Is SMB 1.0 more vulnerable at the client level or server level
-
Remember to think about whistleblowers.... installing something like this means that you are always afraid of one. Whether it is management that decides to make you a scapegoat, an employee meaning to hurt the clinic, anyone in the clinic with a bone to pick with you, or a customer who realizes that XP has been used and is pissed at the negligence with their data... it's unlikely, but so easy that someone will call you in and you personally would be the one at fault here as the clinic isn't pushing you to do this.
This is like AJ Syndrome. Simply don't do it. Not worth it. Not in the least.
-
@scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level:
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
The vulnerability comes from maintaining a 12 year old OS on your network in any way shape and form. If it's hosting a share (so another system can grab the files from it) there is added risk.
Understood. If there is an option that allows the client to keep using their working equipment I would like to present it to them. I know the easy answer is to tell someone cough up another $80,000 for something. If it was as simple as buy a new $1,000 computer I would recommend it. The price tag for some equipment is just gouging though. I know it is a reality of running a business.
That they need to cough up for a supported, working machine that is legally applicable to a medical practice is something that they decided when they worked out the support deal on the current one. The XP era had HIPAA and keeping the OS maintained and patched was something that they knew at the time. Don't take on personal liability by recommending something like this. If they demand that you do it against your recommendations, get that in writing that you didn't get a choice. But certainly don't offer it.
@scottalanmiller - I appreciate the feedback. If it can't be done then it can't be done. I can accept that and the client has to as well. Again my goal was to try and come up with a solution that would remove unnecessary steps and make things more streamlined.
-
But they have a printer attached to this system, I assume this is USB as well, right? Or is this system already networked?
-
@scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level:
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
What I would like to do is Windows 10 machine (1 nic connected to network, 1 nic connected via crossover cable) to the XP machine, moves the files off the XP and onto the server share where the files can then be uploaded to the EMR.
That's certainly a "better than nothing" setup. But if it were me, I'd not put myself at risk to protect the decision makers who took on this risk. That makes no sense. Why would you assume that risk for them? They clearly don't care, why do you?
Actually, no, it provides no security, because you enable SMB1 globally for Windows 10, not per NIC. This would cause that machine to then attempt other client connections with SMB1, as well as accept SMB for the admin shares or anything else it has.
-
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
@scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level:
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
The vulnerability comes from maintaining a 12 year old OS on your network in any way shape and form. If it's hosting a share (so another system can grab the files from it) there is added risk.
Understood. If there is an option that allows the client to keep using their working equipment I would like to present it to them. I know the easy answer is to tell someone cough up another $80,000 for something. If it was as simple as buy a new $1,000 computer I would recommend it. The price tag for some equipment is just gouging though. I know it is a reality of running a business.
That they need to cough up for a supported, working machine that is legally applicable to a medical practice is something that they decided when they worked out the support deal on the current one. The XP era had HIPAA and keeping the OS maintained and patched was something that they knew at the time. Don't take on personal liability by recommending something like this. If they demand that you do it against your recommendations, get that in writing that you didn't get a choice. But certainly don't offer it.
@scottalanmiller - I appreciate the feedback. If it can't be done then it can't be done. I can accept that and the client has to as well. Again my goal was to try and come up with a solution that would remove unnecessary steps and make things more streamlined.
It's an admirable goal. And if you can come up with a HIPAA compliant solution, then more power to you. It's not that this is really all that risky, it's that the XP connected to Windows 10 hits a black and white HIPAA rule that you'd not be able to talk your way out of it.
You can attempt to run Windows 10 and connect the camera and see if you can trick it into thinking that it is Windows XP, for example. Might not work, but probably worth trying.
-
I'd assume that the drivers for this camera are just built for a 32-bit system. I'd not be surprised if the camera didn't actually work with Windows 10.
Most hardware is usually compatible and in the worst case you'd use the compatibility layer to trick it.
Still raises so many red flags, but not my hat.
-
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
But they have a printer attached to this system, I assume this is USB as well, right? Or is this system already networked?
No one said that. you are conflating everything worse than @Dashrender. Stop assuming shit, and spam replying with no useful info.
-
@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:
@scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level:
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
What I would like to do is Windows 10 machine (1 nic connected to network, 1 nic connected via crossover cable) to the XP machine, moves the files off the XP and onto the server share where the files can then be uploaded to the EMR.
That's certainly a "better than nothing" setup. But if it were me, I'd not put myself at risk to protect the decision makers who took on this risk. That makes no sense. Why would you assume that risk for them? They clearly don't care, why do you?
Actually, no, it provides no security, because you enable SMB1 globally for Windows 10, not per NIC. This would cause that machine to then attempt other client connections with SMB1, as well as accept SMB for the admin shares or anything else it has.
It still provides security, because even if that Windows 10 machine has SMB 1 on globally, as long as that Windows 10 machine is purely for this task, it is still doing a lot to isolate the XP machine, which is where the real risk is. SMB 1 isn't all that scary and can be protected in other ways (VPN for example, even on the LAN.) The Windows 10 machine need not ever attempt an SMB 1 connection unless compromised. Simply having SMB 1 enabled on Windows 10 in no way makes it even a modicum as dangerous as having XP on the network directly.
It's actually a lot of security. Enough? No, probably not. But a lot? Yes. It goes a really long way beyond putting XP on the network directly with IP level exposure.
