Merge pull request #262 from microsoft/powershell-smb-settings

MathiasVP · web-flow · commit 7c83d9d54b51 · 2025-07-23T19:58:04.000+01:00
Powershell SMB settings
diff --git a/powershell/ql/src/queries/security/cwe-319/UnsafeSMBSettings.qhelp b/powershell/ql/src/queries/security/cwe-319/UnsafeSMBSettings.qhelp
@@ -0,0 +1,30 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>The commands<code>Set-SmbClientConfiguration</code> and <code>Set-SmbServerConfiguration</code> are used to set configurations for SMB traffic.
+Insecure configurations such as outdated versions, or turning off encryption, can make connections susceptible to attackers.
+</p>
+</overview>
+
+<recommendation>
+<p>The minimum version of SMB is 3.0, but it is recommended to use the latest version. For example, use: 
+<code>Set-SmbServerConfiguration -Smb2DialectMin SMB300</code> or <code>Set-SmbClientConfiguration -Smb2DialectMin SMB300</code>
+</p>
+<p>
+SMB encryption should be enabled. For example, use: 
+<code> Set-SmbServerConfiguration -encryptdata $true -rejectunencryptedaccess $true </code> or <code> Set-SmbClientConfiguration -RequireEncryption $true </code>
+</p>
+
+<p>
+SMB NTLM blocking should be enabled. For example: <code>Set-SMbClientConfiguration -BlockNTLM $true </code>
+</p>
+</recommendation>
+
+<references>
+<li>MSDN: <a href="https://learn.microsoft.com/en-us/powershell/module/smbshare/set-smbserverconfiguration">Set-SmbServerConfiguration</a>.</li>
+<li>MSDN: <a href="https://learn.microsoft.com/en-us/powershell/module/smbshare/set-smbclientconfiguration">Set-SmbClientConfiguration</a>.</li>
+
+</references>
+</qhelp>
diff --git a/powershell/ql/src/queries/security/cwe-319/UnsafeSMBSettings.ql b/powershell/ql/src/queries/security/cwe-319/UnsafeSMBSettings.ql
@@ -0,0 +1,88 @@
+/**
+ * @name Insecure SMB settings
+ * @description Use of insecure SMB configurations allow attackers to access connections
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 8.8
+ * @precision high
+ * @id powershell/microsoft/public/insecure-smb-setting
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-315
+ */
+
+import powershell
+
+abstract class SMBConfiguration extends CmdCall {
+  abstract Expr getAMisconfiguredSetting();
+
+  /** Gets the minimum version of the SMB protocol to be used */
+  Expr getMisconfiguredSmb2DialectMin() {
+    exists(Expr dialectMin |
+      dialectMin = this.getNamedArgument("smb2dialectmin") and
+      dialectMin.getValue().stringMatches(["none", "smb202", "smb210"]) and
+      result = dialectMin
+    )
+  }
+}
+
+/** A call to `Set-SmbServerConfiguration`. */
+class SetSMBClientConfiguration extends SMBConfiguration {
+  SetSMBClientConfiguration() { this.getAName() = "Set-SmbClientConfiguration" }
+
+  /** holds if the argument `requireencryption` is supplied with a `$false` value. */
+  Expr getMisconfiguredRequireEncryption() {
+    exists(Expr requireEncryption |
+      requireEncryption = this.getNamedArgument("requireencryption") and
+      requireEncryption.getValue().asBoolean() = false and
+      result = requireEncryption
+    )
+  }
+
+  /** Holds if the argument `blockntlm` is supplied with a `$false` value. */
+  Expr getMisconfiguredBlocksNTLM() {
+    exists(Expr blocksNTLM |
+      blocksNTLM = this.getNamedArgument("blockntlm") and
+      blocksNTLM.getValue().asBoolean() = false and
+      result = blocksNTLM
+    )
+  }
+
+  override Expr getAMisconfiguredSetting() {
+    result = this.getMisconfiguredRequireEncryption() or
