not going to be there. Really, the only spot now where an SMB1 client would be installed and on by default, sitting there, is a Windows 10 Home edition. Even Pro, we don't have it on by default anymore in the client, but the server is always gone, the SMB1 server, no matter what. And if you don't use it for a while, even on that Home edition, or if you enable a little feature inside of Enterprise and Pro and such that will look for it, it will actually uninstall itself after a couple of weeks of not being used. So if you were to, say, just not make an SMB1 connection for three weeks, and I mean three weeks of on time, not just necessarily off time, then it'll just be like, "Well, I'm not being used, I'll just uninstall." So that's the self-removal piece. Let me show you a little demo of SMB1 here. Four dogs; I'm going to have dogs all the time in this forum. Big smart guy. So here I am, running on a Windows 10 machine. And I'm going to go to Add or Remove Programs. And I'm going to demonstrate SMB1 here. All right, there's my demo. It's all done, because it's not there by default. The only way you'd need to troubleshoot SMB1 right now would be to actually go put it on on purpose, because it's not there anymore. If you go to Server Manager, it would be inside of Server Manager. If you want to, I mean, if you really, you know, really have a problem where it's deployed out into a fleet, obviously you're not going to be running around clicking in Add/Remove Programs on individual desktops unless you work in a very, very small shop. So, you know, you would uninstall through PowerShell. You can use Disable-WindowsOptionalFeature. We'll watch it here.
It's already uninstalled. That's it. There's not a whole lot to see on an SMB1 demo. That's my goal: that you don't care so much about SMB1 demos. So the next thing is guest auth. Are you familiar with what we call SMB guest fallback? If you've really been into the SMB1 world, you might remember this one; you might not. It's okay if you don't. SMB guest fallback, or SMB1, says, "I don't know the password to log into this server I'm talking to, so I'm going to use guest access and then I'll connect." Now, in the case of a Windows server, we turned off guest access to SMB, like, in Windows 2000. Nothing would happen; this would fail, right? So I type my password wrong, or I don't know what the password is, and I try to connect, and it's like a bad password at the end of it. But if this was something like that, if I remember back to, I mean, I might be wrong, but it was like read, it gave you read access to something, or you could just use the guest account. I mean, I remember it from my NT4 days. There are two things: there's the guest account, and then there's guest access, and this is just guest access. It's connecting you with guest-level privilege. Well, the problem is, if the server is evil, it's going to be like, "Yeah, guest is great, come on in. I don't need to know what your password is. Please connect to me. I love when people connect to me as guests, and here you are looking for some files. Here are some files." They're probably not the files you were hoping you would get, because they're malware, and now you have ransomware. So the whole point of this feature was a convenience thing, right? When we talk about SMB1, we're talking about how to make life easier for the user in the early 90s. So everything was about ease of use. It was never about safety. If you saw Windows 10 right now, this guest access is off. I mean, this particular aspect, guest access specific to SMB, is off.
And if you want to turn it back on, you have to opt into it using a group policy called "Enable insecure guest logons." And, you know, we try to go out of our way to make sure that you don't want to do this, even with the name of the policy. We sat there and talked about it for a while, making sure that somebody would think about it. Now, WebDAV has been around forever. And it's actually not used too much anymore, but the client for WebDAV is on in Windows by default. And you might use it sometimes without realizing it, when you would go to, say, Sysinternals and, you know, you could actually map drives to run Sysinternals tools off the Sysinternals web servers. WebDAV is just a webby way to do, you know, UNC file access. Even WebDAV itself is very difficult to secure. So let's say you're doing it legitimately and you want to use WebDAV. You've got to use certificates. You've got to set it up for HTTPS and TLS. You've got to do all these things on purpose, and, like, nobody does, right? So even if you're using it safely, even if you're using it on purpose, it's not that safe, typically. And really what you're worried about is not using it safely. We have seen several attacks where they're just tricking a user into trying to go across the internet to a UNC path; the web client lets them in, and they start downloading malicious code. So right away you can stop this by simply stopping the WebClient service in Windows and just not letting it run. It used to be required by a number of features; Office itself made use of it for some stuff. As far as we know right now, as far as we know right now, no legitimate Windows first-party software requires the WebClient service. I could be wrong, and you could specifically call me out as being wrong, but I turned off the WebClient service on my machine and all of our test machines four years ago, and no one has complained.
So in a domain environment, can I add a group policy to prevent that service from being enabled, then? Not only can you, but you should. So you can use a group policy preference, or use the group policy services thingy, which is kind of gross. The preference one is pretty good, I think. And you could use that to just set the WebClient service to be disabled. I believe right now it's on demand. It doesn't actually start, because almost everything that isn't, like, needed right away, you know, in Windows 10 isn't actually started right away, but you do want to disable it, so no one would just, you know, get in there and do it. On Windows Server, it's not called the WebClient service; it's called the WebDAV Redirector feature, for some reason, so it's feeling fancy, and you don't install that. When you say, "Oh no, you made me uninstall this thing that I want to use, that I like," we do have something coming to make up for this lack of functionality, called SMB over QUIC. And I'm not going to spend an hour and a half talking about this new feature, but it is, like, a big game-changing feature about how you access SMB, especially over the internet, where instead of using... You will at some stage spend that time talking about that feature, just not in this talk. I mean, I've already talked about it with you at length at some conference we were at. I've talked about it at Ignite previously. I've written a big blog post about it that has, like, a quarter of a million views. Like, everybody knows about this; it's not a secret. We just haven't shipped it yet. And that's the secret: when can I get it? Not, is it happening? It's happening; it's done. I'm sitting there looking at the WAC extension to manage it. Like, I closed that tab, but, you know, that's running right now. Okay, so we're getting away from the easy stuff and getting more towards the hard stuff, like this one: limiting outbound SMB.
And that's where you're preventing SMB from being, like, turned on you and used against you. Now I'm going to pin this one here for a second, because I actually have a big long demo and explanation in the second half, when we talk about movement, but this really is part of that interception attack story: you can't get intercepted if there's no SMB, right? If I send Orin an email with a batch file stuck in it that's going to open up a UNC path, and that UNC path is going to open up to my file server running on the internet that's full of nastiness, it won't work if I'm not allowed to connect to nasty internet servers, and you won't get my credentials. You won't be able to do, you know, pass-the-hash or golden ticket or any of those things where you're trying to harvest stuff; they all break because, generally speaking, I won't be allowed to talk to crazy servers on the internet. We have a real advantage here with SMB that the HTTP folks don't have, right? Like, controlling your HTTP access as an attack variant is, I wouldn't say impossible, but it's extremely hard, because there are so many legitimate reasons to be partying on the internet with HTTP. There are none with SMB. So it's a pretty good idea to be able to block these types of things yourself and just stop attacks from being meaningful. I'll go into real detail on this in a minute, okay? So let's talk about UNC hardening, where I already managed to stump Orin and Sonia about my secret feature that I never tell anybody about. They didn't know; I'm very disappointed. We sometimes call this one the coffee shop attack. When it first came out years ago, it was described as a way that you take your laptop into a coffee shop. You'd be on Wi-Fi, just doing stuff, and your laptop boots up. It's a corporate laptop that you're just running around with. And as a corporate laptop, when you boot it up, it right away tries to apply group policy.
So it's going to try to go to SYSVOL on some domain controller, some DC up there from the Contoso domain. "I'm going to your domain; please give me my group policy and my startup scripts and all that kind of stuff." And that server that you were seeing was not your server, either from ARP poisoning or, literally, it's like somebody's sitting in the coffee shop with their DC running in a VM on the Wi-Fi, right? And they've got a little bit of recon, and they know that Sonia works at Contoso. So they need to name some servers a little bit just to catch her. But as soon as you would connect, they'd be like, "Hey, cool, there's a server that looks like my server and it's full of stuff." And they would use a couple of actual vulnerabilities to make sure that you connected. But it wasn't your server; they hadn't stolen a DC. They weren't actually really impersonating you. They had literally just named a server the DC. And as long as your laptop thought that the DC was good, it was owned. And so the idea around this UNC hardening is to say, I don't just care about the names of servers or the identity of domains and forests and stuff. I care about mutual authentication. I care about signing and encryption, where there's a bunch of stuff that has to happen to prove that you're actually my domain, right? Like, we can't just pretend to do Kerberos. Like, you really have to have a KDC that I trust, and there has to be an actual exchange of secrets that you would have to know. We can't just connect on nothing; it requires you to sign, and that requires more secrets, and it requires you to encrypt, and that requires more secrets. And so you're basically saying, let's shift the pattern of SMB.
This is where we really started to do this, around eight years ago, from being a server-oriented security model, where the server is like, "Be secure, clients, you remember to be secure," to being much more of a client saying, like, "I don't trust anybody, and you'd better be secure, server, and you'd better prove stuff, or we're not going to talk anymore." And so a lot of the stuff that we go through here is really about that change in the paradigm, where the client itself is where the security originates, not the server anymore. By default, this thingy has actually been on for you all this time, for SYSVOL and NETLOGON only. By default, when you connect to your domain controller with your Windows 10 machine, it will require, from the client, SMB signing and Kerberos mutual auth to any of your domain controllers. And that's been going on since Windows 10 came out. Well, we weren't telling you. And if you're a real old fogey, like Orin, you probably remember the Default Domain Controllers Policy would say, like, "Oh, the DC must always be signed." Like, you were thinking to yourself, we always kind of did this, right? But there was that server-side thing where the attacker is not going to make his server nice and secure for you, obviously, right? Their job is to make sure that it's weak and it gets you in there. So we changed that sort of paradigm from the server demands signing to the client demands signing. I'll give you a little demo of this too here. Hang on a sec. So hardening has group policy. Hopefully this isn't too small to read, but I mean, you could follow along with my voice. So if I go to group policy and pick out some policy, or I make some policy, sure. And I edit it; what I'm looking for in here is Computer Configuration, Windows Settings, oops, grab it. I'm sorry, Administrative Templates, Network, grab it, Network Provider, Hardened UNC Paths. This is one of the most bizarre group policies you'll ever actually see.
In fact, you might find it easier to just deal with it directly by using the registry, using group policy preferences, something like that. But it had to solve a problem back when group policy didn't really have a way to solve these types of UI issues. So it talks about this, how it works: what you're really going to be doing is providing source paths with wildcards or with specific names, and then UNC-appended paths on those with specific shares, or asterisks again to do wildcards. And then you're going to provide a little table that says what I want to be able to have happen. So "require integrity" is signing, "require privacy" is encryption, and "require mutual authentication" in practical Windows terms means Kerberos. Require Kerberos, then require one of these two things. There's no need to ever require both integrity and privacy, because privacy is encryption, and encryption is better than signing, and it effectively assumes the job of signing as well as encryption. So if I enable this policy and I click on Show, I get this little table. And what I'm going to do is specify different types of paths in here, not my domain controllers; that's already built in. It's not just all built in. Let's say, if I had a server called this and I wanted to make sure that every single solitary time you connected to it, on any of its shares, you had to use Kerberos and signing, that would do it: require mutual auth (Kerberos), require integrity (signing); any share I connect to on the server, anywhere in the company, that's going to happen. I could also do it very specifically for one share, and I could put in some value there, like this one, where I'm just going to require Kerberos and encryption. And you can use wildcards, where I could asterisk out some share. So let's say I have, like, an app deployment share on every single solitary server, and it's always called "app deployer" or whatever.
I can do this, and that would mean that literally any server I ever talked to in my whole life that had the words "app deploy" inside of its share name, that would require whatever I required. That's how SYSVOL works right now: there's no name in there for SYSVOL, it's just \\*\SYSVOL, and SYSVOL's a special share, and the DCs that you're going to get signing on those will be elected or not. But it's not difficult to deploy, and the part you want to be careful about, the risky part, is encryption. This has been backported all the way to Vista. When we did it, in fact, we even talked about going down to XP, and then I finally prevailed. With encryption, that's only been available in SMB3 and on. So that's Windows 8 and 8.1, both hugely popular operating systems that command a gigantic market share of 50, and then there's Windows 10, right? Which is, like, literally a billion machines. So Windows 10 is where you want to have require privacy on. If you've got Windows 7 and you go around saying nobody can connect to anything unless they do encryption, they're not going to be connecting to anything. So you have to be super careful about the fact that, of these flags, the reason why we do integrity out of the box instead of privacy first is because at the time we did that, 95% of the fleet wouldn't have connected, and it would have blown up the universe. So now you know what UNC hardening is, and you can win at hardening trivia. All right. So now let's talk about SMB 3.1.1. As you probably know, it's huge fish and otters of SMB. When we connect to a server, we go through a process called negotiation, where we first connect and say, "Here's my dialect, and I support doing all of these things. I support doing encryption, and I support doing multichannel, and I support all this crazy crap." But the negotiation is effectively just sort of a wish.
It says, the client says, I support these packets, sorry, these dialects, and the server says, I support these dialects, and the highest one that matches, we're going to use. And that's great if you just want to have good compatibility. If I talk to a 2008 R2 server, it'll say, okay, we support SMB 2.1. If I talk to a Windows Server 2016, it'll be like, oh, I support SMB 3.0. The problem is, we progressively added more security pieces, pre-authentication integrity, a whole bunch of stuff, to SMB that really only happens in SMB 3.1.1. And a bad person, such as Orin, who will be our canonical bad person in this example, would just simply set up their evil server to only support SMB2 and then attack with whatever vulnerability they knew about from SMB2, right? They would just say, like, I don't support SMB3. I mean, what can you do? So, the reason... I figure if I'm going to be able, I'll wear the hat. So you've gone full Rick. And that's, it's very distracting honestly, that you went full Rick. You never go full Rick, Orin. What do you look, do you look friendly? Oh, wow. Oh my goodness. Now you got to say aboot. You got to say aboot. How about that? A1A. Oh, yeah. Pineapple pizza, maple syrup, hockey. So what we can do, starting at Windows 10, and about, I forget which word, it's far enough back now where I don't care anymore, it's like 1709 or some particular instance from some years ago, is now we can actually just say, I don't want to negotiate. I want to actually specify which versions of SMB I'm going to use, anywhere from 2.02 all the way to 3.1.1. Again, nothing here about SMB1. SMB1 is something else, and you shouldn't have anything to worry about negotiating it because you turned it off already. And like I said, again, this is another one of those risky ones.
The risk here is if you've got a whole bunch of servers that are running 2012 because you're not caught up, or you've got a whole bunch of servers around 2008 because you haven't finished upgrading your servers and you're wildly unsupported and you're just constantly sweating and upset, you'll be breaking your whole fleet if you sit there and mandate you've got to use SMB 3.1.1, because they don't know what that is. It's very, very simple to set. It's just registry values on my workstation where you are setting a min and a max of whatever you want it to be. Look at, you can see how we do the values here. It's like designed even for dodos like me to be able to understand. And if you want to just use SMB 3.1.1, you just set the min and the max to that. That's it. You will make every connection in 3.1.1 going forward. Is that going to be thrown into a group policy at some point, or is it always just gonna be registry? It could be. I haven't had enough call for it. I'm a little nervous about, we talked about it when we first put together this idea. I was a little nervous about the idea of like blasting out something which could completely destroy your whole fleet. And the fun part about making giant mistakes with the SMB 3.1.1 client through group policy is, if you break SMB, what no longer works? Group Policy. There you go. So it's pretty easy to wedge the crap out of yourself and then be like hand-fixing 10,000 laptops. I guess it's one of those things that could sort of be put in there and then eventually lit up several versions later. Yeah. But we sort of moved along. Still on the table. Still on the table. This one's actually a pretty recent option, actually. So it's really just for customers who are extremely homogenous and then obviously super security oriented. And even the really high security folks just aren't that homogenous yet. That's the ongoing battle, isn't it?
We have IT pros who are fighting organizations to get budget and time to go and upgrade servers or replace systems that literally cannot be upgraded, because they've got dependencies on manufacturing hardware or whatever the reason is that they're still on an older operating system. And I don't know what it is that's gonna break through some of those organizations. It's almost like as soon as you get someone in the organization that understands the impact of running these older systems and what it's doing to their security posture, that tends to be the icebreaker to go, actually, yes, here's the time and the money to go and get those systems out of our environment. But we hear so many customers that still have that battle and still have those older systems because they can't devote the time and the money to replacing them or upgrading them. But it's frustrating from our perspective because we understand the risk. And I know that it's frustrating for the IT pros that don't get the support to get rid of the old machines that they want to get rid of. The first big breach usually helps. Yes. I mean, I made way more traction with the SMB1 removal after WannaCry than before WannaCry, you know? Funny, then. Union usually helps, which is a terrible way to go through life, but you're right. Ballpark, 40%, 35%, some relatively high number. It's difficult for us to tell if servers out there are still 2008. I mean, let's just say it's a third. That's a huge number, right? We're talking about tens, maybe hundreds of millions of servers where you've got a third, maybe, or so that are living there on an 11-year-old operating system. I mean, yeah. We could do with some more sort of passive-aggressive group policy names. I just don't think we'd be allowed to do it. So, don't turn on this policy unless... it's the name of the policy, but... That was the answer to that one, right? You should have seen some of the names I originally was calling it.
It was designed to make you feel very mad about yourself. Okay. Keep plowing through here. All right. Encryption. We started with encryption where it was a server-side component, starting in 2012 R2, I think, where you had SMB3 and you were able to say, I want encryption on the server, or I want encryption on these shares. And then you could also say, like, I really want encryption, but you don't have to use it if you don't want to; or, you've got to use encryption and you don't get to connect if you don't want to. And again, that's really helpful for setting policy and making sure that legitimate clients are doing legitimate safety all the time. And we've hardened SMB3 and we've hardened SMB's negotiation process enough that nobody could very easily tamper with that anymore and break it. But what we really wanted going forward was the client to start making these decisions and be less about the server. So we started adding things like on-the-fly mapping for encryption. So that means that you can net use and New-SmbMapping and get encryption right there as a user, either in startup scripts and logon scripts, or as you're mapping drives, or whatever you're doing. It's not designed necessarily for an easy end user experience of, like, Mark from sales, but that person probably isn't mapping drives, right? They're probably being given mapped drives through a process to go to their home folder or to go to the sales team's organizational share or whatever, right? So that gives you a nice easy way to guarantee that you're going to get encryption out of the clients who don't trust the world. I mean, again, we're turning this on its head and having the clients not trust things. Actually, what I'm going to do is I'm going to turn on Wireshark here and let you see the process and do a little bit of Wiresharking here. Let's make this bigger and better. All right, so right now here's my machine just making a whole lot of chatty noise for no reason.
And let's take a look at net use here. I know we're all supposed to use PowerShell for everything and I'm like, come on, come on, come on. Your command line is still good. You see this little guy right here? Require integrity, require privacy. Those were added in the last year or so. And as you might expect, if I'm going to go to, let's see, what's the name of the server I have lying around here? Let's see, require privacy. So we're doing some Wiresharking right there. All right, have to drive. What was that? That server doesn't have encryption required on it anywhere. I mean, you can trust me, but I went to the C drive. It's not something you would typically be messing around with anyway. And I went right away into my request process, asking for encryption, getting encryption. Let's see if I can do the tree request. And now all my traffic is unreadable goo. So if somebody had some way to, like, you know, sit there and parse and steal stuff out of your actual payload, the file you're copying, and that's a fairly sophisticated attack, but it would exist, it's protected the whole way through. And it didn't matter what the server felt about it. I wanted encryption. I get to decide now. Okay, so that's all like the relatively easy stuff. Here's where things get gnarly. Very gnarly, as you probably know. What we want to be able to do here is solve the real problem. SMB doesn't, SMB 2 and 3 don't, they don't really have authentication. None of SMB really has authentication. It uses something called SPNEGO, where the Windows security package negotiation system is used to provide authentication and authorization. It's one of the big powers of Windows, right? You use Kerberos, you get a SID, you get some access control rights, and that access is usable everywhere in Windows. Everything has an object. Everything can have an ACL, from pipes to files to folders to objects, you know, win objects, to application stuff, it's everywhere.
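Two of the client-side controls shown so far, the min/max dialect registry values and the "require privacy" mapping, done from PowerShell rather than the UI and net use. This is an added example, not code from the session; the registry value names and dialect codes are the ones Microsoft documents for controlling SMB dialects on Windows 10 and Windows Server 2019 and later, the server and share names are placeholders, and the function names are mine. It assumes an elevated PowerShell session on a test client.

```powershell
# Added example: pin the client's SMB2/3 dialect range, then map a drive that
# insists on encryption no matter what the server requires.
$WorkstationParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

# Dialect codes as the registry expects them (DWORD). SMB1 is not in this list at all.
$SmbDialect = [ordered]@{
    '2.0.2' = 0x202
    '2.1'   = 0x210
    '3.0'   = 0x300
    '3.0.2' = 0x302
    '3.1.1' = 0x311
}

function Set-SmbClientDialectRange {
    param(
        [ValidateSet('2.0.2','2.1','3.0','3.0.2','3.1.1')] [string] $Minimum = '2.0.2',
        [ValidateSet('2.0.2','2.1','3.0','3.0.2','3.1.1')] [string] $Maximum = '3.1.1'
    )
    if ($SmbDialect[$Minimum] -gt $SmbDialect[$Maximum]) {
        throw "Minimum dialect $Minimum is above maximum $Maximum"
    }
    # Min = Max = 3.1.1 is the "only ever talk 3.1.1" setting from the session. Any server that
    # cannot speak the minimum (a 2008 R2 box tops out at 2.1) becomes unreachable from this client.
    Set-ItemProperty -Path $WorkstationParams -Name MinSmb2Dialect -Value $SmbDialect[$Minimum] -Type DWord
    Set-ItemProperty -Path $WorkstationParams -Name MaxSmb2Dialect -Value $SmbDialect[$Maximum] -Type DWord
    # Reboot before testing so the workstation service picks the values up.
}

function Remove-SmbClientDialectRange {
    # Back to normal negotiation: delete both values.
    foreach ($n in 'MinSmb2Dialect','MaxSmb2Dialect') {
        Remove-ItemProperty -Path $WorkstationParams -Name $n -ErrorAction SilentlyContinue
    }
}

function Connect-EncryptedShare {
    param(
        [Parameter(Mandatory)] [string] $RemotePath,   # e.g. \\FILESRV01\Data (placeholder)
        [string] $DriveLetter = 'X:'
    )
    # -RequirePrivacy makes the *client* insist on SMB encryption: the mapping fails instead of
    # silently falling back when the server cannot encrypt (any pre-SMB3 server).
    # The net use form of the same thing is:  net use X: \\FILESRV01\Data /REQUIREPRIVACY
    New-SmbMapping -LocalPath $DriveLetter -RemotePath $RemotePath -RequirePrivacy $true | Out-Null

    # Read back what was actually negotiated for this server/share; Encrypted and Signed are
    # reported per connection, which is the PowerShell view of what Wireshark showed.
    $server, $share = ($RemotePath.TrimStart('\') -split '\\', 2)
    Get-SmbConnection |
        Where-Object { $_.ServerName -ieq $server -and $_.ShareName -ieq $share } |
        Select-Object ServerName, ShareName, Dialect, Encrypted, Signed
}

# Usage (placeholders):
# Set-SmbClientDialectRange -Minimum '3.1.1' -Maximum '3.1.1'
# Connect-EncryptedShare -RemotePath '\\FILESRV01\Data' -DriveLetter 'X:'
# Remove-SmbMapping -LocalPath 'X:' -Force
```

The Get-SmbConnection read-back is the check worth keeping: a mapping that reports Dialect 3.1.1 and Encrypted True is the client having decided on its own, exactly as the demo above shows; a mapping that never appears is the expected failure against a server that cannot meet the demand.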
And it all comes from one spot, which is your identity, the SID, and then your access control, the law that you got, saying what you're allowed to access. Well, an easy way to abuse that is to say, let me have SMB talk to me about some nonsense. I'm literally, like, literally sending you a phishing attack where I want you to connect to me over SMB. And I have no intention of it working. I don't care if you log in or not. What I really want to do is harvest your challenge and take that stuff for things like pass-the-hash, where I can either, you know, sit there and break your weak password, or use a dictionary to break your weak password, or use a brute force to break your weak password, or actually be able to take some credentials and sort of pass them around and do stuff like that as you; and the same for Kerberos with the so-called silver and golden ticket attacks, where you can make things a little bit safer. But generally speaking, you don't want people to take your credentials and, you know, beat on them offline. And the NTLM, NTLMv2, that's what I really mean here. Really, its only defense these days is if you've got a really super good long password, it'll make that brute force or that dictionary attack harder. But it's just something that's difficult to train people to do. It's just not a good solution. Passwords themselves are a busted-ass solution from the 70s that just need to die. And it's going to take a long time before, and I probably will be dead of old age before, we stop having any passwords. But if you want to take, like, the bare minimum attack level here and mandate longer passwords, and somehow teach your users to use passphrases, and somehow teach them, you know, about, you know, using something that they can somehow remember that also wouldn't easily be in a dictionary attack or easily be guessable by somebody who was doing basic recon, that's really, really hard.
So the next phase here is to go with Windows Hello for Business or smart cards, and just make it so that there's another factor, and owning that piece doesn't matter anymore, because what you put on the wire is truly, like, un-brute-forceable, and it's like some gigantically long random crap that would take eons to break, and it could not be guessed, it could not be dictionary attacked, but it requires all this stuff, right? I mean, you're probably far more expert than I am on things like Hello and, you know, smart cards, because I don't really work in that space anymore, but there's tons of good documentation. There's tons of, like, excellent systems we have now for using Hello, where the Kerberos protocol isn't really using passwords anymore, and you're now having to basically physically attack your targets in order to get access to more of this material, to get access to their smart card, you know, the actual cards, or physically have access to their laptop, or all those types of things. Steve did a bit of, went through all of the way that the different processes work within Windows when using Hello and then how secrets are kept. So one of the other sessions in this hybrid event is actually on some of these issues that Ned's talking about right now. Steve really is the guy to talk about all this, and it's funny, when I originally wrote a lot of this content, I'm going to link to this at the very end, about what I want. You should definitely not be, like, furiously writing down notes here on how to deploy based on this video or the demos I'm doing here. You should be absolutely going and looking at the materials that I'll link to at the end for specific details, just to get your brain in gear.
But Steve and I talked for hours and hours and days about all of this stuff to make sure that when I was giving my advice for how to secure SMB, I was going down his team's preferred method and level of, like, security and complexity and the advantages that it brings, to make sure that people use it. And then we actually ended up having conversations where I was like, I don't think your documentation is good enough, Steve, and then he would write more documentation for me, and then it ended up being stuff for you. So, like, a bunch of blog posts, stuff he's done, started with me just kind of, like, barking at him in a Teams thread, like, I don't understand how this works, and then, I can't figure it out, can you explain it? And he'd explain it really nicely, like, can you also write it down? And then he would also write it down very nicely. So I'm like, I'm the canonical moron of all of this who didn't understand how stuff works, and then it basically shoved it all onto Steve's plate in order to make it easy enough that even I can understand it, so I'm sure you and your viewers will have no trouble.
The thing after Windows Hello for Business and smart card is a thing called gMSA, which is not really helping you with users, it's a service account product, but it's a general way to say, I want to make sure that I don't have accounts lying around that people will be able to harvest from. So a regular Active Directory account called backup user that has, like, mega powers in the environment: gMSA replaces those with a system, it's well documented, I wrote some of the original documentation on it, where the service password is no longer known by anybody anywhere except the service itself, and it's 127 Unicode wide characters. I mean, it's unbreakable, you know, you need, like, regularly automatically rotated as well, so group managed, you can set it to rotate, you can set it to rotate every couple of days. And it's this whole giant mechanism to make sure that basically you abolish service accounts ever from being used again, and you use gMSA as a system. Yeah, when I used to do a bit of a talk about it, I used to ask how many people have got service accounts in the Domain Admins group, and an unfortunate number of people would put up their hands when I asked that question. It's still a constant and trivially easy way to attack many customers, that when red teams go in, that's one of the first things they're looking for, it's very obviously documented, like they can just sit there and, you know, do a nice little dump of AD looking for accounts that sound suspicious. AD is just a nice little LDAP phone book of things to go, you know, take over, and they're looking for stuff called backup SVC and crap like that, and since they can get their hands on that one, it's game over. The second last piece here is FAST, Kerberos armoring, another one that Steve went in and did a lot of extensive documentation on recently to talk about. And it's something that came out a while ago, but the same way that, you know, we say we don't want you having the ability to put credentials on the wire with NTLM, we can't do that with
Kerberos. We still have to send Kerberos AS-REQs, we still have to send TGS-REQs and all that kind of stuff that makes Kerberos work, and there's eventually a time when you're going to have the ability to have your credentials, as safe as they might be, still be something that you may take offline in Mimikatz and blast against, and you can figure out a password or something like that. And Kerberos armoring is a way to create basically an entire extra set of encryption and tunneling and signing around the entire ticket process itself, and then with AppGuard make it so that nobody can harvest anything. You know, you can't harvest on the wire, and then with AppGuard you can't harvest it, your credit card, sorry, you can't harvest it on the machine. Basically, like 99.999% protected, having blocked NTLM and turned on FAST Kerberos armoring, from having anybody be able to just make attacks against your credentials as part of their use in SMB. Basically, it's been around for a long time. Armoring has been around since Windows 8 and 2012. I remember first writing some STS articles about it a long time ago, and the trouble with that kind of thing at the time is, you know, nobody had 2012, it had just come out. And so when brand new security features are aligned with brand new OS, especially domain controllers, and then they aren't really, like, it was pretty right, it was done extremely well in its first implementation, it didn't require further work, really, it didn't get that sort of mind share going forward of, like, you know, that you would see from, like, okay, a new version of FAST Kerberos came out and it's way better and now you should definitely be using it. It suffered from its own perfection, so a lot of people just sort of forgot that it existed, or never even saw that it existed, and you should really go back and explore. There's some great documentation on it, and it doesn't require, like, functional level changes. One of those cool features is, like, it will find later OS DCs and work, and
nowadays, I mean, like, you shouldn't have any 2008 DCs. I mean, you might have 2008, but, like, come on, you shouldn't have any 2008 DCs, that's sick, that's gross. They should just really work. You might still have problems with, like, oh, I still have, you know, I don't know, XP laptops. That's a different kind of problem, like you've got a whole other problem going on that I can't fix right now. And the last one is SCRIL, and if you don't know what that is, it's because you're a normal human person. That is something called smart card required for interactive logon. It's extremely difficult to deploy. It basically means that when you log on, or when you really, like, when you set your password, when you configure a user like that, the password is set randomly and no one knows what it is anymore. It's sort of like gMSA, and with a smart card you basically are embedding this thing in the smart card, and the domain controller knows about it, but, like, nobody else knows what this password is, ever. And it's like the app compatibility and, like, daily use of a world where you could never possibly know your password is even right now extremely difficult, in that there's just times when you need to know it. Sometimes you've got to have it, and that breaks all that, so almost nobody ever does this thing. Okay, so that was interception attacks, and interception defense is just, it's not something you're gonna do tomorrow. A few of those things I just described you really could bang out probably in a weekend, but a lot of that stuff is going to take planning and thought and carefulness moving forward. And that goal again, these are little porcupine sticker things, is, like, you are not trying to be perfect, you're trying to be extremely unpleasant. Every one of those things is an opportunity for an attacker to get tripped up and either not work or, better yet, get caught, you know, from some symptom of them trying to bump into your defense. Okay, all of that, everything, if you were going to sleep for the last 30 minutes, is
documented at this one spot, under this URL, and it's just a long blog post with details and pictures and links and everything you would need to do all of this stuff, all of it. So let's talk about the other half. It's not really the other half, it's the other one quarter; that's a big section, this section is much smaller. It's about movement defense. So here's how many firewalls are actually configured. There you go, nicely done. So I've got a firewall, it has endless allow rules that allow almost anything to happen, and so I have a firewall which is pretend and stupid. And the goal of movement defense is to really leverage not just your corporate firewall, the edge, but really leverage the fact that every single Windows device you have for the last almost 20 years now has included a firewall, and its latest iteration is called the Defender Firewall, and it's extremely good. It's got tons of management options through group policy. It is something which many customers simply just turn off, for one of two reasons. One, they've got some other third-party product they're going to use; bless you for that, enjoy yourself, I don't care. And the other reason is they've got some application they're using, and some garbage person who wrote that application couldn't figure out why it wasn't working, and they told the customer, turn the firewall off, and of course it magically worked, because they didn't know what they were doing, and now the firewall is off. And so to make some app work, you just obliterated all your security, which is terrible. So we're going to talk about actually using this thing and making it part of your life. Movement, what we're talking about, is ingress and egress at the edge of your network, but we're also talking about minimizing the amount of times that all of your Windows 10 clients can talk to servers, domain controllers, or other Windows or non-Windows devices running inside your network. So the easy part here is talking about the edge, right? You only have to really secure the edge; it's a very easy task.
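The Defender Firewall piece of movement defense, as an added example that is not code from the session: first find the "endless allow rules" for TCP 445 on a machine, then check whether the machine actually serves anything over SMB, and only then block inbound 445 (for machines whose job is not to be a file server or DC) and outbound 445 on the public profile. It uses the NetSecurity and SmbShare cmdlets that ship with Windows 10; the rule display names and function names are mine. Run it elevated on a test machine, not on a file server.

```powershell
# Added example: host-firewall half of SMB movement defense with the Defender Firewall cmdlets.

function Test-SmbServerInUse {
    # Before blocking inbound 445 here, see whether anything actually uses it:
    # shares beyond the administrative defaults, and any sessions open right now.
    $shares   = Get-SmbShare | Where-Object { -not $_.Special }   # Special = ADMIN$, C$, IPC$ ...
    $sessions = Get-SmbSession -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NonDefaultShares = @($shares).Count
        ActiveSessions   = @($sessions).Count
        LooksLikeServer  = (@($shares).Count -gt 0) -or (@($sessions).Count -gt 0)
    }
}

function Get-SmbAllowRule {
    # The "endless allow rules" problem: every enabled Allow rule that lets TCP 445 in or out.
    Get-NetFirewallRule -Enabled True -Action Allow |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and
                (@($pf.LocalPort) -contains '445' -or @($pf.RemotePort) -contains '445')
        } |
        Select-Object DisplayName, Direction, Profile, Action
}

function Block-InboundSmb {
    # For clients and servers that are not file servers or DCs: nothing legitimate needs to reach 445.
    $name = 'Block inbound SMB (TCP 445)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP -LocalPort 445 `
            -Action Block -Profile Any | Out-Null
    }
}

function Block-OutboundSmbOnPublicNetworks {
    # Laptop at a coffee shop or on city wifi: no reason to speak SMB out to anyone.
    # The Domain profile is left alone so group policy, SYSVOL and file servers keep working.
    $name = 'Block outbound SMB on public networks (TCP 445)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP -RemotePort 445 `
            -Action Block -Profile Public | Out-Null
    }
}

# Usage: audit first, then block.
# Get-SmbAllowRule | Format-Table -AutoSize
# Test-SmbServerInUse
# if (-not (Test-SmbServerInUse).LooksLikeServer) { Block-InboundSmb }
# Block-OutboundSmbOnPublicNetworks
```

Two caveats on the design: in this firewall a Block rule wins over a plain Allow rule, so carving a specific remote host out of the outbound block needs an allow rule that is permitted to override blocks, which in turn requires the connection to be authenticated (the IPsec and Kerberos approach the session gets to later); and a home network that the firewall classifies as Public will hit the outbound block, which is the "are they really guests" check the talk warns about.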
You've only got so many firewalls that allow internet access, not that many. So as we look through our giant roadmap, our subway map of stuff, we're talking about movement attacks now, and demo-wise we're going to go through and look at inventorying shares and the firewall block and allow piece, and so you'll get two more little hands-on things here that I think you'll find interesting to use. So blocking inbound at the edge is simply just taking your giant expensive hardware firewalls or appliances that you have connected to your internet pipes and just saying, port 445 doesn't need to come in. And it probably doesn't; there's really no legitimate reason. If it's coming in, it should be coming in through VPN, or soon through SMB over QUIC, which is not port 445. And it sounds like this is a pretty easy solution because it actually is a very easy solution, and many customers have done it, and a surprisingly large number of customers for some reason haven't done it, because they still get attacks where somebody tricks a user into, you know, going through, you know, through SMB. But really, they're really mostly being tricked into going out, and that's where people don't configure stuff, is the outbound part. The outbound part of your edge should block SMB as well. Like, why would your user need, in the corporate network, so they're connected through a VPN to your corporate network from home, because they're working from home right now, and then somebody sends them a link to open up a UNC path, just, you know, through that VPN network, to your network, out your firewall, to the internet, to, like, some rando server in, you know, North Korea or something. Like, why would you allow that? You don't need to allow SMB outbound. It's pretty easy, and the times that you do, the list is really small, like Azure Files. You might want to, certain, like, Azure services, you can just, you know, we publish all of our IP allow lists for things like that you need to be able to unblock outbound from your firewall. It's all super well documented,
because, of course, we like money. But even in those services, you should be using VPN. Like, if you want to use Azure Files, you might get lucky and your, you know, your ISP poster is allowing SMB traffic over the internet and it is working, but oftentimes they won't, and what you really should be doing is your outbound traffic should be VPN as well, to whatever that provider is, you know, the cloud provider like Azure. Sorry, we hit that problem with our team, in that I use Azure Files because we might use it to share some demos with people outside the organization, and anybody who seems to be in North America can't access those Azure file shares, but people in the rest of the world can. It's super, it was actually really super frustrating for us, doing a lot of development of the Storage Migration Service, which has an Azure component, you know, to be able to deploy VMs and do transfers and stuff. Like, it would deploy Azure VMs on the fly using the REST APIs that we put into SMS, so, like, VMs would appear in Azure and then you would try to copy, you know, data to it using SMS, and we'd be blocked, and we're like, we're in building 40, like, why are we blocking our own access to our own self, to an Azure data center that's down the street? Like, we were super aggressive, Microsoft IT was super aggressive about this. So it's just very, very hard to do, and that's why SMB over QUIC can be a really interesting feature, because it'll allow you to safely and securely go over SMB places you want, with a certificate that you trust, right, not just some random server on the internet. And I, you know, eventually make it so these types of, like, crazy rules everywhere, you just block everything, and then we'll just go through QUIC tunnels for all of our applications in a very specific way, but that's decades away. So that's a pretty easy part. Now let's get into the, this, you know, kind of sucks part. Inventories are always a pain in the neck, right? Like, what servers actually need SMB to be connected to inside your
environment? Do they need it from everybody? Do they need certain clients only? Obviously a domain controller needs to be able to allow just about anybody to connect to it, but does, like, you know, anybody else actually need that? I hear you. Clients needing inbound SMB, like, does your laptop actually need to be an SMB server? Should that be something that it does? Even if you thought it was a good idea as the end user, does the IT shop think that's a good idea, from everybody? Why would I allow that? I mean, why is SMB server running on my laptop anyway, might be a question you want answered anyway. We go through and do this inventory, and we're left with, like, a real list and a real matrix of stuff that we need to go through and do the next part, the real hard work. I have a little demo here, so let's do a demo here. Let's say, but I don't know what to do, like, I really don't know where to start. Assuming that we've got an Active Directory environment, it might be, you know, pretty easy to start with something like, let me get a list of all my servers and clients and everything in my environment and just dump these, right? I mean, I could put these into, like, into a CSV file. Let's say I'm just getting, like, the names of all my servers and their operating systems, just, like, some basic sort of information about my environment. There's my, all those, CSV. Like, I have Excel on here, there we go, I could drop that into Excel and make it easier and make pivot tables and do all kind of crazy crap. But what I'm really looking to do is start, you know, building up an inventory of my devices, and I cannot tell you how many times I talk to IR folks, red team folks, forensics folks, whose first approach to the customer is, we need to understand all the devices that you actually have running around here, what could be compromised, and nobody really knows. Starting with the ability, you know, if you want to start to secure your environment, it definitely starts with knowing what you have to secure. But if I have started building a
list, and you can make scripts, and there's all kinds of cool ways you can get, trying to demonstrate a little bit of simple stuff here. If I go through, and let me see here, let's do this a little bit, and connect to one of these servers, I can start doing things like, just share server, being very interesting. I can start telling you, like, well, what shares do we have? We have all these shares, even some hidden shares, that can be interesting. What if I want to see, like, the permissions on all those shares? I mean, like, if I go through this right now, thinking to yourself, like, oh, I can just give you, you know, try the old show-me-everything trick, and, like, that'll help me to get all these sort of details, and then you get down to this and you're like, oh, that's super not helpful, I'm trying to audit security and then you're showing me SDDL strings. But what if instead we take this and do a little pipelining? Barely see it here because I've turned off the lights to make Orin happy; that was just to make sure it didn't look like a Kate Bush video. You know what's really cool is, if you ever watch the original Clash of the Titans, Zeus has a big light behind his head and he's got a big gray beard. If I was to wear a white shirt with that light behind me, I would look like Zeus, I would look like Laurence Olivier, just like him. Oh, am I typing something wrong? Guess what I'm not going to do: I'm not going to troubleshoot typing stuff wrong. So now I can look quickly and see all my permissions on those various shares. I could also look real quickly, just like a spot check, and be like, you know, what about connected users to these machines? Maybe it can tell me a little bit of the matrix of stuff going on, like it was, like, 2 in the afternoon, I can see who tends to be connected, using SMB session. So there's some stuff I can do. I mean, ideally I would actually probably just turn on auditing, which I've done using group policy stuff. The audit policy greatly changed starting in Windows Vista or 7, I don't remember. I
document all this stuff and it just immediately goes out of my head, where I could do this very granular audit policy and object access, and I could do things like audit file share on a particular server. And so instead of sitting there like, let me stare at all the constant comings and goings of users through firewall logs or network captures, that sounds awful, I can just turn on auditing and I can go look at that machine. Let's do that real quick and see, like, connections, and just start noting all that down, and then making sure that whatever my audit trail system is that collects event logs looking for attackers, that I can use it to help me out for once in my life, telling me what's going on. So, like, here's file share access; that was me opening up the C drive a little while ago from this machine, which is my laptop, or my Windows 10 demo machine right here. I can just start piping this on to, some, you know, whatever my collector of audit information is, pipe that into some table and some database, and be able to see a real matrix of who's doing what. It's one thing to see what shares exist; you're going to see a whole bunch of shares, you may or may not know why they exist, and it's a really tricky thing to figure out, like, does this share actually get used? Is this really a file server, or is it just a server that somebody shared a folder on once and forgot to get rid of it? And so you can use some of this stuff to go through and build confidence over, you know, weeks or months, and build a matrix of, like, here's some legitimate file servers, here's some domain controllers that we know about, here's some application servers that may not be using SMB in some legitimate way, here's a bunch of Windows 10 laptops where I'm like, why am I seeing people sharing stuff on them, like, what's that all about, that doesn't seem legitimate at all. And you start putting together this very large, potentially, list of things for your next phase, which is, how are you going to allow access, or are you going to allow
access which is really like the end game here for this and this is the last little piece I need to talk about okay so that brings us to the thing that I skipped in the first section and we're going to talk about now for real which is firewall blocking allow both inbound and outbound so inbound to servers a subset of servers and definitely to win click to your client machines whose job is to be a client you can block inbound SMB pretty liberally at the firewall just saying I don't allow 445 in the end you don't have any legitimate reason to be connected to me my job's not to be a file server my job's not to be a domain controller it's very likely that you're trying to use me for something nefarious to spread ransomware or something else and the same way you wouldn't put IIS on every single server you own you might not want to be able to connect over SMB to every server you own and then you want to block outbound with tailored exceptions from the guest and public network profile of the firewall it can be relatively safe just to block outbound SMB like do I really need to have SMB running when I'm on my laptop at Starbucks probably not do I need it when I'm roaming around inside the park and I'm using some goofy metro wifi provided by the city of Seattle no probably not you might need it because you are working from home because of a giant catastrophic pandemic and your home wifi is identifying you and firewalls identifying you as being on some kind of public or guest profile there you'll have to be careful you'll have to identify and you deploy this like are they really guest or are they being identified as guests inappropriately and we still want them to work because we still want things like policy to apply to these machines that they took home with them but generally speaking you're just trying to make sure that domain controllers and file servers and known legitimate share hosters are going to get access outbound from your clients and to do this you're going to 
use a variation on IPsec it's a very easy one to use it's not like super duper secure but it's relying on Kerberos rather than relying on a super complicated certificate deployment that will never work in order to guarantee that your communications between nodes are legitimate so even when you're talking to nodes that you need to with SMB and that's all good and you're in some allow list that we allowed it truly is a legitimate proper you server that you own and not somebody trying to impersonate it so let's go through a quick demo so that last computer I was connected to was this one right here right whoops not working anymore that's good right that's not on my authorization list we'll go back here and look at my DC outbound there's no way in hell I'm ever going to remember the name of this DC uh what's the name of this DC that's my DC it still works cool right I think it's very cool you can build this entire matrix and basically like I'm allowed to talk to these machines over this protocol this is not an SMB thing I just did here right you can apply this to literally any TCP port oriented process that you've got in the entire company I'm just using SMB as a great I think example of a broadly available and use protocol that can be also abused because it's so broadly available for other stuff all of this is like great documentation I'm going to point you to an article at the end here that goes through there's a great long presentation that Jessica Payne did on using this file it was an hour long at one of the the big New Zealand I think she did her that it was domain isolation policies wasn't it the windows firewall one but she did it in New Zealand yes in New Zealand it's exactly the one and I have a link to it in one of these articles it just takes you directly to the presentation you can watch the video okay so that one is really interesting to me because it finally does what we're hoping to get out of this entire movement piece which is to prevent lots and lots 
of obvious egress lots and lots of obvious ingress lots and lots of pointless traversing east-west lateral movement that's going to happen when some attacker comes in and uses one machine turns it into a C2 machine to control lots of other machines or to use it as a way to deploy bad payloads and this type of you know large scale isolation technique means that they would not be able to get much further than perhaps trying to talk to a DC which there's no since fall is not writable so using it as a way to write payload isn't going to work they might as well talk to file servers but that's an isolated thing that you're having to you're now defending a handful of machines because the vast majority are self-defending and not being used to just suddenly broadly deploy a gigantic malware or ransomware fleet amongst themselves because they had so much access to each other they didn't actually need at last piece you can do here is the only thing better for defense than a firewall rule blocking SMB inbound is just not having SMB on inbound for a client especially by turning off the SMB server service it's a risky move right like you need to understand why the customer you know why an application might need to get in but I myself have had my SMB server turned off in my set of laptops and devices and stuff now for five years and I've never had any problem it's just not utilized in my particular workloads as an end user on Windows 10 that nobody needs to connect to me and be an SMB server like that doesn't make any sense go ahead maybe they'll do what they did with SMB1 on home clients in the little sit there for a couple of weeks and go well no one's using it let's turn it off yeah that would be a very easy move for us to make from a logistical standpoint we've built this right like I have a thing already that looks for SMB1 being used and just gets rid of it as not being used and we don't even have SMB1 the server turned on anymore in any of these clients we could apply the 
same thing to SMB2 plus and we can also have a nobody showed up for a while and get rid of it it's just a something that I have a plan to do someday but it's that last little bit here of it's the SMB1 and now I'm starting to tinker with SMB2 plus and people are getting nervous again that I'm the idea is that no one cares about any of this at my like my chain of engineering until it causes problems one of the most I will definitely not name names but one of the funnier stories we started with when we first turned off guest access in the client during the threshold phase of Windows 10 remember the threshold phase we did it in one release and immediately got a phone call from a very high up VP that his home NAS had stopped working and he was in a security role I'm like well yes you've been connecting to your home NAS as guest this whole time and they did that in the home NAS as a ease of use situation you never had to provide any credentials you connect to it and of course Windows would be like I'll use guest I don't care and then you get to your files and I'm like literally everybody who's ever been to your house has had complete access to all of your files ever no matter how embarrassing or private they may be I've seen some of these home NASs where they had a little web page that would spin up and do a photo montage of all your pictures and who knows what kind of picture it might be on there when somebody's visiting into your house and I was running into of course he was not sympathetic he just wanted his NAS to work right he didn't care and I thought that was I think about this being from seven years ago and then over Thanksgiving I had an executive call me about SMB not working on their home NAS and it turned out to be something very unsafe we could figure I'm like I haven't really made any real progress on the thought leadership of individual users right because no matter how brilliant you might be as an engineering you know president of Microsoft you still 
eventually a user who just wants to use their stuff and so you know that comes down to your own threat model how much do I really care about security inside my house or on my laptop and stuff and so big changes is really hard for us to do we have to really take our time I thought that old joke about when you were looking at Active Directory to figure out which accounts are administrative accounts and they're usually ones that are configured with the password they're there to expire because admins are lazy and don't not chime in there my favorite is I have IR folks and red team folks just chat with me on twitter and they know of me from my Active Directory side they don't know me from my SMB side they don't care about that stuff they just don't be from SDS and I used to buy a lot of stuff by AD and they would just constantly try to show up and tell me about how many times they had found the password of the domain admins in the description field because nobody wanted to lose it and for all the viewers right now that is not a field that you need authentication to be it's very convenient I guess it's like the post-it note of attributes inside this is the the security challenge though of time immemorial is the fact that users are like water and they'll find the path of least resistance absolutely I'll go around it I have heard of people putting a text file in sysvol that had all of the passwords in it but the description field is even better I think we've got a whole talk here on bet security practice you could have 5 or 6 good talks on AD blue team stuff that would be the only thing you'd have like 9 or 10 talks you could pay Sean Metcalf to come in there and do it okay so the big wrap up here here I am disabling the estimate everybody knows how to disable a service this is a pointless UI that movement defense is going to take a lot of patience and time you saw that the inventory is going to take a lot of time the annotation and being careful about it's going to take 
time the auditing is going to take time for some customers the idea of being able to harvest their auditing maybe the first step before they can even do this kind of stuff is to know who's accessing their stuff legitimately right now is not something that they're able to do yet so you'll be going through a phased process here maybe before you get around to doing anything with SMB but those layers and pieces together are really going to make you very, very, very difficult to attack everything I talked about just now is at this particular URL it's another blog post that goes through all of that it's got exact details there's a very specific long KB article on how to do this firewall configuration stuff because I've found the documentation of the firewall was it's not lacking it's overabundant the windows defender firewall has got hundreds of pages of documentation hundreds and hundreds and hundreds maybe thousands and I just found it sort of overwhelming to get through so I tried to document just what you would need for this scenario a little bit and that's my final thought I want to go through here is all of this stuff we're doing is designed to make it easy to trip somebody up and all those layers and all that porcupine and all of those various pieces there is this phrase that gets thrown around all the time that the bad guys only have to succeed once and defenders have to succeed all the time and it's a stupidest phrase in the universe because it's really the opposite right I mean it really is the opposite there you go I'm not a dog for Orin is a defender really only has to catch the attacker on any one of these little porcupine problems and that's it once the attackers known you have the advantage right everything that I was doing there had either audible pieces to them or very clear obvious problems are going to be reported and noticed when somebody tries to attack on those methods like how come I can't connect to all these servers that now no one knows about 
why are we trying to connect to these servers that no one knows exist these aren't even real these are dangerous all of that comes down to you know the attacker really has to tiptoe around your network with all of this stuff in place and it's very likely to get caught once they're caught yet again with the solar winds thing right people tiptoe it around and once solar winds people got nailed they got nailed everywhere and all attackers were screwed everywhere so it's the opposite of what people always say which is that the defenders got this endless surface that can't be protected because it's so vast but really it's vastness and the amount of knobs on it really makes it easy just to lay what's effectively a minefield right you only have to like get your bad guy to step on one mine then everybody knows that there was somebody trying to sneak into the minefield I don't have any other content here do you have some stuff you want to ask her some final thoughts here before we call this cough drop in my mouth because I can barely talk now no that was absolutely wonderful and it was really a great amount of in-depth information which is exactly what we were looking for at this event so thank you very much you can of course catch Ned Pile on Twitter at nerdpile and Sonia do you have anything to conclude with again I think this is another great session where every single IT pro that watches this is going to go and implement something or double check that it's been implemented it's we're just getting such great practical advice here of the things that you need to go and do in your environment so I really appreciate the time and the thought and the preparation that's gone into that Ned thanks for your time oh thanks I really appreciate the offer I'm really glad and I hope we can do this again sometime and if you enjoyed this conversation come and join us at aka.ms forward slash ops 104 dash chat there you'll find us and other people in the community having a conversation 
about this particular session so join in the conversation and ask your questions and get some answers and also you can go to aka.ms forward slash IT ops talks there you'll find the blog post for the session copy and slide deck and all of the other sessions and our IT ops talks all things hybrid event once again Ned and I thank you for your time thanks so much
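The phased approach Ned walks through in this session, turning on File Share auditing to build the who-talks-to-which-share matrix, then blocking inbound 445 and restricting outbound 445 to an IPsec-authenticated allow list of inventoried servers, then finally turning the SMB server service off on clients that never host shares, as an added PowerShell example. This is not code from the session or from Microsoft's published scripts; the function names, rule display names and the two server IP addresses are placeholders chosen here, and the rules assume a domain-joined Windows client where the default IPsec phase 1 authentication set (computer Kerberos) is in effect.

```powershell
# Added example, not part of the original session. Placeholders: the server
# IPs, rule names and function names below are illustrative only.
#Requires -RunAsAdministrator

# Phase 1: audit. Enables the Object Access > File Share subcategory on a
# share host so that each share connection is logged as Security event 5140.
function Enable-SmbShareAuditing {
    auditpol.exe /set /subcategory:"File Share" /success:enable /failure:enable | Out-Null
}

# Phase 2: inventory. Turns the 5140 events already on this host into one row
# per share/user/client-IP combination, the matrix Ned describes piping into
# a collector so you can tell real file servers from forgotten shares.
function Get-SmbAccessMatrix {
    param([int]$Days = 30)
    $filter = @{ LogName = 'Security'; Id = 5140; StartTime = (Get-Date).AddDays(-$Days) }
    $rows = foreach ($event in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # The useful fields live in EventData as <Data Name="...">value</Data>.
        $xml  = [xml]$event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Share    = $data.ShareName                                   # e.g. \\*\C$
            User     = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            ClientIp = $data.IpAddress
            Time     = $event.TimeCreated
        }
    }
    $rows | Group-Object Share, User, ClientIp | ForEach-Object {
        [pscustomobject]@{
            Share    = $_.Group[0].Share
            User     = $_.Group[0].User
            ClientIp = $_.Group[0].ClientIp
            Hits     = $_.Count
            LastSeen = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
        }
    } | Sort-Object Hits -Descending
}

# Phase 3: firewall, on the client. Inbound 445 is blocked outright, outbound
# 445 is blocked on the Public (guest) profile, and on Domain/Private it is
# allowed only to the inventoried servers and only when the peer has proved
# its identity through IPsec (Kerberos computer authentication by default).
function Set-SmbLateralMovementRules {
    param(
        # Placeholder list: the DCs and file servers your matrix showed are legitimate.
        [string[]]$AllowedServers = @('10.0.0.10', '10.0.0.11')
    )
    # "My job's not to be a file server": nothing may reach port 445 on this machine.
    New-NetFirewallRule -DisplayName 'SMB lateral defence: block inbound 445' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Any

    # Coffee shop / city Wi-Fi: no outbound SMB at all.
    New-NetFirewallRule -DisplayName 'SMB lateral defence: block outbound 445 (Public)' `
        -Direction Outbound -Protocol TCP -RemotePort 445 -Action Block -Profile Public

    # Corporate / home network: block outbound 445 by default...
    New-NetFirewallRule -DisplayName 'SMB lateral defence: block outbound 445 (Domain/Private)' `
        -Direction Outbound -Protocol TCP -RemotePort 445 -Action Block -Profile Domain, Private

    # ...and open an authenticated exception to the allow list. -OverrideBlockRules
    # lets this rule win over the block above, and -Authentication Required means
    # it only applies to peers that authenticated via the IPsec rule below.
    New-NetFirewallRule -DisplayName 'SMB lateral defence: allow outbound 445 to inventoried servers' `
        -Direction Outbound -Protocol TCP -RemotePort 445 -RemoteAddress $AllowedServers `
        -Action Allow -Profile Domain, Private -Authentication Required -OverrideBlockRules $true

    # Connection security rule supplying that authentication. "Request" rather
    # than "Require" so an unlisted or impersonating host simply fails the allow
    # rule above instead of breaking unrelated traffic.
    New-NetIPsecRule -DisplayName 'SMB lateral defence: IPsec for 445' `
        -Mode Transport -Protocol TCP -RemotePort 445 -RemoteAddress $AllowedServers `
        -InboundSecurity Request -OutboundSecurity Request
}

# Phase 4: the step Ned calls better than any inbound firewall rule. Only for
# clients that never appear as a share host in the matrix.
function Disable-SmbServerService {
    Stop-Service -Name LanmanServer -Force
    Set-Service -Name LanmanServer -StartupType Disabled
}
```

A rollout mirrors the order of the talk: run Enable-SmbShareAuditing on the share hosts, ship Get-SmbAccessMatrix output to your collector for weeks until the list of legitimate servers is stable, feed that list to Set-SmbLateralMovementRules on the clients, and only then consider Disable-SmbServerService on machines that never showed up as a share host. The rules are not SMB-specific; swapping the port in Set-SmbLateralMovementRules applies the same allow-list pattern to any other TCP service, as Ned notes in the demo.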