WannaCrypt attacks: guidance for Operations Management Suite customers
Strengthening the security posture of your infrastructure is critical in protecting against evolving cyber threats. The following steps are recommended to safeguard your resources against the recent WannaCrypt ransomware attack:
- This recent WannaCrypt malware exploits a Service Message Block (SMB) vulnerability (CVE-2017-0145). Customers should immediately install MS17-010 to resolve this vulnerability.
- Review all SMB endpoints exposed to the internet, commonly associated with ports TCP 139, TCP 445, UDP 137, UDP 138. Microsoft recommends against opening any ports to the internet that are not essential to your operations.
- Disable SMBv1 - instructions located here: https://aka.ms/disablesmb1
- Utilize Windows Update to keep your machines up-to-date with the latest security updates.
Additional Steps for OMS Security
If you are using the Operations Management Suite (OMS) Security solution, we recommend additional steps to further protect your organization from attacks like these:
- Routinely assess that all systems are patched with latest updates. You can perform an update assessment to understand the current state of your computers and address the most critical threats in the Security and Audit dashboard. Follow the steps below to verify that all systems are patched with required security updates:
- In the Microsoft Operations Management Suite main dashboard, click Security and Audit tile.
- In the Security and Audit dashboard, click Update Assessment under Security Domains
- Use OMS Security to continuously monitor your environment for threats. Collect and monitor event logs and network traffic to look for potential attacks. Threat Intelligence option in the Security and Audit Dashboard will help you identify any potential threats in your environment and respond quickly:
- In the Security and Audit dashboard, choose the 3 options in the Threat Intelligence tile
- Server with outbound malicious traffic will help you to identify if there is any computer that you are monitoring (inside or outside of your network) that is sending malicious traffic to the Internet.
- Detected threat types tile shows a summary of the threats that are detected. You can extract more information about each threat by clicking on it.
- Threat intelligence map will help you to identify the current locations around the globe that have malicious traffic and gather more details associated with those threats.
- In the Security and Audit dashboard, choose the 3 options in the Threat Intelligence tile
- Confirm that anti-malware is deployed and updated. If you are using Microsoft anti-malware for Azure or Windows Defender, Microsoft released an update last week which detects this threat as Ransom:Win32/WannaCrypt. If you are running anti-malware software from any number of security companies, you should confirm with your provider that you are protected. You can also use the OMS Security solution to verify that anti-malware, and other critical security controls, are configured for your computers:
- Open Security and Audit dashboard, click Antimalware Assessment under Security Domains.
- Use Malware Assessment tile to identify following issues-
- Active threats: computers that were compromised and have active threats in the system.
- Remediated threats: computers that were compromised but the threats were remediated.
- Signature out of date: computers that have malware protection enabled but the signature is out of date.
- No real-time protection: computers that don’t have antimalware installed
For more information on using Operations Management Suite Security, see the documentation .
For a comprehensive look at the Affected Software, Vulnerability Information and Security Update Deployment, see Microsoft Security Bulletin MS17-010 .
For more information about this update, see Microsoft Knowledge Base Article 4013389 .
Support
Help for installing updates: Windows Update FAQ
Security solutions for IT professionals: TechNet Security Support and Troubleshooting
Help for protecting your Windows-based computer from viruses and malware: Microsoft Secure
Comments
- Anonymous
May 19, 2017
Thank you, guidance for Microsoft Operations Management Suite.I want to check "Disable SMBv1" status of each machine.RegardsYoshihiro Kawabata - Anonymous
May 20, 2017
Thank you for information, it was very useful. I question for you, I've seen some users facing problems with sharing after enabling SMBv2, and it turns to normal operation enabling v1 again. Do you know something regarding it? Regards, Renan- Anonymous
May 25, 2017
@Renan, the issue could be related to applications / services which depend on SMB1. It's best to check for applications which currently use this protocol. A good way is to have an environment wide vulnerability scan using either a 3rd party tool or the guidance described here: https://blogs.technet.microsoft.com/ralphkyttle/2017/04/07/discover-smb1-in-your-environment-with-dscea/
- Anonymous
- Anonymous
May 20, 2017
"If you are running anti-malware software from any number of security companies, you should confirm with your provider that you are protected"..valuable and good article..thank you.. - Anonymous
May 20, 2017
thanks