Note to our Managed Service Customers: Our security team has been working to audit and create an action plan for all our Windows customers. We expect all audits to be completed by end of day May 15th 2017.

As you probably know by now, on May 12 2017, a large cyber-attack was launched using a ransom-ware program called WannaCry (or WannaCrypt). This attack infected more than 230,000 computers in 150 countries, demanding ransom payments. This attack affected many Nation Health Service hospitals in England and Scotland and up to 70,000 devices including computers, MRI scanners, and blood-storage refrigerators.

Naturally, many of our Healthcare customers have reached out today to ensure they are not vulnerable to these attacks. The guide below describes steps you can take to ensure that you are safe from this particular vulnerability.

The vulnerability: WannaCry exploits the SMB1 (Server Message Block) protocol on Windows machines to spread itself. Once on a host machine, it proceeds to encrypt the hosts data. 

What to do:

Obviously applying the relevant patches from Microsoft is the best way to proceed. You can find the correct patches on this page for your operating system:  “MS17-010: Security update for Windows SMB Server: March 14, 2017”

The quickest way to prevent SMB1 attacks on a host machine is to disable the SMB1 protocol altogether.

To see if SMB1 is turned on using PowerShell:

Get-SmbServerConfiguration | Select EnableSMB1Protocol

This will return either True or False. False means the service is off and you’re safe. True means you SMB1 is still on and if you don’t have the security patches installed you’re vulnerable.

To Turn SMB1 protocol off completely using PowerShell (logged in as administrator):

Set-SmbServerConfiguration -EnableSMB1Protocol $false

We highly recommend turning off the SMB1 as it is a very old protocol and hardly used by any modern application.

In case you’re wondering if you need SMB1 for anything currently running on your server, the SMB service provides an Audit feature that can capture SMB1 usages and then you can just examine the SMBServerAudit event log on the systems. To turn on the Audit on SMB1 run the following command:

Set-SmbServerConfiguration –AuditSmb1Access $true

For more information on this attack and fixes please refer to this Microsoft Article: