Author Topic: FEI DCOM issue  (Read 2044 times)

Probeman

  • Emeritus
  • *****
  • Posts: 1827
  • Never sleeps...
    • John Donovan
Re: FEI DCOM issue
« Reply #15 on: October 24, 2018, 10:22:55 am »
Hi John,
Yeah, keeping all these computers updated and backed up is more of a pain than it should be for sure.

I have not heard of a "variance process" but if we keep the computer on a private network they really don't care.  The problem then becomes keeping the anti-virus and backup software licenses updated.

I mention anti-virus because not all viruses come from the Internet, we've had students bring them in on USB sticks.  And some of our Norton Ghost installs need to check for a current subscription or they won't run backups. That's how we killed the DCOM on the Quanta MPC last month.  Next time I try that I will install a separate network card for the campus network to be used temporarily.

More pain will come after next year when the campus will want us to update our Win7 computers to Win10. Fortunately while upgrading from WinXP requires a clean install of Win7 or Win10 and re-installation of all apps, our IT person says that upgrading from Win7 to Win10 is pretty straight forward as the apps will not need to be re-installed. We'll see!  One issue I foresee is the shared folder issue when our Win2K Quanta MPC needs to connect to a computer on the Internet for file sharing due to the SMB v1 vs. SMB v2 issue previously described.

The other issue is that Symantec does not currently have a Ghost backup/recovery version for Win10.  So we're using the built-in Windows backup, but according to our IT person it's non-trivial to utilize Win10 Backup to restore a crashed hard drive- which can be a real life saver in the lab for computers with complex installs of OEM software for instrument operation. 

Hard drives are more reliable than ever, but still Norton Ghost has been utilized several times in the last 5 to 10 years out of a dozen or so computers that I manage.

I've heard about the Win10 update issues, but I haven't been personally affected yet. That said I only have Win10 on one of our file servers and it only needs to run an FTP server. Plus I do have Win10 on my personal laptop, but I only use it when traveling.  Hopefully Microsoft will get its act together before we are forced to update all our workstations from Win7 to Win10 next year.

The best news is that CalcZAF, Probe for EPMA and Probe Image all seem to run fine on Windows 10, so that's a relief at least!
« Last Edit: October 24, 2018, 10:25:53 am by Probeman »
The only stupid question is the one not asked!

JonF

  • Professor
  • ****
  • Posts: 35
Re: FEI DCOM issue
« Reply #16 on: October 24, 2018, 01:05:30 pm »
Looks like you might be able to turn smb v1 back on in win 10:

https://support.microsoft.com/en-gb/help/4034314/smbv1-is-not-installed-by-default-in-windows

Or you can fiddle with the smb v2 requirements so that it plays nice with smb v1.

Probeman

  • Emeritus
  • *****
  • Posts: 1827
  • Never sleeps...
    • John Donovan
Re: FEI DCOM issue
« Reply #17 on: October 24, 2018, 09:13:17 pm »
Looks like you might be able to turn smb v1 back on in win 10:

https://support.microsoft.com/en-gb/help/4034314/smbv1-is-not-installed-by-default-in-windows

Or you can fiddle with the smb v2 requirements so that it plays nice with smb v1.

Holy crap!   :o

How come my IT person didn't know this?    >:(

Thanks, Jon.
The only stupid question is the one not asked!

Probeman

  • Emeritus
  • *****
  • Posts: 1827
  • Never sleeps...
    • John Donovan
Re: FEI DCOM issue
« Reply #18 on: October 26, 2018, 11:33:44 am »
Looks like you might be able to turn smb v1 back on in win 10:

https://support.microsoft.com/en-gb/help/4034314/smbv1-is-not-installed-by-default-in-windows

Or you can fiddle with the smb v2 requirements so that it plays nice with smb v1.

Our IT guy said that if we turn SMB v1 back on a Windows10 system, the campus will still cut off Internet access to that computer. I don't know exactly how they detect SMB v.1 is available, but I suspect that modifying SMB "so it plays nice with smb v1" would result in the same response from them.

I know, I know, they're just trying to protect us...
« Last Edit: October 26, 2018, 01:05:20 pm by Probeman »
The only stupid question is the one not asked!

jrminter

  • Professor
  • ****
  • Posts: 50
Re: FEI DCOM issue
« Reply #19 on: October 27, 2018, 08:53:52 am »
Ned Pile (The "owner" of SMB at Microsoft ) published this explanation of why he thought it was necessary to quit using SMB1: https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/.

The key quote:

Quote
The nasty bit is that no matter how you secure all these things, if your clients use SMB1, then a man-in-the-middle can tell your client to ignore all the above. All they need to do is block SMB2+ on themselves and answer to your server’s name or IP. Your client will happily derp away on SMB1 and share all its darkest secrets unless you required encryption on that share to prevent SMB1 in the first place. This is not theoretical – we’ve seen it. We believe this so strongly that when we introduced Scaleout File Server, we explicitly prevented SMB1 access to those shares!