+    result = this.getMisconfiguredBlocksNTLM() or
+    result = this.getMisconfiguredSmb2DialectMin()
+  }
+}
+
+/** A call to `Set-SmbServerConfiguration`. */
+class SetSMBServerConfiguration extends SMBConfiguration {
+  SetSMBServerConfiguration() { this.getAName() = "Set-SmbServerConfiguration" }
+
+  /** holds if the argument `encryptdata` is supplied with a `$false` value. */
+  Expr getMisconfiguredEncryptData() {
+    exists(Expr encryptData |
+      encryptData = this.getNamedArgument("encryptdata") and
+      encryptData.getValue().asBoolean() = false and
+      result = encryptData
+    )
+  }
+
+  /** holds if the argument `encryptdata` is supplied with a `$false` value. */
+  Expr getMisconfiguredRejectUnencryptedAccess() {
+    exists(Expr rejectUnencryptedAccess |
+      rejectUnencryptedAccess = this.getNamedArgument("rejectunencryptedaccess") and
+      rejectUnencryptedAccess.getValue().asBoolean() = false and
+      result = rejectUnencryptedAccess
+    )
+  }
+
+  override Expr getAMisconfiguredSetting() {
+    result = this.getMisconfiguredEncryptData() or
+    result = this.getMisconfiguredRejectUnencryptedAccess() or
+    result = this.getMisconfiguredSmb2DialectMin()
+  }
+}
+
+from SMBConfiguration config
+select config.getAMisconfiguredSetting(), "Unsafe SMB setting"
diff --git a/powershell/ql/test/query-tests/security/cwe-319/UnsafeSMBSettings.expected b/powershell/ql/test/query-tests/security/cwe-319/UnsafeSMBSettings.expected
@@ -0,0 +1,12 @@
+| test.ps1:5:44:5:47 | None | Unsafe SMB setting |
+| test.ps1:7:44:7:49 | SMB210 | Unsafe SMB setting |
+| test.ps1:9:41:9:46 | false | Unsafe SMB setting |
+| test.ps1:9:73:9:78 | false | Unsafe SMB setting |
+| test.ps1:11:47:11:52 | false | Unsafe SMB setting |
+| test.ps1:13:39:13:44 | false | Unsafe SMB setting |
+| test.ps1:15:39:15:44 | false | Unsafe SMB setting |
+| test.ps1:15:65:15:70 | false | Unsafe SMB setting |
+| test.ps1:15:88:15:93 | SMB210 | Unsafe SMB setting |
+| test.ps1:17:44:17:47 | None | Unsafe SMB setting |
+| test.ps1:17:62:17:67 | false | Unsafe SMB setting |
+| test.ps1:17:94:17:99 | false | Unsafe SMB setting |
diff --git a/powershell/ql/test/query-tests/security/cwe-319/UnsafeSMBSettings.qlref b/powershell/ql/test/query-tests/security/cwe-319/UnsafeSMBSettings.qlref
@@ -0,0 +1 @@
+queries/security/cwe-319/UnsafeSMBSettings.ql
diff --git a/powershell/ql/test/query-tests/security/cwe-319/test.ps1 b/powershell/ql/test/query-tests/security/cwe-319/test.ps1
@@ -0,0 +1,30 @@
+# https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-ntlm-blocking?tabs=powershell
+
+#Bad Examples
+
+Set-SmbServerConfiguration -Smb2DialectMin None
+
+Set-SmbClientConfiguration -Smb2DialectMin SMB210
+
+Set-SmbServerConfiguration -encryptdata $false -rejectunencryptedaccess $false
+
+Set-SmbClientConfiguration -RequireEncryption $false
+
+Set-SMbClientConfiguration -BlockNTLM $false 
+
+Set-SMbClientConfiguration -BlockNTLM $false -RequireEncryption $false -Smb2DialectMin SMB210 
+
+Set-SmbServerConfiguration -Smb2DialectMin None -encryptdata $false -rejectunencryptedaccess $false
+
+#Good Examples
+
+Set-SmbServerConfiguration -Smb2DialectMin SMB300
+
+Set-SmbClientConfiguration -Smb2DialectMin SMB300
+
+Set-SmbServerConfiguration -encryptdata $true -rejectunencryptedaccess $true
+
+Set-SmbClientConfiguration -RequireEncryption $true
+
+Set-SMbClientConfiguration -BlockNTLM $true 
+

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+queries/security/cwe-319/UnsafeSMBSettings.ql`