Remove Authenticated Users from SrvsvcSessionInfo - microsoft/SMBSecurity GitHub Wiki

About

⚠️ WARNING ⚠️
Please use extreme caution whenever modifying SMB (LanmanServer) default security parameters! Thoroughly test all changes in a lab or QA environment first. Form a rollback strategy. Then use a slow rollout to push changes to production systems.

A remediation script has been added under the Remediation directory of the SMBSecurity repo. Remove-SessionInfoAuthenticatedUsers.ps1 is built to remove "Authenticated Users" from the DACL (Discretionary Access Control List) of the SrvsvcSessionInfo security descriptor (SD).

The remediation script will need to be unblocked if SMBSecurity was downloaded as a ZIP archive. This should not be an issue if the repo was cloned using git. To unblock the script, use the Unblock-File cmdlet in PowerShell or open the file properties in File Explorer and check the box labeled "Unblock," then select OK.

This script performs the following actions:

  1. Checks whether Authenticated Users is listed in the SrvsvcSessionInfo security descriptor (SD).
  2. Exits if Authenticated Users is not found.
  3. Backs up the original state of the LanmanServer\DefaultSecurity registry key as a REG file and as an SMBSecurity XML file.
  4. Removes Authenticated Users from SrvsvcSessionInfo and saves the change.
  5. Creates a backup of the changed LanmanServer\DefaultSecurity registry key as a REG file.
  6. Generates a binary (hex) string of the SrvsvcSessionInfo value for use with group policies.
  7. Outputs the file locations and the binary string.

📝 NOTE
Updates to the SMB subsystem within Windows may overwrite manual changes to SMB security descriptors. These registry values are the defaults set by Windows and may change at any time. A registry group policy must be used to make a permanent change to an SMB SD.
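As an added example (not the repository's own script), the read-only PowerShell check below parses the SrvsvcSessionInfo value straight from the registry, lists each DACL entry, reports whether Authenticated Users (well-known SID S-1-5-11) is present, and prints the hex string a registry group policy would need. It assumes the default key location HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity and makes no changes to the system.

```powershell
# Added example: audit the SrvsvcSessionInfo security descriptor without modifying it.
# Assumes the default LanmanServer\DefaultSecurity key location.
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
$valueName = 'SrvsvcSessionInfo'

# REG_BINARY values come back as byte[]; the bytes are a self-relative security descriptor.
$bytes = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
$sd    = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)

# Well-known SID for Authenticated Users.
$authUsersSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-11')

# List every ACE in the DACL, resolving SIDs to names where possible.
$entries = foreach ($ace in $sd.DiscretionaryAcl) {
    $account = try {
        $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $ace.SecurityIdentifier.Value   # fall back to the raw SID if it cannot be resolved
    }
    [pscustomobject]@{
        SecurityDescriptor = $valueName
        Account            = $account
        AceType            = $ace.AceType
        AccessMask         = ('0x{0:X8}' -f $ace.AccessMask)
    }
}
$entries | Format-Table -AutoSize

# Report whether Authenticated Users holds an entry (the condition the remediation script acts on).
$present = $sd.DiscretionaryAcl | Where-Object { $_.SecurityIdentifier -eq $authUsersSid }
if ($present) {
    Write-Warning "Authenticated Users is present in $valueName; remediation applies."
} else {
    Write-Output "Authenticated Users is not present in $valueName."
}

# SDDL form is handy for change tickets and for diffing before/after states.
Write-Output ("SDDL: " + $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All))

# Hex string of the current value, in the form a registry group policy preference expects.
$hex = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
Write-Output "Binary string: $hex"
```

Run it before and after applying the remediation script (or the group policy) to confirm the entry was removed and to capture the hex string that should be pushed by policy so the change survives SMB subsystem updates.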

Instructions

  • Download or clone the SMBSecurity repo.
  • Navigate to and execute the script:

This example has the repo cloned to C:\Scripts\SMBSecurity.

CD C:\Scripts\SMBSecurity\Remediation
.\Remove-SessionInfoAuthenticatedUsers.ps1

Sample output:

The operation completed successfully.
Authenticated Users was removed from the SrvsvcSessionInfo security descriptor. The current rights are:

SecurityDescriptor Account                Access Right
------------------ -------                ------ -----
 SrvsvcSessionInfo BUILTIN\Administrators  Allow {FullControl}
 SrvsvcSessionInfo Server Operators        Allow {FullControl}
 SrvsvcSessionInfo BUILTIN\Power Users     Allow {FullControl}

The operation completed successfully.


The SMBSecurity backup file is located at: C:\Users\Administrator\AppData\Local\SMBSecurity\Backup-SrvsvcSessionInfo-SMBSec-25032025-1317014398.xml

The updated DefaultSecurity key has been exported to: C:\scripts\smbsecurity\Remediation\SMBSecurityDescriptors_after_133874074218161146.reg

The reg key backup file, before the change, has been exported to: C:\scripts\smbsecurity\Remediation\SMBSecurityDescriptors_before_133874074213246001.reg

The binary string for the updated SrvsvcSessionInfo registry value is:

0100048064<snip>