@openit said in Free alternative for OpenDNS, with minimal info on what's going on?:

Hi there,

I am looking to add one more layer for security by securing DNS at our office for free, if possible.

I had a look on OpenDNS (free available only for Home), Quad9 (free for business, but no information on what's going on - reports/dashboard), Comodo Dome Shield (free one is limited for 300k dns queries).....

I'm looking for free, even if there's no control to add black list/policies, default policies are fine, but need little info/dashboard on what's going on through our Network.

Thanks!
NXFilter is a good solution. It is not free but pretty inexpensive. It also supports AD and LDAP so you can be granular at the pc level or even the user level.

Nxfilter.org

@dafyre said in Any way to pass through pci fax modem in hyper-v:

@syko24 said in Any way to pass through pci fax modem in hyper-v:

@dafyre said in Any way to pass through pci fax modem in hyper-v:

@Pete-S said in Any way to pass through pci fax modem in hyper-v:

Fax usually just needs a modem, which could be connected over serial or usb.

If the software requires windows fax server then it will probably work with any type of fax device that windows supports.

Something like this:
https://www.usr.com/products/56k-dialup-modem/usr5637/

Don't know what pass through options there are in Hyper-V so you have to check that.

Anyway, fax communication protocols are old so it doesn't really requires anything special in the form of hardware.
Looking at amazon I see USB modems from like $15 or so.

And you could potentially look at some kind of USB over IP solution to get the USB modem into the VM, no matter which server it's located on.

The software vendor specifically says they only support Mainpipe fax cards. There is some kind of add on software that Mainpipe includes that allows it to work properly with their software.

Don’t know if this is just marketing BS.
http://www.mainpine.com/fax-service-provider-iqfsp.php

I can probably get the $15 usb fax card. But then I run the risk of the vender telling me they don’t support that card and waste more of my time.

@dafyre said in Any way to pass through pci fax modem in hyper-v:

@Pete-S said in Any way to pass through pci fax modem in hyper-v:

Fax usually just needs a modem, which could be connected over serial or usb.

If the software requires windows fax server then it will probably work with any type of fax device that windows supports.

Something like this:
https://www.usr.com/products/56k-dialup-modem/usr5637/

Don't know what pass through options there are in Hyper-V so you have to check that.

Anyway, fax communication protocols are old so it doesn't really requires anything special in the form of hardware.
Looking at amazon I see USB modems from like $15 or so.

And you could potentially look at some kind of USB over IP solution to get the USB modem into the VM, no matter which server it's located on.

The software vendor specifically says they only support Mainpipe fax cards. There is some kind of add on software that Mainpipe includes that allows it to work properly with their software.

@scottalanmiller said in Any way to pass through pci fax modem in hyper-v:

Or #4, surprise them with the fact it is 2019 and they don't need fax

I have a ticket in with the software company to see if they have a efax option but I doubt it.

@scottalanmiller said in Any way to pass through pci fax modem in hyper-v:

@syko24 said in Any way to pass through pci fax modem in hyper-v:

The fax feature requires running Windows Fax Server and having a specific $600+ pci fax card installed.

WTAF

That was my response too. The fax cards, depending on number of lines/ports, range from $600-$4000.

I setup a new server for a client two months ago. Hyper-V Server 2016 is installed and I have 2 Windows Server 2016 VMs.
(Their software is not compatible with 2019 for some reason, hence the 2016 install) The client has been running their software for 2 months now and just decided that they want to use some fax feature their software offers. The fax feature requires running Windows Fax Server and having a specific $600+ pci fax card installed. I am trying to figure out the least painful route to make this work for them.

The options I can think of are:

1. Somehow passthrough the card to the VM from the host if possible.

2. Or export the VMs, reinstall Windows Server 2016 on the host, add hyper-v role, add Windows Fax Server, import the VMs back. I feel like this is not allowed though because the host install can only have hyper-v role installed and nothing else.

3. Or tell the client they need to purchase another Windows Server License and install on a basic desktop with the pci card added to it.

