Security Concerns on Windows

SyncBack Touch is a cross-platform (Windows, macOS, Linux and Android) file server for use with SyncBackPro and SyncBackSE. For technical support visit http://support.2brightsparks.com/
JohnBates
Newbie
Posts: 2
Joined: Sun Apr 09, 2006 1:09 pm

Security Concerns on Windows

Postby JohnBates » Fri Apr 17, 2015 11:00 am

When you first install SyncBack Touch on a Windows server it installs and starts a Windows service running on port 8080 and with full access to the filesystem. Until you are able to connect to the machine with a copy of SyncBackPro and change the configuration, say to another port or to add a password, the server filesystem is left wide open to anyone with a copy of SyncBackPro.

If they manage to reach the server before you do then they are able to read (or worse) overwrite files on the server - this seems like an unnecessary security issue.

Wouldn't it be far safer to force the installer of SyncBack Touch on the Windows machine to enter a secure password before the service is started?

Also, wouldn't it be safer to allow the service to run under a restricted account to further restrict the access that it has to the filesystem - for example, to make it read-only?

Kostas
2BrightSparks Staff
Posts: 432
Joined: Thu Sep 18, 2014 2:08 am

Re: Security Concerns on Windows

Postby Kostas » Sat Apr 18, 2015 12:23 am

Hi,

You can define a password during installation by using command line parameters:

SyncBackTouch_Setup.exe /Password="secret"

You can read more about the installation parameters in the SyncBackPro's Help File (under SyncBack Touch entry).

For the moment there is no parameter to allow changing the service account but this can be done manually after installation by using the Windows Services tool. Keep in mind that a restricted service account may disable SyncBack Touch's use of VSS which it depends on for copying open/locked files.

Thanks,
Kostas
[2bs]

JohnBates
Newbie
Posts: 2
Joined: Sun Apr 09, 2006 1:09 pm

Re: Security Concerns on Windows

Postby JohnBates » Sun Apr 19, 2015 9:00 am

That's good. I'm glad the option is there. But it wasn't apparent to me when I installed the software. I'd like it to have been something that the installation program forced me to enter - it just seems so dangerous to default to being open to everyone.

I hear what you are saying about the use of a restricted service account and the effect that it might have on the way that backup works but one thing that I would like to see would be the ability to choose the service account at installation time so that, for example, I could choose an account that gave me read-only access to the filesystem which would give me the confidence to know that the software that I had just installed on my remote server could do no damage as a result of an incorrectly configured profile. You will know much more than me about such things but I was thinking of something along the lines of the Windows "Backup Operators" group which, if I recall/understand correctly has read only access to the filesystem.

As you say, these are all things that can be achieved manually by someone who wants to. Nevertheless, I think that you might get negative press from a reviewer who notices that security hole regarding the default blank password.

Kostas
2BrightSparks Staff
Posts: 432
Joined: Thu Sep 18, 2014 2:08 am

Re: Security Concerns on Windows

Postby Kostas » Tue Apr 21, 2015 8:31 am

Hi,

We've just released a new beta for SyncBack Touch v1.0.23.0 which allows setting the user account/password during installation.

http://www.2brightsparks.com/assets/sof ... _Setup.exe

You will need to run the installer via command line, e.g: SyncBackTouch_Setup.exe /ServAccName="machine\username" /ServAccPass="password"

Options:

/ServAccName="machine\username"

This is the Windows user account that SyncBack Touch should use for the Windows service. If this isn't specified then SyncBack Touch will use the System account. This is optional. For local user names, the user account name can be also set as ".\username"

/ServAccPass="password"

This is the password for the Windows user account that SyncBack Touch should use for the Windows service.

Thanks,
Kostas
[2bs]

student
Newbie
Posts: 4
Joined: Fri Nov 13, 2015 3:32 am

Re: Security Concerns on Windows

Postby student » Fri Nov 13, 2015 3:43 am

I agree entirely with JohnBates's security concerns. Default open access to the root directory is asking for trouble.

Also, as the file server is running as a service (I understand there are reasons for this), it runs automatically at startup and is more complicated to turn off. Consequently, there is poorer control and awareness over whether the service is running or not. Furthermore, there is no option to limit the file server to a certain drive or directory.

A better alternative would be an application that turns on and off the service at user request. Some of the documentation refers to a stand-alone (zipped) version of SyncBack Touch. Where can I download this? I am willing to sacrifice the benefits of the service for an application I can open and shut down as required.

I love SyncBack and am a Pro licence holder, but very concerned about the power and safety of Touch. At the moment, I will either uninstall it or run manually/force close the service after use.

wnyhiker
Newbie
Posts: 9
Joined: Wed Dec 23, 2015 1:16 pm

Re: Security Concerns on Windows

Postby wnyhiker » Tue Dec 29, 2015 1:25 pm

Does this security issue also apply to a home computer on a home network? In other words, does installation create a security hole for people outside the home network, or is it only a problem for a "server"?

student
Newbie
Posts: 4
Joined: Fri Nov 13, 2015 3:32 am

Re: Security Concerns on Windows

Postby student » Tue Dec 29, 2015 10:31 pm

It would depend upon your firewall settings and the nature of the network to which you are connected. If you were on a trusted home network that was protected from the internet by a router firewall (such as a NAT firewall) and from local intrusion by a WPA2-protected wireless network, then the risk of any harm is small. If your home network was compromised by a virus/trojan/poorly configured router firewall, this protection would be lost.

The point is that this is something reasonably easy to fix. Most file sharing software allocates a particular directory to share by default. Additional directories can be added as required. This is better than sharing the root directory (which includes all system files, etc.) by default.

Secondly, there should be an easier option to turn on and off the SyncBack Touch service as needed. At present, this can be achieved in Windows using "Services". The SyncBack Touch service startup can be changed from automatic (i.e. on Windows startup) to manual. Then whenever you perform a sync, "Services" can be opened and the SyncBack Touch service manually started before sync and then stopped after sync.

Using the password facility described by Kostas is also very important and will mitigate much of the risk. That said, unless the password is very very strong, starting and stopping the service as needed and limiting access to important system files (unless this is required for backup) is the best form of protection.
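The mitigations student describes (manual startup, a firewall in front of the service, not leaving the default open) can be checked in one place. The following PowerShell script is an added example, not code from 2BrightSparks or from any poster in this thread. It assumes the service is named SyncBackTouch and listens on TCP 8080, as stated earlier in the thread, and that it runs elevated on Windows 8/Server 2012 or later (the NetSecurity cmdlets it uses are not available on older versions).

```powershell
# Added example: audit the SyncBack Touch exposure discussed in this thread,
# and with -Harden apply the two mitigations a defender can make without
# touching the product: Manual startup and a firewall rule scoped to the LAN.
# Assumptions: service name SyncBackTouch, default port 8080. Run elevated.
param(
    [string]$ServiceName = 'SyncBackTouch',
    [int]$Port = 8080,
    [switch]$Harden   # report only unless this switch is given
)

$findings = @()

# 1. Is the service installed, and how does it start and as whom?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) {
    Write-Host "Service $ServiceName is not installed; nothing to audit."
    return
}
if ($svc.StartMode -eq 'Auto') {
    $findings += "Service starts automatically at boot (thread recommends Manual)."
}
if ($svc.StartName -eq 'LocalSystem') {
    $findings += "Service runs as LocalSystem, i.e. with full filesystem access " +
                 "(a dedicated account is possible, with the VSS caveat Kostas gave)."
}

# 2. Is the port listening on every interface rather than only locally?
$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    if ($l.LocalAddress -in @('0.0.0.0', '::')) {
        $findings += "TCP $Port is listening on all interfaces ($($l.LocalAddress))."
    }
}

# 3. Does an enabled inbound allow rule open the port to any remote address?
$rules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$Port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
foreach ($r in $rules) {
    $remote = ($r | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') {
        $findings += "Firewall rule '$($r.DisplayName)' allows inbound TCP $Port from Any."
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No exposure findings for $ServiceName."
} else {
    Write-Host "Findings for ${ServiceName}:"
    $findings | ForEach-Object { Write-Host " - $_" }
}

if ($Harden) {
    # Start only when the user asks (then use Services or a script to start it).
    Set-Service -Name $ServiceName -StartupType Manual
    # Replace any-source allow rules with one limited to the local subnet.
    foreach ($r in $rules) { Disable-NetFirewallRule -Name $r.Name }
    New-NetFirewallRule -DisplayName 'SyncBack Touch (LAN only)' -Direction Inbound `
        -Protocol TCP -LocalPort $Port -RemoteAddress LocalSubnet -Action Allow | Out-Null
    Write-Host "Hardening applied: startup set to Manual; inbound TCP $Port limited to LocalSubnet."
}
```

Scoping the firewall rule to LocalSubnet does not replace a Touch password; it only limits who can reach the port, which is the layer student's router/WPA2 reasoning relies on. Setting the password (per Kostas's /Password installer parameter) still covers anyone already on the LAN.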

wnyhiker
Newbie
Posts: 9
Joined: Wed Dec 23, 2015 1:16 pm

Re: Security Concerns on Windows

Postby wnyhiker » Thu Dec 31, 2015 3:02 pm

Thanks for clarifying that for me.

student
Newbie
Posts: 4
Joined: Fri Nov 13, 2015 3:32 am

Re: Security Concerns on Windows

Postby student » Tue Jul 12, 2016 1:15 am

I thought I'd add a solution that I've just instituted to improve the security of SyncBack Touch on Windows. SyncBack Touch runs as a Windows service, which enables access to all of the files on your Windows PC all of the time. Unless you have set up a SyncBack Touch password or firewall, this is a security risk when you are on public networks or if your home network is compromised.

To mitigate the risk, I have set up a quick system that enables me to start and stop the SyncBack Touch service manually whenever I need to run a sync. This can be done in the Services panel manually, but I wanted to use batch files to do this more quickly and with fewer clicks. I link to the batch files in my application launcher and so can start and stop the SyncBack Touch service with a few keystrokes.

(1) Disable automatic startup of SyncBackTouch Service:
  • Open up the Windows Start Screen or Start Menu, type in services.msc and hit the Enter key to bring up the Services panel.
  • Find the SyncBack Touch service (named SyncBackTouch), right-click it and then left-click Properties.
  • In the Properties menu, change Startup type from "automatic" to "manual".
(2) Create batch file to start the SyncBack Touch Service:
  • General overview of creating an empty batch file.
  • We use these command line parameters for starting and stopping services from Microsoft.
  • The batch file needs to be run as an administrator to work. I used this script to raise a UAC prompt so that the batch file can run as an administrator.
  • Following these instructions, I created a batch file with the following code to start the SyncBack Touch service whenever I want to sync:

    @echo off
    :: BatchGotAdmin (Run as Admin code starts)
    REM --> Check for permissions
    >nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"
    REM --> If error flag set, we do not have admin.
    if '%errorlevel%' NEQ '0' (
    echo Requesting administrative privileges...
    goto UACPrompt
    ) else ( goto gotAdmin )
    :UACPrompt
    echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
    echo UAC.ShellExecute "%~s0", "", "", "runas", 1 >> "%temp%\getadmin.vbs"
    "%temp%\getadmin.vbs"
    exit /B
    :gotAdmin
    if exist "%temp%\getadmin.vbs" ( del "%temp%\getadmin.vbs" )
    pushd "%CD%"
    CD /D "%~dp0"
    :: BatchGotAdmin (Run as Admin code ends)
    :: Your codes should start from the following line

    net start SyncBackTouch
(3) Create batch file to stop the SyncBack Touch Service:
  • Similar to step 2, I created a batch file with the following code to stop the SyncBack Touch service whenever I have finished syncing:

    @echo off
    :: BatchGotAdmin (Run as Admin code starts)
    REM --> Check for permissions
    >nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"
    REM --> If error flag set, we do not have admin.
    if '%errorlevel%' NEQ '0' (
    echo Requesting administrative privileges...
    goto UACPrompt
    ) else ( goto gotAdmin )
    :UACPrompt
    echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
    echo UAC.ShellExecute "%~s0", "", "", "runas", 1 >> "%temp%\getadmin.vbs"
    "%temp%\getadmin.vbs"
    exit /B
    :gotAdmin
    if exist "%temp%\getadmin.vbs" ( del "%temp%\getadmin.vbs" )
    pushd "%CD%"
    CD /D "%~dp0"
    :: BatchGotAdmin (Run as Admin code ends)
    :: Your codes should start from the following line

    net stop SyncBackTouch
(4) Create shortcuts to the batch files:
  • You can put shortcuts on your desktop or start menu for easy access.
  • If you are using an application launcher, you can point it to the batch files for quick access.
Any feedback or easier solutions appreciated. To me, SyncBack Touch is a very handy way of syncing over a network, but the use of a Windows service without a frontend makes it very cumbersome to manage.
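The two batch files above differ only in their last line, and most of each file is the BatchGotAdmin self-elevation trick (probing with cacls, then writing a temporary VBScript to trigger the UAC prompt). The following PowerShell script is an added example, not the poster's batch files and not 2BrightSparks code: it does the same job in one file, relaunching itself elevated through Start-Process -Verb RunAs instead of a temporary VBScript, and waits until the service actually reaches the requested state. It assumes the service name SyncBackTouch as given in step 1 and that the script is saved as a .ps1 file (the $PSCommandPath it uses to relaunch itself is empty when the code is pasted into an interactive console).

```powershell
# Added example: start or stop the SyncBackTouch service on demand, elevating
# via the UAC prompt when needed. Save as Toggle-SyncBackTouch.ps1 and point
# shortcuts or an application launcher at, for example:
#   powershell.exe -NoProfile -File Toggle-SyncBackTouch.ps1 -Action Start
# Assumption: the service is named SyncBackTouch, as stated in step (1) above.
param(
    [Parameter(Mandatory)]
    [ValidateSet('Start', 'Stop', 'Status')]
    [string]$Action,
    [string]$ServiceName = 'SyncBackTouch'
)

function Test-IsAdmin {
    # Same question the batch file asks with cacls, answered via the token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Only starting/stopping needs elevation; reading the status does not.
if ($Action -ne 'Status' -and -not (Test-IsAdmin)) {
    $argList = @(
        '-NoProfile', '-ExecutionPolicy', 'Bypass',
        '-File', "`"$PSCommandPath`"",
        '-Action', $Action, '-ServiceName', $ServiceName
    )
    # RunAs shows the UAC prompt, as the batch file's getadmin.vbs did.
    Start-Process -FilePath 'powershell.exe' -ArgumentList $argList -Verb RunAs
    exit
}

$svc = Get-Service -Name $ServiceName -ErrorAction Stop
$timeout = [TimeSpan]::FromSeconds(30)

switch ($Action) {
    'Start' {
        if ($svc.Status -ne 'Running') { Start-Service -Name $ServiceName }
        $svc.WaitForStatus('Running', $timeout)   # throws if it never comes up
    }
    'Stop' {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $ServiceName }
        $svc.WaitForStatus('Stopped', $timeout)   # throws if it never stops
    }
}

$svc.Refresh()
Write-Host ('{0}: {1} (startup type: {2})' -f $ServiceName, $svc.Status, $svc.StartType)
```

Because the script checks the startup type as well as the running state, the Status action also tells you whether step (1) (switching to Manual) is still in effect after a product update.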

Kostas
2BrightSparks Staff
Posts: 432
Joined: Thu Sep 18, 2014 2:08 am

Re: Security Concerns on Windows

Postby Kostas » Tue Jul 12, 2016 7:04 am

Hi,

Thank you for the feedback.

At this moment SyncBack Touch for Windows doesn't offer any facility for starting/stopping the service and the only way to do so is manually, as you've described (via Services applet or command line).

We think that one of the advantages of Touch for Windows as a service is that it can be available anytime to give the user a hassle-free experience when using SyncBackPro/SE with Touch.

SyncBack Touch uses a proprietary interface for its communication protocol, plus all data transmission is encrypted, so it is highly unlikely that anyone can connect to it unless using SyncBackPro/SE. If a user wants to make sure that no one else connects to SyncBack Touch, then he/she can configure it in three different ways in regards to authentication:

1) It can be configured to simply accept a user-defined password, during installation or afterwards. SyncBack will connect to the device and provide that password. If the password is correct then it can use the device. This is the default (with an empty password) and is ideal for home use and is available to both SyncBackSE and SyncBackPro.

2) It can be configured to connect to a remote SyncBack Management Service and verify that the username and password supplied by SyncBack is correct. This is ideal for business/enterprise use as the usernames and passwords are centrally managed. SyncBackSE cannot use this option.

3) SyncBack Touch can be installed to allow impersonation. This means SyncBackPro connects using the usernames and passwords of Windows accounts on the computer SyncBack Touch is running on. This is also ideal for business/enterprise use as the usernames and passwords are the same Windows usernames and passwords that are already used by users on their Windows computers. This also adds an extra layer of security because when SyncBackPro connects to Touch then they only have access to the files and folders on the Touch device that Windows allows them access to. SyncBackSE cannot use this option.

Thanks,
Kostas
[2bs]

student
Newbie
Posts: 4
Joined: Fri Nov 13, 2015 3:32 am

Re: Security Concerns on Windows

Postby student » Tue Jul 12, 2016 7:25 am

Thanks Kostas. From your post and the documentation, it's clear that there is a secure way to use SyncBack Touch.

The key issue is that the default settings (no password, root drive access) are not secure. Many users will not be familiar with running a program with command line parameters, so will be left with an insecure setup (and not aware of it).

Perhaps some consideration could be given to randomly generating a strong password on "standard" (i.e. non-business or enterprise) installation and asking the user to copy this down for later use in SyncBack Pro. The wizard in SyncBack Pro could then prompt for the password by default.

As it stands, it's only a matter of time before someone exploits the weak default settings (although I accept that other barriers exist, such as the proprietary protocol, etc.). At the very least, some warning about ensuring a secure installation in the post-installation readme might be helpful.

Kostas
2BrightSparks Staff
Posts: 432
Joined: Thu Sep 18, 2014 2:08 am

Re: Security Concerns on Windows

Postby Kostas » Tue Jul 12, 2016 9:21 am

Thank you for your suggestion. We'll put some thought on it and see what we can do about it. 8)

Kostas
[2bs]
