It's been a minute since I posted about using JumpCloud Commands for security remediations. There's a particularly nasty zero day that's been actively exploited now that involves attackers obtaining an NTLM hash (Windows password) through Microsoft 365 Apps for Enterprise. That's the self-hosted edition of M365, which isn't vulnerable.
There doesn't seen to be a patch ready, and mitigations are the only defense. Microsoft offers this guidance:
A remote admin could use remote desktop to access their domain controller and then make changes in Active Directory Users and Computers (ADUC). Read this guide to understand more about how the Protected Users security group works. It would then only be a matter of adding members through group properties.
OR use JumpCloud's PowerShell interface:
Get-ADGroup -Identity "Protected Users" Get-ADGroup -Identity "Protected Users" | Add-ADGroupMember –Members "CN=Test,CN=Users,DC=Test1,DC=com" Get-ADGroupMember -Identity "Protected Users"
You can manage SMB traffic with guidance from your firewall vendor / network admin. JumpCloud also provides a point-and-click policy for Windows Firewall settings:
PowerShell is another option:
New-NetFirewallRule -Name "AllowSMB" -DisplayName "Allow SMB" -Enabled True ` -Profile Domain -Direction Inbound -Action Allow -RemoteAddress YOUR IP RANGE ` -Protocol TCP -LocalPort 445 -Program System
Mitigations are great options for security protection and they can provide faster protection to limit uncertainty. Don’t just sit there waiting for a patch, use (JumpCloud) commands to implement a mitigation after you weigh the potential impact(s). This becomes even more significant if your organization is using an un-supported OS that doesn't have any vendor patch forthcoming.