<#
Rollback "altes Hardening 2025-06-26"

- entfernt hartes SMB2-Disable (Registry)
- setzt LanmanServer-Dienst zurück
- prüft SMB2-Status + (optionale) Core-Firewall-Regeln

Hinweis: Als Administrator ausführen – Reboot empfohlen!
#>
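
Write-Host "=== Rollback startet ===`n"

# ------------------------------------------------------------
# 1. Remove the hard SMB2 disable from the registry
# ------------------------------------------------------------
# The value "SMB2" under LanmanServer\Parameters is the one the earlier
# hardening set (see header); deleting it is the whole rollback for step 1.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

if (Get-ItemProperty -Path $regPath -Name SMB2 -ErrorAction SilentlyContinue) {
    try {
        # -ErrorAction Stop: Remove-ItemProperty errors are non-terminating by
        # default, so without it a failed delete (e.g. missing rights) would be
        # reported as success by the Write-Host below.
        Remove-ItemProperty -Path $regPath -Name SMB2 -Force -ErrorAction Stop
        Write-Host "Registry-Wert SMB2 entfernt."
    } catch {
        # Same warning style as the later steps; the summary still reports the
        # live state via Get-SmbServerConfiguration.
        Write-Warning "Registry-Wert SMB2 konnte nicht entfernt werden: $($_.Exception.Message)"
    }
} else {
    Write-Host "Kein SMB2-Disable-Wert in der Registry gefunden."
}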
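
# ------------------------------------------------------------
# 2. Re-enable SMB2/3 on the server side (only if the cmdlet exists)
# ------------------------------------------------------------
# $null = "unknown"; stays $null if the cmdlets error out, so the summary
# warns instead of claiming success.
$smB2Enabled = $null

if (Get-Command -Name Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    try {
        # -ErrorAction Stop on every cmdlet here: otherwise their errors are
        # non-terminating and the catch block never runs.
        $smbConf = Get-SmbServerConfiguration -ErrorAction Stop
        $smB2Enabled = $smbConf.EnableSMB2Protocol

        if (-not $smB2Enabled) {
            Set-SmbServerConfiguration -EnableSMB2Protocol $true -Force -ErrorAction Stop

            # Read the setting back rather than assuming the Set took effect;
            # the summary should show the measured state, not the intended one.
            $smB2Enabled = (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB2Protocol

            if ($smB2Enabled) {
                Write-Host "SMB2/3 serverseitig aktiviert (Set-SmbServerConfiguration)."
            } else {
                Write-Warning "Set-SmbServerConfiguration ist durchgelaufen, EnableSMB2Protocol ist aber weiterhin False – bitte manuell prüfen."
            }
        } else {
            Write-Host "SMB2/3 war bereits aktiv."
        }
    } catch {
        Write-Warning "Get/Set-SmbServerConfiguration meldete einen Fehler: $($_.Exception.Message)"
    }
} else {
    Write-Host "Cmdlet Get-SmbServerConfiguration nicht vorhanden – Client-OS? SMB2/3 ist auf modernen Clients ohnehin standardmäßig aktiv."
    # NOTE(review): this is an assumption, not a measurement – without the
    # SMB cmdlets nothing here verifies the protocol state, and the summary
    # will print "True" on that basis alone.
    $smB2Enabled = $true
}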
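
# ------------------------------------------------------------
# 3. Set the LanmanServer service to "Manual"
# ------------------------------------------------------------
# Deliberately Manual rather than Automatic: the service is only changed,
# not started, which is why the header recommends a reboot.
if (Get-Service -Name LanmanServer -ErrorAction SilentlyContinue) {
    try {
        # -ErrorAction Stop: Set-Service errors are non-terminating by default,
        # so without it the catch below is dead code and a failed change would
        # still print the success message.
        Set-Service -Name LanmanServer -StartupType Manual -ErrorAction Stop
        Write-Host "LanmanServer -> Starttyp Manual gesetzt."
    } catch {
        Write-Warning "Set-Service konnte LanmanServer nicht ändern: $($_.Exception.Message)"
    }
} else {
    Write-Warning "Dienst LanmanServer nicht gefunden (Workstation-SKU?)."
}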
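
# ------------------------------------------------------------
# 4. Count "Core Networking" firewall rules (DE/EN display-group names)
# ------------------------------------------------------------
# $null = the query itself failed (state unknown); 0 = query worked and
# found no matching rules. Keeping the two apart stops the summary from
# suggesting a firewall reset just because Get-NetFirewallRule errored.
$coreRuleCount = $null

# Below this many inbound Core Networking rules the summary warns; the value
# is the original author's threshold, not derived from a specific Windows build.
$minCoreRuleCount = 10

try {
    # Counts enabled and disabled rules alike – it only detects deleted rules,
    # not rules that were merely switched off.
    $coreRuleCount = @(
        Get-NetFirewallRule -Direction Inbound -ErrorAction Stop |
            Where-Object { $_.DisplayGroup -match 'Core Networking' -or $_.DisplayGroup -match 'Kernnetz' }
    ).Count
} catch {
    Write-Warning "Get-NetFirewallRule fehlgeschlagen: $($_.Exception.Message)"
}

# ------------------------------------------------------------
# 5. Summary
# ------------------------------------------------------------
Write-Host "`n=== Verifikation ==="
Write-Host ("SMB2/3 aktiv (serverseitig): ".PadRight(38)) $smB2Enabled

# Re-query instead of trusting step 3: shows what the service actually has now.
$startType = (Get-Service LanmanServer -ErrorAction SilentlyContinue).StartType
Write-Host ("LanmanServer Starttyp: ".PadRight(38)) $startType
Write-Host ("Inbound-Regeln 'Core Networking': ".PadRight(38)) $coreRuleCount

# $null (unknown) also lands here, which is the safe direction: warn rather
# than report SMB2/3 as active without having read it.
if (-not $smB2Enabled) {
    Write-Warning "SMB2/3 scheinbar noch deaktiv – bitte manuell prüfen oder nach Neustart erneut testen."
}

if ($null -eq $coreRuleCount) {
    Write-Warning "Firewall-Regeln konnten nicht abgefragt werden – Zustand unbekannt, bitte manuell prüfen."
} elseif ($coreRuleCount -lt $minCoreRuleCount) {
    Write-Warning "Nur $coreRuleCount Core-Networking-Regeln gefunden. Bei Netzwerk-Problemen ggf. 'netsh advfirewall reset' ausführen."
}

Write-Host "`nRollback abgeschlossen – bitte Rechner neu starten, damit alle Änderungen wirksam werden." -ForegroundColor Green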