0

Is it possible to only send files from a win10 machine (A), patched to disable SMBv1/CIFS client with 1803, to a very old device (B) using passwordless SMBv1 (strictly)?

I was thinking along the lines of smbclient or curl or some other smb-capable file-transfer (open source) application for win10.

Will I need special privileges on computer A? Firewall? I do not want to tick the dreaded "Enable SMBv1/CIFS client" tickbox as this, as I understand it, will leave the machine exposed again to WannaCry.

If this is not possible or security risks are high, can I set up a Linux box to send the files instead of the win10? The other side (B) cannot be upgraded. It is strictly SMBv1 passwordless.

bliako

1 Answer

1

One possibility could be, as @Leshy mentioned, to skip Windows' file sharing protocol completely, although I would complement his answer with a strong recommendation to ensure you use one of the encrypted SFTP or FTP/S protocols rather than plain old FTP. If security is a concern you will not want to be sending logon credentials and files in plain-text over the network.

Another potential solution could be to set up a more protected relay server ("R") between A and B, which could be configured with the regular SMBv3 server protocol but still have the SMBv1 client installed. Have the user copy files from A to R, and then run a script invoking robocopy or xcopy to copy from R to B, for example.

Mikael H
  • Yes, setting up R (either as a NAS, a Linux box or a Raspberry box) is a good option, but I want to try the "common-sense" option first and run an smb-client on "A". So the bottom line is: 1) will a 3rd-party smb-client (`curl`) work on win10 without ticking any security boxes and without admin? or 2) if I tick the "SMBv1/CIFS client" box, will that entail a security risk? Or is it equivalent to installing `curl` on "A"? – bliako Jan 08 '20 at 10:37
  • Security on "B" is of no concern - or rather it is beyond repair. It is a valuable CNC machine controlled by a mickymouse M$DOS which runs SMBv1 only. Upgrading it or installing FTP on it is pure theory, because the machine is in production, plus with M$ the lower the version the better ;) If it were me I would put all Linux everywhere and increase productivity by 2x and security by 4x. These guys since April/2018 (1803 patch appeared) have lost network contact with the machine and use ... for 20 months now ... floppy disks ... and M$ washes its hands by "are you sure you want to tick SMBv1 box?" – bliako Jan 08 '20 at 10:47
  • thanks for your input! I will keep posted. I will know in a few hours when I go there. – bliako Jan 08 '20 at 10:47
  • I have posted a more [general question here](https://serverfault.com/questions/998099/install-smbv1-client-on-win10-without-admin-or-compromising-security) hope that's ok with site policy – bliako Jan 08 '20 at 11:30
  • Floppy disk transfer is actually a secure, if tedious, mitigation. Not a total air gap, which would be necessary if you turned SMB1 on. – John Mahowald Jan 08 '20 at 16:50
  • Nothing worked! I have discovered though that the MS-DOS 6.22 machine has only one port open: 139. Port 445 is closed. I do not know if this means MSCLIENT on the CNC machine is broken (how?) or that the old SMBv1 protocol does not use port 445 at all and this is a matter of finding an old client to talk to it. `smbclient` version 3 (from 2005) did not work though. What I ended up doing is to use own file transfer application written for MS-DOS 6.22 - M$ is out and I am very happy with it. And I have password-protected access to the machine (not encrypted with SSH but not clear-text either). – bliako Jan 11 '20 at 14:06
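
The last comment reports port 139 open and port 445 closed on B. The following is an added example, not code from the thread: a Python check, runnable from A or from a Linux box, that tests both ports and sends an RFC 1002 NetBIOS session request on 139, the step that comes before SMB negotiation when SMB runs over NetBIOS instead of directly on 445. B's address and NetBIOS name are command-line inputs, and the calling name `PROBE` is made up for the example.

```python
import socket
import struct
import sys

def nb_encode(name, suffix):
    """RFC 1001 first-level encoding of a NetBIOS name (15 chars + type byte)."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    half = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return b"\x20" + half + b"\x00"   # length byte, 32 chars, root label

def session_request(called, calling="PROBE"):
    """RFC 1002 SESSION REQUEST (type 0x81): called = server, calling = us."""
    body = nb_encode(called, 0x20) + nb_encode(calling, 0x00)
    return struct.pack(">BBH", 0x81, 0, len(body)) + body

def classify(reply):
    """Interpret the first bytes of the listener's answer."""
    if not reply:
        return "no reply"
    if reply[0] == 0x82:
        return "positive session response"
    if reply[0] == 0x83:
        code = reply[4] if len(reply) > 4 else 0
        return "negative session response (error 0x%02x)" % code
    return "unexpected packet type 0x%02x" % reply[0]

def port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def nbss_probe(host, called, port=139, timeout=3.0):
    """Open the NetBIOS session service port and request a session."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(session_request(called))
            return classify(s.recv(16))
    except OSError as exc:
        return "connect/recv failed: %s" % exc

if __name__ == "__main__":
    host, name = sys.argv[1], sys.argv[2]   # address and NetBIOS name of B
    print("445 direct-hosted SMB :", "open" if port_open(host, 445) else "closed")
    print("139 NetBIOS session   :", nbss_probe(host, name))
```

A negative response with error 0x82 means the called name is not present, so the name passed on the command line has to match the NetBIOS name B actually registered.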