    Is SMB 1.0 more vulnerable at the client level or server level

    IT Discussion
    122 Posts 11 Posters 7.0k Views
    • DustinB3403D
      DustinB3403 @syko24
      last edited by

      @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:

      @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

      @JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:

      @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

      @JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:

      @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

      But they have a printer attached to this system, I assume this is USB as well, right? Or is this system already networked?

      No one said that. You are conflating everything worse than @Dashrender. Stop assuming shit, and spam replying with no useful info.

      @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:

      Current process is that they print all images and then scan them in. I was just looking to save some steps but not cause a security issue for them.

      Suck it.

      Read more slowly. They print the images. They scan the printed images in.

      Nothing in there states the images come from this system, that was bought for the camera, not for the printing.

      How do you think they are printing the images? Using a USB drive to grab the files from this XP workstation first? We all know that USB drives are a massive HIPAA no-no.

      So @syko24 how are they printing these images?

      USB printer directly attached

      SUCK IT! @JaredBusch

      BAM!

      JaredBuschJ 1 Reply Last reply Reply Quote 0
      • JaredBuschJ
        JaredBusch @DustinB3403
        last edited by

        @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

        @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:

        @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

        @JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:

        @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

        @JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:

        @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

        But they have a printer attached to this system, I assume this is USB as well, right? Or is this system already networked?

        No one said that. You are conflating everything worse than @Dashrender. Stop assuming shit, and spam replying with no useful info.

        @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:

        Current process is that they print all images and then scan them in. I was just looking to save some steps but not cause a security issue for them.

        Suck it.

        Read more slowly. They print the images. They scan the printed images in.

        Nothing in there states the images come from this system, that was bought for the camera, not for the printing.

        How do you think they are printing the images? Using a USB drive to grab the files from this XP workstation first? We all know that USB drives are a massive HIPAA no-no.

        So @syko24 how are they printing these images?

        USB printer directly attached

        SUCK IT! @JaredBusch

        BAM!

        Don't be a dick. You assumed, I did not.

        DustinB3403D 1 Reply Last reply Reply Quote 0
        • DustinB3403D
          DustinB3403 @JaredBusch
          last edited by

          @JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:

          Don't be a dick. You assumed, I did not.

          I assumed correctly based on common knowledge about HIPAA. You assumed some magic was occurring for them to get the files off of this XP system to something that can print.

          JaredBuschJ 1 Reply Last reply Reply Quote 0
          • 1
            1337
            last edited by 1337

            I have dealt with these kinds of systems many times - systems that can't be upgraded or can't be made to support newer protocols.

            I didn't read the entire thread, but best practice for the above is to isolate them from the network as much as possible and whitelist IPs that are allowed access.
            So I suggest sticking the camera and XP behind a hardware firewall and setting up rules for what ports are allowed to be accessed from what IP addresses. I'm sure you can close it down a lot.

            JaredBuschJ scottalanmillerS 2 Replies Last reply Reply Quote 1
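As an added illustration of the isolation suggested in the post above (this is editor-supplied example code, not something posted in the thread), here is a small POSIX shell script that generates an nftables ruleset for a Linux box acting as the "hardware firewall" between the XP/camera segment and the rest of the LAN. The XP address, the single whitelisted server and port, the interface names and the admin network are all assumed placeholders; the script validates the file with `nft -c` only when `nft` is installed, and never loads it.

```shell
#!/bin/sh
# Added example, not from the thread: generate an nftables ruleset for a small
# Linux firewall placed between the isolated XP/camera segment and the rest of
# the LAN, implementing the "whitelist what may be reached" suggestion above.
# Every address, port and interface name below is an assumed placeholder.

XP_HOST="${XP_HOST:-10.9.9.10}"               # the XP workstation, isolated side
ALLOWED_SERVER="${ALLOWED_SERVER:-10.0.0.20}" # the one host XP may talk to
ALLOWED_PORT="${ALLOWED_PORT:-445}"           # the one TCP service (445 = SMB)
ISO_IF="${ISO_IF:-eth1}"                      # interface wired to the XP box
LAN_IF="${LAN_IF:-eth0}"                      # interface toward the clinic LAN
ADMIN_NET="${ADMIN_NET:-10.0.0.0/24}"         # where SSH admin of the firewall comes from

# Emit the ruleset on stdout. Policy: nothing is forwarded unless it is the
# single permitted flow (XP -> server:port) or reply traffic of an existing
# connection; no host may open a connection toward the XP box; everything
# else is logged and dropped so that attempts show up in the firewall log.
build_ruleset() {
    cat <<EOF
table inet xp_isolation {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "$ISO_IF" oifname "$LAN_IF" ip saddr $XP_HOST ip daddr $ALLOWED_SERVER tcp dport $ALLOWED_PORT ct state new accept
        log prefix "xp-isolation-drop: " drop
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        iifname "$LAN_IF" ip saddr $ADMIN_NET tcp dport 22 ct state new accept
        log prefix "xp-firewall-input-drop: " drop
    }
}
EOF
}

# Write the ruleset to a file (default /tmp/xp-isolation.nft) and print the path.
write_ruleset() {
    out="${1:-/tmp/xp-isolation.nft}"
    build_ruleset > "$out" || return 1
    printf '%s\n' "$out"
}

# Syntax-check a written ruleset with nft without loading it; skipped (status 0)
# when nft is not installed on this host.
check_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed; skipping check" >&2; return 0; }
    nft -c -f "$1"
}

# Show the generated policy when the script is run directly.
build_ruleset
```

The forward chain is where the whitelist lives: one `accept` for the XP host toward the one server and port, `established,related` for the replies, and a logged drop for everything else, so nothing on the LAN can initiate a connection to the XP box. Load it on the firewall with `nft -f` after `check_ruleset` passes.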
            • JaredBuschJ
              JaredBusch @1337
              last edited by

              @Pete-S said in Is SMB 1.0 more vulnerable at the client level or server level:

              I have dealt with these kinds of systems many times - systems that can't be upgraded or can't be made to support newer protocols.

              Best practice is to isolate them from the network as much as possible and whitelist IPs that are allowed access.
              So I suggest sticking the camera and XP behind a hardware firewall and setting up rules for what ports are allowed to be accessed from what IP addresses. I'm sure you can close it down a lot.

              Does not solve the need for SMB1

              syko24S 1 Reply Last reply Reply Quote 3
              • JaredBuschJ
                JaredBusch @DustinB3403
                last edited by

                @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

                @JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:

                Don't be a dick. You assumed, I did not.

                I assumed correctly based on common knowledge about HIPAA. You assumed some magic was occurring for them to get the files off of this XP system to something that can print.

                No, there are all kinds of machines in medical that print images that subsequently need to be scanned. You made a wild assumption and got lucky.

                1 Reply Last reply Reply Quote 0
                • syko24S
                  syko24 @JaredBusch
                  last edited by

                  @JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:

                  @Pete-S said in Is SMB 1.0 more vulnerable at the client level or server level:

                  I have dealt with these kinds of systems many times - systems that can't be upgraded or can't be made to support newer protocols.

                  Best practice is to isolate them from the network as much as possible and whitelist IPs that are allowed access.
                  So I suggest sticking the camera and XP behind a hardware firewall and setting up rules for what ports are allowed to be accessed from what IP addresses. I'm sure you can close it down a lot.

                  Does not solve the need for SMB1

                  Just thinking about it, what if FTP were an option?

                  1 scottalanmillerS DustinB3403D 3 Replies Last reply Reply Quote 0
                  • scottalanmillerS
                    scottalanmiller @1337
                    last edited by

                    @Pete-S said in Is SMB 1.0 more vulnerable at the client level or server level:

                    I have dealt with these kinds of systems many times - systems that can't be upgraded or can't be made to support newer protocols.

                    I didn't read the entire thread, but best practice for the above is to isolate them from the network as much as possible and whitelist IPs that are allowed access.
                    So I suggest sticking the camera and XP behind a hardware firewall and setting up rules for what ports are allowed to be accessed from what IP addresses. I'm sure you can close it down a lot.

                    That works for general security, but HIPAA doesn't allow for it even when done "well".

                    1 1 Reply Last reply Reply Quote 0
                    • 1
                      1337 @syko24
                      last edited by

                      @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:

                      @JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:

                      @Pete-S said in Is SMB 1.0 more vulnerable at the client level or server level:

                      I have dealt with these kinds of systems many times - systems that can't be upgraded or can't be made to support newer protocols.

                      Best practice is to isolate them from the network as much as possible and whitelist IPs that are allowed access.
                      So I suggest sticking the camera and XP behind a hardware firewall and setting up rules for what ports are allowed to be accessed from what IP addresses. I'm sure you can close it down a lot.

                      Does not solve the need for SMB1

                      Just thinking about it, what if FTP were an option?

                      or SFTP or FTPS.

                      1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @syko24
                        last edited by

                        @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:

                        @JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:

                        @Pete-S said in Is SMB 1.0 more vulnerable at the client level or server level:

                        I have dealt with these kinds of systems many times - systems that can't be upgraded or can't be made to support newer protocols.

                        Best practice is to isolate them from the network as much as possible and whitelist IPs that are allowed access.
                        So I suggest sticking the camera and XP behind a hardware firewall and setting up rules for what ports are allowed to be accessed from what IP addresses. I'm sure you can close it down a lot.

                        Does not solve the need for SMB1

                        Just thinking about it, what if FTP were an option?

                        Solves the SMB 1 issue which is not the real issue. Does not solve the Windows XP connected to another device issue that causes your HIPAA violation.

                        FTP would be "better", but not enough better to actually matter.

                        1 Reply Last reply Reply Quote 0
                        • DustinB3403D
                          DustinB3403 @syko24
                          last edited by

                          @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:

                          @JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:

                          @Pete-S said in Is SMB 1.0 more vulnerable at the client level or server level:

                          I have dealt with these kinds of systems many times - systems that can't be upgraded or can't be made to support newer protocols.

                          Best practice is to isolate them from the network as much as possible and whitelist IPs that are allowed access.
                          So I suggest sticking the camera and XP behind a hardware firewall and setting up rules for what ports are allowed to be accessed from what IP addresses. I'm sure you can close it down a lot.

                          Does not solve the need for SMB1

                          Just thinking about it, what if FTP were an option?

                          Still would be a HIPAA violation, as that would be a relatively uncontrolled means of egress for the files.

                          syko24S 1 Reply Last reply Reply Quote 0
                          • 1
                            1337 @scottalanmiller
                            last edited by

                            @scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level:

                            @Pete-S said in Is SMB 1.0 more vulnerable at the client level or server level:

                            I have dealt with these kinds of systems many times - systems that can't be upgraded or can't be made to support newer protocols.

                            I didn't read the entire thread, but best practice for the above is to isolate them from the network as much as possible and whitelist IPs that are allowed access.
                            So I suggest sticking the camera and XP behind a hardware firewall and setting up rules for what ports are allowed to be accessed from what IP addresses. I'm sure you can close it down a lot.

                            That works for general security, but HIPAA doesn't allow for it even when done "well".

                            Ah, that's too bad.

                            1 Reply Last reply Reply Quote 0
                            • syko24S
                              syko24 @DustinB3403
                              last edited by

                              @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

                              @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:

                              @JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:

                              @Pete-S said in Is SMB 1.0 more vulnerable at the client level or server level:

                              I have dealt with these kinds of systems many times - systems that can't be upgraded or can't be made to support newer protocols.

                              Best practice is to isolate them from the network as much as possible and whitelist IPs that are allowed access.
                              So I suggest sticking the camera and XP behind a hardware firewall and setting up rules for what ports are allowed to be accessed from what IP addresses. I'm sure you can close it down a lot.

                              Does not solve the need for SMB1

                              Just thinking about it, what if FTP were an option?

                              Still would be a HIPAA violation, as that would be a relatively uncontrolled means of egress for the files.

                              So really the answer is that XP on any network, no matter how segregated, is not doable.

                              scottalanmillerS 1 Reply Last reply Reply Quote 0
                              • DashrenderD
                                Dashrender @scottalanmiller
                                last edited by

                                @scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level:

                                @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:

                                @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

                                @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:

                                @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

                                Why in God's green earth would you deploy XP today? Or would you continue to operate Windows XP?

                                The system it runs has an $80,000 camera on it

                                Also this seems insane that the customer has an $80,000 camera, but can't or won't purchase an updated system to run it.

                                Medical equipment. That was the price of the current camera. The newer ones are even more ridiculous.

                                They paid that much and didn't work out a support agreement? How do people do their purchasing so poorly?

                                Dude - where have you been? This happens constantly - and damned near continuously!

                                We were in the market to buy a new CT machine last year. ALL but one vendor was using Windows 7, and a few even claimed they had no, zero, zip, zilch, nada plans on going to Windows 10. It's crazy - huge companies too, like Toshiba.

                                The reality of these systems is that the vendors rarely if ever actually update them beyond initial deployment - they should be on a disconnected network whenever possible.

                                scottalanmillerS 1 Reply Last reply Reply Quote 1
                                • scottalanmillerS
                                  scottalanmiller
                                  last edited by

                                  If you could use SFTP / FTPS, and then use a Linux box as the connector, this would improve actual security. You could even use a Raspberry Pi velcroed right onto the XP box to make this physically convenient. But bottom line, the XP box is a problem if you attach it to anything, and no trickery, firewall, port isolation, protocol, encryption, or otherwise is going to make it not a violation.

                                  syko24S 1 Reply Last reply Reply Quote 0
                                  • scottalanmillerS
                                    scottalanmiller @syko24
                                    last edited by

                                    @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:

                                    @DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

                                    @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:

                                    @JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:

                                    @Pete-S said in Is SMB 1.0 more vulnerable at the client level or server level:

                                    I have dealt with these kinds of systems many times - systems that can't be upgraded or can't be made to support newer protocols.

                                    Best practice is to isolate them from the network as much as possible and whitelist IPs that are allowed access.
                                    So I suggest sticking the camera and XP behind a hardware firewall and setting up rules for what ports are allowed to be accessed from what IP addresses. I'm sure you can close it down a lot.

                                    Does not solve the need for SMB1

                                    Just thinking about it, what if FTP were an option?

                                    Still would be a HIPAA violation, as that would be a relatively uncontrolled means of egress for the files.

                                    So really the answer is that XP on any network, no matter how segregated, is not doable.

                                    Correct. Only by having XP off network completely does it become acceptable to HIPAA.

                                    1 Reply Last reply Reply Quote 1
                                    • DustinB3403D
                                      DustinB3403
                                      last edited by

                                      Summary of the HIPAA Security Rule

                                      Just so it's posted.

                                      1 Reply Last reply Reply Quote 0
                                      • scottalanmillerS
                                        scottalanmiller @Dashrender
                                        last edited by

                                        @Dashrender said in Is SMB 1.0 more vulnerable at the client level or server level:

                                        We were in the market to buy a new CT machine last year. ALL but one vendor was using Windows 7, and a few even claimed they had no, zero, zip, zilch, nada plans on going to Windows 10. It's crazy - huge companies too, like Toshiba.

                                        Things like this seem insane. Are you saying that no hospital in the country can have their CT scanners supported? That's not plausible. I have a feeling that something about your vendor selection process involved ruling out real world working solutions and only seriously considering the dregs.

                                        DashrenderD 1 Reply Last reply Reply Quote 0
                                        • syko24S
                                          syko24 @scottalanmiller
                                          last edited by

                                          @scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level:

                                          If you could use SFTP / FTPS, and then use a Linux box as the connector, this would improve actual security. You could even use a Raspberry Pi velcroed right onto the XP box to make this physically convenient. But bottom line, the XP box is a problem if you attach it to anything, and no trickery, firewall, port isolation, protocol, encryption, or otherwise is going to make it not a violation.

                                          I was kind of thinking that too. If there were another machine, supporting SMB1 through SMB3, between the XP and 10 machines, then the 10 machine would not need to run SMB1. Again, I think it's a lost cause.

                                          scottalanmillerS 2 Replies Last reply Reply Quote 0
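The "Linux box as the connector" idea from scottalanmiller's post and the "another machine supporting SMB1 - SMB3 between the XP and 10 machine" idea in the post just above describe the same relay. As an added example (editor-supplied, not code from the thread or from Samba), the POSIX shell script below generates the two configuration pieces such a relay needs: an `smb.conf` that offers an SMB1-capable share only on the interface wired to the XP box and only to the XP host's address, and an `/etc/fstab` line that mounts the Windows 10 share over SMB 3.0 with encryption (`vers=3.0,seal`), so the Windows 10 side never has to enable SMB1. Addresses, interface, share, mount point and user name are assumed placeholders; the NTLMv2-only setting assumes the XP box is configured for LMCompatibilityLevel 3 or higher.

```shell
#!/bin/sh
# Added example, not from the thread: configuration for a Linux "connector"
# standing between the XP box and the Windows 10 machine. The connector mounts
# the Windows 10 share over SMB3 with encryption (mount.cifs vers=3.0,seal) and
# re-exports that directory with Samba on the single interface facing the XP
# box, which is the only place SMB1 (dialect NT1) is spoken. Addresses,
# interface, share and user names are assumed placeholders.

XP_HOST="${XP_HOST:-10.9.9.10}"               # XP workstation (assumed)
ISO_IF="${ISO_IF:-eth1}"                      # interface wired to the XP box
WIN_SHARE="${WIN_SHARE:-//10.0.0.20/scans}"   # Windows 10 share (assumed)
RELAY_DIR="${RELAY_DIR:-/srv/relay}"          # mount point re-exported to XP
RELAY_USER="${RELAY_USER:-xpuser}"            # local Samba account XP logs in as

# smb.conf for the relay. Current Samba refuses SMB1 by default, so
# "server min protocol = NT1" is the one deliberate relaxation, and it is
# confined to the isolated interface and to the XP host's address. NTLMv2-only
# assumes the XP box is set to LMCompatibilityLevel 3 or higher.
build_smb_conf() {
    cat <<EOF
[global]
    server role = standalone server
    interfaces = lo $ISO_IF
    bind interfaces only = yes
    hosts allow = 127.0.0.1 $XP_HOST
    hosts deny = 0.0.0.0/0
    server min protocol = NT1
    ntlm auth = ntlmv2-only
    map to guest = Never
    disable netbios = yes
    smb ports = 445
    log level = 1 auth:3

[images]
    path = $RELAY_DIR
    valid users = $RELAY_USER
    writable = yes
    browseable = no
EOF
}

# /etc/fstab line for the Windows 10 side: SMB 3.0 only, encrypted (seal),
# credentials kept out of fstab in a root-only file (/etc/relay.cred, assumed).
build_fstab_line() {
    printf '%s %s cifs vers=3.0,seal,credentials=/etc/relay.cred,uid=%s,_netdev,nofail 0 0\n' \
        "$WIN_SHARE" "$RELAY_DIR" "$RELAY_USER"
}

# Write both pieces under a directory (default /tmp/relay-config) and print it.
write_relay_config() {
    dir="${1:-/tmp/relay-config}"
    mkdir -p "$dir" || return 1
    build_smb_conf > "$dir/smb.conf" || return 1
    build_fstab_line > "$dir/fstab.line" || return 1
    printf '%s\n' "$dir"
}

# Validate a generated smb.conf with Samba's testparm when it is installed.
check_smb_conf() {
    command -v testparm >/dev/null 2>&1 || { echo "testparm not installed; skipping" >&2; return 0; }
    testparm -s "$1" >/dev/null
}

# Show both generated pieces when the script is run directly.
build_smb_conf
build_fstab_line
```

The point of the split is that each side of the relay speaks only the dialect it has to: XP talks SMB1 to an address that exists on no other network, and the relay talks encrypted SMB3 to Windows 10, which can therefore keep SMB1 disabled. Combined with a firewall rule that lets only the relay reach the Windows 10 share, this is the "better security" the thread describes; it does not change the HIPAA position the posters reach.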
                                          • scottalanmillerS
                                            scottalanmiller @syko24
                                            last edited by

                                            @syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:

                                            @scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level:

                                            If you could use SFTP / FTPS, and then use a Linux box as the connector, this would improve actual security. You could even use a Raspberry Pi velcroed right onto the XP box to make this physically convenient. But bottom line, the XP box is a problem if you attach it to anything, and no trickery, firewall, port isolation, protocol, encryption, or otherwise is going to make it not a violation.

                                            I was kind of thinking that too. If there were another machine, supporting SMB1 through SMB3, between the XP and 10 machines, then the 10 machine would not need to run SMB1. Again, I think it's a lost cause.

                                            Yeah, if purely "better security" was the goal, your thinking is good. But because of HIPAA, certain things are just black and white. No one is saying that HIPAA is sensible, it just is what it is.

                                            If this was just a case of needing "reasonable security better than what any normal medical practice has" then you'd be golden. But sadly it's not.

                                            1 Reply Last reply Reply Quote 0