Hi guys
I was wondering how secure am i if i have a veracrypt drive that i share via windows to the network computers?
Is windows folder share secure enough if i use a strong password? or is it pretty easy to bypass via some exploits?
thanks
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
thanks for replying me
i am referring to the security of the windows share itself. i mean, if i mount it as admin on the host computer, apply security restriction only to be read for admins, and then share it over the network (with the right priviledges, ofc). will then an unauthorised (and very skilled let's assume) person that gains access to other computer in the network be able to "crack" the windows share authentication on this host computer? or the windows share protocol is very safe?
thank you
Last edit: xxx 2020-05-28
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
What versions are you using of Windows, and of Veracrypt, on the PC that you intend to mount a VC volume to, and then share over the network? In trying to run a few tests on this issue (since this is not something I normally do), I have discovered that with the latest version of VC (v1.24-Update6), on W10 v1909, if I share a mounted VC volume even with 'Everyone' having Change and Read permissions, I get 'Windows cannot access ...' ('You do not have permission ...') error messages; however, if I do the same thing on a W7 PC, I can access it with no problem.
Can you confirm you can share a mounted VC volume from a W10 PC over the network at all? (Create a test 100MB volume, and try, if you don't already know the answer.)
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
@Adrian, I'll take a back seat to anyone when it comes to network troubleshooting, but a longtime quirk of VeraCrypt network shares is that they cannot be mounted as removable ("/m rm" on a command line) and shared successfully in my experience. I first noticed it when the share was on Win10, and I can't remember seeing it with Win7. I just now confirmed it with a VMware network, sharing a mounted container on the Win10 host (running VeraCrypt 1.24.u6) and connecting with a Win7 VM guest. It's still quirky. If that's not your issue, I'll gladly move to the back seat again.
@xxx, if the crux of your question is whether or not VeraCrypt somehow adds security to your network share, the answer is no. Once an encrypted partition or container is mounted for on-the-fly decryption and shared, you're completely at the mercy of your network firewalls and OS for security. VeraCrypt is all about the security of physical media. If that's not your question, then you'll likely find much better informed answers in a network security forum.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
a. @Gary: thanks for diagnosing the issue with sharing a mounted VC volume over the network from W10, which didn't affect W7 (but also did W8 when I did my testing). (By default ie in GUI Setting > Preferences I always have 'Mount .. as removable ..' ticked.)
b. @xxx: now I can reliably share a mounted VC volume with 'Everyone' having Change and Read permissions from any of my PCs, I'll run a few tests, and post some thoughts on the matter you raise. (I should have some time today or tomorrow.)
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
yes, my question was solely about windows share security, not related to veracrypt, as it would already be decrypted.
i know that it is not veracrypt related, but i thought as this forum was about security itself, some people would have some ideas about other kind of security down the chain :)
thanks
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
a. There can be no absolute guarantee that some 'very skilled' person won't be able to 'crack' windows share authentication. Computer security is a game of cat and mouse between the 'white hats' and the 'black hats', the former trying to prevent the latter being the first to discover flaws in code and exploiting it, rather than repairing it.
b. That being said, as long as you don't use SMBv1 on your network (which had flaws allowing arbitrary code execution, and helped the rapid spread of the 'WannaCry' ransomware across networks), you should be able to rely on the security of Windows networking as much as you can rely on any other security mechanism you use.
c. However, your main security problem is other users, rather than protocols!
d. The problem is simply that, like with the password/PIM/keyfile to mount the VC volume, if anyone who knows it is careless with keeping it secret, your security is completely compromised.
e. Windows share security is (normally, using SMB) based solely on username and password matching (unlike Windows file permissions, which depend on unique Security Identifiers (SIDs) and passwords.
f. So, you could mount a VC volume on a host PC, giving full control only to 'SYSTEM' and named Admins in a specially created 'VC-Users' group, and share it giving Change and Read permissions to only the VC-Users group, and even a standard user on another PC would have Modify permissions on the mounted volume if they knew (or could guess) the username and password of any of the Admins in the VC-Users group on the host PC, or if anyone had saved such details in Credential Manager on the client PC.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
thanks for answering me
this is what i wanted to hear, that the windows security is normally "good enough" :)
i am using windows 10, si it should be smb 3
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Hi guys
I was wondering how secure am i if i have a veracrypt drive that i share via windows to the network computers?
