"Microsoft rolled out a patch for the vulnerability last March, but hackers took advantage of the fact that vulnerable targets — particularly hospitals — had yet to update their systems."
Which Microsoft software should be updated now to protect against this particular attack? Windows? Windows on the end-user machines? The servers?
Could someone share a "What should I do now to protect myself" guide, please?
The same way you protect those network drives from an employee accidentally or intentionally deleting everything.
Limited permissions work, backups work, journaling data storage systems with an ability to rollback all changes work.
In most environments nowadays I guess there's no valid reason to have a literal "network drive" - if your users don't need to wrangle terabyte-sized data blobs, most environments can afford the overhead of having the company document/file sharing happen in some system that stores a full history of changes, and where normal users cannot remove that history even if they're malicious or infected with malware. Probably even Dropbox or its competitors would be sufficient for that, no need to go to the more enterprisey vendors.
Not really, ultimately if someone has write access to your network drive, it's no different from malware having it. The best solution is a good backup and protecting your hosts from being infected as much as possible.
I believe some people were trying to do rate limiting and traversal detection, which should be possible, but also is common in many tools, like running grep or find on a network share, so it's far from a perfect solution. It could also probably be avoided by clever malware if it were to be widely deployed.
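As an added illustration of the rate-limiting and traversal-detection idea discussed above (this is example code, not something from the thread), assuming a share audit trail that records time, host, operation and path: it counts modifying operations per host in a sliding window and deliberately ignores reads, which is what keeps grep/find-style traversals of the share from firing. The event sample is constructed inline.

```python
from collections import defaultdict, deque
from posixpath import dirname

# Operations that change data on the share. Reads are excluded on purpose:
# grep/find-style tools also touch many directories, but only read them.
MODIFYING_OPS = {"write", "rename", "delete"}

def detect_mass_modification(events, window=60, min_ops=20, min_dirs=5):
    """Return {host: time_first_flagged} for hosts whose modifying operations
    within `window` seconds reach >= min_ops across >= min_dirs directories.
    `events` are (seconds, host, op, path) tuples in any order."""
    recent = defaultdict(deque)   # host -> deque of (time, directory)
    flagged = {}
    for t, host, op, path in sorted(events):
        if op not in MODIFYING_OPS:
            continue
        q = recent[host]
        q.append((t, dirname(path)))
        while q and t - q[0][0] > window:   # drop events outside the window
            q.popleft()
        dirs = {d for _, d in q}
        if host not in flagged and len(q) >= min_ops and len(dirs) >= min_dirs:
            flagged[host] = t
    return flagged

def sample_events():
    """Constructed audit events (not real logs); hostnames are made up."""
    ev = []
    # ws-12: read-only sweep across many directories (grep-like) -> no alert
    for i in range(40):
        ev.append((i, "ws-12", "read", f"/share/proj{i % 8}/file{i}.txt"))
    # ws-07: ordinary editing, a handful of writes in one directory -> no alert
    for i in range(6):
        ev.append((i * 30, "ws-07", "write", f"/share/finance/q{i}.xlsx"))
    # ws-33: rewrites and renames many files across many directories -> alert
    for i in range(30):
        ev.append((100 + i, "ws-33", "write", f"/share/dept{i % 6}/doc{i}.docx"))
        ev.append((100 + i, "ws-33", "rename", f"/share/dept{i % 6}/doc{i}.docx"))
    return ev

if __name__ == "__main__":
    print(detect_mass_modification(sample_events()))   # {'ws-33': 109}
```

The thresholds are the tuning knobs the comment alludes to: too low and bulk copy or backup jobs trip it, too high and a slow encryptor stays under it.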
The main one is to have _all_ machines patched through Windows Update. That is what will protect you.
SMBv1 is an outdated protocol in which some severe vulnerabilities have been disclosed in the last few weeks, which is why I recommended getting rid of it at the same time.
That being said, the vulnerability being exploited here is in SMBv2, which is why patching all machines is crucial.
If you are working with SCCM and 20,000+ clients (computers), you will know that all machines will never be patched. It just does not happen. On any given large network there will always be a certain number of unpatched clients. There are a myriad of reasons for patching to fail, from advertisement errors to installation issues, to machines simply being offline (and later coming back online).
You are right that this is often the reality of things. Some systems also will just never be patched because the software running on them stops working if you do and the vendor cannot or will not provide an update that addresses this.
However, in such cases it becomes crucial to have e.g. proper network segmentation in place to help mitigate the risk.
Unfortunately, at this time, there are seldom perfect solutions when it comes to security, and a patching scenario can only do so much. In this case, patches are available, but the day a ransomware starts using a proper 0-day we'll see a different scenario play out.
It therefore remains important to also keep focus on the reduction of attack surface, and the reduction of software complexity, besides resolving individual technical vulnerabilities.