I have to back up some data from Windows 7 machines over the internet, and I rarely use Windows, so I am distrustful of it in general. Specifically:

  1. Is there any sort of check that the server is the same as it was last time, so you have some assurance you are not being MITM attacked, before giving authentication information?
  2. Is authentication information (e.g., passwords) sent in plaintext to eavesdroppers (à la telnet/ftp)?
  3. Is the data sent in plaintext to eavesdroppers?
  4. If I only set up a read-only share for one user (who has no other permissions), have I opened myself up to any other security holes?

This isn't high security stuff -- just backup of routine small business data (should not contain billing/financial/confidential stuff, though I cannot guarantee that), but I'm trying to see if I need to set up a VPN or try running rsync under Windows.

AviD, dr jimbob
  • For regular backups you can set up Bacula, which runs encrypted, and for sure it would be much faster than CIFS. – jirib Mar 15 '12 at 20:51

1 Answer

  1. no, you could be MITM'd unless you're using AD and/or IPsec
  2. passwords are encrypted
  3. the data is in the clear
  4. yep, it's a nightmare to keep on top of Windows SMB/CIFS holes. You also have to watch for being brute-forced. Even if you limit it to one account, that account has access to all the data, and privilege escalation on SMB is not unheard of.

The VPN would be simplest if you're locked to SMB. You don't want to expose your clients to the Internet anyway, so VPN to the firewall for all of this kind of traffic.

mgjk

  • 3.) Data encryption is supported in SMB 3.0, introduced with Windows 8 and Windows Server 2012. It might be available for Win7 too as an update (someone confirm or deny, please). – David Balažic Sep 07 '16 at 16:55
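The SMB 3.0 encryption raised in the comment, as an added PowerShell example that is not part of the original thread: on a Windows 8 / Server 2012 or later file server it audits the server's SMB posture and, with `-Enforce`, makes encryption mandatory for the backup share so the data from points 2 and 3 is no longer in the clear. The share name `Backup` is an assumed placeholder; the cmdlets come from the built-in SmbShare module and do not exist on Windows 7.

```powershell
# Added example (not from the original Q&A): audit and enforce SMB 3.0
# encryption for a backup share. Requires the SmbShare module, i.e.
# Windows 8 / Server 2012 or later; a Windows 7 host has neither the
# module nor SMB 3.0, which is the caveat in the comment above.
param(
    [string]$ShareName = 'Backup',   # assumed placeholder share name
    [switch]$Enforce
)

# Server-wide posture: is SMB1 still enabled, is encryption on globally,
# are clients that cannot encrypt rejected, is signing required?
$srv = Get-SmbServerConfiguration
$srv | Select-Object EnableSMB1Protocol, EncryptData,
                     RejectUnencryptedAccess, RequireSecuritySignature |
       Format-List

# Per-share setting. With EncryptData $true the share is only reachable
# over SMB 3.0 with encryption; an SMB 2.1 client (Windows 7) is refused
# outright instead of silently falling back to cleartext.
$share = Get-SmbShare -Name $ShareName -ErrorAction Stop
"Share '$ShareName' EncryptData = $($share.EncryptData)"

if ($Enforce) {
    # Encrypt just this share (other shares keep their current setting),
    # keep RejectUnencryptedAccess on so a client that negotiates SMB 3.0
    # but declines encryption is also refused, and switch off SMB1.
    Set-SmbShare -Name $ShareName -EncryptData $true -Force
    Set-SmbServerConfiguration -RejectUnencryptedAccess $true `
                               -EnableSMB1Protocol $false -Force
    "Encryption enforced on '$ShareName'; SMB1 disabled."
}

# Verification from the server side: the negotiated dialect per session.
# Anything below 3.0 here cannot be encrypted.
Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, Dialect |
    Format-Table -AutoSize

# From a client, the Encrypted column confirms what is actually on the wire:
#   Get-SmbConnection | Select-Object ServerName, ShareName, Dialect, Encrypted
```

Run it once without `-Enforce` to see the current state, then with `-Enforce` from an elevated prompt; existing sessions to the share are dropped and must reconnect with an encryption-capable client.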