Let me know what you guys think or if you have any other suggestions.

Thanks

@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

@Dashrender said in Is SMB 1.0 more vulnerable at the client level or server level:

@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:

@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

Which I'm positive that this doctors office is paying for secure document destruction right? Peoples pictures/scans getting printed off and then rescanned and saved to a EMR. . .

If you are asking me then yes they have a service that destroys the images/documents.

huh - must be a pretty big office then... hardly seems worth a service to pickup your shredding. Our staff shreds their bins worth of PHI themselves.

Iron mountain is pretty damn cheap and it takes the liability off of the practitioner.

They do use IronMountain. I don't know the cost off the top of my head but it's not that much.

@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

Which I'm positive that this doctors office is paying for secure document destruction right? Peoples pictures/scans getting printed off and then rescanned and saved to a EMR. . .

If you are asking me then yes they have a service that destroys the images/documents.

@Dashrender said in Is SMB 1.0 more vulnerable at the client level or server level:

@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:

@scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level:

@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:

What I would like to do is Windows 10 machine (1 nic connected to network, 1 nic connected via crossover cable) to the XP machine, moves the files off the XP and onto the server share where the files can then be uploaded to the EMR.

That's certainly a "better than nothing" setup. But if it were me, I'd not put myself at risk to protect the decision makers who took on this risk. That makes no sense. Why would you assume that risk for them? They clearly don't care, why do you?

Actually, no, it provides no security, because you enable SMB1 globally for Windows 10, not per NIC. This would cause that machine to then attempt other client connections with SMB1, as well as accept SMB for the admin shares or anything else it has.

AWWW - if that's true - I take back everything I said.. I did completely mean to mention this - can you disable SMB v1 for a given NIC in Windows 10... if you can't then you haven't mitigated the issue, and you can't do it.

What about firewall rules to specific IP addresses?

@scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level:

If you could use SFTP / FTPS, and then use a Linux box as the connector, this would improve actual security. You could even use a Raspberry Pi velcrod right onto the XP box to make this physically convenient. But bottom line, the XP box is a problem if you attach it to anything and no trickery, firewall, port isolation, protocol, encryption, or otherwise is going to make it not a violation.

I was kind of thinking that too. If there was another machine supporting SMB1 - SMB3 between the XP and 10 machine then the 10 machine would not need to run SMB1. Again I think it's a lost cause.

@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:

@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:

@Pete-S said in Is SMB 1.0 more vulnerable at the client level or server level:

I have dealt with these kind of system many times - systems that can't be upgraded or can't be made to support newer protocols.

Best practice is to isolate them from the network as much as possible and whitelist IP's that are allowed access.
So I suggest sticking the camera and XP behind a hardware firewall and set up rules for what ports are allowed to be accessed from what IP addresses. I'm sure you can close it down a lot.

Does not solve the need for SMB1

Just thinking about it, what if FTP were an option?

Still would be a HIPAA violation. As that would be an relatively uncontrolled means of egress for the files.

So really the answer is that XP on any network no matter how segregated is not doable.

@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:

@Pete-S said in Is SMB 1.0 more vulnerable at the client level or server level:

I have dealt with these kind of system many times - systems that can't be upgraded or can't be made to support newer protocols.

Best practice is to isolate them from the network as much as possible and whitelist IP's that are allowed access.
So I suggest sticking the camera and XP behind a hardware firewall and set up rules for what ports are allowed to be accessed from what IP addresses. I'm sure you can close it down a lot.

Does not solve the need for SMB1

Just thinking about it, what if FTP were an option?

@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:

@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

@JaredBusch said in Is SMB 1.0 more vulnerable at the client level or server level:

@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

But they have a printer attached to this system, I assume this is USB as well, right? Or is this system already networked?

No one said that. you are conflating everything worse than @Dashrender. Stop assuming shit, and spam replying with no useful info.

@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:

Current process is that they print all images and then scan them in. I was just looking to save some steps but not cause a security issue for them.

