Unexpected Network Behavior in Win 10 Version 1703 With the Server SPN GPO

Purpose:
Windows 10 version 1703 (Creators Update) has a known issue with the Microsoft network server: Server SPN target name validation level Group Policy setting. When that policy is applied, browsing network shares on the affected machine can fail, including the administrative shares (e.g. IPC$ and ADMIN$).

The GPO sets the following REG_DWORD value to 1 (Accept if provided by client) or 2 (Required from client); a value of 0 means SPN validation is off. The problem appears whenever the value is not 0:

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SmbServerNameHardeningLevel

Background:
Starting with build 1703, the Service Host (svchost.exe) model changed: on machines with more than 3.5 GB of RAM, services that previously shared one svchost.exe process are split into separate processes. A shared svchost.exe process runs with the union of the RequiredPrivileges of every service it hosts, so the Server service (LanmanServer) used to inherit Act as part of the operating system (SeTcbPrivilege) from co-hosted services. Once it runs in a process of its own, it holds only the privileges listed in its own RequiredPrivileges value, which does not include SeTcbPrivilege. With the above GPO or registry value set, the Server service needs that privilege to complete SPN validation, and without it share access fails as described.

Resolution:
The Microsoft network server: Server SPN target name validation level setting is normally applied as a security baseline item: it makes the SMB server validate the service principal name supplied by the client, which helps defeat SMB relay attacks. Simply removing the GPO or setting the registry value back to 0 is therefore not an acceptable fix.

In order to correct the issue, perform the following on every machine that shows the behavior above.

1. Open regedit (as an administrator)

2. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer

3. Edit the REG_MULTI_SZ value RequiredPrivileges and add SeTcbPrivilege on its own line, leaving the existing entries in place

4. Reboot the machine (two reboots were needed in testing; see below)

Or, run the following PowerShell script (special thanks to Josh M for authoring this script) against your target machines. IMPORTANT: WinRM (PowerShell Remoting) must be enabled on the target machines, and the credential you supply must be a local administrator on each of them, for Invoke-Command to work and to write to the service key.

1. Create a text file (.txt) listing your targets, one machine name per line with no extra spaces, and save it as C:\spntargets.txt (or change the $Targets variable in the script to the location of your file).

2. Copy/paste the code below into a .ps1 file and run it from an elevated PowerShell session, or paste it into an elevated Windows PowerShell ISE window.

3. Review the output for each target, check for any errors, and enjoy!

#Requires -RunAsAdministrator
#Requires -Version 3.0

# Define targets: the text file should contain one computer name per line
$Targets = Get-Content C:\spntargets.txt

# Credential used for the remote sessions (must be a local administrator on each target)
$Creds = Get-Credential

# Run the check/fix on each computer listed in $Targets
foreach ($Target in $Targets) {
    Invoke-Command -ComputerName $Target -Credential $Creds -ScriptBlock {

        # Only build 1703 is affected; ReleaseId is stored as a string
        $ReleaseID = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name "ReleaseId" -ErrorAction SilentlyContinue
        if ($ReleaseID.ReleaseId -eq '1703') {

            # Service key whose REG_MULTI_SZ RequiredPrivileges value will be modified
            $KeyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer"
            $Key     = Get-Item -Path $KeyPath
            $Values  = @($Key.GetValue("RequiredPrivileges"))

            # Read SmbServerNameHardeningLevel; a missing value means 0 (validation off)
            $Params = Get-ItemProperty -Path "$KeyPath\Parameters" -ErrorAction SilentlyContinue
            $Level  = [int]$Params.SmbServerNameHardeningLevel

            if ($Level -eq 0) {
                Write-Output "$env:COMPUTERNAME Status: SmbServerNameHardeningLevel is 0 (or not set), aborting this script"
            } elseif ($Values -contains "SeTcbPrivilege") {
                # Re-running the script must not add a duplicate entry
                Write-Output "$env:COMPUTERNAME Status: SeTcbPrivilege already present in RequiredPrivileges, nothing to do"
            } else {
                # Append SeTcbPrivilege to the existing list, keeping the value a REG_MULTI_SZ
                $Values += "SeTcbPrivilege"
                Set-ItemProperty -Path $KeyPath -Name "RequiredPrivileges" -Value $Values -Type MultiString
                Write-Output "$env:COMPUTERNAME Status: RequiredPrivileges has been modified, I need to be rebooted twice!"
            }
        } else {
            Write-Output "$env:COMPUTERNAME Status: This machine is not build 1703 (ReleaseId=$($ReleaseID.ReleaseId)), aborting"
        }
    }
}

Once the change is deployed, each machine needs to reboot twice before the behavior is corrected (the script output reminds you of this); this was observed during testing of the script. In rare cases the script had to be run again on the target machine after the first reboot.
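As an added check (example code, not from the original article or Josh M's script), the following function reports the conditions that trigger this issue on one machine and returns an object instead of free text, so results from many hosts can be filtered or exported. It also shows whether the Server service is currently hosted alone in its svchost.exe or is sharing a process, which is the change described under Background. The function name is mine; the targets file is the same C:\spntargets.txt the script above uses. Run it before the fix to confirm NeedsFix is True, and again after the reboots to confirm HasSeTcbPrivilege is True and share access works.

```powershell
# Added example, not part of the original article or Josh M's script.
# Reports the state relevant to the 1703 / SmbServerNameHardeningLevel issue
# on the local machine as an object.
function Get-ServerSpnPrivilegeStatus {
    [CmdletBinding()]
    param()

    $CurrentVersion = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    $ServiceKey     = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer"

    # ReleaseId is stored as a string, e.g. "1703"
    $Cv        = Get-ItemProperty -Path $CurrentVersion -ErrorAction SilentlyContinue
    $ReleaseId = [string]$Cv.ReleaseId

    # SmbServerNameHardeningLevel: an absent value means 0 (validation off)
    $Params = Get-ItemProperty -Path "$ServiceKey\Parameters" -ErrorAction SilentlyContinue
    $Level  = [int]$Params.SmbServerNameHardeningLevel
    $LevelText = switch ($Level) {
        0       { "Off" }
        1       { "Accept if provided by client" }
        2       { "Required from client" }
        default { "Unknown ($Level)" }
    }

    # RequiredPrivileges is a REG_MULTI_SZ; the fix adds SeTcbPrivilege to it
    $Privs  = @((Get-Item -Path $ServiceKey).GetValue("RequiredPrivileges"))
    $HasTcb = $Privs -contains "SeTcbPrivilege"

    # Is the Server service hosted alone (split svchost) or sharing a process?
    $Svc   = Get-CimInstance -ClassName Win32_Service -Filter "Name='LanmanServer'"
    $State = if ($Svc) { $Svc.State } else { 'NotFound' }
    $Peers = @()
    if ($Svc -and $Svc.ProcessId -ne 0) {
        $Peers = @(Get-CimInstance -ClassName Win32_Service -Filter "ProcessId=$($Svc.ProcessId)" |
                   Where-Object Name -ne 'LanmanServer' |
                   Select-Object -ExpandProperty Name)
    }
    # Split hosting applies above 3.5 GB of RAM, so report the figure too
    $RamGB = [math]::Round((Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        ReleaseId             = $ReleaseId
        RamGB                 = $RamGB
        HardeningLevel        = $Level
        HardeningLevelMeaning = $LevelText
        RequiredPrivileges    = ($Privs -join ',')
        HasSeTcbPrivilege     = $HasTcb
        ServerServiceState    = $State
        CoHostedServices      = ($Peers -join ',')
        # Affected build + validation on + privilege missing = this article's fix applies
        NeedsFix              = ($ReleaseId -eq '1703' -and $Level -ne 0 -and -not $HasTcb)
    }
}

# Local run
Get-ServerSpnPrivilegeStatus | Format-List

# Same check across the targets file used by the article's script (WinRM required)
if (Test-Path C:\spntargets.txt) {
    $Targets = Get-Content C:\spntargets.txt
    Invoke-Command -ComputerName $Targets -Credential (Get-Credential) `
        -ScriptBlock ${function:Get-ServerSpnPrivilegeStatus} |
        Select-Object ComputerName, ReleaseId, HardeningLevel, HasSeTcbPrivilege, CoHostedServices, NeedsFix |
        Sort-Object NeedsFix -Descending | Format-Table -AutoSize
}
```

Reading the registry and Win32_Service does not require elevation, so the audit can be run with a lower-privileged remoting credential than the fix script; only the RequiredPrivileges change itself needs a local administrator. A machine that reports an empty CoHostedServices list is running the Server service in its own svchost.exe, which is exactly the case where the inherited SeTcbPrivilege is gone.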
