Is SMB 1.0 more vulnerable at the client level or server level
-
So @syko24 the goal is to allow the customer to remotely access a file share from an XP machine over the network (presumably because it's easier than having a KVM attached to this XP machine).
Correct?
-
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
Why in God's green earth would you deploy XP today? Or would you continue to operate Windows XP?
The system it runs has an $80,000 camera on it
Also this seems insane that the customer has an $80,000 camera, but can't or won't purchase an updated system to run it.
Medical equipment. That was the price of the current camera. The newer ones are even more ridiculous.
They paid that much and didn't work out a support agreement? How do people do their purchasing so poorly?
-
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
Why in God's green earth would you deploy XP today? Or would you continue to operate Windows XP?
The system it runs has an $80,000 camera on it
Also this seems insane that the customer has an $80,000 camera, but can't or won't purchase an updated system to run it.
Medical equipment. That was the price of the current camera. The newer ones are even more ridiculous.
Okay, so how much is the added insurance of using an ancient OS to run this? What's the potential lawsuit when this system is compromised?
Again that's why I am asking the question. Does this process allow for a compromise? I mean if someone can get all the way to the camera system through the Windows 10 machine, isn't the Windows 10 machine already compromised?
Yes, if you connect an XP machine to anything you risk being compromised AND it is a HIPAA violation. So if that is taking images of patients, you have legal issues with that camera setup.
-
@scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level:
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
Why in God's green earth would you deploy XP today? Or would you continue to operate Windows XP?
The system it runs has an $80,000 camera on it
Also this seems insane that the customer has an $80,000 camera, but can't or won't purchase an updated system to run it.
Medical equipment. That was the price of the current camera. The newer ones are even more ridiculous.
They paid that much and didn't work out a support agreement? How do people do their purchasing so poorly?
Have you heard of this thing called Health Insurance?
-
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
The vulnerability comes from maintaining a 12 year old OS on your network in any way shape and form. If it's hosting a share (so another system can grab the files from it) there is added risk.
XP is from 2001. 18 year old OS!
That it is old is not the issue, that it is out of support and not getting the required patches is the technical issue from a HIPAA perspective.
-
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
The vulnerability comes from maintaining a 12 year old OS on your network in any way shape and form. If it's hosting a share (so another system can grab the files from it) there is added risk.
Understood. If there is an option that allows the client to keep using their working equipment I would like to present it to them. I know the easy answer is to tell someone to cough up another $80,000 for something. If it was as simple as buy a new $1,000 computer I would recommend it. The price tag for some equipment is just gouging though. I know it is a reality of running a business.
That they need to cough up for a supported, working machine that is legally applicable to a medical practice is something that they decided when they worked out the support deal on the current one. The XP era had HIPAA and keeping the OS maintained and patched was something that they knew at the time. Don't take on personal liability by recommending something like this. If they demand that you do it against your recommendations, get that in writing that you didn't get a choice. But certainly don't offer it.
-
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
So @syko24 the goal is to allow the customer to remotely access a file share from an XP machine over the network (presumably because it's easier than having a KVM attached to this XP machine).
Correct?
The client needs to take images that are on the camera (XP machine) and upload them to their EMR.
Current process is the images are printed, scanned, uploaded to EMR.
What I would like to do is have a Windows 10 machine (1 NIC connected to the network, 1 NIC connected via crossover cable to the XP machine) that moves the files off the XP and onto the server share, where the files can then be uploaded to the EMR.
-
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
So @syko24 the goal is to allow the customer to remotely access a file share from an XP machine over the network (presumably because it's easier than having a KVM attached to this XP machine).
Correct?
Using a KVM would be only a tiny fraction of the functionality. How will they store and back up these images, for example?
-
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
The client needs to take images that are on the camera (XP machine) and upload them to their EMR.
Current process is the images are printed, scanned, uploaded to EMR.
That process uses a lot of human time and degrades the images quite a lot. Seems like they weren't so concerned about the cost when they bought it and chose to do that. This seems crazy financially.
Bottom line, though, there isn't a good answer for this. But it's not your fault or your problem. And no doctor acting this way thinks that $80K is enough money to worry about.
-
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
What I would like to do is have a Windows 10 machine (1 NIC connected to the network, 1 NIC connected via crossover cable to the XP machine) that moves the files off the XP and onto the server share, where the files can then be uploaded to the EMR.
That's certainly a "better than nothing" setup. But if it were me, I'd not put myself at risk to protect the decision makers who took on this risk. That makes no sense. Why would you assume that risk for them? They clearly don't care, why do you?
-
@scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
So @syko24 the goal is to allow the customer to remotely access a file share from an XP machine over the network (presumably because it's easier than having a KVM attached to this XP machine).
Correct?
Using a KVM would be only a tiny fraction of the functionality. How will they store and back up these images, for example?
KVM was shorthand for me having to type out a keyboard, mouse and monitor.
I assume that the USB ports on this XP system are superglued closed and that just using a thumb drive to move the files between these systems isn't an option (because of HIPAA, I know).
-
Remember to think about whistleblowers.... installing something like this means that you are always afraid of one. Whether it is management that decides to make you a scapegoat, an employee meaning to hurt the clinic, anyone in the clinic with a bone to pick with you, or a customer who realizes that XP has been used and is pissed at the negligence with their data... it's unlikely, but so easy that someone will call you in and you personally would be the one at fault here as the clinic isn't pushing you to do this.
This is like AJ Syndrome. Simply don't do it. Not worth it. Not in the least.
-
@scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level:
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
The vulnerability comes from maintaining a 12 year old OS on your network in any way shape and form. If it's hosting a share (so another system can grab the files from it) there is added risk.
Understood. If there is an option that allows the client to keep using their working equipment I would like to present it to them. I know the easy answer is to tell someone to cough up another $80,000 for something. If it was as simple as buy a new $1,000 computer I would recommend it. The price tag for some equipment is just gouging though. I know it is a reality of running a business.
That they need to cough up for a supported, working machine that is legally applicable to a medical practice is something that they decided when they worked out the support deal on the current one. The XP era had HIPAA and keeping the OS maintained and patched was something that they knew at the time. Don't take on personal liability by recommending something like this. If they demand that you do it against your recommendations, get that in writing that you didn't get a choice. But certainly don't offer it.
@scottalanmiller - I appreciate the feedback. If it can't be done then it can't be done. I can accept that and the client has to as well. Again my goal was to try and come up with a solution that would remove unnecessary steps and make things more streamlined.
-
But they have a printer attached to this system, I assume this is USB as well, right? Or is this system already networked?
-
@scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level:
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
What I would like to do is have a Windows 10 machine (1 NIC connected to the network, 1 NIC connected via crossover cable to the XP machine) that moves the files off the XP and onto the server share, where the files can then be uploaded to the EMR.
That's certainly a "better than nothing" setup. But if it were me, I'd not put myself at risk to protect the decision makers who took on this risk. That makes no sense. Why would you assume that risk for them? They clearly don't care, why do you?
Actually, no, it provides no security, because you enable SMB1 globally for Windows 10, not per NIC. This would cause that machine to then attempt other client connections with SMB1, as well as accept SMB for the admin shares or anything else it has.
-
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
@scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level:
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
The vulnerability comes from maintaining a 12 year old OS on your network in any way shape and form. If it's hosting a share (so another system can grab the files from it) there is added risk.
Understood. If there is an option that allows the client to keep using their working equipment I would like to present it to them. I know the easy answer is to tell someone to cough up another $80,000 for something. If it was as simple as buy a new $1,000 computer I would recommend it. The price tag for some equipment is just gouging though. I know it is a reality of running a business.
That they need to cough up for a supported, working machine that is legally applicable to a medical practice is something that they decided when they worked out the support deal on the current one. The XP era had HIPAA and keeping the OS maintained and patched was something that they knew at the time. Don't take on personal liability by recommending something like this. If they demand that you do it against your recommendations, get that in writing that you didn't get a choice. But certainly don't offer it.
@scottalanmiller - I appreciate the feedback. If it can't be done then it can't be done. I can accept that and the client has to as well. Again my goal was to try and come up with a solution that would remove unnecessary steps and make things more streamlined.
It's an admirable goal. And if you can come up with a HIPAA compliant solution, then more power to you. It's not that this is really all that risky, it's that the XP connected to Windows 10 hits a black and white HIPAA rule that you'd not be able to talk your way out of it.
You can attempt to run Windows 10 and connect the camera and see if you can trick it into thinking that it is Windows XP, for example. Might not work, but probably worth trying.
-
I'd assume that the drivers for this camera are just built for a 32-bit system. I'd not be surprised if the camera didn't actually work with Windows 10.
Most hardware is usually compatible and in the worst case you'd use the compatibility layer to trick it.
Still raises so many red flags, but not my hat.
-
@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:
But they have a printer attached to this system, I assume this is USB as well, right? Or is this system already networked?
No one said that. You are conflating everything worse than @Dashrender. Stop assuming shit, and spam replying with no useful info.
-
@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:
@scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level:
@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:
What I would like to do is have a Windows 10 machine (1 NIC connected to the network, 1 NIC connected via crossover cable to the XP machine) that moves the files off the XP and onto the server share, where the files can then be uploaded to the EMR.
That's certainly a "better than nothing" setup. But if it were me, I'd not put myself at risk to protect the decision makers who took on this risk. That makes no sense. Why would you assume that risk for them? They clearly don't care, why do you?
Actually, no, it provides no security, because you enable SMB1 globally for Windows 10, not per NIC. This would cause that machine to then attempt other client connections with SMB1, as well as accept SMB for the admin shares or anything else it has.
It still provides security, because even if that Windows 10 machine has SMB 1 on globally, as long as that Windows 10 machine is purely for this task, it is still doing a lot to isolate the XP machine, which is where the real risk is. SMB 1 isn't all that scary and can be protected in other ways (VPN for example, even on the LAN.) The Windows 10 machine need not ever attempt an SMB 1 connection unless compromised. Simply having SMB 1 enabled on Windows 10 in no way makes it even a modicum as dangerous as having XP on the network directly.
It's actually a lot of security. Enough? No, probably not. But a lot? Yes. It goes a really long way beyond putting XP on the network directly with IP level exposure.
You can protect against SMB 1 on the Windows 10 box in two additional ways. First, allow no outbound connections except the one to the XP box. Second, don't have any devices on the network offering SMB 1 enabled shares. SMB 1 turned on, then, will have no effect unless the network and that box are already otherwise compromised in which case, SMB 1 isn't a concern anyway.
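As an added example (not code from this thread or any of its posters), the following PowerShell shows the two things the last posts argue over: how to see that SMB1 on the Windows 10 bridge is a machine-wide setting rather than a per-NIC one, and how to turn the "allow no outbound connections except the one to the XP box" idea into firewall rules. One refinement the posts do not mention: on Windows 10 1709 and later the optional feature is split into SMB1Protocol-Client and SMB1Protocol-Server, and pulling files off the XP share only needs the client half, so the server half can stay off. The IP addresses, interface aliases and rule names are assumptions for the example; run it elevated on the bridge machine and reboot after the feature changes.

```powershell
# Added example for the Windows 10 "bridge" described in the thread.
# Assumed values: adjust to the real crossover/LAN NIC aliases and hosts.
$XpHost     = '192.0.2.10'      # XP camera PC on the crossover link (assumed)
$FileServer = '198.51.100.20'   # server share the images are copied to (assumed)
$BridgeNic  = 'Crossover'       # alias of the NIC cabled to the XP box (assumed)
$LanNic     = 'Ethernet'        # alias of the NIC on the clinic LAN (assumed)

# 1. Check current SMB1 state. Neither view is per interface: the optional
#    feature and the SMB server setting both apply to the whole machine.
Get-WindowsOptionalFeature -Online |
    Where-Object FeatureName -like 'SMB1Protocol*' |
    Select-Object FeatureName, State

Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol

# 2. Enable only the SMB1 client (needed to read the XP share) and make sure
#    the SMB1 server stays off, so nothing on the LAN can speak SMB1 *to* this
#    box or reach its admin shares over SMB1.
Enable-WindowsOptionalFeature  -Online -FeatureName 'SMB1Protocol-Client' -NoRestart
Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol-Server' -NoRestart
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 3. Outbound allow-list: default-deny on every profile, then permit SMB only
#    to the XP box over the crossover NIC and to the file server over the LAN NIC.
Set-NetFirewallProfile -All -DefaultOutboundAction Block

New-NetFirewallRule -DisplayName 'Bridge: SMB to XP camera PC' `
    -Direction Outbound -Protocol TCP -RemotePort 445,139 `
    -RemoteAddress $XpHost -InterfaceAlias $BridgeNic -Action Allow

New-NetFirewallRule -DisplayName 'Bridge: SMB to file server' `
    -Direction Outbound -Protocol TCP -RemotePort 445 `
    -RemoteAddress $FileServer -InterfaceAlias $LanNic -Action Allow

# 4. Verify after a real copy: the XP session should be the only SMB1 (1.x)
#    dialect; the file server session should negotiate 2.x or 3.x.
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect
```

The verification step is the one to keep running: if Get-SmbConnection ever shows a 1.x dialect toward anything other than the XP address, the bridge is talking SMB1 somewhere it should not. One operational caveat: Windows 10 removes the SMB1 client feature on its own after about 15 days of non-use, so a bridge that sits idle over a holiday can silently lose the XP connection until the feature is re-enabled.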