Is windows folder share secure enough if i use a strong password? or is it pretty easy to bypass via some exploits?
thanks
nobody has an oppinion on windows share security?
Network share documentation: https://www.veracrypt.fr/en/Sharing%20over%20Network.html
thanks for replying me
i am referring to the security of the windows share itself. i mean, if i mount it as admin on the host computer, apply security restriction only to be read for admins, and then share it over the network (with the right priviledges, ofc). will then an unauthorised (and very skilled let's assume) person that gains access to other computer in the network be able to "crack" the windows share authentication on this host computer? or the windows share protocol is very safe?
thank you
Last edit: xxx 2020-05-28
What versions are you using of Windows, and of Veracrypt, on the PC that you intend to mount a VC volume to, and then share over the network? In trying to run a few tests on this issue (since this is not something I normally do), I have discovered that with the latest version of VC (v1.24-Update6), on W10 v1909, if I share a mounted VC volume even with 'Everyone' having Change and Read permissions, I get 'Windows cannot access ...' ('You do not have permission ...') error messages; however, if I do the same thing on a W7 PC, I can access it with no problem.
Can you confirm you can share a mounted VC volume from a W10 PC over the network at all? (Create a test 100MB volume, and try, if you don't already know the answer.)
@Adrian, I'll take a back seat to anyone when it comes to network troubleshooting, but a longtime quirk of VeraCrypt network shares is that they cannot be mounted as removable ("/m rm" on a command line) and shared successfully in my experience. I first noticed it when the share was on Win10, and I can't remember seeing it with Win7. I just now confirmed it with a VMware network, sharing a mounted container on the Win10 host (running VeraCrypt 1.24.u6) and connecting with a Win7 VM guest. It's still quirky. If that's not your issue, I'll gladly move to the back seat again.
@xxx, if the crux of your question is whether or not VeraCrypt somehow adds security to your network share, the answer is no. Once an encrypted partition or container is mounted for on-the-fly decryption and shared, you're completely at the mercy of your network firewalls and OS for security. VeraCrypt is all about the security of physical media. If that's not your question, then you'll likely find much better informed answers in a network security forum.
a. @Gary: thanks for diagnosing the issue with sharing a mounted VC volume over the network from W10, which didn't affect W7 (but also did W8 when I did my testing). (By default ie in GUI Setting > Preferences I always have 'Mount .. as removable ..' ticked.)
b. @xxx: now I can reliably share a mounted VC volume with 'Everyone' having Change and Read permissions from any of my PCs, I'll run a few tests, and post some thoughts on the matter you raise. (I should have some time today or tomorrow.)
yes, my question was solely about windows share security, not related to veracrypt, as it would already be decrypted.
i know that it is not veracrypt related, but i thought as this forum was about security itself, some people would have some ideas about other kind of security down the chain :)
thanks
a. There can be no absolute guarantee that some 'very skilled' person won't be able to 'crack' windows share authentication. Computer security is a game of cat and mouse between the 'white hats' and the 'black hats', the former trying to prevent the latter being the first to discover flaws in code and exploiting it, rather than repairing it.
b. That being said, as long as you don't use SMBv1 on your network (which had flaws allowing arbitrary code execution, and helped the rapid spread of the 'WannaCry' ransomware across networks), you should be able to rely on the security of Windows networking as much as you can rely on any other security mechanism you use.
c. However, your main security problem is other users, rather than protocols!
d. The problem is simply that, like with the password/PIM/keyfile to mount the VC volume, if anyone who knows it is careless with keeping it secret, your security is completely compromised.
e. Windows share security is (normally, using SMB) based solely on username and password matching (unlike Windows file permissions, which depend on unique Security Identifiers (SIDs) and passwords.
f. So, you could mount a VC volume on a host PC, giving full control only to 'SYSTEM' and named Admins in a specially created 'VC-Users' group, and share it giving Change and Read permissions to only the VC-Users group, and even a standard user on another PC would have Modify permissions on the mounted volume if they knew (or could guess) the username and password of any of the Admins in the VC-Users group on the host PC, or if anyone had saved such details in Credential Manager on the client PC.
thanks for answering me
this is what i wanted to hear, that the windows security is normally "good enough" :)
i am using windows 10, si it should be smb 3