How to make SMB1 as safe as possible?

HCHTech

I have an optometrist client with a couple of retina cameras that require SMB1 to store their images. Right now, there is an ancient Win7 computer running headless in their network closet for that purpose, but this isn't a long-term solution.

Of course they don't want to replace the cameras ($$), so I'm wondering what might be the best way to minimize the risk here.

I could use a NAS or Linux computer for the storage destination, and block HTTP/HTTPS traffic from that device with the firewall, while restricting traffic from the cameras to only that destination, I suspect. That would allow the rest of the workstations (Win10) to access that share with SMB2/3.

We have a firewall at the edge, and our standard MAV & MEDR on all of the workstations. There is no server, just a workgroup with a half-a-dozen workstations.

What else would you recommend?
 
Treat it like an orange zone on your network....isolated from the production network. SMB1 is like a huge puddle of gasoline...just waiting for someone to drive by and flick a cigarette out the car window onto it. So....contain the explosion...so that nothing else can get hit by the fire.

Having Windows 7 alone is...enough reason to isolate that computer. Stuck with SMB1 on...quadruples that risk.

So the cameras have to talk to the Win7 rig. Easy enough to isolate those in VLAN, and depending on how you're doing that, in the firewall too.
But..do any computers from the main network..also have to talk to that Win7 rig? If so...I'd not be comfortable with that, even if the Win10 rigs are only SMB2/3...they're still communicating with the SMB1 share...I'm not sure I'd be comfortable with that. I'd probably want to have some isolated Win10 rigs as part of that orange zone just to access it, and not talk to the main network.
 
Of course they don't want to replace the cameras
Too bad. Eventually technology becomes obsolete and needs to be replaced. They can like it or lump it and if they choose the latter then I'm not working with them.

I'm all for keeping ancient technology working so long as it's not connected to a network. As soon as networking enters the equation, there's no choice but to replace or update the systems.
 
Yes, I'm with you. We're hoping to get updated cameras in next year's budget - this is not a new problem, as you might imagine. That's why I was thinking moving the storage device to something running Linux would help a bit in the interim. They do need access to the images from other computers, that's the problem. If it were contained, I'd just unhook the thing from the network altogether and have it store the images directly. I have an XP computer running a C&C machine at a woodworker client doing this. Completely isolated, and we just do what is needed to keep that machine going.
 
I have an XP computer running a C&C machine at a woodworker client doing this.

We have a manufacturing client that has an old old Brown & Sharpe machine..connected to an NT 4 Workstation! (they also have a few new ones). Same...not even on the network, just isolated, and they sneaker-net over the drawings via disk.

Anyways, if your Win10 rigs that need to touch it...I tried doing a bit of Google, and I don't have much info on...how malware launches from SMB1 and what it can touch. I'd like to say "Well, if the other computers don't have SMB1 enabled...they're only 2/3, it can't harm them!". But....I'm not sure about that. I'd like to say "Well, if the other computers only have SMB2/3 enabled..and they're fully patched, they can't be touched". That's "probably true?"

...I know that...Microsoft released patches to SMB1 that fixed the vulns that WannaCry exploited. But..I'm not sure what else exploited it, I just know that it became prudent to disable it. I can't say with confidence that there are no other exploits out there that can still exploit SMB1.

For this client, I'd probably want to have top notch Biz Continuity services for DR/backup. "Just in case...."
 
I have an XP computer running a C&C machine at a woodworker client doing this. Completely isolated, and we just do what is needed to keep that machine going.

This is way more common than many here probably imagine. There is a TON of software that was only written, once, way back when and that really can't run under newer versions of Windows.

But provided the machine in question is completely isolated from the internet and any network, it's just fine to continue using it as long as you can. The nature of the work it's used to control has not changed, and replacing a configuration like this, while it works, is an unnecessary expense.
 
Don't forget virtualization.

Yeah, sounds good, but doesn't work in practice. I spent a week once trying to get a P2V machine to legally activate. Then a bit of research/googling shows that doing this with an OEM license (which every single computer I ever see in my end of the market has) is against the TOS. So it works as long as you are comfortable using a cracked key or some other such nonsense for a client solution.
 
What I would do is separate it onto its own separate network, whether via VLANs or physically.

Get a NAS or w/e with 2 NICs. One connected to the isolated network and then one connected to a second network. On the second network the NAS is restricted to only communicate with however it's going to export the data. If this is syncing with another NAS then that's all it can do, if it's uploading to an Azure Storage Account, then that's all it can do. And then access to the data is done from this third location. The NAS with SMB1 enabled does not communicate on SMB at all outside of the isolated network.
 
I don't see virtualization helping to secure anything, it spread via SMB shares on the same network. Virtualized guests that have SMB shares are...still on the same network.
OK. Do you know if the "shared folder" of VirtualBox use SMB? IIRC it doesn't...
 
[...] doing this with an OEM license (which every single computer I ever see in my end of the market has) is against the TOS.
I'm pretty sure it's OK with the XP pro license, and it activates perfectly. For other OS you may have to buy a new license & downgrade rights.
 
Keeping SMBv1 alive on a business network is like putting lipstick on a pig.

However, if you must, then I would eliminate the Win7 box as a first step. Win7 is a huge security risk all by itself. You can help future-proof them by replacing the Win7 box with a modern NAS that can still have SMBv1 enabled.

The 2nd risk I see is you have no simple way to determine if the newer clients have SMBv1 enabled just so they can communicate with the Win7 machine. At best they will be using SMBv2.1. You'd need to touch each newer client to ensure they do not have SMBv1 enabled! And with a NAS you could force them to use SMBv3.

Finally, the attached post gives a starting point on using Firewall rules to effectively limit the usage of SMBv1 to only the extent it's necessary. Sure, it's time-consuming to lock down the network but it's part of their cost of business by keeping those old cameras alive.
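The post above makes the point that every newer client has to be touched to confirm SMB1 is really off, and that the only reliable evidence is what dialect each machine actually negotiates. The following PowerShell is an added example written for this thread, not code from any poster or from Microsoft; it uses only built-in Windows 10 cmdlets, and the NAS name `nas01` and share name `retina` are assumed placeholders. It reports the SMB1 feature and service state of a workstation, lists the dialect of every open SMB session so a lingering 1.x session to the old Win7 box stands out, and optionally disables SMB1 once nothing depends on it.

```powershell
# Added example (not from the thread): audit and, if wanted, disable SMB1 on a
# Windows 10 workgroup workstation so it only reaches the storage share over SMB2/3.
# Run from an elevated PowerShell prompt on each workstation.
# Cmdlets and feature names are the built-in Windows ones; 'nas01' and 'retina'
# below are assumed placeholder names for the storage device and its share.

#Requires -RunAsAdministrator

function Get-Smb1Status {
    # SMB1 state from three angles: the optional-feature packages, the server-side
    # setting, and the start type of the SMB1 client driver service (mrxsmb10).
    $features = @('SMB1Protocol', 'SMB1Protocol-Client', 'SMB1Protocol-Server') |
        ForEach-Object {
            $f = Get-WindowsOptionalFeature -Online -FeatureName $_ -ErrorAction SilentlyContinue
            [pscustomobject]@{ Feature = $_; State = if ($f) { $f.State } else { 'NotPresent' } }
        }
    $server   = Get-SmbServerConfiguration
    $mrxsmb10 = Get-Service -Name mrxsmb10 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Features          = $features
        ServerSmb1Enabled = $server.EnableSMB1Protocol
        ServerSmb2Enabled = $server.EnableSMB2Protocol
        ClientSmb1Driver  = if ($mrxsmb10) { $mrxsmb10.StartType } else { 'NotPresent' }
    }
}

function Get-SmbDialectReport {
    # Every SMB session this workstation currently has open and the dialect it
    # negotiated. A dialect starting with "1." is an SMB1 session and names the
    # server that forced the downgrade (e.g. the old Win7 box).
    Get-SmbConnection | ForEach-Object {
        [pscustomobject]@{
            Server  = $_.ServerName
            Share   = $_.ShareName
            Dialect = $_.Dialect
            IsSmb1  = ([string]$_.Dialect -like '1.*')
        }
    }
}

function Test-ShareDialect {
    # Touches the storage share so a session exists, then reports the dialect
    # negotiated with that server. After the NAS enforces a minimum of SMB2/3
    # this should never show 1.x.
    param(
        [string]$Server = 'nas01',   # assumed placeholder
        [string]$Share  = 'retina'   # assumed placeholder
    )
    Get-ChildItem -Path "\\$Server\$Share" -ErrorAction Stop | Out-Null
    Get-SmbConnection -ServerName $Server | Select-Object ServerName, ShareName, Dialect
}

function Disable-Smb1 {
    # Turns SMB1 off as both server and client. The server setting applies at
    # once; removing the feature packages needs a reboot to fully take effect.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    foreach ($name in 'SMB1Protocol-Client', 'SMB1Protocol-Server', 'SMB1Protocol') {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
        if ($f -and $f.State -eq 'Enabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName $name -NoRestart | Out-Null
        }
    }
}

# Usage: audit first, disable only after the dialect report shows no 1.x sessions.
Get-Smb1Status       | Format-List
Get-SmbDialectReport | Format-Table -AutoSize
# Disable-Smb1
# Test-ShareDialect -Server 'nas01' -Share 'retina'
```

Run the audit on each Win10 workstation before the Win7 box is retired and again after the NAS is in place: the first report shows which machines still carry a 1.x session to the old share, and the second confirms they only ever negotiate 2.x or 3.x with the new storage device.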

 
So these old cameras only support SMB for file transfer? Not FTP? One thing I'd consider would be to spin up a Raspberry Pi to use as an intermediary then pass to a W10 machine. All exploits require the ability to interact with the underlying OS to successfully exploit the weak link and that's much more limited in Linux than a deprecated MS OS.
 
I'm pretty sure it's OK with the XP pro license, and it activates perfectly. For other OS you may have to buy a new license & downgrade rights.
The key is it's an OEM license. So the bulk of the licensing lies with the OEM and not MS. I just don't know if an OEM allows a P2V on a different hardware layer on another of its OEM boxes.
 
So these old cameras only support SMB for file transfer? Not FTP? One thing I'd consider would be to spin up a Raspberry Pi to use as an intermediary then pass to a W10 machine.
That's why I was proposing that a NAS might be a good choice = Linux for storage destination. I don't have time or inclination to figure out building or maintaining a Raspberry Pi for a client. I sent a detailed email to the head doctor last week explaining the problem, and the temporary ways we might mitigate some of the risk, but also putting the writing on the wall for replacing the device.
 