WannaCry MS Patch for SBS2011

Tyrone Phillips
Does anyone know where I can find the MS Patch for SBS2011 to patch against WannaCry Ransomware?

I know SBS2011 is based on Server 2008R2, tried those but it tells me it's not for this system

Many Thanks
Scott C, Senior Engineer

Commented:
Have you run the automatic updates?  It should get installed automatically.

Author

Commented:
Automatic updates keep failing, then I have to restart in safe mode, and then regular mode again to revert. I think it's a SBS2011 problem, don't have this with any 2012 servers
btan, Exec Consultant
Distinguished Expert 2018

Commented:
There is no official one for 2011. Instead suggest you disable SMB.
For client operating systems:

1. Open Control Panel, click Programs, and then click Turn Windows features on or off.
2. In the Windows Features window, clear the SMB1.0/CIFS File Sharing Support checkbox, and then click OK to close the window.
3. Restart the system.

For server operating systems:

1. Open Server Manager and then click the Manage menu and select Remove Roles and Features.
2. In the Features window, clear the SMB1.0/CIFS File Sharing Support check box, and then click OK to close the window.
3. Restart the system.

Distinguished Expert 2018

Commented:
All you really can do is disable SMBv1. Hopefully that doesn't break anything. Your only other alternative might be to utilize HIPS on that server. However, you would ideally have a roadmap to replace the server.

Author

Commented:
Thanks again all, but in Features on the SBS2011 server, there is no listing for SMBv1 anywhere in the list of features
Distinguished Expert 2018

Commented:
https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

I highly recommend you test properly, because you do want to be sure nothing breaks. Like things you do with a network printer or scanner (especially if it sends documents to file shares).
Kyle Santos, Software Test Analyst I at Dassault Systemes

Commented:
fwiw, I saw Adam post this earlier.
https://www.experts-exchange.com/posts/780/While-we're-all-running-around-getting-things-patched-and.html#comments
While we're all running around getting things patched and making sure our clients know how to keep from getting ransomware, let's also take a minute to disable SMBv1 as well. Patching will help this time, but you *know* someone is going to try to find another huge hole in SMBv1 to exploit. No Windows OS after Windows XP uses SMBv1, but MS had to include it in their newer OSes for compatibility. All the OSes that only use SMBv1 have been EOL for years. Let's just get future SMBv1 exploits off the table now, shall we?

https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/

Author

Commented:
I agree, however, nobody seems to have a solution to disable SMBv1 on SBS2011. I have an open question on this, but no solution yet.

All the regular posts show methods for Server 2012 and a registry entry for Server 2008 (supposed to be what SBS2011 was based on), however, the Server 2012 PowerShell commands don't work and the registry entry for Server 2008 doesn't exist in SBS2011 registry.

Please help!!!!
Natty Greg, In Theory (IT)

Commented:
Use Comodo to protect your server. I normally do not recommend antivirus running on servers but in today's ransom age I have to change that thought until we find a better alternative. But Comodo has a video showing how it was able to defeat the current WannaCry business going on.

While you're at it, patch all systems.
Exec Consultant
Distinguished Expert 2018
Commented:
One possible means is to block ports 445 and 139 on any outbound and inbound.

Separately you want to test out:

Using regedit, expand and locate the following subkey.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters

Add a new REG_DWORD key with the name of "Smb1" (without quotation marks)
Value name: Smb1
Value type: REG_DWORD
0 = disabled
1 = enabled

Set the value to 0 to disable SMB 1.0, or set it to 1 to re-enable SMB 1.0.

You must restart the computer after making any of the changes listed above.

If your server will not update you have more problems than this patch.  Realize the patch is just to slow down the spreading, it does nothing to mitigate the effects.  If run from a station it will still encrypt your shares.

What exactly is the issue with Updates on that server and how are they being done?  SBS is meant to be updated via WSUS and if it is then Windows update will look there.  Have you checked to see if WSUS (if in use) is started and is syncing?
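
The registry check and change described in the comments above, as an added PowerShell example that is not part of any poster's reply: it reports the service pack level and the current Smb1 value under LanmanServer\Parameters, then sets the value to 0. It assumes an elevated PowerShell 2.0 session on a Server 2008 R2-based system; the function names are hypothetical, and an absent Smb1 value means the SMB 1.0 server is enabled by default.

```powershell
# Added example: audit and set the SMB 1.0 server switch discussed in the thread.
# Assumes PowerShell 2.0 (shipped with Server 2008 R2) and an elevated session.
$ParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1ServerState {
    # Hypothetical helper name. An absent value means SMB 1.0 is enabled
    # (the default), so not finding "Smb1" in regedit is the normal state.
    $item = Get-ItemProperty -Path $ParamsKey -Name 'Smb1' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Enabled (value absent, default)' }
    if ($item.Smb1 -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-Smb1Server {
    # Hypothetical helper name. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($ParamsKey, 'Set Smb1 = 0 (REG_DWORD)')) {
        # -Force creates the value if it is missing and overwrites it if present.
        New-ItemProperty -Path $ParamsKey -Name 'Smb1' -PropertyType DWord `
            -Value 0 -Force | Out-Null
    }
}

# Service pack level, useful when an update refuses to install.
$os = Get-WmiObject -Class Win32_OperatingSystem
"OS: {0}, service pack {1}" -f $os.Caption, $os.ServicePackMajorVersion

"SMB 1.0 server before: {0}" -f (Get-Smb1ServerState)
Disable-Smb1Server -WhatIf    # dry run; remove -WhatIf to apply the change
"SMB 1.0 server after:  {0}" -f (Get-Smb1ServerState)
"Restart the computer for the change to take effect."
```

Run it with `-WhatIf` first and test printers, scanners and other devices that write to file shares after the restart, as recommended earlier in the thread.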
btan, Exec Consultant
Distinguished Expert 2018

Commented:
I am not in favor to delete away though the straight answer is that there is no patch for 2011 server build from Windows release. Even the disable of SMB through registry is not tested to verify its invalidity. But to note the registry may very well be the same entries. Blocking of SMB port are another layer to reduce exposure from the whole spirit to mitigate the Wcry threat.

Personal view on this is that we should broaden the way to approach in guidance when there is no point blank recommendation. Deleting qns is a means to the end but better to have author decide the assessment. May very well still delete if consensus from author is the same.
btan, Exec Consultant
Distinguished Expert 2018

Commented:
We hope to hear from the author input to close the qns.
Kyle Santos, Software Test Analyst I at Dassault Systemes

Commented:
Nice.  It looks like you were able to help them, btan. =)
btan, Exec Consultant
Distinguished Expert 2018

Commented:
Thanks Kyle. Hope so too.

Commented:
It's the same patch you would use for Server 2008 R2. The most likely reason you get this error is you require Service Pack 1 installed for the patch to install.
