This topic has been marked solved and closed to new posts due to inactivity. We hope you'll join the conversation by posting to an open topic or starting a new one.
Re: Lost contact with NAS after upgrading Windows 10
Yes, I can access the NAS shares from file explorer, so it appears the setup is ok.
I have finished the first 50 pages of the software manual. I will finish the rest and look through the backup faq to see if I can find out why backup does not work.
Re: Lost contact with NAS after upgrading Windows 10
@StephenB wrote: The concerns over SMB1 are more critical for enterprises than they are for home networks. I suggest just installing the SMB1 client for now. Later on you could upgrade to a newer NAS (which would also have up to date security patches), and then re-purpose your current NAS as a backup NAS.
Dear Stephen,
Curiosity question: Are there patches or firmware updates available for these legacy NAS addressing the SAMBA vulnerabilities which caused the security warnings? All the SAMBA SMB 1.0/CIFS fixes and back-ports are available for a longer time, since about the vulnerability warnings.
"Important We strongly recommend that you do not reinstall SMBv1. This is because this older protocol has known security issues regarding ransomware and other malware."
Note that other major vendors have backported or updated SAMBA to non-vulnerable SMB 1.0/CIFS implementations for many or decade years old NAS models.
Re: Lost contact with NAS after upgrading Windows 10
Certainly there are multiple views on the security aspects, but this is how I see it.
There are other insecure protocols that are commonly deployed on both home networks and enterprise networks. FTP, NFS and even RSYNC are some examples. These are just as problematic as SMB 1.0 - they simply aren't targetted as much by ransomware.
And using SMB 3.0 (or more generally user authenticaton and encryption) doesn't eliminate the threat, it just makes it a bit easier for the attacker. If your home PCs all have write access to the NAS (using saved credentials), then using SMB 3.0 doesn't provide any additional protection at all. Since that's generally the case for home users, I don't see much additional risk in enabling the SMB 1 client on home networks. Enterprises are a different matter, since most user PCs don't have credentials to all of the on-line storage. And SMB should be disabled on public networks (for instance hot spots).
Since disabling SMB 1.0 doesn't mitigate the threat, you still need to account for ransomware attacks in your backup plan and your network security. Anti-malware software on the PCs can help. Disaster recovery is also part of it. Many Cloud backup providers have ransomware detection, and even if they miss it they generally should have enough retention to allow you to roll back to before the attack. Off-site backups are another approach. I've chosen to disable SMB altogether on backup NAS (including my legacy NAS - which are used as tertiary backups) - they only have rsync enabled. If I see the ransomware attack in time, I can disable the backup jobs on those NAS, and that gives me an additional recovery option (likely quicker than recovering everything from the cloud).
Curiosity question: Are there patches or firmware updates available for these legacy NAS addressing the SAMBA vulnerabilities which caused the security warnings? All the SAMBA SMB 1.0/CIFS fixes and back-ports are available for a longer time, since about the vulnerability warnings.
ReadyNAS 4.1.16, 4.2.31 and 5.3.13 were all released on May 30th, 2017, and in all cases the only change was a backport fix for CVE-2017-7494 (https://kb.netgear.com/000038792/RAIDiator-Version-4-1-16-Sparc). This is sometimes called "SambaCry" because it is a similar vulnerability to the one exploited by WannaCry.
So Netgear was backporting Samba fixes before they closed down software on the legacy NAS. They haven't released any firmware since then, and since they've already publicly announced that there will be no more updates I don't expect that to change.
FWIW, SMB isn't the only concern with legacy NAS. There are plenty of other security updates (ssl, apache, etc) that require backporting since the older linux builds are not longer being updated. Backports for Samba wouldn't be enough. Basically it's a bad idea to forward ports to these devices, I don't think it's safe to allow inbound access over the internet.
