Try Puppet 
Search Puppet.com
Why Puppet

Puppet is the industry standard for IT automation.

Manage and automate more infrastructure and complex workflows in a simple, yet powerful way.

Customers
Open source
Cloud & Hybrid Automation

Accelerate your cloud journey with an enterprise automation platform for your hybrid estate.

Continuous Compliance

Enforce compliance across hybrid infrastructure with policy as code and model-driven automation.

Scaling DevOps

Modernize faster with Puppet DevOps consulting and infrastructure as code.

Use Cases
Integrations
Products
Pricing & PackagingGet Puppet Enterprise

First 10 Nodes are free!

Custom consulting services

Get you up and running quickly with a custom solution that addresses your unique business goals and easily allows for growth as your needs evolve.

Professional services
TrainingOpen source
Support
Puppet Compass Logo
Puppet Compass

Puppet Compass is your source for tools and best practices to address common business challenges.

Get Started
Resource library
State of DevOps Report

Since launching our first DevOps survey in 2012, we’ve learned a lot about the power of DevOps to transform organizations.

Puppet Events
Join us for a Puppet event

It's our community that makes Puppet great. Connect with Puppet users and employees.

Virtual Events
Community
Connect
Puppet Events
About Us

Puppet frees you to do what robots can’t. We make automation software because you’ve got better things to do.

Company
Press & news
Our voiceWorking at Puppet

Detecting and remediating WannaCry

by Carl Caum|15 May 2017
See more posts about: Industry News, Product and Tips & How To

You’re probably aware of WannaCry, the ransomware infecting vulnerable Windows systems around the globe. (If you’re not, this article is a good starting place.)

As IT organizations scramble to learn what they can about WannaCry, many are finding it difficult to know if and where they’re vulnerable, let alone how to remediate vulnerable systems. This post should help you deal quickly with WannaCry.

Detecting WannaCry

Detecting whether or not you’re vulnerable to WannaCry is fairly straightforward. You simply need to know which patch level you’re at now. However, getting the patch level for every Windows system isn’t all that simple.

Luckily, you have Puppet. Puppet includes Facter, a tool for collecting metadata on hosts. We have written a Puppet module called puppetlabs/detect_wannacry that includes an external fact which detects whether a host is vulnerable to WannaCry. Puppet will distribute that external fact to every node on your infrastructure. From there, we can use Puppet Query Language to query which systems are vulnerable.

Add the following line of code to your Puppetfile in order to include the puppetlabs/detect_wannacry module in your Puppet code base.

mod 'puppetlabs-detect_wannacry'

The detect_wannacry module includes a fact called wannacry_vulnerable that will have a value of either true or false.

Use the following Puppet Enterprise Orchestrator command to push the fact to every Windows node and collect the fact values:

puppet job run --query 'inventory[certname] { facts.os.name = "windows" and nodes { deactivated is null } }' --concurrency 40

(You can learn more about Orchestrator here.)

Now collect a list of the vulnerable systems with the following PQL query:

puppet query 'inventory[certname] { facts.wannacry_vulnerable = "true" }'

Remediating with Puppet

The quickest way to remediate is simply to disable SMBv1. SMBv1 is an old SMB protocol, and it's likely it can safely be disabled. Please first verify that this is the case for your infrastructure. It’s also important to note that fully disabling the SMBv1 protocol on Windows requires a reboot.

Add the following profile to manifests/wannacry.pp in your profile module:

class profile::wannacry {
  #Tested on Windows 2012 R2
  
  exec { 'Disable SMBv1 Protocol':
    command   => "Set-SmbServerConfiguration -EnableSMB1Protocol $false -force",
    provider  => powershell,
    unless    => "if (Get-SmbServerConfiguration | Select EnableSMB1Protocol) { exit 0 } else { exit 1 }",
  }
  
  exec { 'Remove SMBv1 Feature':
    command   => "Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol",
    provider  => powershell,
    unless    => "if (Get-WindowsOptionalFeature -Online -FeatureName smb1protocol) { exit 0 } else { exit 1 }",
  }
}

Commit the code and deploy it to the Puppet Enterprise master with the puppet code command. (For more information about the 'puppet code' command, go here.)

Finally, create a node group in the Puppet Enterprise web UI called “WannaCry” and make a rule that matches any nodes with the wannacry_vulnerable fact value of true, and assign the class profile::wannacry to it.

WannaCry Image 1

WannaCry Image 2

A note on patching

The best way to remediate WannaCry is to properly patch your vulnerable systems. However, not everyone has mature patch management practices in place, and sometimes verifying and orchestrating the patch can take valuable time. As soon as you can, the following patches should be applied to fully remediate WannaCry:

Windows Server 2008

  • KB4012212

Windows Server 2012

  • KB4012217
  • KB4015551
  • KB4019216

Windows Server 2012 R2

  • KB4012216
  • KB4015550
  • KB4019215

Windows Server 2016

  • KB4013429
  • KB4019472
  • KB4015217
  • KB4015438
  • KB4016635

Last words on WannaCry

WannaCry is an example of why being prepared for a major vulnerability at any moment is critical to your ongoing IT operations. WannaCry isn’t the first global threat to come down the pike, and it certainly will not be the last. Having a reliable, easy-to-use configuration management system in place gives you a massive advantage when threats like WannaCry occur.

Carl Caum is a senior technical marketing manager at Puppet.

Learn more

Puppet sites use proprietary and third-party cookies. By using our sites, you agree to our cookie policy.