Nessus Output
Description
The remote Windows host supports Server Message Block (SMB) Protocol version 1. It is, therefore, affected by an unspecified remote code execution vulnerability that allows an unauthenticated, remote attacker to execute arbitrary code. Note that this vulnerability is one of multiple Equation Group vulnerabilities and exploits disclosed by a group known as the Shadow Brokers.

Solution
Disable SMBv1 according to the vendor instructions in Microsoft KB2696547. Additionally, block SMB directly by blocking TCP port 445 on all network boundary devices. For SMB over the NetBIOS API, block TCP ports 137 / 139 and UDP ports 137 / 138 on all network boundary devices.
Verify whether SMB version 1 is enabled
Get-SmbServerConfiguration | Select EnableSMB1Protocol
Fix
Disable SMB version 1.
Set-SmbServerConfiguration -EnableSMB1Protocol $false
Fix via Group Policy
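Create a new Group Policy Preferences registry item that sets the DWORD value SMB1 to 0 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.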
Nessus Compliance Check
<custom_item>
  type        : REGISTRY_SETTING
  description : "SMB version 1 disabled"
  value_type  : POLICY_DWORD
  value_data  : 0
  reg_key     : "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
  reg_item    : "SMB1"
  check_type  : CHECK_EQUAL
  reg_option  : CAN_NOT_BE_NULL
</custom_item>
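A local equivalent of the compliance check above, as an added example that is not part of the original page or of Nessus: it reads the same registry value and cross-checks it against the running SMB server configuration. The function name Test-Smb1Disabled and the output property names are hypothetical; run it in an elevated PowerShell session on the host being checked.

```powershell
# Added example (not from the original page). Mirrors the audit item:
#   reg_key / reg_item  -> the path and value name below
#   CHECK_EQUAL 0       -> value must equal 0
#   CAN_NOT_BE_NULL     -> a missing value counts as a failure
$RegKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$RegItem = 'SMB1'

function Test-Smb1Disabled {   # hypothetical helper name
    [CmdletBinding()]
    param()

    # Registry side: returns $null if the key or the value does not exist.
    $prop = Get-ItemProperty -Path $RegKey -Name $RegItem -ErrorAction SilentlyContinue
    $regValue = $null
    if ($null -ne $prop) { $regValue = $prop.$RegItem }
    $regPass = ($null -ne $regValue) -and ($regValue -eq 0)

    # Running configuration side: what the SMB server reports right now.
    $cfg     = Get-SmbServerConfiguration
    $cfgPass = -not $cfg.EnableSMB1Protocol

    # Human-readable form of the registry result for the report.
    $shown = '<not set>'
    if ($null -ne $regValue) { $shown = $regValue }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        RegistryValue      = $shown
        RegistryCompliant  = $regPass
        EnableSMB1Protocol = $cfg.EnableSMB1Protocol
        Compliant          = $regPass -and $cfgPass
    }
}

$result = Test-Smb1Disabled
$result | Format-List

# Non-zero exit code lets a scheduled task or deployment tool flag the host.
if (-not $result.Compliant) { exit 1 }
```

A host where the registry value is absent is reported as non-compliant even if EnableSMB1Protocol is False, matching the CAN_NOT_BE_NULL option in the audit item.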
References
- https://support.microsoft.com/en-us/kb/2696547
- https://threatpost.com/unpatched-smb-zero-day-easily-exploitable/123963/
- https://threatpost.com/google-discloses-another-high-severity-microsoft-bug/123934/
- http://thehackernews.com/2017/02/windows-smb-0day.html
- http://www.kb.cert.org/vuls/id/867968
- https://threatpost.com/microsoft-waits-for-patch-tuesday-to-fix-smb-zero-day/123541/