This week has been very interesting, with Microsoft unintentionally disclosing a remote code execution vulnerability in SMB v3. It specifically affects the data compression feature in the 1903 and 1909 versions of Windows 10 and Server 2019. This left defenders everywhere in a frantic state while malicious actors worked overtime to take advantage of the vulnerability before a patch was released. Luckily, Microsoft released an emergency out-of-cycle patch two days later to combat this. As we all know though, just because a patch is released doesn’t mean everyone will apply it, or even has the means to do so across a domain, so this remains a concern. In light of that, one can use PowerShell to reduce the attack surface by disabling the compression feature of SMB v3. We can do so with the following…
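# Workaround for the SMBv3 compression vulnerability: on Windows builds 1903 and
# 1909 set the LanmanServer DisableCompression value to 1 (DWORD) so the server
# no longer negotiates compression. Writing under HKLM needs an elevated session.
# NOTE(review): the vendor advisory describes this key as a server-side
# workaround only; it is not expected to protect SMB clients — confirm against
# the advisory before treating it as a complete mitigation.

$LanmanParams = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
$ValueName    = "DisableCompression"

# ReleaseId is stored as a string; -eq against an int coerces the int, so
# "1903" -eq 1903 is $true as intended.
$ver = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name ReleaseId).ReleaseId

if ($ver -eq 1903 -or $ver -eq 1909) {
    # A value that does not exist on the key reads back as $null.
    $val = (Get-ItemProperty -Path $LanmanParams).$ValueName

    if ($val -eq 1) {
        Write-Output "SMBv3 Compression is already disabled"
    }
    else {
        # "$null -eq $val" (null on the left) is the reliable existence test.
        # The previous "$val.length -eq 0" depended on how PowerShell synthesises
        # .Length on $null and could fall into the wrong branch.
        if ($null -eq $val) {
            Write-Output "Registry Value doesn't exist..."
            Write-Output "Creating Value to disable SMBv3 compression"
        }
        else {
            Write-Output "SMBv3 Compression is enabled... disabling it..."
        }

        # Both branches apply the same change, so do it once. -ErrorAction Stop
        # makes a failed write (typically a non-elevated session) terminate the
        # script instead of printing "disabling" and leaving compression enabled.
        Set-ItemProperty -Path $LanmanParams -Name $ValueName -Type DWORD -Value 1 -Force -ErrorAction Stop

        # Read the value back so the operator has positive confirmation that the
        # mitigation is actually in place rather than trusting the write call.
        $after = (Get-ItemProperty -Path $LanmanParams).$ValueName
        if ($after -eq 1) {
            Write-Output "SMBv3 Compression is now disabled"
        }
        else {
            Write-Error "DisableCompression was not set to 1 after the write; SMBv3 compression may still be enabled"
        }
    }
}
else {
    Write-Output "This version of Windows 10 / Server 2019 is not susceptible to the SMBv3 vulnerability"
}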