You can protect against SMB 1 on the Windows 10 box in two additional ways. First, allow no outbound connections except the one to the XP box. Second, don't have any devices on the network offering SMB 1 enabled shares. SMB 1 turned on, then, will have no effect unless the network and that box are already otherwise compromised in which case, SMB 1 isn't a concern anyway.
-
@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
But they have a printer attached to this system, I assume this is USB as well, right? Or is this system already networked?
No one said that. you are conflating everything worse than @Dashrender. Stop assuming shit, and spam replying with no useful info.
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
Current process is that they print all images and then scan them in. I was just looking to save some steps but not cause a security issue for them.
Suck it.
-
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
I'd assume that the drivers for this camera are just built for a 32-bit system. I'd not be surprised if the camera didn't actually work with Windows 10.
They easily don't, but they easily do. Windows 10 32bit is one option. Seems like it would be worth testing.
-
@scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level:
You can attempt to run Windows 10 and connect the camera and see if you can trick it into thinking that it is Windows XP, for example. Might not work, but probably worth trying.
This is the best idea, as there is not point in even trying to do this with Windows 7 since it is also about out of support, and thus also a HIPAA non-compliant issue.
I've made a number of shit ass software products work on Windows 10 over the years with the help of compatibility mode.
-
Yeah, Windows 10 32bit (we are assuming 32bit XP as 99% of installs were) + XP Compatibility has a really decent chance of working.
-
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
But they have a printer attached to this system, I assume this is USB as well, right? Or is this system already networked?
No one said that. you are conflating everything worse than @Dashrender. Stop assuming shit, and spam replying with no useful info.
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
Current process is that they print all images and then scan them in. I was just looking to save some steps but not cause a security issue for them.
Suck it.
Read more slowly. They print the images. They scan the printed images in.
Nothing in there states the images come from this system, that was bought for the camera, not for the printing.
-
@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
But they have a printer attached to this system, I assume this is USB as well, right? Or is this system already networked?
No one said that. you are conflating everything worse than @Dashrender. Stop assuming shit, and spam replying with no useful info.
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
Current process is that they print all images and then scan them in. I was just looking to save some steps but not cause a security issue for them.
Suck it.
Read more slowly. They print the images. They scan the printed images in.
Nothing in there states the images come from this system, that was bought for the camera, not for the printing.
How do you think they are printing the images? Using a USB drive to grab the files from this XP workstation first? We all know that USB drives are a massive HIPAA no-no.
So @syko24 how are they printing these images?
-
So if it were possible to upgrade to 10, I would have to first upgrade to 7 and then upgrade to 10 correct? I can't remember if XP to 7 required a clean install.
-
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
But they have a printer attached to this system, I assume this is USB as well, right? Or is this system already networked?
No one said that. you are conflating everything worse than @Dashrender. Stop assuming shit, and spam replying with no useful info.
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
Current process is that they print all images and then scan them in. I was just looking to save some steps but not cause a security issue for them.
Suck it.
Read more slowly. They print the images. They scan the printed images in.
Nothing in there states the images come from this system, that was bought for the camera, not for the printing.
How do you think they are printing the images? Using a USB drive to grab the files from this XP workstation first? We all know that USB drives are a massive HIPAA no-no.
So @syko24 how are they printing these images?
USB printer directly attached
-
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
But they have a printer attached to this system, I assume this is USB as well, right? Or is this system already networked?
No one said that. you are conflating everything worse than @Dashrender. Stop assuming shit, and spam replying with no useful info.
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
Current process is that they print all images and then scan them in. I was just looking to save some steps but not cause a security issue for them.
Suck it.
Read more slowly. They print the images. They scan the printed images in.
Nothing in there states the images come from this system, that was bought for the camera, not for the printing.
How do you think they are printing the images? Using a USB drive to grab the files from this XP workstation first? We all know that USB drives are a massive HIPAA no-no.
So @syko24 how are they printing these images?
USB printer directly attached
SUCK IT! @JaredBusch
BAM!
-
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
But they have a printer attached to this system, I assume this is USB as well, right? Or is this system already networked?
No one said that. you are conflating everything worse than @Dashrender. Stop assuming shit, and spam replying with no useful info.
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
Current process is that they print all images and then scan them in. I was just looking to save some steps but not cause a security issue for them.
Suck it.
Read more slowly. They print the images. They scan the printed images in.
Nothing in there states the images come from this system, that was bought for the camera, not for the printing.
How do you think they are printing the images? Using a USB drive to grab the files from this XP workstation first? We all know that USB drives are a massive HIPAA no-no.
So @syko24 how are they printing these images?
USB printer directly attached
SUCK IT! @JaredBusch
BAM!
Don't be a dick. You assumed, I did not.
-
@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:
Don't be a dick. You assumed, I did not.
I assumed correctly based on common knowledge about HIPAA. You assumed some magic was occurring for them to get the files off of this XP system to something that can print.
-
I have dealt with these kind of system many times - systems that can't be upgraded or can't be made to support newer protocols.
I didn't read the entire thread but best practice for the above is to isolate them from the network as much as possible and whitelist IP's that are allowed access.
So I suggest sticking the camera and XP behind a hardware firewall and set up rules for what ports are allowed to be accessed from what IP addresses. I'm sure you can close it down a lot.
