Almost a year ago, Itai Grady released a script on the technet gallery that blocks the reconnaissance done by using the Server Message Block (SMB) Session Enumeration method.

I’ve studied, changed the script and made a module of it. Why?

It’s easier to share and install once it’s uploaded on the PowerShellGallery.

The approach inside the module is a bit different and allows to move more easily from the default state to the hardened state and vice-versa.

Let’s say that the module assumes breach and is somehow “more” idem-potent than the original version 😀

Let’s see quickly how to use it:

# Download the module Save-Module -Name NetCease -Repository PSGallery -Path ~/Downloads # Load the module Import-Module ~/Downloads/NetCease/1.0.1/NetCease.psd1 -Force -Verbose # View current NetSessionEnum permissions Get-NetSessionEnumPermission | Select TranslatedSID,SecurityIdentifier,AccessMask,AceType | ft -AutoSize # Harden permissions Set-NetSessionEnumPermission -Verbose -Confirm:$false # Restart the Server service for changes to take effect Restart-Service LanmanServer -Force -Verbose



How to test if it works?

To quickly test if, I borrowed the pieces of code: the Get-NetSession function from @harmj0y and the PSReflect module from @mattifestation



In the above screenshot, you can see that the Get-NetSession doesn’t return anything after I hardened the configuration of the targeted Domain Controller.

Note that the Server service has some dependencies on other services. Restarting these services could cause a little disruption, so be careful.



The ATA gateway detected my previous attempts:



The module will work on Windows 7, 8.1, 10, Windows Server 2008 R2, 2012 R2 and 2016 and isn’t only for domain controllers. If you want to limit the recon performed by an insider attacker, you’ll want to apply it to every machine.

Bonus : I didn’t immediately realized it but it’s possible to create a Desired State Configuration (DSC) config 😎

Here’s the result of applying twice the DSC config and having first restored the default permissions:

