protecting from the ransomware going around

BeGentleWithMe-INeedHelp
BeGentleWithMe-INeedHelp used Ask the Experts™
on
I heard that the ransomware that screwed up the british health system and many others.... that was because they were running win xp machines?

or is it more than that?

Any tips on protection?

I saw this page:

https://pbs.twimg.com/media/C_w_rWlUAAAtWs

that talks of turning off smb 1 protocol for file sharing.

What's the downside / what problems would that cause if we do that on each machine?

Those powershell commands are for win 8 and above.

running those commands on win 7 gets error messages about that command not found.

are there comparable commands to run on win 7?   it's not safe by default / nothing to worry about?

thanks!
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
The biggest victims were using outdated and insecure workstations and servers.

Windows 7 is fine is fully up to date (that is, all critical and recommended updates as of May 10, 2016).

Windows 10 is very secure and updates for it were available May 10.

SMB will be updated and patched on the above, and you should not disable it. It is used in file and folder sharing.
Sr. Systems Administrator
Commented:
the patch for this was available in march

Microsoft Security Bulletin MS17-010 - Critical
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

for XP and 2003, those patches were made available friday

Customer Guidance for WannaCrypt attacks
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
Distinguished Expert 2018
Commented:
If you havent already, patch your systems.

Organizations that got hit got hit because of unmatched systems or their continued use of Server 2003 and/or XP. Microsoft chose to release an update for XP and 2003 even though both are no longer supported, but that came rather late given the seriousness of the exploit.

Now that said, you also have to think about HOW the network for infected. Chances are it was a phishing campaign. Once that first machine was infected it was game over.

So... protection is part patching, part education, and maybe even revising security policies. Flash drives can be a weak point as well. At the firewall level, you can block C&C servers even though many have been blackholed.
Microsoft Azure 2017

Azure has a changed a lot since it was originally introduce by adding new services and features. Do you know everything you need to about Azure? This course will teach you about the Azure App Service, monitoring and application insights, DevOps, and Team Services.

Commented:
Sorry, that page doesn’t exist!
MASEE Solution Guide - Technical Dept Head
Most Valuable Expert 2017
Commented:
I strongly suspect this was a problem caused by specialised medical equiptment, controlled by a supplied PC. This happens a LOT.

A state of the art Xray machine, may have shipped in 2004 with an embedded PC, running XP as a controller. The machine still runs fine in 2017, and could easily last another decade, however the control program and PCI cards supplied cannot be updated. Often, these devices are not supported by IT departments, and often manufacturers recommend against patching.

The last place I worked did research on engines, they were running Windows 2000, Windows 3.11, HP-UX on 68000 and a PDP-11 as controllers for various machines.

I guess the way to manage this would be to ask about upgradeability when dropping a million dollars on the table to purchase a new MRI machine or whatever; preferably negotiating a contract that allows reasonable pricing for an upgraded controller PC every 3 years, for the expected lifetime of the  machine. Few organisations have that sort of insight.
Chris GralikeSpecialist

Commented:
I found versioning a quite elegant way of countering the risk of ransomware even after patching. If ransomware overwrites the original it results in a new version.

So now we use SharePoint versioning enabled document libraries mounted to windows as an alternative to these older SMB shares. If someone was victom to randsomware we simply roll back to the previous version of the file and troubleshoot the client responsible dor the update.
Chris JonesSenior Systems Administrator

Commented:
Patching is a good, solid way to mitigate attack, worms, viruses etc.

However, for preventative measure, it is also well worth locking down Firewalls and implementing inline IDPS (Intrusion detection and prevention systems) with heuristic ability.

Firewall rules are so very often left  to go stale and can sit on a list for years without being reviewed. I feel that it is sensible to reassess firewall rules on a semi regular basis.

If you can get away with blocking a port/address without compromising the functionality of your network it might be worth doing... however it is well worth remembering that a large firewall rule set will take a significant level of RAM and processing (I once tried to automatically block CN, AG, RU using a Geo based script, the firewall collapsed under heavy duty pressure very quickly).
Chris GralikeSpecialist

Commented:
In addition, naturally you need to do all of the (technical) tweaks and tips above to mitigate this risk as much as feasible within your budget.

But mind that it is not  possible to prevent all and every issue arising from human behavior. So do explain to your end-users how to recognize and deal with these risks and periodically test it using dummy mails etc.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial