    Is SMB 1.0 more vulnerable at the client level or server level

IT Discussion. 122 Posts, 11 Posters, 9.7k Views
scottalanmiller @syko24 wrote:

      @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:

      @scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level:

If you could use SFTP / FTPS, and then use a Linux box as the connector, this would improve actual security. You could even use a Raspberry Pi velcroed right onto the XP box to make this physically convenient. But bottom line, the XP box is a problem if you attach it to anything and no trickery, firewall, port isolation, protocol, encryption, or otherwise is going to make it not a violation.

      I was kind of thinking that too. If there was another machine supporting SMB1 - SMB3 between the XP and 10 machine then the 10 machine would not need to run SMB1. Again I think it's a lost cause.

      Yeah, if purely "better security" was the goal, your thinking is good. But because of HIPAA, certain things are just black and white. No one is saying that HIPAA is sensible, it just is what it is.

      If this was just a case of needing "reasonable security better than what any normal medical practice has" then you'd be golden. But sadly it's not.

Dashrender @scottalanmiller wrote:

        @scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level:

        @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:

        The client needs to take images that are on the camera (XP machine) and upload to their EMR.
        Current process is the images are printed, scanned, uploaded to EMR.

        That process uses a lot of human time and degrades the images quite a lot. Seems like they weren't so concerned about the cost when they bought it and chose to do that. This seems crazy financially.

        Bottom line, though, there isn't a good answer for this. But it's not your fault or your problem. And no doctor acting this way thinks that $80K is enough money to worry about.

        How many doctors offices - not hospitals - doctors offices have you been brought into, said that to them, and didn't get tossed on your ear - and instead they actually said something like " oh geez damn Scott - you're right - we were totally stupid when we bought this and not think about the future ramifications of OS support, etc. Now that our eyes are open, here, here's a damned near blank check - please fix our systems?"

And this is a serious question - because I want their names so I can call them and use them as a reference to sell that idea to my guys, or at least my boss.

DustinB3403 wrote:

          The issue isn't just XP, it's everything related to the transfer of the images. Networked, USB device, Floppy drive (lol) or any other means requires that the data be secured*.

          I used an * on purpose - because even HIPAA is completely in the dark on how to do that.

Dashrender @DustinB3403 wrote:

            @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

            @scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level:

            @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

            So @syko24 the goal is to allow the customer to remotely access a file share from an XP machine over the network (presumably because it's easier than having a KVM attached to this XP machine).

            Correct?

Using a KVM would be only a tiny fraction of the functionality. How will they store and back up these images, for example?

            KVM was shorthand for me having to type out a keyboard, mouse and monitor.

I assume that the USB ports on this XP system are superglued closed and that just using a thumb drive to move the files between these systems isn't an option (because of HIPAA I know)

What does HIPAA have to do with thumb drives?

DustinB3403 @Dashrender wrote:

              @Dashrender said in Is SMB 1.0 more vulnerable at the client level or server level:

              @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

              @scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level:

              @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

              So @syko24 the goal is to allow the customer to remotely access a file share from an XP machine over the network (presumably because it's easier than having a KVM attached to this XP machine).

              Correct?

Using a KVM would be only a tiny fraction of the functionality. How will they store and back up these images, for example?

              KVM was shorthand for me having to type out a keyboard, mouse and monitor.

I assume that the USB ports on this XP system are superglued closed and that just using a thumb drive to move the files between these systems isn't an option (because of HIPAA I know)

What does HIPAA have to do with thumb drives?

Data transfer methods are what HIPAA cares about, not the medium.

DustinB3403 @Dashrender wrote:

                @Dashrender said in Is SMB 1.0 more vulnerable at the client level or server level:

                @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

                @scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level:

                @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

                So @syko24 the goal is to allow the customer to remotely access a file share from an XP machine over the network (presumably because it's easier than having a KVM attached to this XP machine).

                Correct?

Using a KVM would be only a tiny fraction of the functionality. How will they store and back up these images, for example?

                KVM was shorthand for me having to type out a keyboard, mouse and monitor.

I assume that the USB ports on this XP system are superglued closed and that just using a thumb drive to move the files between these systems isn't an option (because of HIPAA I know)

What does HIPAA have to do with thumb drives?

HIPAA auditors have been (in my experience hearing of them) cranky over thumb drives.

DustinB3403 wrote (last edited by DustinB3403):

                  Would installing a solution like Veracrypt on both workstations and creating an encrypted volume on a Thumb drive pass a HIPAA audit if it used AES-256?

scottalanmiller @syko24 wrote:

                    @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:

                    If there was another machine supporting SMB1 - SMB3 between the XP and 10 machine then the 10 machine would not need to run SMB1.

                    That's not really the security concern that it sounds like. Everyone has this panic about SMB 1 being enabled, but it's actually not a threat to you in this scenario unless you were also doing something else bad along with it. On its own, enabling SMB 1 doesn't cause any risk because there is no non-compromised scenario where it could be used. Since you'd already be compromised for it to get used, being compromised over SMB 1 isn't a problem.

                    SMB 1 is bad, but in this case is simply a red herring. Don't enable it if you don't need it. But don't panic about it either, you have actual security concerns to deal with that affect you in ways that this does not. SMB 1 being enabled, AFAIK, has no HIPAA concern nor reasonable security concern so you are safe from audit and a negligence issue. You'd simply document why it is enabled, and how you ensure it isn't activated and you are covered. And if you think disabling SMB 1 does something big, remember that disabling is nothing compared to not using at all. And a compromised system can turn SMB 1 back on, anyway.

Turning SMB 1 off is really just about preventing accidents in a case like this.

scottalanmiller @DustinB3403 wrote:

                      @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

                      Would installing a solution like Veracrypt on both workstations and creating an encrypted volume on a Thumb drive pass a HIPAA audit if it used AES-256?

You mean and not putting it on the network? Probably.

scottalanmiller @DustinB3403 wrote:

                        @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

                        @Dashrender said in Is SMB 1.0 more vulnerable at the client level or server level:

                        @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

                        @scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level:

                        @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

                        So @syko24 the goal is to allow the customer to remotely access a file share from an XP machine over the network (presumably because it's easier than having a KVM attached to this XP machine).

                        Correct?

Using a KVM would be only a tiny fraction of the functionality. How will they store and back up these images, for example?

                        KVM was shorthand for me having to type out a keyboard, mouse and monitor.

I assume that the USB ports on this XP system are superglued closed and that just using a thumb drive to move the files between these systems isn't an option (because of HIPAA I know)

What does HIPAA have to do with thumb drives?

HIPAA auditors have been (in my experience hearing of them) cranky over thumb drives.

                        Keep in mind that HIPAA audits and HIPAA compliance are unrelated. Failing a HIPAA audit means nothing, it's only failing to be compliant that puts you at risk.

DustinB3403 @scottalanmiller wrote:

                          @scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level:

                          @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

                          Would installing a solution like Veracrypt on both workstations and creating an encrypted volume on a Thumb drive pass a HIPAA audit if it used AES-256?

You mean and not putting it on the network? Probably.

                          Yeah, completely leave the XP system off of the network, but install Veracrypt on the XP system (and Windows 10 system) then create an encrypted volume on a USB drive that whenever the images get transferred the files are encrypted at rest.

Dashrender @syko24 wrote:

                            @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:

                            @scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level:

                            @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:

                            @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

                            The vulnerability comes from maintaining a 12 year old OS on your network in any way shape and form. If it's hosting a share (so another system can grab the files from it) there is added risk.

Understood. If there is an option that allows the client to keep using their working equipment I would like to present it to them. I know the easy answer is to tell someone to cough up another $80,000 for something. If it was as simple as buy a new $1,000 computer I would recommend it. The price tag for some equipment is just gouging though. I know it is a reality of running a business.

                            That they need to cough up for a supported, working machine that is legally applicable to a medical practice is something that they decided when they worked out the support deal on the current one. The XP era had HIPAA and keeping the OS maintained and patched was something that they knew at the time. Don't take on personal liability by recommending something like this. If they demand that you do it against your recommendations, get that in writing that you didn't get a choice. But certainly don't offer it.

                            @scottalanmiller - I appreciate the feedback. If it can't be done then it can't be done. I can accept that and the client has to as well. Again my goal was to try and come up with a solution that would remove unnecessary steps and make things more streamlined.

                            That's just it - it clearly can be done, and you found mitigation for it. I'm not suggesting that you do it, but in my mind you would be following the law, just like you are currently following the law by having the machine be completely isolated. You mitigated risks to a 'reasonable' degree. The problem - as Scott and Dustin will so quickly point out is, who decides what reasonable is? The answer is the auditor who gets the claim against you/the clinic when someone complains.

So... you could hire a HIPAA attorney who will sign off on your workaround and then be there to defend you if/when that time comes. It's likely this attorney would cost loads less than $80K for a new camera system.

Dashrender @JaredBusch wrote:

                              @JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:

                              @scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level:

                              @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:

What I would like to do is Windows 10 machine (1 NIC connected to network, 1 NIC connected via crossover cable) to the XP machine, moves the files off the XP and onto the server share where the files can then be uploaded to the EMR.

                              That's certainly a "better than nothing" setup. But if it were me, I'd not put myself at risk to protect the decision makers who took on this risk. That makes no sense. Why would you assume that risk for them? They clearly don't care, why do you?

                              Actually, no, it provides no security, because you enable SMB1 globally for Windows 10, not per NIC. This would cause that machine to then attempt other client connections with SMB1, as well as accept SMB for the admin shares or anything else it has.

                              AWWW - if that's true - I take back everything I said.. I did completely mean to mention this - can you disable SMB v1 for a given NIC in Windows 10... if you can't then you haven't mitigated the issue, and you can't do it.

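The point raised above, that SMB1 on Windows 10 is a machine-wide setting rather than a per-NIC one, can be verified on the box itself. The following PowerShell is an added example, not code from the thread: it reports the SMB1 state on the server and client side, lists the dialect every live SMB connection and session actually negotiated, and optionally disables SMB1; the `-Disable` switch is this script's own assumed parameter, and it must be run from an elevated session.

```powershell
# Added example (not from the thread): audit SMB1 on a Windows 10 host.
# Run from an elevated PowerShell session.
[CmdletBinding()]
param(
    [switch]$Disable   # script's own switch: also turn SMB1 off when set
)

# 1. Server side: is this host willing to serve SMB1 to any client?
$srv = Get-SmbServerConfiguration
"Server EnableSMB1Protocol : $($srv.EnableSMB1Protocol)"

# 2. Client side: is the SMB1 optional feature (mrxsmb10 client) present?
#    The feature is machine-wide; Windows has no per-adapter variant of it.
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
"SMB1Protocol feature       : $($feat.State)"

# 3. What was actually negotiated right now, as client and as server.
"--- Outbound connections (this host as client) ---"
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect, UserName |
    Format-Table -AutoSize
"--- Inbound sessions (this host as server) ---"
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, Dialect |
    Format-Table -AutoSize

# Flag anything that negotiated SMB1 (the dialect string starts with "1.").
$legacy = @(Get-SmbConnection | Where-Object { $_.Dialect -like '1.*' }) +
          @(Get-SmbSession    | Where-Object { $_.Dialect -like '1.*' })
if ($legacy.Count -gt 0) {
    Write-Warning "$($legacy.Count) SMB1 connection(s)/session(s) are active on this host."
}

# 4. Optional remediation: disable SMB1 on both sides.
if ($Disable) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    "SMB1 disabled on server and client side; a reboot completes the feature removal."
}
```

Any row in the connection or session tables showing a 1.x dialect is a connection the host negotiated down to SMB1, regardless of which adapter it arrived on.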
DustinB3403 wrote:

                                XP is even supported.

scottalanmiller @Dashrender wrote:

                                  @Dashrender said in Is SMB 1.0 more vulnerable at the client level or server level:

                                  @scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level:

                                  @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:

                                  The client needs to take images that are on the camera (XP machine) and upload to their EMR.
                                  Current process is the images are printed, scanned, uploaded to EMR.

                                  That process uses a lot of human time and degrades the images quite a lot. Seems like they weren't so concerned about the cost when they bought it and chose to do that. This seems crazy financially.

                                  Bottom line, though, there isn't a good answer for this. But it's not your fault or your problem. And no doctor acting this way thinks that $80K is enough money to worry about.

                                  How many doctors offices - not hospitals - doctors offices have you been brought into, said that to them, and didn't get tossed on your ear - and instead they actually said something like " oh geez damn Scott - you're right - we were totally stupid when we bought this and not think about the future ramifications of OS support, etc. Now that our eyes are open, here, here's a damned near blank check - please fix our systems?"

And this is a serious question - because I want their names so I can call them and use them as a reference to sell that idea to my guys, or at least my boss.

                                  You treat it like a blank check to fix systems. That's why they don't listen to you. You present it as "this is expensive, but we can do it right". That makes no sense to them... how can expensive be right?

                                  I show how good decisions cost less and talk money, not tech or "doing it right". You are thinking that this is an IT problem, but it's a business problem. Treat it as such and it's really, really hard for even doctors to claim that they hate making money when those are the words that they have to use.

Dashrender @DustinB3403 wrote:

                                    @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

                                    I'd assume that the drivers for this camera are just built for a 32-bit system. I'd not be surprised if the camera didn't actually work with Windows 10.

                                    Most hardware is usually compatible and in the worst case you'd use the compatibility layer to trick it.

                                    Still raises so many red flags, but not my hat.

                                    With that in mind - specifically install Windows 10 32 bit then try it.

scottalanmiller @Dashrender wrote:

                                      @Dashrender said in Is SMB 1.0 more vulnerable at the client level or server level:

                                      @JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:

                                      @scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level:

                                      @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:

What I would like to do is Windows 10 machine (1 NIC connected to network, 1 NIC connected via crossover cable) to the XP machine, moves the files off the XP and onto the server share where the files can then be uploaded to the EMR.

                                      That's certainly a "better than nothing" setup. But if it were me, I'd not put myself at risk to protect the decision makers who took on this risk. That makes no sense. Why would you assume that risk for them? They clearly don't care, why do you?

                                      Actually, no, it provides no security, because you enable SMB1 globally for Windows 10, not per NIC. This would cause that machine to then attempt other client connections with SMB1, as well as accept SMB for the admin shares or anything else it has.

                                      AWWW - if that's true - I take back everything I said.. I did completely mean to mention this - can you disable SMB v1 for a given NIC in Windows 10... if you can't then you haven't mitigated the issue, and you can't do it.

                                      He's mitigated the actual security issue, not the false one. But not the violation. There are three issues being kicked around...

                                      1. Using SMB 1 is a red herring issue, not the real concern here.
                                      2. Using XP is a security concern as it is not patched. This is the real concern (that is mitigated.)
                                      3. The HIPAA violation of an unpatched, unsupported OS on the network.
DustinB3403 @scottalanmiller wrote:

                                        @scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level:

                                        @Dashrender said in Is SMB 1.0 more vulnerable at the client level or server level:

                                        @JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:

                                        @scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level:

                                        @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:

What I would like to do is Windows 10 machine (1 NIC connected to network, 1 NIC connected via crossover cable) to the XP machine, moves the files off the XP and onto the server share where the files can then be uploaded to the EMR.

                                        That's certainly a "better than nothing" setup. But if it were me, I'd not put myself at risk to protect the decision makers who took on this risk. That makes no sense. Why would you assume that risk for them? They clearly don't care, why do you?

                                        Actually, no, it provides no security, because you enable SMB1 globally for Windows 10, not per NIC. This would cause that machine to then attempt other client connections with SMB1, as well as accept SMB for the admin shares or anything else it has.

                                        AWWW - if that's true - I take back everything I said.. I did completely mean to mention this - can you disable SMB v1 for a given NIC in Windows 10... if you can't then you haven't mitigated the issue, and you can't do it.

                                        He's mitigated the actual security issue, not the false one. But not the violation. There are three issues being kicked around...

                                        1. Using SMB 1 is a red herring issue, not the real concern here.
                                        2. Using XP is a security concern as it is not patched. This is the real concern (that is mitigated.)
                                        3. The HIPAA violation of an unpatched, unsupported OS on the network.

All 3 of which can be fixed like this:

                                        1. Don't use SMB 1
                                        2. Don't connect XP to the network
                                        3. See point 2
syko24 @Dashrender wrote:

                                          @Dashrender said in Is SMB 1.0 more vulnerable at the client level or server level:

                                          @JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:

                                          @scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level:

                                          @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:

What I would like to do is Windows 10 machine (1 NIC connected to network, 1 NIC connected via crossover cable) to the XP machine, moves the files off the XP and onto the server share where the files can then be uploaded to the EMR.

                                          That's certainly a "better than nothing" setup. But if it were me, I'd not put myself at risk to protect the decision makers who took on this risk. That makes no sense. Why would you assume that risk for them? They clearly don't care, why do you?

                                          Actually, no, it provides no security, because you enable SMB1 globally for Windows 10, not per NIC. This would cause that machine to then attempt other client connections with SMB1, as well as accept SMB for the admin shares or anything else it has.

                                          AWWW - if that's true - I take back everything I said.. I did completely mean to mention this - can you disable SMB v1 for a given NIC in Windows 10... if you can't then you haven't mitigated the issue, and you can't do it.

                                          What about firewall rules to specific IP addresses?

DustinB3403 wrote:

                                            Using an encrypted medium to transfer the files may work, but it would mean that the Tech (or Doctor or whoever) would have to remember a password to decrypt the data/drive.

                                            Which they may not want to do, but likely falls into the HIPAA compliant category.
