tis-disable-smb1 22

  • package : tis-disable-smb1
  • version : 22
  • description : Disable SMB1 Server on Windows >= Vista. Install KB4012598 on win XP.
  • maintainer : Hubert TOUVET
  • date : 2018-02-27 18:58:39

setup.py

# -*- coding: utf-8 -*-
from setuphelpers import *
import platform

uninstallkey = []

def pending_reboot_reasons():
    result = []
    reboot_required = registry_readstring(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update','RebootRequired',0)
    if reboot_required:
        result.append('Windows Update: %s' % reboot_required)
    reboot_pending = registry_readstring(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing','RebootPending',0)
    if reboot_pending:
        result.append('CBS Updates: %s' % reboot_pending)
    renames_pending = registry_readstring(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Control\Session Manager','PendingFileRenameOperations',None)
    if renames_pending:
        result.append('File renames: %s' % renames_pending)
    return result

def is_kb_installed(hotfixid):
    installed_update = installed_windows_updates()
    if [kb for kb in installed_update if kb['HotFixID' ].upper() == hotfixid.upper()]:
        return True
    return False


def install_kb4012598():
    if windows_version() < Version('5.2'):
        install_exe_if_needed('windowsxp-kb4012598-x86-custom-fra_eb47689656c58ab374521babb9bdca07304d87f5.exe','/quiet /norestart',key='',min_version='1')
    elif windows_version() < Version('5.3'):
        if iswin64():
            install_exe_if_needed('WindowsServer2003-KB4012598-x64-custom-ENU.exe','/quiet /norestart',key='',min_version='1')
        else:
            install_exe_if_needed('windowsserver2003-kb4012598-x86-custom-fra_9cf9ac070a1b21bca6757de5d127427c090d581d.exe','/quiet /norestart',key='',min_version='1')
    else:
        error('Please install kb4012598')

def install():
    restart_needed_by = []

    """
    if service_installed('mrxsmb10') and service_is_running('mrxsmb10'):
        print('Disable SMB1 client')
        run('sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi')
        run('sc.exe config mrxsmb10 start= disabled')
        restart_needed_by.append('Disable SMB1 client service')
    else:
        print('OK: SMB1 client not running')
    """

    if windows_version() < Version('8.1',2):
        was_smb1server = registry_readstring(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters','SMB1',1)
        registry_setstring(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters','SMB1',0,type=REG_DWORD)
        if was_smb1server:
            restart_needed_by.append('Disable SMB1 server service')
        else:
            print('OK: SMB1 server disabled in registry')
    else:
        was_smb1server = run_powershell('Get-SmbServerConfiguration | Select EnableSMB1Protocol').get('EnableSMB1Protocol',True)
        print('Current SMB1 status : %s' % (was_smb1server,))
        if was_smb1server:
            print('Disabling SMB1')
            result = run_powershell('Set-SmbServerConfiguration -EnableSMB1Protocol $false  -Force')
            result = run_powershell('Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -NoRestart')
            # {u'ScratchDirectory': None, u'RestartNeeded': True, u'LogLevel': 2, u'LogPath': u'C:\\Windows\\Logs\\DISM\\dism.log', u'WinPath': None, u'Online': True, u'SysDrivePath': None, u'Path': None}
            if result.get('RestartNeeded',True):
                restart_needed_by.append('Disable SMB1 Server Feature')

    # before Vista, no SMB2, so check patch
    if windows_version() <  Version('6.0'):
        # check if KB4012598 is installed
        if not is_kb_installed('KB4012598'):
            install_kb4012598()

    restart_needed_by.extend(pending_reboot_reasons())
    if was_smb1server or restart_needed_by:
        with disable_file_system_redirection():
            run_notfatal('msg * /time:360 Merci de redemarrer votre ordinateur pour terminer la desactivation du service vulnerable serveur SMB1. Tranquil IT Systems.')
        error('Redemarrage necessaire pour : %s ' % restart_needed_by)
    else:
        print('No reboot required')


def uninstall():
    restart_needed_by = []
    """
    if service_installed('mrxsmb10') and not service_is_running('mrxsmb10'):
        print('Enable SMB1 client')
        # see https://support.microsoft.com/fr-fr/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
        run('sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi')
        run('sc.exe config mrxsmb10 start= auto')
        restart_needed_by.append('Enable SMB1 client service')
    else:
        print('OK: SMB1 client running or not installed')
    """

    if windows_version() < Version('8.1'):
        was_smb1server = registry_readstring(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters','SMB1',0)
        registry_setstring(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters','SMB1',1,type=REG_DWORD)
        if not was_smb1server:
            restart_needed_by.append('Enable SMB1 server service')
        else:
            print('OK: SMB1 server enabled in registry')
    else:
        was_smb1server = run_powershell('Get-SmbServerConfiguration | Select EnableSMB1Protocol').get('EnableSMB1Protocol',True)
        print('Current SMB1 status : %s' % (was_smb1server,))
        if not was_smb1server:
            print('Enabling SMB1')
            result = run_powershell('Set-SmbServerConfiguration -EnableSMB1Protocol $true  -Force')
            result = run_powershell('Enable-WindowsOptionalFeature -Online -FeatureName smb1protocol -NoRestart')
            # {u'ScratchDirectory': None, u'RestartNeeded': True, u'LogLevel': 2, u'LogPath': u'C:\\Windows\\Logs\\DISM\\dism.log', u'WinPath': None, u'Online': True, u'SysDrivePath': None, u'Path': None}
            if result.get('RestartNeeded',True):
                restart_needed_by.append('Enable SMB1 Server Feature')

    restart_needed_by.extend(pending_reboot_reasons())
    if not was_smb1server or restart_needed_by:
        with disable_file_system_redirection():
            run_notfatal('msg * /time:360 Merci de redemarrer votre ordinateur pour terminer la reactivation du service serveur SMB1. Tranquil IT Systems.')
    else:
        print('No reboot required')

    

Changelog

No changelog
    

manifest.sha256

[["WindowsServer2003-KB4012598-x64-custom-ENU.exe", "fa2f1ac56bb81d236e797afea75ce4f4ecf374ed1182e7e2337350f387fd5eac"], ["WAPT/certificate.crt", "79e5388683c0b6cb03f4f81e4e58e3a11463b2b6cf169dd9c453098027dcfaa4"], ["WAPT/wapt.psproj", "795d36d10109ca85357285f79090fac2be856e5830ea31fa913cc55cb825807b"], ["windowsserver2003-kb4012598-x86-custom-fra_9cf9ac070a1b21bca6757de5d127427c090d581d.exe", "1f113bbcb4ec87efb80b105de1591e42dd9ff41f2f81fe04bab3e878cd5c069e"], ["setup.py", "2d19c818ea1223ac4e9e9585a805243d2c78290bd7b33fe77a65b3e47be58d26"], ["windowsxp-kb4012598-x86-custom-fra_eb47689656c58ab374521babb9bdca07304d87f5.exe", "3b5aa3201ca409a073dabff9c5fdd8a635851eb37befaef28829c4f374367412"], ["WAPT/control", "fa095372d0329e3499e26048b4f25b593915cab532e321a833ab29b2f71f5196"]]