Is SMB 1.0 more vulnerable at the client level or server level
-
@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:
@scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level:
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
What I would like to do is Windows 10 machine (1 nic connected to network, 1 nic connected via crossover cable) to the XP machine, moves the files off the XP and onto the server share where the files can then be uploaded to the EMR.
That's certainly a "better than nothing" setup. But if it were me, I'd not put myself at risk to protect the decision makers who took on this risk. That makes no sense. Why would you assume that risk for them? They clearly don't care, why do you?
Actually, no, it provides no security, because you enable SMB1 globally for Windows 10, not per NIC. This would cause that machine to then attempt other client connections with SMB1, as well as accept SMB for the admin shares or anything else it has.
It still provides security, because even if that Windows 10 machine has SMB 1 on globally, as long as that Windows 10 machine is purely for this task, it is still doing a lot to isolate the XP machine, which is where the real risk is. SMB 1 isn't all that scary and can be protected in other ways (VPN for example, even on the LAN.) The Windows 10 machine need not ever attempt an SMB 1 connection unless compromised. Simply having SMB 1 enabled on Windows 10 in no way makes it even a modicum as dangerous as having XP on the network directly.
It's actually a lot of security. Enough? No, probably not. But a lot? Yes. It goes a really long way beyond putting XP on the network directly with IP level exposure.
You can protect against SMB 1 on the Windows 10 box in two additional ways. First, allow no outbound connections except the one to the XP box. Second, don't have any devices on the network offering SMB 1 enabled shares. SMB 1 turned on, then, will have no effect unless the network and that box are already otherwise compromised in which case, SMB 1 isn't a concern anyway.
-
@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
But they have a printer attached to this system, I assume this is USB as well, right? Or is this system already networked?
No one said that. you are conflating everything worse than @Dashrender. Stop assuming shit, and spam replying with no useful info.
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
Current process is that they print all images and then scan them in. I was just looking to save some steps but not cause a security issue for them.
Suck it.
-
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
I'd assume that the drivers for this camera are just built for a 32-bit system. I'd not be surprised if the camera didn't actually work with Windows 10.
They easily don't, but they easily do. Windows 10 32bit is one option. Seems like it would be worth testing.
-
@scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level:
You can attempt to run Windows 10 and connect the camera and see if you can trick it into thinking that it is Windows XP, for example. Might not work, but probably worth trying.
This is the best idea, as there is not point in even trying to do this with Windows 7 since it is also about out of support, and thus also a HIPAA non-compliant issue.
I've made a number of shit ass software products work on Windows 10 over the years with the help of compatibility mode.
-
Yeah, Windows 10 32bit (we are assuming 32bit XP as 99% of installs were) + XP Compatibility has a really decent chance of working.
-
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
But they have a printer attached to this system, I assume this is USB as well, right? Or is this system already networked?
No one said that. you are conflating everything worse than @Dashrender. Stop assuming shit, and spam replying with no useful info.
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
Current process is that they print all images and then scan them in. I was just looking to save some steps but not cause a security issue for them.
Suck it.
Read more slowly. They print the images. They scan the printed images in.
Nothing in there states the images come from this system, that was bought for the camera, not for the printing.
-
@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
But they have a printer attached to this system, I assume this is USB as well, right? Or is this system already networked?
No one said that. you are conflating everything worse than @Dashrender. Stop assuming shit, and spam replying with no useful info.
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
Current process is that they print all images and then scan them in. I was just looking to save some steps but not cause a security issue for them.
Suck it.
Read more slowly. They print the images. They scan the printed images in.
Nothing in there states the images come from this system, that was bought for the camera, not for the printing.
How do you think they are printing the images? Using a USB drive to grab the files from this XP workstation first? We all know that USB drives are a massive HIPAA no-no.
So @syko24 how are they printing these images?
-
So if it were possible to upgrade to 10, I would have to first upgrade to 7 and then upgrade to 10 correct? I can't remember if XP to 7 required a clean install.
-
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
But they have a printer attached to this system, I assume this is USB as well, right? Or is this system already networked?
No one said that. you are conflating everything worse than @Dashrender. Stop assuming shit, and spam replying with no useful info.
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
Current process is that they print all images and then scan them in. I was just looking to save some steps but not cause a security issue for them.
Suck it.
Read more slowly. They print the images. They scan the printed images in.
Nothing in there states the images come from this system, that was bought for the camera, not for the printing.
How do you think they are printing the images? Using a USB drive to grab the files from this XP workstation first? We all know that USB drives are a massive HIPAA no-no.
So @syko24 how are they printing these images?
USB printer directly attached
-
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
But they have a printer attached to this system, I assume this is USB as well, right? Or is this system already networked?
No one said that. you are conflating everything worse than @Dashrender. Stop assuming shit, and spam replying with no useful info.
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
Current process is that they print all images and then scan them in. I was just looking to save some steps but not cause a security issue for them.
Suck it.
Read more slowly. They print the images. They scan the printed images in.
Nothing in there states the images come from this system, that was bought for the camera, not for the printing.
How do you think they are printing the images? Using a USB drive to grab the files from this XP workstation first? We all know that USB drives are a massive HIPAA no-no.