Suck it.

Read more slowly. They print the images. They scan the printed images in.

Nothing in there states the images come from this system, that was bought for the camera, not for the printing.

How do you think they are printing the images? Using a USB drive to grab the files from this XP workstation first? We all know that USB drives are a massive HIPAA no-no.

So @syko24 how are they printing these images?

USB printer directly attached

So if it were possible to upgrade to 10, I would have to first upgrade to 7 and then upgrade to 10 correct? I can't remember if XP to 7 required a clean install.

@scottalanmiller said in Is SMB 1.0 more vulnerable at the client level or server level:

@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:

@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

The vulnerability comes from maintaining a 12 year old OS on your network in any way shape and form. If it's hosting a share (so another system can grab the files from it) there is added risk.

Understood. If there is an option that allows the client to keep using their working equipment I would like to present it to them. I know the easy answer is to tell someone cough up another $80,000 for something. If it was as simple as buy a new $1,000 computer I would recommend it. The price tag for some equipment is just gouging though. I know it is a reality of running a business.

That they need to cough up for a supported, working machine that is legally applicable to a medical practice is something that they decided when they worked out the support deal on the current one. The XP era had HIPAA and keeping the OS maintained and patched was something that they knew at the time. Don't take on personal liability by recommending something like this. If they demand that you do it against your recommendations, get that in writing that you didn't get a choice. But certainly don't offer it.

@scottalanmiller - I appreciate the feedback. If it can't be done then it can't be done. I can accept that and the client has to as well. Again my goal was to try and come up with a solution that would remove unnecessary steps and make things more streamlined.

@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

So @syko24 the goal is to allow the customer to remotely access a file share from an XP machine over the network (presumably because it's easier than having a KVM attached to this XP machine).

Correct?

The client needs to take images that are on the camera (XP machine) and upload to their EMR.

Current process is the images are printed, scanned, uploaded to EMR.

What I would like to do is Windows 10 machine (1 nic connected to network, 1 nic connected via crossover cable) to the XP machine, moves the files off the XP and onto the server share where the files can then be uploaded to the EMR.

@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

The vulnerability comes from maintaining a 12 year old OS on your network in any way shape and form. If it's hosting a share (so another system can grab the files from it) there is added risk.

Understood. If there is an option that allows the client to keep using their working equipment I would like to present it to them. I know the easy answer is to tell someone cough up another $80,000 for something. If it was as simple as buy a new $1,000 computer I would recommend it. The price tag for some equipment is just gouging though. I know it is a reality of running a business.

@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:

@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:

@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

Why in God's green earth would you deploy XP today? Or would you continue to operate Windows XP?

The system it runs has an $80,000 camera on it

Also this seems insane that the customer has an $80,000 camera, but can't or won't purchase an updated system to run it.

Medical equipment. That was the price of the current camera. The newer ones are even more ridiculous.

Okay, so how much is the added insurance of using an ancient OS to run this? What's the potential lawsuit when this system is compromised?

Again that's why I am asking the question. Does this process allow for a compromise? I mean if someone can get all the way to the camera system through the Windows 10 machine, isn't the Windows 10 machine already compromised?

@coliver said in Is SMB 1.0 more vulnerable at the client level or server level:

This sounds like scientific/educational equipment. Most likely that vendor either doesn't exist anymore or the system update is to just buy another 80,000$ camera.

Current process is that they print all images and then scan them in. I was just looking to save some steps but not cause a security issue for them.

@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

@syko24 said in Is SMB 1.0 more vulnerable at the client level or server level:

@DustinB3403 said in Is SMB 1.0 more vulnerable at the client level or server level:

Why in God's green earth would you deploy XP today? Or would you continue to operate Windows XP?

The system it runs has an $80,000 camera on it

Also this seems insane that the customer has an $80,000 camera, but can't or won't purchase an updated system to run it.

Medical equipment. That was the price of the current camera. The newer ones are even more ridiculous.