
This post was updated on May 17, 2017, at 12:20 PM PDT.
Over the past few days, there has been a lot of buzz around the WannaCry ransomware campaign. For those in the trenches dealing with wave after wave of attacks, it's not as simple as the unhelpful motto of "patch your systems." Most medium and enterprise businesses cannot blindly install a plethora of patches across every Windows device, especially server-class operating systems running mission-critical applications. A long history of compatibility issues with patches is part of the reason why so many systems are still vulnerable to WannaCry even though the patches have been available since March. So, what are your options if you want to avoid telling management that ransomware has ravaged your critical systems?
PATCH YOUR SYSTEMS
This is by far the best option for protecting against WannaCry. It's also the least helpful advice on its own. More specifically, you can narrow down which patches to install across the environment to those that close the EternalBlue SMB vulnerability that WannaCry takes advantage of. Below is a list of patches and their associated platforms that you can search for in your environment. If one of these patches is installed, the system is safe for the time being.
KB Number | Platform
4012212 | Windows 7 SP1, Windows Server 2008 R2 SP1
4012213 | Windows 8.1, Windows Server 2012 R2
4012214 | Windows Server 2012
4012215 | Windows 7 SP1, Windows Server 2008 R2 SP1
4012216 | Windows 8.1, Windows Server 2012 R2
4012217 | Windows Server 2012
4012598 | Windows XP, Windows Vista, Windows 8, Windows Server 2003 SP2, Windows Server 2008
4013429 | Windows 10 Version 1607, Windows Server 2016
4015217 | Windows 10 Version 1607, Windows Server 2016
4015438 | Windows 10 Version 1607, Windows Server 2016
4015549 | Windows 7 SP1, Windows Server 2008 R2 SP1
4015550 | Windows 8.1, Windows Server 2012 R2
4015551 | Windows Server 2012
4015552 | Windows 7 SP1, Windows Server 2008 R2 SP1
4015553 | Windows 8.1, Windows 2012 R2
4016635 | Windows 10 Version 1607, Windows Server 2016
4019215 | Windows 8.1, Windows Server 2012 R2
4019216 | Windows Server 2012
4019264 | Windows 7 SP1, Windows Server 2008 R2
4019472 | Windows 10 Version 1607, Windows Server 2016
DISABLE SMBV1
The WannaCry ransomware exploits vulnerabilities in the way Windows handles SMB connections. By disabling SMBv1 entirely on systems that do not rely on it, you can protect systems without having to install a patch. The easiest way to accomplish this on 2008 R2 and earlier systems is to set the following two registry keys to 0, which will disable the appropriate versions:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Value: SMB1

On more recent systems, the following two commands will disable SMBv1:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

For more information on enabling and disabling SMB, see this Microsoft Support Article.
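As an added example (not code from the original post), the script below audits a single host against both mitigations described above: it reports which of the listed KBs are installed and whether the LanmanServer SMB1 registry value is set to 0. It assumes an elevated PowerShell session; the Get-SmbServerConfiguration check is only available on Windows 8 / Server 2012 and later, so it is skipped elsewhere. The function names are my own.

```powershell
# Added example: audit this host for the WannaCry patches and the SMBv1 setting.
# KB list copied from the table above; run from an elevated PowerShell prompt.
$WannaCryKBs = @(
    '4012212','4012213','4012214','4012215','4012216','4012217','4012598',
    '4013429','4015217','4015438','4015549','4015550','4015551','4015552',
    '4015553','4016635','4019215','4019216','4019264','4019472'
)

function Get-InstalledWannaCryPatch {
    # Returns the KBs from the list that Get-HotFix reports as installed.
    # An empty result means none of the listed patches is present.
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID -replace '^KB', '' }
    $WannaCryKBs | Where-Object { $installed -contains $_ }
}

function Get-Smb1Status {
    # Reads the LanmanServer SMB1 value from the post (0 = server-side SMBv1 disabled).
    # A missing value means the default applies, which is SMBv1 enabled.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1 = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $status = [ordered]@{
        RegistrySmb1Value = $(if ($null -eq $smb1) { 'not set (enabled by default)' } else { $smb1 })
        RegistryDisabled  = ($smb1 -eq 0)
    }
    # Live server configuration, where the SMB cmdlets exist (Windows 8 / 2012 and later).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $status.EnableSMB1Protocol = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    [pscustomobject]$status
}

$patches = @(Get-InstalledWannaCryPatch)
if ($patches.Count -gt 0) {
    Write-Output "Protective KB(s) installed: $($patches -join ', ')"
} else {
    Write-Warning 'None of the listed KBs is installed; check the SMBv1 status below or patch.'
}
Get-Smb1Status | Format-List
```

Wrap the two functions in Invoke-Command to run the same audit across a list of servers before deciding which hosts need the patch and which can simply have SMBv1 disabled.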