That's not how exploits work. Someone has a malicious app on my phone does not mean they necessarily have all of my data and pics, nor does it mean you're completely fucked. The point is to stop the attack chain as early as possible. Seriously, here's a book for you:There are zero open ports to the net on a windows pc behind a firewall. All these ports listening on your private network are irrelevant.
Your entire posts assumes that your network is compromised and someone has access to it, in that case your are completely fucked so who cares of they also have access to your BI pc. Honestly, in your mind you are thinking, oh shit, if someone has control over my cell phone with all my private data and pics, I must work diligently to prevent them from accessing a windows pc on my network??
Even if this is a concern, they can more easily gain access to the Dahua NVR than a windows pc that has been unpatched for years.
Please enlighten me as to how NIST and CISA are incorrect?PS: the print spooler vulnerability CANNOT be executed on a machine that is not already compromised. You are talking about a machine running blue iris, AI and maybe a time server. How is it getting compromised via the print spooler vulnerability.
That's not what I said, I said:Its laughable that you think a dahua NVR is MORE secure. You are talking about a manufacture that IGNORES known vulnerabilities disclosed to it and possibly builds some of them into its code intentionally. Then at the 2 year mark they intentionally stop providing firmware marking the unit EOL....
Please re-read and carefully parse it. Windows has multiple orders of magnitude more code exposed to the internet, it is expected that it will have more vulnerabilities as even as good as Microsoft code quality is, it's not over 100x better.Windows system is incredibly chatty, especially a desktop OS but Server operating systems are not immune, and has far more and more severe vulnerabilities than a Chinese NVR, they're just not necessarily public yet.
Will you please enlighten me how it's insane to perform step 1 to basic Windows security?But if you want to be insane, any windows user can simply allow windows to install updates and it will do so on its own, or you can do so every few months.
Yes you could, but that's still at best mediocre practice. BI and the cameras should be on their own VLANs with a firewall between, this is not the case for an NVR and its cameras as the NVR is already micro-segmented.You can also easily place the BI pc and cams on their own vlan.
Other people make guides to it:That's the beauty of it, YOU as the end user can choose what you want to do with a windows pc. The security updates are available. There is absolute no need to start shutting down services that are running on the other 5 windows machines in the house. That is why there is no guide for it.
"Shocking?" You're kidding, right?It was one of the most shocking things to me when I joined was that looking through the BI guides, there's no guide on how to either segment your network (starting from a principled approach) or secure a Windows system running Blue Iris.
If I wasn't clear, I was refering to IPCamTalk's guides, not Blue Iris (or any other vendor) itself, because I've also had very few guides like that come along, usually from Juniper, Cisco, Microsoft, the really big players and written because they employ PhD's and writing the books is a side job. IPCamTalk is a bunch of user-generated content that really should cover all of those cases though."Shocking?" You're kidding, right?
Since I've been using, buying, building and maintaining personal computers, networks and similar devices beginning in 1973, I don't recall buying a PC, router, modem, switch, PC component, etc. that came with any instructions other than perhaps how to plug it in and turn it on, but certainly no exhaustive "how-to" guide.
I recall on occasions a device would have a reference in it regarding security or application advisories but a guide on "how to segment your network" or "secure a Windows system" ? If there were any, they didn't impress me enough to be of any use or to to be able to recall their existence.
Perhaps that's why there are TONS of "how-to" books and online articles that address that. It's not the duty of a software product's developer to instruct on how to secure your network....that is akin to expecting an automotive aftermarket parts builder of exhaust systems to instruct you on how to drive the car you install their system on.
In other words, you've read the THOUSANDS of pages of this forum, many of which address what you speak of, long BEFORE you joined 5 days ago, you've read those THOUSANDS of pages SINCE you joined 5 days ago OR......you're clairvoyant and know that NONE of what you speak of is addressed in those THOUSANDS of pages in IPCT.If I wasn't clear, I was refering to IPCamTalk's guides, not Blue Iris
If they are addressed, they're not above the fold in any of the stickied posts in the BI section or Cybersecurity section, or IP Cam Talk WikiIn other words, you've read the THOUSANDS of pages of this forum, many of which address what you speak of, long BEFORE you joined 5 days ago, you've read those THOUSANDS of pages SINCE you joined 5 days ago OR......you're clairvoyant and know that NONE of what you speak of is addressed in those THOUSANDS of pages in IPCT.
Which is it?
I got tons of usefull information in between, I am very grateful for this!Excellent discussion.