I'm not certain how likely such an attack is, but I see why IT organizations are concered... I don't see any easy answers...

JonF

  • Professor
  • ****
  • Posts: 35
Re: FEI DCOM issue
« Reply #20 on: October 27, 2018, 09:14:12 am »
Yeah, I'd guess so. They'll be disabling smb v1 because its got a fairly big security hole, linked to a lot of the more recent ransomware attacks.

Essentially, you've got the Win2k box on the Quanta that can only communicate via smb.v1, a support PC that needs smb.v1 to communicate with the Win2k Quanta PC and a requirement that all university network connected PCs have smb.v1 disabled and a minimum of smb.v2. Bit of a tricky one!

The only way I could think of doing it would require a second support PC (assuming that you can't enable smb.v1 on a per interface basis, which samba in Linux may be able to do), something along the following lines:

Quanta (Win2k)  -smb.v1-> 1st Support PC (Win7,10w/smb.v1/Linux) -smb.v2-> 2nd Support PC (Win10 w/smb.v1 disabled) -smb.v2-> University Network

Both support PCs would need at least two NICs. The first support PC would be able to communicate via both smb.v1 and smb.v2, the 2nd support PC via smb.v2 and above. You could have the data cascading through the support PCs (possibly deleted from the 1st support PC to remove the storage requirement, depending on how you have the data policy configured). You could also make all the shares read only, adding an extra bit of protection. 

To get round the requirement for regular antivirus updates, I'd disable all USB ports (via group policy) and ban USB pen drive access to any of the instrument or support PCs, making everyone pull the data from the network share (whether 2nd support PC or a data store on the university network), and preferably have the 1st support PC as a Linux machine also acting as a hardware firewall. I'd image a working version of the Quanta PC win2k installation, and keep that in a safe place and ensure that all the data that changes is sent off the instrument PC (removing the Norton Ghost requirement).

If going with windows for the support PCs, I'd recommend getting a backup/copy program that supports the volume shadow copy service, or write a script that creates the copy, robocopy to the network share then deletes the shadow copy - this should avoid any issues with locking a file currently having data written to it.




JonF

  • Professor
  • ****
  • Posts: 35
Re: FEI DCOM issue
« Reply #21 on: December 03, 2018, 01:26:19 am »
The only way I could think of doing it would require a second support PC (assuming that you can't enable smb.v1 on a per interface basis, which samba in Linux may be able to do), something along the following lines:

I was just googling something else and came across the answer to this: yes, you can bind samba to interfaces under Linux and have multiple instances of samba installed. The SMB settings in Windows are set for the whole OS (rather than NIC specific).

Linux is probably the way I'd go with this - it'll give you more flexibility on the networking side of things. I'd set up a linux server with two physical NICs - one internal to the lab with SMBv1 enabled to talk to the quanta; and one facing the external network with SMBv1 disabled.


A Windows-only alternative would be to run a virtual machine with an SMBv1 enabled guest having access only to the internal NIC and the host OS pushing the data to offsite storage. 

Probeman

  • Emeritus
  • *****
  • Posts: 1827
  • Never sleeps...
    • John Donovan
Re: FEI DCOM issue
« Reply #22 on: December 04, 2018, 11:56:48 am »
The only way I could think of doing it would require a second support PC (assuming that you can't enable smb.v1 on a per interface basis, which samba in Linux may be able to do), something along the following lines:

I was just googling something else and came across the answer to this: yes, you can bind samba to interfaces under Linux and have multiple instances of samba installed. The SMB settings in Windows are set for the whole OS (rather than NIC specific).

Linux is probably the way I'd go with this - it'll give you more flexibility on the networking side of things. I'd set up a linux server with two physical NICs - one internal to the lab with SMBv1 enabled to talk to the quanta; and one facing the external network with SMBv1 disabled.


A Windows-only alternative would be to run a virtual machine with an SMBv1 enabled guest having access only to the internal NIC and the host OS pushing the data to offsite storage.

You are smart!    :)

Seriously, it may come to running a virtual machine as Windows 10 only supports SMBv2. For now we are OK as Windows 7 supports both SMB versions.  But IT tells us that Windows 7 will only be supported until the end of 2019.  Of course I've noticed that Microsoft is still releasing security updates for Windows XP, so maybe it won't happen that fast.

Then one has to consider that Microsoft has been struggling with some recent Windows 10 updates...  Anyway, hopefully by the time we have to update this Windows 7 support computer to Windows 10, we'll get a new FEG SEM with new instrument software and won't have to run Windows 2000!   ;D

Hey, one can always dream, right?
The only stupid question is the one not asked!