Technologies Begging to be Ransomwared
-
@travisdh1 said in Technologies Begging to be Ransomwared:
@dashrender said in Technologies Begging to be Ransomwared:
One user to one device should be the easiest.
A local account on the computer for the user - no need for AD.
Use something like Next Cloud, OneDrive, Sharepoint, Google Drive, etc for files - at least personal files.
Direct IP printing to printers (I'm wondering what exists to secure this?)
Centralized management would be through RMM solution
Solving the shared files bit it's overly hard, I assume. Sharepoint and OneDrive both offer ways to share files with other users, at least in your own organization. I don't know enough about NC for this.
Of course, when it comes to file access, the biggest thing is training users to not have a Network Share, but instead they have to use a web interface. Now of course someone is going to jump on me and say - wait Dash... you can use the sync clients for NC, OD, SP, GD, etc and those things will then show up in file explorer... and of course, you're right, but then the cryptoware can crawl them and encrypt them. Of course there can be some ways to recover from that being hit, but I have to ask is that a risk we really want to deal with?
Why do you think network shares can't be used with NextCloud? Windows can use webdav to connect to a network share, and they fixed the speed issues it has in Windows 8 (Windows 7 webdav was so slow it was unusable).
Of course they can be.. but Webdav is no different than SMB when it comes to ransomware.
So if you're going to go that route - why change? I mean other than there are no licenses involved.
-
@dashrender said in Technologies Begging to be Ransomwared:
@travisdh1 said in Technologies Begging to be Ransomwared:
@dashrender said in Technologies Begging to be Ransomwared:
One user to one device should be the easiest.
A local account on the computer for the user - no need for AD.
Use something like Next Cloud, OneDrive, Sharepoint, Google Drive, etc for files - at least personal files.
Direct IP printing to printers (I'm wondering what exists to secure this?)
Centralized management would be through RMM solution
Solving the shared files bit it's overly hard, I assume. Sharepoint and OneDrive both offer ways to share files with other users, at least in your own organization. I don't know enough about NC for this.
Of course, when it comes to file access, the biggest thing is training users to not have a Network Share, but instead they have to use a web interface. Now of course someone is going to jump on me and say - wait Dash... you can use the sync clients for NC, OD, SP, GD, etc and those things will then show up in file explorer... and of course, you're right, but then the cryptoware can crawl them and encrypt them. Of course there can be some ways to recover from that being hit, but I have to ask is that a risk we really want to deal with?
Why do you think network shares can't be used with NextCloud? Windows can use webdav to connect to a network share, and they fixed the speed issues it has in Windows 8 (Windows 7 webdav was so slow it was unusable).
Of course they can be.. but Webdav is no different than SMB when it comes to ransomware.
So if you're going to go that route - why change? I mean other than there are no licenses involved.
Because it removes AD. Sure the infected user can still infect the mapped drive. But that's it. No AD giving access to everything.
-
@dashrender said in Technologies Begging to be Ransomwared:
I'd love to see some proposed replacement solutions to this situation.
Consider a one to one device to user.
Consider a one user to many devices.
Consider many devices to one user.
Assume the ability to lock the workstation is a requirement in all cases.
These questions are always hard because in all those cases the technology above may or may not be doing something important. All of these exist commonly without AD. The assumption that AD and mapped drives are somehow intrinsic doesn't make any sense. Given that, it's knowing what you expect exactly from AD or mapped drives.
It's like saying "well how do you replace a car in getting from San Diego to Tokyo". Well since there is no obvious need for a car to get between those two points, it's understanding how you are imagining a car to be used that makes all of the difference to answer your question.
-
@dashrender said in Technologies Begging to be Ransomwared:
Direct IP printing to printers (I'm wondering what exists to secure this?)
Mostly... NOT using direct IP printing to printers.
Also, printers are super insecure so generally no one cares because almost no one secures printers physically anyway.
-
@dashrender said in Technologies Begging to be Ransomwared:
Centralized management would be through RMM solution
Nothing wrong with that, but why go to RMM? I've never seen any company do this.
-
@dashrender said in Technologies Begging to be Ransomwared:
Of course, when it comes to file access, the biggest thing is training users to not have a Network Share, but instead they have to use a web interface.
What? Why? No major solution requires or even hints at that. This is a huge leap in requirements.
Like... going to the store requires that you take a blimp. Wait, a what? Why would it even occur to you to have a requirement like that, it's so counterintuitive and out of left field.
Why would you just work with local folders like normal?
-
@dashrender said in Technologies Begging to be Ransomwared:
Now of course someone is going to jump on me and say - wait Dash... you can use the sync clients for NC, OD, SP, GD, etc and those things will then show up in file explorer... and of course, you're right, but then the cryptoware can crawl them and encrypt them.
Not like a mapped drive, they cannot. Totally different. Still a risk to be considered, but an extremely different one. This is the dangerous kind of thinking that makes people feel like mapped drives might make sense when they simply do not.
-
@dashrender said in Technologies Begging to be Ransomwared:
Of course there can be some ways to recover from that being hit, but I have to ask is that a risk we really want to deal with?
Most of these technologies (and mostly with mapped drives, too) there are ways to have this be extremely transparent. But mapped drives tend to expose the file server in ways that sync clients do not.
-
@jaredbusch said in Technologies Begging to be Ransomwared:
@dashrender said in Technologies Begging to be Ransomwared:
@travisdh1 said in Technologies Begging to be Ransomwared:
@dashrender said in Technologies Begging to be Ransomwared:
One user to one device should be the easiest.
A local account on the computer for the user - no need for AD.
Use something like Next Cloud, OneDrive, Sharepoint, Google Drive, etc for files - at least personal files.
Direct IP printing to printers (I'm wondering what exists to secure this?)
Centralized management would be through RMM solution
Solving the shared files bit it's overly hard, I assume. Sharepoint and OneDrive both offer ways to share files with other users, at least in your own organization. I don't know enough about NC for this.
Of course, when it comes to file access, the biggest thing is training users to not have a Network Share, but instead they have to use a web interface. Now of course someone is going to jump on me and say - wait Dash... you can use the sync clients for NC, OD, SP, GD, etc and those things will then show up in file explorer... and of course, you're right, but then the cryptoware can crawl them and encrypt them. Of course there can be some ways to recover from that being hit, but I have to ask is that a risk we really want to deal with?
Why do you think network shares can't be used with NextCloud? Windows can use webdav to connect to a network share, and they fixed the speed issues it has in Windows 8 (Windows 7 webdav was so slow it was unusable).
Of course they can be.. but Webdav is no different than SMB when it comes to ransomware.
So if you're going to go that route - why change? I mean other than there are no licenses involved.
Because it removes AD. Sure the infected user can still infect the mapped drive. But that's it. No AD giving access to everything.
Exactly. It's AD + Mapped Drives that becomes the biggest problem. The two together exacerbate security issues to an extreme degree. The idea is this transparent access to everything, from everywhere, in file form. It's like having all the money just in a big pile on the kitchen table. Of course it is quick and easy and convenient. And all those things also mean hard to track and secure.
-
@dashrender said in Technologies Begging to be Ransomwared:
Of course they can be.. but Webdav is no different than SMB when it comes to ransomware.
At a protocol level, yes. In any meaningful way, no. Mapped drives from NextCloud are quite different than mapped drives from Windows. You can go to great lengths to make them behave similarly, but by default, they are quite different with security wins going strongly to NextCloud (or similar tech.)
-
@dashrender said in Technologies Begging to be Ransomwared:
I'd love to see some proposed replacement solutions to this situation.
Consider a one to one device to user.
Consider a one user to many devices.
Consider many devices to one user.
Assume the ability to lock the workstation is a requirement in all cases.
The problem here is that naturally AD and mapped drives do nothing to aid these situations. So you can "replace them" simply by "never having them." It's literally that simple.
Imagine the question in reverse. Ask "since all these things are handled so easily without AD or mapped drives, tell me how I could use these MS technologies and still have all these things I've always had without them!"
Seems silly, right? All of those use cases have no dependency or special tie to AD. AD doesn't "do" anything special. It's not like replacing gluten in a dough recipe where it performs a specific and necessary task that has to have an alternative if you use gluten (and gluten serves no purpose but that one thing.) AD has no role in those scenarios, so asking for the replacement has no clear answer because there's no problem to solve.
-
@dashrender said in Technologies Begging to be Ransomwared:
Assume the ability to lock the workstation is a requirement in all cases.
In your particular scenario, I suspect that there is no need for this. You need to lock applications, but not the screen. Doing a physical lock, rather than a logical one, seems counterintuitive. What function does this serve as the data and data sharing requirements are naturally and appropriately handled elsewhere without blanking the screen. Nothing wrong with having a screen lock, but why is the operating system considered important to hide rather than data?
-
@scottalanmiller said in Technologies Begging to be Ransomwared:
You need to lock applications, but not the screen
There is no function in any EMR to lock the application so nothing is visible.
Would be a nice feature. So the easy answer is you lock the screen.
-
@dashrender said in Technologies Begging to be Ransomwared:
Consider a one user to many devices.
We do this with Linux and NextCloud and/or Zoho WorkDrive. This is so natural and obvious I just can't fathom the question. Like... I can't find the challenge that you are looking to solve. And I can't think of any way that AD or mapped drives would improve this in a meaningful way.
Having users without AD is just as easy (or easier) than having them with it. Just create users where you want them, have NC installed automatically through countless automated processes, have them log in once and voila. Everything covered.
This isn't just easy, it's literally "out of the box" behaviour in several operating systems. Ubuntu, for example, doesn't require the NC client, it has integration with NC, Google, and other cloud services out of the box. Just sign in when you first log in and ... easy peasy. Makes the AD / mapped drive approach seem .... unnecessarily convoluted. And no need to reboot after putting in access, either.
-
@jaredbusch said in Technologies Begging to be Ransomwared:
@scottalanmiller said in Technologies Begging to be Ransomwared:
You need to lock applications, but not the screen
There is no function in any EMR to lock the application so nothing is visible.
Would be a nice feature. So the easy answer is you lock the screen.
There is, just choosing the wrong EMR is the bigger issue. Plus they use RDP, so another layer of locking options.
-
@dashrender said in Technologies Begging to be Ransomwared:
Consider a one user to many devices.
Consider many devices to one user.
That's the same thing, twice.
-
@scottalanmiller said in Technologies Begging to be Ransomwared:
@dashrender said in Technologies Begging to be Ransomwared:
Consider a one user to many devices.
We do this with Linux and NextCloud and/or Zoho WorkDrive. This is so natural and obvious I just can't fathom the question. Like... I can't find the challenge that you are looking to solve. And I can't think of any way that AD or mapped drives would improve this in a meaningful way.
Having users without AD is just as easy (or easier) than having them with it. Just create users where you want them, have NC installed automatically through countless automated processes, have them log in once and voila. Everything covered.
This isn't just easy, it's literally "out of the box" behaviour in several operating systems. Ubuntu, for example, doesn't require the NC client, it has integration with NC, Google, and other cloud services out of the box. Just sign in when you first log in and ... easy peasy. Makes the AD / mapped drive approach seem .... unnecessarily convoluted. And no need to reboot after putting in access, either.
You missed one part though - the creating that user's account on all of those devices.
AD allows a user to log into any computer joined to AD (at least by default it does). If I have 20 computers spread out at several different offices front desks, I need those 20 people to be able to log into any of them and get their stuff. A centralized authentication solution provides this ability to me.
I'll absolutely give you that scripting solves the rest of the issues - i.e. mapped printers, NC/GD, etc.
But what do you do about creating the user accounts themselves?
A key requirement for me is that a user be able to lock the computer while apps are running to prevent anyone else from gaining access to those apps.
If Windows wasn't required - I might consider a Linux based Terminal server and have everyone run remote sessions. Then they could just disconnect from the session and reconnect to it from anywhere....but - Windows is required.
-
@scottalanmiller said in Technologies Begging to be Ransomwared:
@dashrender said in Technologies Begging to be Ransomwared:
Consider a one user to many devices.
Consider many devices to one user.
That's the same thing, twice.
yeah, I realize that now... I've updated my first post.
-
@dashrender said in Technologies Begging to be Ransomwared:
You missed one part though - the creating that user's account on all of those devices.
AD allows a user to log into any computer joined to AD (at least by default it does). If I have 20 computers spread out at several different offices front desks, I need those 20 people to be able to log into any of them and get their stuff. A centralized authentication solution provides this ability to me.
So does decentralized. Centralized doesn't stop it, but also doesn't enable it. AD isn't giving you that ability, you always have it. You just use AD, so you perceive AD as providing a feature. That's the sales pitch for AD.... selling you things you already had and probably don't really want.
Not that central password management isn't nifty keen, but it's also a ransomware vector. So I don't want it. Not that I don't want to pay for it, I do not want it installed in my environment. I can do it for free without Windows AD and I don't, because I see having it deployed to be a negative that adds risk and management overhead.
If, for whatever reason, you need lots of users on lots of machines there are ways to do that. Like a simple script of net user and voila, 20 users and 100 machines, as fast or faster than AD will do it. And without the confusing caching and time out issues.
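One way to script the local-account provisioning mentioned in the post above, added here as an example and not part of the original thread: it runs locally on one workstation, gives each account a random initial password that is unique to that machine and never appears on a command line, and keeps the accounts out of the Administrators group. The account names are constructed, and how the script is delivered (for example by an RMM tool) and where its output is stored are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example. Runs locally on one workstation; account names are constructed.
$Accounts = 'frontdesk01', 'frontdesk02', 'frontdesk03'

function New-OneTimePassword {
    param([int]$Length = 20)
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+-_'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        do {
            $bytes = New-Object byte[] $Length
            $rng.GetBytes($bytes)
            $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
            # Retry until upper, lower, digit and symbol are all present so the
            # result passes the Windows password complexity policy if it is enabled.
        } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and
                 $pw -match '\d' -and $pw -match '[!#%+\-_]')
    } finally { $rng.Dispose() }
    $pw
}

$result = foreach ($name in $Accounts) {
    if (Get-LocalUser -Name $name -ErrorAction SilentlyContinue) {
        # Already present: leave the account and its password untouched.
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; User = $name
                           Created = $false; OneTimePassword = $null }
        continue
    }
    $plain  = New-OneTimePassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    New-LocalUser -Name $name -Password $secure -Description 'Provisioned by script' | Out-Null
    # New-LocalUser adds no group membership; S-1-5-32-545 is the built-in Users group.
    Add-LocalGroupMember -SID 'S-1-5-32-545' -Member $name
    # Force a password change at first logon so the generated value is short-lived.
    net user $name /logonpasswordchg:yes | Out-Null
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; User = $name
                       Created = $true; OneTimePassword = $plain }
}

# S-1-5-32-544 is the built-in Administrators group; none of these accounts belong there.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $Accounts -contains ($_.Name -split '\\')[-1] }
if ($admins) { Write-Warning "Provisioned accounts with admin rights: $($admins.Name -join ', ')" }

# $result carries secrets: hand it to a protected channel, not a console or RMM log.
$result
```

Because every machine gets different initial passwords, a credential captured on one workstation does not log in to the next one.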
-
@dashrender said in Technologies Begging to be Ransomwared:
If Windows wasn't required - I might consider a Linux based Terminal server and have everyone run remote sessions. Then they could just disconnect from the session and reconnect to it from anywhere....but - Windows is required.
Windows session for the same effect?