More ammunition against turning off password protected sharing

  • rthonpm
    Field Supervisor

    2,500+ Posts
    • Aug 2007
    • 2856

    #1

    More ammunition against turning off password protected sharing

    From Bleeping Computer: Hackers Can Steal Windows Login Credentials Without User Interaction

    To summarise, configuring SMB sharing without the use of a password opens a vulnerability, patched only in Windows 10, that allows a malicious agent to steal Windows credentials by use of a specially crafted file.

    I've been on the record here for not turning off password protected sharing, so I wanted to make sure that techs who have put unprotected shares in customer environments know that this may be an issue.
  • habik
    Service Manager

    Site Contributor
    1,000+ Posts
    • Apr 2010
    • 2014

    #2
    Re: More ammunition against turning off password protected sharing

    Originally posted by rthonpm
    From Bleeping Computer: Hackers Can Steal Windows Login Credentials Without User Interaction

    To summarise, configuring SMB sharing without the use of a password opens a vulnerability, patched only in Windows 10, that allows a malicious agent to steal Windows credentials by use of a specially crafted file.

    I've been on the record here for not turning off password protected sharing, so I wanted to make sure that techs who have put unprotected shares in customer environments know that this may be an issue.
    It's like having a fire alarm without batteries in it, or having a safe with the combination on a sticky note sat on top.

    .OK Google! ... will I need Berrocca this morning?

    • bsm2
      IT Manager

      25,000+ Posts
      • Feb 2008
      • 28880

      #3
      Re: More ammunition against turning off password protected sharing

      If they're already in the customer's network they have MUCH more to worry about than SMB scanning.

      • rthonpm
        Field Supervisor

        2,500+ Posts
        • Aug 2007
        • 2856

        #4
        Re: More ammunition against turning off password protected sharing

        While it's true that if an attacker is already in your network unprotected shares aren't at the top of your issues, having them at all is just inviting trouble. Good security is all about defence in depth: even if someone manages to get network access, there are steps to take to slow them down or prevent them from gaining access to more important systems. An unsecured FTP or SMB share is just an easy target to eliminate. Even better is to use Access Based Enumeration along with SMB sharing (only available on servers) since that can even limit the amount of data that's visible inside of a specific share depending on the account used.

        We're often asked to get a feature on an MFP working; sometimes taking shortcuts like turning off password protected sharing works against the best interests of the customer. Sometimes, it's better to protect the customer from their own ignorance: a complaint about not using a function beats out a lawsuit from the customer over a breach of information.
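        The check and the Access Based Enumeration setting described above, as an added example in PowerShell (not code from the thread or from any poster). It assumes Windows PowerShell 5.1 on the Windows file server that hosts the MFP scan share, run from an elevated session; the `-Remediate` switch, the `$openPrincipals` list and the decision to leave `Everyone` grants for manual review are this example's own choices.

```powershell
# Added example, not code from the thread or any poster: a defender-side
# audit of SMB shares on a Windows file server, with optional remediation.
# Assumptions: Windows PowerShell 5.1 (SmbShare and LocalAccounts modules),
# run elevated on the server that hosts the MFP scan share.
param([switch]$Remediate)   # default is report-only

# Turning password protected sharing off works by enabling the Guest account,
# so unauthenticated SMB sessions map to Guest. Report that state first.
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($guest -and $guest.Enabled) {
    Write-Warning 'Guest account is ENABLED: unauthenticated SMB access is possible.'
}

# Principals that make a share effectively unauthenticated (example's own list).
$openPrincipals = @('Everyone', 'ANONYMOUS LOGON', 'Guest', 'Guests')

foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    # Share-level ACL entries that grant access to one of the open principals
    $open = Get-SmbShareAccess -Name $share.Name |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $openPrincipals -contains ($_.AccountName -replace '^.*\\', '')
        }

    $abe = $share.FolderEnumerationMode -eq 'AccessBased'

    # One report row per share: what is open and whether ABE is on
    [pscustomobject]@{
        Share      = $share.Name
        Path       = $share.Path
        OpenAccess = ($open | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join ', '
        ABE        = $abe
    }

    if ($Remediate) {
        # Access Based Enumeration hides folders the caller cannot open
        # (decided by the NTFS ACLs), so a scan account sees only its own folder.
        if (-not $abe) {
            Set-SmbShare -Name $share.Name -FolderEnumerationMode AccessBased -Force
        }
        # Revoke guest/anonymous grants. 'Everyone' is left for manual review,
        # since many sites grant it at share level and restrict via NTFS instead.
        foreach ($ace in ($open | Where-Object { $_.AccountName -notmatch 'Everyone$' })) {
            Revoke-SmbShareAccess -Name $share.Name -AccountName $ace.AccountName -Force
        }
    }
}
```

        Run it without `-Remediate` first and keep the report; the scan account the MFP uses should then be granted its own folder through NTFS so ABE has something to enforce.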


        • KenB
          Geek Extraordinaire

          2,500+ Posts
          • Dec 2007
          • 3945

          #5
          Re: More ammunition against turning off password protected sharing

          Originally posted by rthonpm
          While it's true that if an attacker is already in your network unprotected shares aren't at the top of your issues, having them at all is just inviting trouble. Good security is all about defence in depth: even if someone manages to get network access, there are steps to take to slow them down or prevent them from gaining access to more important systems. An unsecured FTP or SMB share is just an easy target to eliminate. Even better is to use Access Based Enumeration along with SMB sharing (only available on servers) since that can even limit the amount of data that's visible inside of a specific share depending on the account used.

          We're often asked to get a feature on an MFP working; sometimes taking shortcuts like turning off password protected sharing works against the best interests of the customer. Sometimes, it's better to protect the customer from their own ignorance: a complaint about not using a function beats out a lawsuit from the customer over a breach of information.
          Another little tidbit: if the customer ultimately does get hacked, that will absolutely get escalated to the top person in their IT department. That person, who normally carries quite a bit of weight in the company, will NOT care to hear that there was an unprotected share in the interest of getting MFP scanning working. At that point, YOU become the bad guy, regardless of circumstances.
          “I think you should treat good friends like a fine wine. That’s why I keep mine locked up in the basement.” - Tim Hawkins


          • peter42
            Trusted Tech

            100+ Posts
            • Jan 2012
            • 110

            #6
            Re: More ammunition against turning off password protected sharing

            We focus on our most important clients: small businesses,
            one or two business chiefs, 3 to 8 workers, no IT staff,
            all IT hardware bought from Walmart.

            An example: most NAS devices have a "public" share.

            In most of my customers' installations they use this unprotected share for anything they don't want to store on their own protected devices.
            It's nice to create subfolders in "public", like
            Incoming, Outgoing, Important.....

            Three of them got the full "protection service" of malware in the last year: all files in NAS/Public/* had been encrypted, letters and emails, production plans and so on.

            This has nothing to do with our intention to help these people to scan with our products to a designated folder.
            But if I found out they use these devices without protection, I told them to get an IT specialist.

            Sure, it's easy for me to make scanning work fast at the moment, but if that client is
            hit by malware overnight in its IT, we'll be looking hard for the next leasing and service money.

            We are not at all perfect IT gurus, but we can see some things that are not healthy
            for our clients, and when something strange happens, we lose that client.

            As the movie title said, "Open Eyes Wide Shut", and a little small talk is welcome
            at every customer instead of making scanning work and that's it.
            It needs only 10 min.
            We are not teachers, we are mobile help desks on the road.
            But talking to the customer is important; nice day talk can boost your own satisfaction,
            telling the customer, hey, here you have a risk, that can save lives. ;-)

            Greetings Peter