So @syko24 how are they printing these images?
USB printer directly attached
SUCK IT! @JaredBusch
BAM!
-
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
But they have a printer attached to this system, I assume this is USB as well, right? Or is this system already networked?
No one said that. you are conflating everything worse than @Dashrender. Stop assuming shit, and spam replying with no useful info.
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
Current process is that they print all images and then scan them in. I was just looking to save some steps but not cause a security issue for them.
Suck it.
Read more slowly. They print the images. They scan the printed images in.
Nothing in there states the images come from this system, that was bought for the camera, not for the printing.
How do you think they are printing the images? Using a USB drive to grab the files from this XP workstation first? We all know that USB drives are a massive HIPAA no-no.
So @syko24 how are they printing these images?
USB printer directly attached
SUCK IT! @JaredBusch
BAM!
Don't be a dick. You assumed, I did not.
-
@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:
Don't be a dick. You assumed, I did not.
I assumed correctly based on common knowledge about HIPAA. You assumed some magic was occurring for them to get the files off of this XP system to something that can print.
-
I have dealt with these kind of system many times - systems that can't be upgraded or can't be made to support newer protocols.
I didn't read the entire thread but best practice for the above is to isolate them from the network as much as possible and whitelist IP's that are allowed access.
So I suggest sticking the camera and XP behind a hardware firewall and set up rules for what ports are allowed to be accessed from what IP addresses. I'm sure you can close it down a lot. -
@Pete-S said in Is SMB 1.0 more vulnerable at the client level or server level:
I have dealt with these kind of system many times - systems that can't be upgraded or can't be made to support newer protocols.
Best practice is to isolate them from the network as much as possible and whitelist IP's that are allowed access.
So I suggest sticking the camera and XP behind a hardware firewall and set up rules for what ports are allowed to be accessed from what IP addresses. I'm sure you can close it down a lot.Does not solve the need for SMB1
-
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:
Don't be a dick. You assumed, I did not.
I assumed correctly based on common knowledge about HIPAA. You assumed some magic was occurring for them to get the files off of this XP system to something that can print.
No, there are all kinds of machines in medical that print images that need subsequently scanned. You made a wild assumption and got lucky.
-
@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:
@Pete-S said in Is SMB 1.0 more vulnerable at the client level or server level:
I have dealt with these kind of system many times - systems that can't be upgraded or can't be made to support newer protocols.
Best practice is to isolate them from the network as much as possible and whitelist IP's that are allowed access.
So I suggest sticking the camera and XP behind a hardware firewall and set up rules for what ports are allowed to be accessed from what IP addresses. I'm sure you can close it down a lot.Does not solve the need for SMB1
Just thinking about it, what if FTP were an option?
-
@Pete-S said in Is SMB 1.0 more vulnerable at the client level or server level:
I have dealt with these kind of system many times - systems that can't be upgraded or can't be made to support newer protocols.
I didn't read the entire thread but best practice for the above is to isolate them from the network as much as possible and whitelist IP's that are allowed access.
So I suggest sticking the camera and XP behind a hardware firewall and set up rules for what ports are allowed to be accessed from what IP addresses. I'm sure you can close it down a lot.That works for general security, but HIPAA doesn't allow for it even when done "well".
-
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:
@Pete-S said in Is SMB 1.0 more vulnerable at the client level or server level:
I have dealt with these kind of system many times - systems that can't be upgraded or can't be made to support newer protocols.
Best practice is to isolate them from the network as much as possible and whitelist IP's that are allowed access.
So I suggest sticking the camera and XP behind a hardware firewall and set up rules for what ports are allowed to be accessed from what IP addresses. I'm sure you can close it down a lot.Does not solve the need for SMB1
Just thinking about it, what if FTP were an option?
or SFTP or FTPS.
-
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:
@Pete-S said in Is SMB 1.0 more vulnerable at the client level or server level:
I have dealt with these kind of system many times - systems that can't be upgraded or can't be made to support newer protocols.
Best practice is to isolate them from the network as much as possible and whitelist IP's that are allowed access.
So I suggest sticking the camera and XP behind a hardware firewall and set up rules for what ports are allowed to be accessed from what IP addresses. I'm sure you can close it down a lot.Does not solve the need for SMB1
Just thinking about it, what if FTP were an option?
Solves the SMB 1 issue which is not the real issue. Does not solve the Windows XP connected to another device issue that causes your HIPAA violation.
FTP would be "better", but not enough better to actually matter.
-
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:
@Pete-S said in Is SMB 1.0 more vulnerable at the client level or server level:
I have dealt with these kind of system many times - systems that can't be upgraded or can't be made to support newer protocols.
Best practice is to isolate them from the network as much as possible and whitelist IP's that are allowed access.
So I suggest sticking the camera and XP behind a hardware firewall and set up rules for what ports are allowed to be accessed from what IP addresses. I'm sure you can close it down a lot.Does not solve the need for SMB1
Just thinking about it, what if FTP were an option?
Still would be a HIPAA violation. As that would be an relatively uncontrolled means of egress for the files.
