Security Hardening Guide

Disable SMBv2 for Enhanced Security

Proactive security measure to reduce attack surface with Microsoft Intune

Ram Apter
Last Updated: December 2024

Security Overview

The SMBv2 Security Challenge

While SMBv2 offers better performance and stronger security than its predecessor SMBv1, it has also been affected by several high-profile vulnerabilities.

Disabling SMBv2 can be a proactive measure to enhance network security, particularly in environments where the protocol is not required.

Security Benefits

Reduces attack surface
Prevents SMB-based attacks
Enhances security posture
Mitigates lateral movement

The SMBv2 Disable Script

Complete PowerShell Solution

This script disables the SMBv2 server protocol on the device, writes a transcript log that it rotates automatically when the file grows large, and returns exit codes that Intune can report on. Errors are caught and written to the same log.

$smbv2log = "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\SMBv2.log"

# Log rotation: when the transcript exceeds 10 MB, archive it with a date stamp and start a fresh file.
# Test-Path avoids an error on the first run, when no log exists yet.
if ((Test-Path -Path $smbv2log) -and ((Get-Item -Path $smbv2log).Length / 1MB -gt 10))
{
    $stamp = Get-Date -Format "dd.MM.yyyy-HHmmss"
    Compress-Archive -Path $smbv2log -DestinationPath "$smbv2log.$stamp.zip"
    Remove-Item -Path $smbv2log -Force
}
Start-Transcript -Path $smbv2log -Append

$exitCode = 0
try {
    $smbv2 = Get-SmbServerConfiguration
    Write-Output "EnableSMB2Protocol before change: $($smbv2.EnableSMB2Protocol)"
    if ($smbv2.EnableSMB2Protocol -eq $True)
    {
        # -Force suppresses the confirmation prompt; the change applies without a restart.
        Set-SmbServerConfiguration -EnableSMB2Protocol $False -Force
        Write-Output "SMBv2 was successfully disabled"
    }
    else
    {
        Write-Output "No change needed: SMB2 protocol was already disabled"
    }
}
catch {
    Write-Output "An error occurred: $_"
    $exitCode = 1
}
finally {
    # Close the transcript before exiting so the last lines are flushed to the log.
    Stop-Transcript
}
exit $exitCode

Script Breakdown

1. Log Management

The script starts by checking the log file size. If the log exceeds 10 MB, it compresses the existing log into a date-stamped archive and starts a fresh log file.

Best Practice: Automatic log rotation prevents disk space issues and maintains performance.

2. SMB Configuration Check

The script retrieves the current SMB server configuration and checks if SMBv2 is enabled. This prevents unnecessary changes and provides clear status reporting.

Smart Logic: Only makes changes when necessary, avoiding redundant operations.

3. Security Implementation

When SMBv2 is detected as enabled, the script disables it using Set-SmbServerConfiguration with the -Force parameter, which suppresses the confirmation prompt so the change is applied unattended.

Immediate Effect: Changes take effect immediately without requiring a restart.
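One caveat worth checking before the change lands: EnableSMB2Protocol governs the SMBv3 dialects as well, because SMB2 and SMB3 share the same server stack, so any share hosted on the device becomes unreachable over SMB once it is set to $False. The following pre-check is an added example and not part of the original script. It lists shares beyond the built-in administrative ones, current inbound sessions and open files, and returns exit code 1 when the SMB server on the device is actually in use. The list of default share names is an assumption to adjust for your builds.

```powershell
# Added pre-check (not from the original post): report whether this device is actively
# serving files over SMB before the SMBv2/SMBv3 server dialects are switched off.
# Assumed to run as SYSTEM, like the Intune platform script.

# Administrative shares present on a default Windows install (assumption: adjust for your environment).
$defaultShares = @('ADMIN$', 'C$', 'IPC$')

try {
    $config = Get-SmbServerConfiguration -ErrorAction Stop
    Write-Output ("Server state: SMB1={0} SMB2/3={1}" -f $config.EnableSMB1Protocol, $config.EnableSMB2Protocol)

    # Any share the device publishes beyond the defaults would stop working after the change.
    $customShares = @(Get-SmbShare | Where-Object { $defaultShares -notcontains $_.Name })
    foreach ($share in $customShares) {
        Write-Output ("Custom share: {0} -> {1}" -f $share.Name, $share.Path)
    }

    # Inbound sessions and open files show who is consuming the SMB server right now.
    $sessions = @(Get-SmbSession -ErrorAction SilentlyContinue)
    foreach ($s in $sessions) {
        Write-Output ("Session: {0} from {1}, dialect {2}" -f $s.ClientUserName, $s.ClientComputerName, $s.Dialect)
    }
    $openFiles = @(Get-SmbOpenFile -ErrorAction SilentlyContinue)
    Write-Output ("Open files over SMB: {0}" -f $openFiles.Count)

    $inUse = ($customShares.Count -gt 0) -or ($sessions.Count -gt 0) -or ($openFiles.Count -gt 0)
    if ($inUse) {
        Write-Output "SMB server is in use on this device; review before disabling SMBv2/SMBv3"
        exit 1
    }

    Write-Output "No custom shares, sessions or open files; SMBv2/SMBv3 server can be disabled"
    exit 0
}
catch {
    Write-Output "Pre-check failed: $_"
    exit 1
}
```

Run it as a separate Intune script or remediation detection ahead of the disable script and review the devices that return exit code 1; the output lines end up in the same Intune Management Extension logs, so the reason a device was flagged is recorded alongside the later change.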

4. Error Handling

Comprehensive try-catch error handling ensures that any issues are logged and reported back to Intune with appropriate exit codes.

Robust Handling: Exit codes (0 for success, 1 for failure) enable proper Intune reporting.

Intune Deployment Configuration

Deploy this script from Microsoft Intune as a platform script with the following recommended configuration:

[Figure: Intune platform script configuration]

Recommended Settings

  • Run as System Account
  • PowerShell execution policy: Bypass
  • Run script in 64-bit host

Scheduling Options

  • One-time deployment
  • Target security groups
  • Monitor compliance status
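Monitoring compliance maps naturally onto Intune's Remediations feature (formerly Proactive Remediations), where a detection script runs on a schedule and exit code 1 means "non-compliant, run the paired remediation", while the single line written to standard output is shown in the Intune report. The detection script below is an added example, not from the original post. It treats an enabled SMBv2/SMBv3 server as a finding and reports the SMBv1 server state for information only; the disable script from this article can serve as the paired remediation.

```powershell
# Added example (not from the original post): Intune Remediations detection script
# for the SMBv2/SMBv3 server setting. Exit 0 = compliant, exit 1 = non-compliant.

try {
    $config = Get-SmbServerConfiguration -ErrorAction Stop

    # One line of status; Intune records it as the pre-remediation detection output.
    $state = "SMB1Server={0}; SMB2Server={1}" -f $config.EnableSMB1Protocol, $config.EnableSMB2Protocol

    if ($config.EnableSMB2Protocol) {
        # SMBv2 (and with it SMBv3) is still enabled on the server side: configuration drift.
        Write-Output "Non-compliant: $state"
        exit 1
    }

    Write-Output "Compliant: $state"
    exit 0
}
catch {
    # A failed check is reported as non-compliant rather than silently passing.
    Write-Output "Detection error: $_"
    exit 1
}
```

Schedule it daily against the same security groups as the disable script; devices that drift back (for example after a re-image or a conflicting Group Policy) show up as non-compliant in the Remediations report and are corrected on the next run.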

Implementation Summary

What This Script Accomplishes

  • Gets the current SMB configuration of the device
  • Disables SMBv2 protocol if currently enabled
  • Maintains comprehensive logs for troubleshooting
  • Hardens your environment against SMB-based attacks

Security Benefits

Reduced Attack Surface
Enhanced Security Posture
Compliance Improvement

Ram Apter

Security Specialist | Microsoft Intune Expert

Focused on endpoint security, device management, and implementing robust security measures through Microsoft Intune and PowerShell automation.
