Windows Server 2003 & Windows 11

britechguy

Let me preface this with I am looking for two different kinds of guidance:

1. Getting the new machines with Windows 11 Pro able to communicate with a server running Windows Server 2003 (and there are Win10 boxes already doing this, but that I had no role in setting up) in the safest possible way for the time being.

2. Putting together an upgrade plan, whether with another later version of Windows Server or other NAS.

The client for whom I purchased the new computers has, it turns out, Windows Server 2003 running for his shared storage. Needless to say, that's going to have to be upgraded to something else, but that is not in the cards in the very near term. Ideas and suggestions as to what might be the best solution for a tiny, one-site business for networked storage for the office computers and CAD-CAM workstations (4 computers in all) would be appreciated.

In the very near term, I need to get the new Win11 boxes able to communicate with that Windows Server 2003 for their shared files. I have done some research but there is (as usual) conflicting information about the best way to do this and I know that there are many here who have much more experience is this arena than I do. Until whatever replacement might be settled upon comes on the scene, I need for the new computers to be able to "talk to" the Windows Server 2003 instance to get at their shared shop files so any guidance as to how this is best (and with ease in mind) achieved would be appreciated.
 
By talking I presume you mean access SMB shares. You will most likely need to install the SMBv1 feature. It has its risks, but I don't believe 2003 supports any newer SMB protocols, so you are limited to the device sharing the files.
 
> You will most likely need to install the SMBv1 feature. It has its risks, but I don't believe 2003 supports any newer SMB protocols, so you are limited to the device sharing the files.

That's what everything I've seen has said, but with "allow SMB v1" rather than needing to install it.

It immediately struck me that in this case "the newer has to bend to the older" since the other way around is not possible.
 
Yeah, enable not install. This is a risk management exercise at its core. You need to determine how big their attack surface is vs the probability of becoming a target to begin with.

attack surface - how many different ways can a black hat "get into" their LAN.

target - what are they doing which might attract the attention of black hats. There are all kinds of things users don't think about. Such as participating in sharing and social can leave an IP that the posting has come from. Providing outbound services like a website, FTP (file sharing), email, etc. that is viewable to the public.
 
Yep, install Windows Feature on Win11, SMBv1, and POOF it works.

Terrible idea... because you need to remove it later or leave the Win11 systems vulnerable. But that is what you do.
 
I am very much of the "let history be your guide" philosophy when it comes to probability of attack. This small machine shop has been operating "as is" literally for decades now, without incident, and I have no reason to believe that will not continue to be the case.

They've also actually followed the 3-2-1 rule as far as backups, with one being in a cloud backup service.

At a later point in time, if the file sharing were to change, then it's easy enough to disable SMBv1 just like it was enabled to allow what's there already to keep functioning.

Thanks to all for the confirmation that this is "the one way" that this can be made to work given what exists right now.
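The enable / verify / later-disable sequence the thread settles on, written out as an added example (not posted by any participant). It enables only the SMB1 client component on a Win11 box, keeps that box's own SMB server side refusing SMB1, and shows how to confirm which dialect is actually negotiated; the UNC path is a placeholder.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on each new
# Windows 11 workstation. The server name and share are placeholders.
$share = '\\OLD2003SERVER\ShopFiles'

# 1. See which SMB1 components are currently present/enabled.
Get-WindowsOptionalFeature -Online |
    Where-Object FeatureName -like 'SMB1Protocol*' |
    Select-Object FeatureName, State

# 2. Enable only the *client* component. Server 2003 speaks SMB1 only, so the
#    Win11 box must be able to initiate SMB1; it never needs to serve it.
#    -All pulls in the parent SMB1Protocol feature that the client depends on.
Enable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol-Client' -All -NoRestart

# 3. Make sure this workstation's own file server side still refuses SMB1,
#    so the new machines cannot themselves be reached over SMB1.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 4. Touch the old share, then check the dialect per connection. The 2003 box
#    should show a 1.x dialect; any other server should still show 3.x.
Get-ChildItem -Path $share | Select-Object -First 3
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect

# 5. Rollback for the day the 2003 server is retired (same feature, disabled).
#    Note: Windows also removes an unused SMB1 client on its own after ~15 days
#    of no SMB1 traffic, so re-check step 1 if shares "stop working" later.
# Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol-Client' -NoRestart
```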
 
> They've also actually followed the 3-2-1 rule as far as backups, with one being in a cloud backup service.
Make sure the backups get tested on a regular basis. A backup isn't a backup until it's been confirmed to work. Over the years I've seen several disasters unfold because everyone assumed (we know what that spells right?) it worked because there were no errors during the backup process.
 
Good that they have their backups.

The old "has been operating 'as is' literally for decades now, without incident" philosophy......well, I've been doing this IT gig for SMBs for around 30 years in my area. I've known a lot of businesses for at least as long. Seen a lot of them (that I didn't manage)...run without good security practices......for years...decades...."until"....boom! It happens.

Lots of exploits and other bad stuff can simply rip through SMB1 networks like a hot knife through butter. And it's not just things like ransomware which can make itself known like a tornado. But other bad things which intentionally can linger...and slowly...watch, and gather, and enable other bad things to happen over time. Bad guys aren't always in a rush, they're often patient..and can let things sit on a network for many months...year even...quietly gathering info that lets them do OTHER things to the people there.

Antivirus software is more effective when its hosts are fully patched/updated. Less effective when the hosts are not.

Malware is more often brushed aside like water off a duck's back when on fully patched/updated systems.

I see people often say "My network is safe". Heh..more often than not..it's not the case.

The IT guy for businesses should look at this as..."What is running on that old 2k3 server? Why is that server there? What's it doing? What's it serving up on the network?"

*If it's a program, some line of business software...it must be an old outdated version. Running on old outdated database versions, which may themselves start having issues with modern client OS's. Not to mention probably out of support from the vendor. Isn't that data important to the business owner? What would happen to the business if it lost that data? If you had to call the software vendor to troubleshoot some problem would they still help you with that old version?

*If the server is just hosting folders and files...well, the decision is easy peasy drop dead simple within milliseconds....move those off of that old dinosaur and put them into a modern and much more secure platform. Many forms of cloud hosting make this easy (of course M365 is my go-to, but there are also things like DropSuite for Business, BoxDrive, Egnyte, the list goes on and on.....). Or heck...if the owners insist on keeping a foot in the 1990's....replace with at least a more modern little local hosting solution like a NAS....many low cost options out there for that, and they can automate offsite backup.
 
Yeah... do it like it's always been done...

Tell that to the small mortgage office that called me in a panic after they burned through half the phone book looking for someone... ANYONE to help them.

Someone must have clicked on something, granted access which then spread laterally to all systems, and by the time I'm on the phone the user in question is reporting someone is typing in an email on their machine to send, and their lenders have already slammed the door shut due to obvious issues.

How do we fix this?

Well...

You turn off every device you own.
You do a complete security audit of your entire cloud attack surface, reset all passwords on everything, implement strong phishing resistant MFA (no texting you idiots)
You buy an entire new fleet of computers, because the malware is probably baked into your SSD or mainboard firmware at this point, so you can't trust anything you currently operate.
And you reconfigure everything from bare scratch nothing while forgetting you have any data on the old machines.
And when I said everything, I also meant all switches and routers and wireless access points too. THOSE can be breached, and often are because companies like yours never maintain them.

THEN

You contact law enforcement.
You contact the state board.
You tell all your customers that you've been breached.
You cry because your general liability insurance won't cover you.
You lament the fact that you were too stupid to get cyber security insurance. (not that they'd cover you either)

And in the end? Because you handled PII incorrectly, the owner faces potential jail time while the rest of you go looking for new jobs because the place you're at is about to file bankruptcy and go out of business.

The other end of my phone was very quiet. This process took about an hour of my life to complete. And I said now that you understand what's happened, how big of a screw up this is. Do you understand why no one was willing to help you? You're BEYOND all help at this point, and if I were charging you'd be out around $10,000 to get your five machine network back online, and that's ten grand everyone knows you'll never be able to pay. So they just politely get you off the phone.

The only reason I'm here is you used to attend church with me, so you're getting the straight dose of friendly neighbor. This company doesn't belong to you, go find a new job and run.

Doing things as they have always been done is how a company dies... oh, and further context? This was THIS WEEK. I'll get another one next month or so, they always find me. Which seems to keep going even though I've shut down my MSP because I couldn't get this stupid market to listen. They're only willing to do so after the breach, and at that point... it's too late.
 
Thanks to all for your input.

In the very near term I need to get everything working with the existing infrastructure then look at replacing the infrastructure beyond the new CAD-CAM workstations and office computers.

This will definitely be a "stepwise refinement" situation. There's zero possibility of an all at once and all or nothing makeover.

I'd love nothing more than for that Windows Server 2003 machine (which, by the way, is used for nothing except storage/sharing as far as I can tell - but it is the primary storage vessel for the shop) to not be part of the mix, but that's not my decision to make or option to change in the very near term.

@Sky-Knight: We can all pull up horror stories on demand. What running a mortgage company, with tons of really sensitive client information, has in common with running a machine shop, which really doesn't, eludes me. I'm not worried about my client's client's data, just theirs at the moment. And I'm also going to meet them where they are and work with them over time, which is how business is actually done here where I live. I'm not going into a setting and designing everything from scratch and I cannot go in and simply say "you're replacing everything, now," because that's simply not going to happen (no matter who they worked with).

You've got to meet many small businesses "where they are" not where you'd like for them to be. A very small business has a very small budget, for anything.
 
@britechguy All businesses have PII somewhere, otherwise they aren't processing payments, and therefore are out of business.

The rest of the place can be left to the dogs in this case, but the machine tracking the finances needs to be isolated for that logic to hold.

The SMBs on the S side of the coin? They're all going under soon... that's why I got out.

If it's not the fact they don't invest in themselves correctly... which is why they STAY on the S side of the SMB... They're stupid enough to buy from Godaddy and are losing the game there too. It's truly endless.
 
@Sky-Knight

I am truly thankful for your advice, but I am equally thankful that I am not as fatalistic as you are.

"Little Guys" will still be around long after I'm dead and none of them is ever likely to be technologically armored in the way massive companies are. That's just the way it is, and shall remain.
 
> @Sky-Knight
>
> I am truly thankful for your advice, but I am equally thankful that I am not as fatalistic as you are.
>
> "Little Guys" will still be around long after I'm dead and none of them is ever likely to be technologically armored in the way massive companies are. That's just the way it is, and shall remain.

The problem is... they don't need to be. I'm not talking about turning them into a fortress, I'm talking about them at least bothering to lock the door.

Godaddy is a terrible company to do business with, but it continues.
Microsoft as always has a solution for everything, but you need to know WTF you're doing or you're in huge trouble.
Google thinks endpoint devices are passe.
Apple is... well Apple.

This entire game is rigged, and I can secure a 5 machine network + cloud service for <$1000 up front. I got out of the game because I couldn't get SMBs to see that $1000 as a necessary investment. So yeah, I'm done. But, I'm also done being nice. Pay up or burn down, that's where I am now.

You think that MFA all the things is a fortress... it is not. Deploying a SIEM, SOAR, BDR, and XDR is a fortress.

Having a fully matched and supported fleet of machines, with functional AV, and cloud services backed with proper MFA is the bare minimum.

Anything less than that isn't a walled garden, it's a patch of dirt with half dead hedges around it. Literally indefensible.
 
> Having a fully matched and supported fleet of machines, with functional AV, and cloud services backed with proper MFA is the bare minimum.

You were wise to get out, because you are never going to get this, ever, in most of the SMB space.

I accept what I have to work with as what I have to work with, be that with a residential or business client. And I do what I'm asked to do and offer them advice about what they should be doing, but it's entirely up to them whether or not they do it. I'm not their ecosystem architect, nor do I wish to be in any meaningful sense.

There is a very big difference between being a break-fix or "setup what needs setting up, and nothing more" service provider and an MSP. I elected not to ever enter the MSP space because I don't want to be the ecosystem architect nor take on the liability that comes with it.

If someone wants a new printer set up, I set up a new printer. If someone wants 4 new computers set up to interact with their existing infrastructure, that's what I do (while mentioning that an infrastructure upgrade is long overdue). I give advice and guidance, the clients make the call about whether they want to pursue changes, or not. For the way I do business, and the people and businesses I routinely deal with, that's precisely the way it should be. I am responsible for getting the result the client wants, now, and nothing more.
 
@timeshifter

Thanks. Having specific solutions, and preferably ones that would remove another computer (the server) from the mix is something useful that I can present to the client.

Personally, I think they "way overbuilt" themselves at the time all of this was originally put into place. Anything that can end up simplifying the ecosystem as a whole is a very good thing indeed.

I really need to dig into how much data they actually have stored on that server, which has not been the focus, yet.

As is so often the case when it comes to my client base, be it a small business or residential client, scope creep kicks in as the job goes along. But even when it does, they generally have an order of precedence regarding what gets done and in what order that they want to stick to if at all possible.

Addendum: I find it interesting how that Amazon listing calls that Synology DiskStation NAS "personal cloud storage." I guess if one defines anything that's available via networking that's not a part of the machine that's storing data on it "the cloud" it would be, but who uses that definition? If it's on my LAN (much like the current Windows Server is) then it's not "cloud storage" in any meaningful sense of that phrase. My own N in NAS is not cloud storage.
 
> Godaddy is a terrible company to do business with, but it continues.

By the way - my client does do business with them and has for years. I have no burning desire to change that, either. There are certain things where "leave well enough alone" definitely applies.

One step at a time, and know when you should just step away. I don't have to agree with everything any given client does or does not choose to do. I'm not responsible for those choices, either.
 
Take their Production machines off the Internet. Take their finance/accounting/banking machine off the Production network so it can remain SMBv1-disabled. Use a Kiosk machine for the workers who need limited Internet access.
 
> By the way - my client does do business with them and has for years. I have no burning desire to change that, either. There are certain things where "leave well enough alone" definitely applies.
>
> One step at a time, and know when you should just step away. I don't have to agree with everything any given client does or does not choose to do. I'm not responsible for those choices, either.

The gift that keeps on giving...

I have confirmed this breach has spread to Godaddy provided M365 tenants.

I've been yelling about this one breach for ages, proved it was happening over a half decade ago. I was told I was nuts, and it just... keeps... going...

They're USELESS.

Also, if you deployed it without a signed waiver that was written by a lawyer... you're one phone call away from doom. Because you are liable, whether you want to accept that or not.

As for the Synology, it's called cloud storage because there are ways to make it cloud accessible. I DO NOT RECOMMEND YOU DO SO.

Those things need updates and patching too, and are usually even more neglected than Windows boxes.
 
@Sky-Knight,

I long ago gave up on hand-wringing, of any sort, about data breaches. I have no control over them, zero, and they are a fact of life and have been for many years now. There are no service providers, private or government, who have never, ever had any data breaches of any kind.

I choose to focus on what I can actually control, and running away from any provider, of anything, that's ever had a data breach soon leaves you with an abacus and a clay tablet.

And as to, "Those things need updates and patching too, and are usually even more neglected than Windows boxes," well, 'twas ever thus. Once people and entities have systems that "do what I need 'em to" and they've been using them without incident for periods of years, they are, like most things so behaved, ignored. Any one of us could set up a new client with the truly latest and greatest, then walk away, and it will suffer the same fate.

I'm not lying awake at night thinking that any court is going to hold me liable for anyone's house burning down (literally or metaphorically) because I happened to walk through the door at some point and install a printer or set up a couple of computers for them. Unless it was a part of the scope of the job I was hired to do, it's not my problem, legally or otherwise. I also still work in an area (as in geographic area) where business is done "on a handshake" and will continue to be done that way. I'll live with that just fine, and have now for heading into 2 decades. [I also keep all business related email messages where I give clients specific information that they can either act on or not. Whether they do, or not, is their choice and responsibility, not mine. I advise, they decide.]
 