#11 sky-knight (Untangle Ninja):

    Yes, for backups to be safe they must be in a separate authentication context. Any directly attached USB drives, or network shares will be encrypted.

    I've yet to see one that will get around something like ShadowProtect, because it can back up to a share that's password protected outside of the user's permissions. And because the bug doesn't know to get the credentials out of the backup software, and the user cannot get in there, the backups are safe. But the conventional wisdom is that any backup that doesn't include offsite retention with a time delay doesn't work.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#12 Kyawa (Master Untangler):

    So cloud?

#13 sky-knight (Untangle Ninja):

    Quote Originally Posted by Kyawa:
    > So cloud?
    If it has some sort of time based retention. If it just syncs up changes and overwrites what's there, it's useless.

    So, an actual backup, and not Dropbox.

#14 Kyawa (Master Untangler):

    Thanks. Maybe I'll start another thread about offsite backup services.

#15 dwasserman (Untangle Ninja):

    The Windows 7 (or Server 2008 R2) to Windows 10 backup OS tool, used over an external USB drive, creates a no-filesystem image (like a tape), hidden from ransomware. It is disaster recovery compliant and free!!
    The world is divided into 10 kinds of people, who know binary and those not

#16 sky-knight (Untangle Ninja):

    Anything running on an infected system via USB will get locked; sorry, Windows Backup will not work.

    Now USB drives on a server, with backups taken by the server, that clients don't have access to are "ok", but still not great. Typically speaking these bugs get a station; they don't actually infect a server, they just lock up files on it. So as long as the backup set isn't shared to any workstations you're usually ok.

#17 f1assistance (Master Untangler):

    Huh, port 3389 Remote Desktop Connection...Wha?

    "WannaCry Ransomware Infects Actual Medical Devices, Not Just Computers"
    https://www.bleepingcomputer.com/new...ust-computers/
    https://www.siemens.com/cert/pool/ce...ssb-421479.pdf
    Last edited by f1assistance; 05-19-2017 at 10:47 AM.
    Untangle...because nothing's worse than doing nothing!
    -------
    2, Pentium (R) Dual-Core CPU E5300 @ 2.60GHz 2599.968, 2089.96MB RAM

#18 sky-knight (Untangle Ninja):

    The worm will attempt to log in to RDP; it's only a risk if you give out admin passwords to your boxes. It's not a service-level exploit like it is with the SMB shares. Though, I suppose such is possible via any exposed service. But it is considered a best practice to limit RDP access to specific stations. We use the same thinking around here all the time when it comes to Untangle's SSH.

    No one should be running publicly exposed RDP without something like Duo; two-factor is the only way forward now. SSH really benefits from two-factor as well, but certificate-based auth is sufficient.

    TL;DR: put the stations users are using on their own VLAN away from servers and important stuff. You know, DMZ things... That's a bit overkill for SMB, but for the NHS... they should have known better.
    Last edited by sky-knight; 05-19-2017 at 10:54 AM.

#19 (Newbie):

    Quote Originally Posted by f1assistance:
    > Huh, port 3389 Remote Desktop Connection...Wha?
    Common broad security considerations and recommendations.

    MS17-010 is about remote command execution and remote administrative privilege, so they keep telling people to disable remote administration services. In most bulletins they advise closing internet exposure of TCP 21, 22, 23, too. Obviously, if you get RCE via the SMB protocol on a Windows box, you can easily remotely administer it in so many ways that RDP would simply be a commodity.

    What really upsets me is that most medical equipment running Windows is running a version of Windows Embedded which is, simply put, Windows XP. Yes, the same end-of-life/end-of-support OS as for anybody else is still used almost everywhere, disguised as a Windows Embedded variant. And what is the largest install base of Windows Embedded apart from the medical area? Banking: think POS, ATMs and payment gateways.

#20 (Newbie):

    Quote Originally Posted by sky-knight:
    > ... it's only a risk if you give out admin passwords to your boxes. It's not a service level exploit like it is with the SMB shares.
    RCE and SYSTEM access via SMB will immediately give access to, at least, the SAM, which means NTLM hashes of local accounts. Moreover, if your remotely accessible box is Windows 8.1/Windows 2012 R2 or later and you enabled restricted admin mode, you can log in without knowing the password, just using the NTLM hash as per the pass-the-hash vector.

    Two-factor authentication will be a viable solution if it cannot be disabled via the registry. Otherwise, SYSTEM access via SMB could be used to set up common accessibility backdoors (e.g. sethc.exe) to be used even via an RDP connection, thus allowing an attacker to launch regedit before logging in.
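A read-only host audit for the conditions raised in posts #18 and #20 (SMBv1 still on, RDP without NLA, Restricted Admin mode accepting an NTLM hash, and a tampered accessibility binary reachable from the RDP logon screen). This is an added example, not code from the thread; the registry paths are the documented Windows ones, and the list of accessibility binaries checked is an assumption chosen for this script.

```powershell
# Added example: run elevated on the host being reviewed. It only reads state and prints findings.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Is the SMBv1 server protocol (the MS17-010 attack surface) still enabled?
$smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
if ($smb -and $smb.EnableSMB1Protocol) { $findings.Add('SMBv1 server protocol is enabled') }

# 2. Is RDP enabled, and if so does it require Network Level Authentication?
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ((Get-ItemProperty $ts).fDenyTSConnections -eq 0) {
    $nla = (Get-ItemProperty "$ts\WinStations\RDP-Tcp").UserAuthentication
    if ($nla -ne 1) { $findings.Add('RDP is enabled without Network Level Authentication') }
}

# 3. Restricted Admin mode: DisableRestrictedAdmin = 0 turns it on, which lets an RDP
#    logon use an NTLM hash in place of the password (the pass-the-hash point in post #20).
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.PSObject.Properties['DisableRestrictedAdmin'] -and $lsa.DisableRestrictedAdmin -eq 0) {
    $findings.Add('Restricted Admin mode is enabled (DisableRestrictedAdmin = 0)')
}

# 4. Accessibility binaries launched from the logon screen: flag an IFEO Debugger hijack
#    and a binary whose Authenticode (or catalog) signature is not a valid Microsoft one.
#    Assumption: this list of binaries is the set worth checking on a typical host.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($exe in 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe', 'magnify.exe') {
    $dbg = (Get-ItemProperty "$ifeo\$exe" -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings.Add("IFEO Debugger is set for $exe -> $dbg") }
    $path = Join-Path $env:SystemRoot "System32\$exe"
    if (Test-Path $path) {
        $sig = Get-AuthenticodeSignature $path
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings.Add("$exe signature check failed: $($sig.Status)")
        }
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Each finding maps to one mitigation already named in the thread: disable SMBv1, keep RDP off the internet and behind NLA plus two-factor, leave Restricted Admin mode off unless you have a reason for it, and restore the signed accessibility binaries from a known-good source.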
