ROCK on NUC - Network file sharing a security risk?

Your wireless security is more than most would do…some still don’t run any security on their ssid, never mind hiding it or using MAC filtering.

Home environment must sometimes bow to use the lowest common denominator for file sharing etc as legacy devices will struggle otherwise.

I’m not sure what you mean by “this security thing.” From what I read, Windows has had “SMBv2” since Vista (that’s the client version, or “situation”), which is ancient history. Windows has had “SMBv3” since Windows 8 (again, client), which is maybe 4 years old. These protocols cannot be turned off except by explicit action, so I assume that most Windows users do employ those protocols.

“Most people do not even run home SMB with a password.”

It’s harder to evaluate this statement. I for one use authentication by id/password. If it is true that most people have no such authentication, that’s really bad practice. To my mind, Roon shouldn’t be encouraging that practice by offering no secure alternatives (that is, some kind of authentication).

Mind you, it’s too late now for Roon to make a secure alternative the default (too many installations, too much disruption), but Roon would be better in offering a secure alternative, a choice, an opt-in.

1 Like

…And that is the problem. The way to look at it is that anyone clever enough to break into and access your home network will not be troubled by your ‘security’ measures:
wifi encryption can be cracked easily or bypassed
MAC addresses can be spoofed
ISP routers are notoriously cheap, nasty, insecure (and often unsecured) things

And if they get in, the first thing they will do is take over your router and turn all the security off. In a home environment I would be worried about them stealing all my online banking details and passwords, not accessing ROCK to copy some of my music. Enterprise security is a whole different ball game though, involving ‘defence in depth’. Multiple layers of security so that even if you can get in undetected, you can’t get at anything.

My WIN 10 has just had the Fall Creators Update and is still able to access ROCK shares. They could have turned this on as a security update though, but the fuss over SMB1 was some time ago and likely to have been done before this update.

It sounds like your system went through the Windows 10 Fall Creators Update, because that tightened SMB use (see https://support.microsoft.com/en-us/help/4034314/smbv1-is-not-installed-windows-10-and-windows-server-version-1709). As you found, you can undo the tightening. That’s not something I’d do unless I had no alternative; but Roon seems to offer no alternative.

Roon ought to at least tell Microsoft it uses SMB1 and has no plans to go to SMB2. For that purpose, refer to https://blogs.technet.microsoft.com/filecab/2017/06/01/smb1-product-clearinghouse/.

2 Likes

It’s way beyond time that this was addressed. It currently seems a strong reason not to use ROCK.

2 Likes

While SMBv1 is deprecated technology, I don’t think I would go so far as to say it is a showstopper.

SMB v3 has been requested a number of times in the Roon OS 2.0 thread, so perhaps it may finally arrive.

Agreed, that is an issue, if your organisation locks down your work PC and you can’t do filesharing with it to your Nucleus or ROCK/PC. I’m in the fortunate position that while I have work accounts on my PC, the organisations that they belong to do not manage my PC - it remains mine.

Ha, was just about to reply to this thread when I saw that I already had, 5 years ago! So the question is how many ROCK/Nucleus users have had SMB1 vulnerabilities taken advantage of by hackers or a virus?

The joys of locked down systems.

Nucleus uses ROCK, so most probably it does.

I think lighter, easier and turnkey are already very diminished returns, especially if it works only on certain hardware. Installing core on Linux or Windows should not be harder than flashing ROCK.

While yeah it should support SMB2/3, enterprise deployments are hardly the Roon target demographic.

But it is, and maintaining the OS long-term is yet another level. (I know you don’t agree with that, but I am convinced that this is because you are too good with computers)

(It is, however, mildly amusing that some people think the Nucleus “sounds” better after deploying one of the chattiest network protocols on the planet. There is something to that network noise after all :wink: )

I misinterpreted the size, but it’s still a business and while I appreciate that many business owners will run it in their office, it’s probably still not the main target market.
(In a simple home network, if there is ransomware on the network they have lost already. SMB1 on the ROCK won’t change that much).

But I agree that something better should be added in 2.0

Yeah, definitely, even if only because enabling it is getting more and more difficult or soon even impossible, as you say.
We know that Roon are working on RoonOS 2.0 and I’ll be very surprised if this isn’t addressed. Maybe it should have happened earlier.

1 Like

I have not had to enable SMB1 to connect to a ROCK share in Windows 10. But previously I have had to open up the passwordless guest account access to remote shares in SMB2/3 in Windows in order to connect to a ROCK share.

To avoid the problem of enabling guest account access for shares in Windows I have mounted my ROCK\DATA share on my NAS, then I connect to the NAS mounted share in Windows. This means I do not have to enable SMB1 in Windows or enable guest access.

My NAS does not use SMB1, and yet it can also connect to the ROCK\DATA share directly.

So are we sure SMB 1 actually is a requirement to connect to ROCK\DATA?

Yeah maybe, I’ve tried to restrict it to SMB2/3 though, as you can see from the screen grab above. Do you know what other protocols ROCK supports? It must support at least one of the protocols my NAS is able to use?

Actually I’m going to reply to myself here, I think I have proof SMB1 is not required, bear with me…

My ROCK install is running on a NUC 8i3

My Roon Remote is running Windows 10 22H2. Windows is configured thus:

SMB1 not installed:

Insecure Guest Authentication disabled:

And with this configuration I CANNOT connect to \\ROCK\DATA as expected:

However, if I just change the insecure guest authentication registry key to 1:

Now I CAN access \\ROCK\DATA from Windows 10 with no SMB1 installed:

I’d be interested if anyone else has the same result!
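
For anyone repeating the test in the post above, a read-only check of the same client settings, added here as an example (it is not from the thread or from Roon). The server name ROCK and the DATA share come from the post; AllowInsecureGuestAuth and SMB1Protocol are the standard Windows value and feature names. Run it from an elevated PowerShell prompt.

```powershell
# Added example: read-only audit of the Windows SMB client settings discussed above.
# Assumption: the server is reachable as "ROCK" (name taken from the post).
$Server = 'ROCK'

# 1. Is the SMB1 optional feature installed? (needs an elevated prompt)
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

# 2. Insecure guest logons: local registry value and the Group Policy override.
$paths = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'
)
$guest = foreach ($p in $paths) {
    $v = (Get-ItemProperty -Path $p -Name AllowInsecureGuestAuth `
            -ErrorAction SilentlyContinue).AllowInsecureGuestAuth
    $shown = if ($null -eq $v) { 'not set' } else { $v }
    [pscustomobject]@{ Path = $p; AllowInsecureGuestAuth = $shown }
}

# 3. Effective SMB client configuration as Windows reports it.
$client = Get-SmbClientConfiguration |
    Select-Object EnableInsecureGuestLogons, RequireSecuritySignature

# 4. What was actually negotiated with the server (only present once a
#    connection is open): dialect, and whether the session is signed/encrypted.
$conn = Get-SmbConnection -ServerName $Server -ErrorAction SilentlyContinue |
    Select-Object ServerName, ShareName, UserName, Dialect, Signed, Encrypted

"SMB1 feature state: $($smb1.State)"
$guest  | Format-Table -AutoSize
$client | Format-List

if ($conn) {
    $conn | Format-Table -AutoSize
} else {
    "No open SMB connection to $Server. Browse to \\$Server\DATA first, then re-run."
}

if ($client.EnableInsecureGuestLogons) {
    # Guest logons do not support SMB signing or encryption.
    Write-Warning 'Insecure guest logons are enabled: guest sessions are unsigned and unencrypted.'
}
```

The Dialect column answers the SMB1 question directly: a value of 2.x or 3.x on the \\ROCK\DATA connection means the session was not negotiated over SMB1.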

Isn’t enabling that worse than SMB1?

I don’t think so, it allows outgoing connections to SMB shares to send an empty password. But I agree it is not ideal for sure. That is why I use my NAS mount method, to prevent it being necessary at all.

EDIT: Also I am 99% sure SMB1 enables this setting by default which is probably why it makes things work when it is installed!

EDIT: Yes it does, from the link I posted above

1 Like

It also means unencrypted transfers and possibly other side effects. I don’t know how ROCK works, but you should be able to set security on its shares.