SMB1 Access Audit

Purpose

This solution monitors servers for SMB1 protocol usage. It enables SMB1 access auditing (if disabled), scans event logs for recent SMB1 access attempts (Event IDs 1001, 3000) within the past hour, and triggers an alert through a compound condition if SMB1 is enabled and any access attempts are detected.

Associated Content

Content: SMB1 Access Audit And Detection
Type: Script
Function: Enables SMB1 access auditing if disabled and scans event logs for recent SMB1 access attempts (Event IDs 1001, 3000) within the last hour. Returns exit codes for detection or script failure.

Content: SMB1 Traffic Audit
Type: Compound Condition
Function: Creates an alert on servers with the SMB1 protocol enabled when SMB1 access attempts (Event IDs 1001, 3000) are detected within the last hour.

Additional Content

Content: Server Roles Detection and Grouping for NinjaOne
Type: Solution
Function: This document details the procedure for categorizing servers into suitable groups according to their installed roles. The SMB1 compound condition above depends on this solution: it can only trigger the alert once the server roles have been detected and stored in the custom field cPVAL Roles Detected.

Implementation

To implement this solution, follow the steps below:

  1. Import the Solution - Server Roles Detection and Grouping for NinjaOne. Ensure that the below contents are imported:

  2. Import the SMB1 Access Audit And Detection automation into the Ninja environment. This script enables SMB1 access auditing (if disabled) and scans for SMB1 access attempts in the last hour.

  3. Import the Compound Condition SMB1 Traffic Audit. This will trigger an alert when SMB1 is enabled and recent access attempts are detected.
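The audit logic described in step 2, written here as an added example rather than the solution's own script. The event log names, the exit-code values (0 = clean, 1 = SMB1 enabled with access seen, 2 = script failure) and the one-hour window are assumptions chosen to match the page's description:

```powershell
# Added example, not the NinjaOne solution's script. Assumed exit codes:
# 0 = no SMB1 activity, 1 = SMB1 enabled and access seen, 2 = script failure.
$WindowHours = 1   # adjust to widen or narrow the scan window (see FAQ Q5)
# Assumed log names; SMB1 audit events are written by the SMB server provider
$AuditLogs = @('Microsoft-Windows-SMBServer/Audit', 'Microsoft-Windows-SMBServer/Operational')

try {
    $cfg = Get-SmbServerConfiguration -ErrorAction Stop

    # Step 1: turn on SMB1 access auditing only if it is currently off (FAQ Q6)
    if (-not $cfg.AuditSmb1Access) {
        Set-SmbServerConfiguration -AuditSmb1Access $true -Force -ErrorAction Stop
        Write-Output "SMB1 access auditing was disabled; it is now enabled."
    } else {
        Write-Output "SMB1 access auditing already enabled; no change made."
    }

    # Step 2: collect SMB1 access events (IDs 1001, 3000) from the last $WindowHours
    $since  = (Get-Date).AddHours(-$WindowHours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = $AuditLogs
        Id        = @(1001, 3000)
        StartTime = $since
    } -ErrorAction SilentlyContinue   # Get-WinEvent errors out when nothing matches

    $count = @($events).Count
    Write-Output ("SMB1 protocol enabled: {0}; SMB1 access events since {1}: {2}" -f $cfg.EnableSMB1Protocol, $since, $count)

    # Print each hit so the responder can review the access source (FAQ Q9)
    foreach ($e in $events) {
        Write-Output ("  {0}  ID {1}: {2}" -f $e.TimeCreated, $e.Id, ($e.Message -split "`n")[0])
    }

    # Step 3: exit code consumed by the compound condition's script-result check
    if ($cfg.EnableSMB1Protocol -and $count -gt 0) { exit 1 }
    exit 0
}
catch {
    Write-Output "SMB1 audit script failed: $($_.Exception.Message)"
    exit 2
}
```

Run it as SYSTEM or an administrator, since reading the SMB server configuration and changing the audit setting require elevation.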

FAQ

Q1. What does this solution detect?

It detects whether the SMB1 protocol is enabled on a server and checks for any recent SMB1 access attempts (Event IDs 1001 or 3000) within the last hour.

Q2. Do I need to enable any settings manually before using this solution?

No manual configuration is required. The automation will automatically enable SMB1 access auditing if it’s currently disabled.

Q3. What kind of alert does this solution generate?

The compound condition triggers an alert when SMB1 is enabled and there are recent SMB1 access attempts, helping identify potential security risks.

Q4. How often does the detection run?

The automation checks the event logs for the past hour.

Q5. Can I modify the time range for log scanning?

Yes. The time window (currently 1 hour) can be adjusted in the PowerShell script if you want to monitor a longer or shorter period.

Q6. What happens if SMB1 auditing is already enabled?

If SMB1 auditing is already active, the script simply proceeds to log scanning without making any changes.

Q7. Will this solution disable SMB1 or block access automatically?

No, this solution only audits and detects SMB1 usage. It does not disable SMB1 or block any connections.

Q8. Where can I view the detection results or alerts?

Results are logged within the Ninja environment, and tickets can be configured.

Q9. What should I do if SMB1 activity is detected?

If activity is detected, review the source of the access. It’s recommended to disable SMB1 if it’s not required, as it poses a known security risk.

Changelog

2026-05-12

  • Updated the script to return exit codes so that Ninja can evaluate the script result correctly in compound conditions.
  • Added FAQs

2025-10-29

  • Initial version of the document