Is SMB 1.0 more vulnerable at the client level or server level
- 
 The encrypted USB drive may be the most appropriate method to do this. Is this XP system in a locked cabinet and only accessible via a lock and key? I ask because if just anyone could plug a USB into this system, then you have other issues to contend with. 
- 
 @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level: So @syko24 the goal is to allow the customer to remotely access a file share from an XP machine over the network (presumably because it's easier than having a KVM attached to this XP machine). Correct?
 @scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level: using a KVM would be only a tiny fraction of the functionality. how will they store and back up these images, for example?
 @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level: KVM was shorthand for me having to type out a keyboard, mouse and monitor. I assume that the USB ports on this XP system are superglued closed and that just using a thumb drive to move the files between these systems isn't an option (because of HIPAA I know)
 @Dashrender said in Is SMB 1.0 more vulnerable at the client level or server level: What does HIPAA have to do with thumb drives?
 @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level: Data transfer methods are what HIPAA cares about, not the medium.
 And? The only mention I recall reading - feel free to post a specific law saying otherwise - is that PHI must be encrypted when going over a non-trusted network. 
- 
 @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level: So @syko24 the goal is to allow the customer to remotely access a file share from an XP machine over the network (presumably because it's easier than having a KVM attached to this XP machine). Correct?
 @scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level: using a KVM would be only a tiny fraction of the functionality. how will they store and back up these images, for example?
 @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level: KVM was shorthand for me having to type out a keyboard, mouse and monitor. I assume that the USB ports on this XP system are superglued closed and that just using a thumb drive to move the files between these systems isn't an option (because of HIPAA I know)
 @Dashrender said in Is SMB 1.0 more vulnerable at the client level or server level: What does HIPAA have to do with thumb drives?
 @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level: HIPAA auditors have (in my experience hearing of them) been cranky over thumb drives.
 Sure - now that I will agree with, but those same auditors are just making shit up.. because they totally forgo things like CD-ROMs/DVDs, Google Drive, OneDrive, SMB shares, etc. 
- 
 @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level: The client needs to take images that are on the camera (XP machine) and upload to their EMR. Current process is the images are printed, scanned, uploaded to EMR. That process uses a lot of human time and degrades the images quite a lot.
 @scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level: Seems like they weren't so concerned about the cost when they bought it and chose to do that. This seems crazy financially. Bottom line, though, there isn't a good answer for this. But it's not your fault or your problem. And no doctor acting this way thinks that $80K is enough money to worry about.
 @Dashrender said in Is SMB 1.0 more vulnerable at the client level or server level: How many doctors' offices - not hospitals - doctors' offices have you been brought into, said that to them, and didn't get tossed out on your ear - and instead they actually said something like "oh geez damn Scott - you're right - we were totally stupid when we bought this and didn't think about the future ramifications of OS support, etc. Now that our eyes are open, here, here's a damned near blank check - please fix our systems?" And this is a serious question - because I want their names so I can call them and use them as a reference to sell that idea to my guys, or at least my boss.
 @scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level: You treat it like a blank check to fix systems. That's why they don't listen to you. You present it as "this is expensive, but we can do it right". That makes no sense to them... how can expensive be right? I show how good decisions cost less and talk money, not tech or "doing it right". You are thinking that this is an IT problem, but it's a business problem. Treat it as such and it's really, really hard for even doctors to claim that they hate making money when those are the words that they have to use.
 Making money - i.e. not getting sued when something bad happens? I don't get how they make more money by being compliant. 
- 
 @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level: What I would like to do is Windows 10 machine (1 NIC connected to network, 1 NIC connected via crossover cable) to the XP machine, moves the files off the XP and onto the server share where the files can then be uploaded to the EMR.
 @scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level: That's certainly a "better than nothing" setup. But if it were me, I'd not put myself at risk to protect the decision makers who took on this risk. That makes no sense. Why would you assume that risk for them? They clearly don't care, why do you?
 @JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level: Actually, no, it provides no security, because you enable SMB1 globally for Windows 10, not per NIC. This would cause that machine to then attempt other client connections with SMB1, as well as accept SMB for the admin shares or anything else it has.
 @Dashrender said in Is SMB 1.0 more vulnerable at the client level or server level: AWWW - if that's true - I take back everything I said.. I did completely mean to mention this - can you disable SMB v1 for a given NIC in Windows 10... if you can't then you haven't mitigated the issue, and you can't do it.
 @scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level: He's mitigated the actual security issue, not the false one. But not the violation. There are three issues being kicked around...
   - Using SMB 1 is a red herring issue, not the real concern here.
   - Using XP is a security concern as it is not patched. This is the real concern (that is mitigated.)
   - The HIPAA violation of an unpatched, unsupported OS on the network.
 Is number 3 an actual violation? I don't think it is... I think if you have mitigation, then 3 isn't a real thing. Unless you have a specific code in the law to point to saying otherwise. 
- 
 @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level: So @syko24 the goal is to allow the customer to remotely access a file share from an XP machine over the network (presumably because it's easier than having a KVM attached to this XP machine). Correct?
 @scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level: using a KVM would be only a tiny fraction of the functionality. how will they store and back up these images, for example?
 @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level: KVM was shorthand for me having to type out a keyboard, mouse and monitor. I assume that the USB ports on this XP system are superglued closed and that just using a thumb drive to move the files between these systems isn't an option (because of HIPAA I know)
 @Dashrender said in Is SMB 1.0 more vulnerable at the client level or server level: What does HIPAA have to do with thumb drives?
 @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level: Data transfer methods are what HIPAA cares about, not the medium.
 @Dashrender said in Is SMB 1.0 more vulnerable at the client level or server level: And? The only mention I recall reading - feel free to post a specific law saying otherwise - is that PHI must be encrypted when going over a non-trusted network.
 Workstation and Device Security. A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media.[22] A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).[23] Nothing about a network, CD/DVD or any other sort of media.
 Meaning that pretty much anything goes, so long as there is a policy and procedure (and from the main description) "The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form." Meaning that they don't actually offer any solutions, so long as the process is sound and secures PII. 
- 
 @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level: So @syko24 the goal is to allow the customer to remotely access a file share from an XP machine over the network (presumably because it's easier than having a KVM attached to this XP machine). Correct?
 @scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level: using a KVM would be only a tiny fraction of the functionality. how will they store and back up these images, for example?
 @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level: KVM was shorthand for me having to type out a keyboard, mouse and monitor. I assume that the USB ports on this XP system are superglued closed and that just using a thumb drive to move the files between these systems isn't an option (because of HIPAA I know)
 @Dashrender said in Is SMB 1.0 more vulnerable at the client level or server level: What does HIPAA have to do with thumb drives?
 @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level: Data transfer methods are what HIPAA cares about, not the medium.
 @Dashrender said in Is SMB 1.0 more vulnerable at the client level or server level: And? The only mention I recall reading - feel free to post a specific law saying otherwise - is that PHI must be encrypted when going over a non-trusted network.
 @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level: Workstation and Device Security. A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media.[22] A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).[23] Nothing about a network, CD/DVD or any other sort of media. Meaning that pretty much anything goes, so long as there is a policy and procedure (and from the main description) "The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form." Meaning that they don't actually offer any solutions, so long as the process is sound and secures PII.
 Thank you for making my point - nowhere does it say that your USB drives MUST be encrypted, nowhere does it say your local LAN has to be encrypted (yeah, I know no one has even hinted at this), etc.. You have to have mitigations in place. If Windows 10 is able to be set up as securely as Scott said earlier - then yeah.. the solution he presented should be viable. FYI - no reason a licensed Windows 10 machine would be needed here. A Raspberry Pi with SMB v1 and some other transfer protocol should be able to do this license free. A script could run on the XP or R-Pi to look for files, then copy them to the Pi; the Pi could have a script to copy them somewhere else. The whole setup could be behind a firewall that only allows outbound traffic, no inbound access whatsoever (well, not counting the traffic that flows back as verification of the sending of the files from the Pi to wherever it's pushing them). 
- 
 @Dashrender I don't think it makes the point as much as you think it does, because the data needs to be secured (which I'm sure somewhere in the specifics of the documentation says "the data needs to be encrypted"). Which SSL is encrypted, but the files aren't encrypted when printed, and likely they aren't encrypted when on the XP or Windows 10 system either. There are certainly means of doing this, but I think adding the network just adds complexity. 
- 
 @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level: What I would like to do is Windows 10 machine (1 NIC connected to network, 1 NIC connected via crossover cable) to the XP machine, moves the files off the XP and onto the server share where the files can then be uploaded to the EMR.
 @scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level: That's certainly a "better than nothing" setup. But if it were me, I'd not put myself at risk to protect the decision makers who took on this risk. That makes no sense. Why would you assume that risk for them? They clearly don't care, why do you?
 @JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level: Actually, no, it provides no security, because you enable SMB1 globally for Windows 10, not per NIC. This would cause that machine to then attempt other client connections with SMB1, as well as accept SMB for the admin shares or anything else it has.
 @Dashrender said in Is SMB 1.0 more vulnerable at the client level or server level: AWWW - if that's true - I take back everything I said.. I did completely mean to mention this - can you disable SMB v1 for a given NIC in Windows 10... if you can't then you haven't mitigated the issue, and you can't do it.
 @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level: What about firewall rules to specific IP addresses?
 Like everything else... good for security, but doesn't address the core issue. 
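 The two points argued above (SMB1 being a machine-wide setting rather than a per-NIC one, and firewall rules as a partial compensation) can be checked and applied from PowerShell. The block below is an added example, not code from anyone in this thread. It assumes a Windows 10 build of 1709 or later for the "bridge" PC, that the crossover NIC's interface alias is "Ethernet 2", and that the XP camera PC sits at 192.168.77.2; all three are placeholders to adjust.

```powershell
# Added example (not from this thread): scope SMB1 on a Windows 10 (1709+)
# "bridge" PC that pulls images from an XP host over a crossover cable.
# Placeholders to adjust for your box: crossover NIC alias, XP host address.
# Run from an elevated PowerShell prompt.

$XpHost      = '192.168.77.2'   # assumed: XP camera PC on the crossover link
$CrossoverIf = 'Ethernet 2'     # assumed: interface alias of the crossover NIC

# --- 1. SMB1 is a machine-wide optional feature, never a per-NIC setting ---
# Since Windows 10 1709 it is split into a client half and a server half, so
# the bridge can keep only the half it actually uses: it is an SMB1 *client*
# of the XP share and must never be an SMB1 *server* to anyone on the LAN.
Get-WindowsOptionalFeature -Online |
    Where-Object FeatureName -like 'SMB1Protocol*' |
    Select-Object FeatureName, State

Enable-WindowsOptionalFeature  -Online -FeatureName 'SMB1Protocol-Client' -NoRestart
Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol-Server' -NoRestart

# Also switch SMB1 off in the server service itself; this survives later
# feature changes and is the setting an auditor usually asks to see.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol   # expect False

# --- 2. The firewall CAN be scoped per NIC and per address -------------------
# The bridge only ever initiates SMB sessions; nobody needs to open one to it.
# Block inbound SMB on every interface so the admin shares are unreachable
# whatever dialect a LAN peer tries. (Outbound SMB on the LAN NIC cannot be
# narrowed the same way: the bridge still has to reach the LAN file server,
# and SMB1 and SMB2/3 share the same ports, so a port filter cannot tell
# the dialects apart. That is the "doesn't address the core issue" part.)
New-NetFirewallRule -DisplayName 'Bridge: block inbound SMB (all NICs)' `
    -Direction Inbound -Protocol TCP -LocalPort 445,139 -Action Block

# On the crossover NIC the only legitimate SMB peer is the XP host, so pin
# outbound SMB on that interface to its address.
New-NetFirewallRule -DisplayName 'Bridge: allow SMB to XP host on crossover' `
    -Direction Outbound -Protocol TCP -RemotePort 445,139 `
    -InterfaceAlias $CrossoverIf -RemoteAddress $XpHost -Action Allow

# --- 3. Verify which dialect each live connection actually negotiated -------
# After mapping the XP share and the LAN file server, the XP entry should be
# the only one whose Dialect is not 2.x or 3.x.
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect, NumOpens
```

 Two caveats for anyone running this. First, the 1709+ builds also carry an "SMB1Protocol-Deprecation" feature that uninstalls the SMB1 client automatically after roughly 15 days without use, so a pull job that runs less often than that will find its client half gone. Second, the outbound allow rule on the crossover NIC is only a documentation of intent; Windows Firewall lets explicit block rules beat allow rules, so an outbound block that excludes the XP address would be needed to make it enforceable, and on a two-node crossover link there is nothing else to talk to anyway. The inbound block and the server-side switch are the parts that actually reduce exposure.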
- 
 Which I'm positive that this doctor's office is paying for secure document destruction, right? People's pictures/scans getting printed off and then rescanned and saved to an EMR. . . 
- 
 @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level: Which I'm positive that this doctor's office is paying for secure document destruction, right? People's pictures/scans getting printed off and then rescanned and saved to an EMR. . .
 If you are asking me, then yes, they have a service that destroys the images/documents. 
- 
 @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level: @Dashrender I don't think it makes the point as much as you think it does, because the data needs to be secured (which I'm sure somewhere in the specifics of the documentation says "the data needs to be encrypted"). Which SSL is encrypted, but the files aren't encrypted when printed, and likely they aren't encrypted when on the XP or Windows 10 system either. There are certainly means of doing this, but I think adding the network just adds complexity.
 No, it does not say it must/needs to be/etc encrypted. It says you are responsible for it, but how you handle that responsibility is up to you... with the bespoken difference for PHI traveling over untrusted (think internet) networks, in which case it does specifically say it must be encrypted. The big thing a lot of scare companies love to throw around is the 'requirement' to encrypt all laptops. There is no such requirement - what there is, is a pass to anyone who loses a laptop where all PHI is encrypted. These are the kinds of differences Scott loves to point out all the time. 
- 
 @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level: Which I'm positive that this doctor's office is paying for secure document destruction, right? People's pictures/scans getting printed off and then rescanned and saved to an EMR. . .
 @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level: If you are asking me, then yes, they have a service that destroys the images/documents.
 huh - must be a pretty big office then... hardly seems worth a service to pick up your shredding. Our staff shreds their bins' worth of PHI themselves. 
- 
 @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level: Which I'm positive that this doctor's office is paying for secure document destruction, right? People's pictures/scans getting printed off and then rescanned and saved to an EMR. . .
 @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level: If you are asking me, then yes, they have a service that destroys the images/documents.
 @Dashrender said in Is SMB 1.0 more vulnerable at the client level or server level: huh - must be a pretty big office then... hardly seems worth a service to pick up your shredding. Our staff shreds their bins' worth of PHI themselves.
 Iron Mountain is pretty damn cheap and it takes the liability off of the practitioner. 
- 
 @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level: Which I'm positive that this doctor's office is paying for secure document destruction, right? People's pictures/scans getting printed off and then rescanned and saved to an EMR. . .
 @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level: If you are asking me, then yes, they have a service that destroys the images/documents.
 @Dashrender said in Is SMB 1.0 more vulnerable at the client level or server level: huh - must be a pretty big office then... hardly seems worth a service to pick up your shredding. Our staff shreds their bins' worth of PHI themselves.
 @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level: Iron Mountain is pretty damn cheap and it takes the liability off of the practitioner.
 Not really, but it does allow the practitioner to assign those resources that were shredding before to hopefully do something of greater value. 
- 
 @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level: Which I'm positive that this doctor's office is paying for secure document destruction, right? People's pictures/scans getting printed off and then rescanned and saved to an EMR. . .
 @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level: If you are asking me, then yes, they have a service that destroys the images/documents.
 @Dashrender said in Is SMB 1.0 more vulnerable at the client level or server level: huh - must be a pretty big office then... hardly seems worth a service to pick up your shredding. Our staff shreds their bins' worth of PHI themselves.
 @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level: Iron Mountain is pretty damn cheap and it takes the liability off of the practitioner.
 They do use Iron Mountain. I don't know the cost off the top of my head but it's not that much. 
- 
 @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level: Which I'm positive that this doctor's office is paying for secure document destruction, right? People's pictures/scans getting printed off and then rescanned and saved to an EMR. . .
 @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level: If you are asking me, then yes, they have a service that destroys the images/documents.
 @Dashrender said in Is SMB 1.0 more vulnerable at the client level or server level: huh - must be a pretty big office then... hardly seems worth a service to pick up your shredding. Our staff shreds their bins' worth of PHI themselves.
 @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level: Iron Mountain is pretty damn cheap and it takes the liability off of the practitioner.
 @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level: They do use Iron Mountain. I don't know the cost off the top of my head but it's not that much.
 Two lucky guesses in a single topic, I'm on a roll! 
- 
 @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level: Why on God's green earth would you deploy XP today? Or would you continue to operate Windows XP?
 @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level: The system it runs has an $80,000 camera on it
 @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level: Also this seems insane that the customer has an $80,000 camera, but can't or won't purchase an updated system to run it.
 @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level: Medical equipment. That was the price of the current camera. The newer ones are even more ridiculous.
 Windows XP and PHI.... What could go wrong? 
- 
 @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level: Which I'm positive that this doctor's office is paying for secure document destruction, right? People's pictures/scans getting printed off and then rescanned and saved to an EMR. . .
 @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level: If you are asking me, then yes, they have a service that destroys the images/documents.
 @Dashrender said in Is SMB 1.0 more vulnerable at the client level or server level: huh - must be a pretty big office then... hardly seems worth a service to pick up your shredding. Our staff shreds their bins' worth of PHI themselves.
 So do people who use most of those services. What the services do is not necessarily offsite shredding, although that does exist for sure, but offsite disposal so that people can't dumpster dive you to reassemble your shredded documents. 
- 
 @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level: Which I'm positive that this doctor's office is paying for secure document destruction, right? People's pictures/scans getting printed off and then rescanned and saved to an EMR. . .
 @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level: If you are asking me, then yes, they have a service that destroys the images/documents.
 @Dashrender said in Is SMB 1.0 more vulnerable at the client level or server level: huh - must be a pretty big office then... hardly seems worth a service to pick up your shredding. Our staff shreds their bins' worth of PHI themselves.
 @scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level: So do people who use most of those services. What the services do is not necessarily offsite shredding, although that does exist for sure, but offsite disposal so that people can't dumpster dive you to reassemble your shredded documents.
 Yeah, I suppose if you need to be that secure - that's the way to go. 



