If you disabled windows 10's update service

[[DHT]Osiris]

Theres other technet articles which say explicitly that Win10 is not vulnerable. Because I think SMBv1 was disabled from Win8 onwards. I can't be bothered to find out now since every google hit about smb seems to be about the wannacrypt worm.

If Win10 is patched, its for the better. Microsoft is probably fed up and wants to kill SMBv1 for good.

Just checked a VM i've got of a (mostly) default Win10 installation, SMB1.0 is enabled by default. See this:
https://support.microsoft.com/en-us...r-2008-r2,-windows-8,-and-windows-server-2012
Specifically toward the bottom of that page, it shows how to gracefully disable SMB1 in Win8.1/10, and Server 2012R2/2016.

 

[Red Squirrel]

Probably from backdoors in manufacturer firmware like the recent Asus/Huawei issues. Or poorly customised Telco firmware with backdoors built in, hardcoded passwords, etc to simplify maintenance. Or could just be a simple case of users not knowing how to change the default admin password.

Wouldn't that still require a port to be opened to the outside though, ex: would a port scan not pick that up? Though I guess if it's a backdoor they'd probably make it require port triggering or something so it would be harder to find unless you know to look for it.

Hopefully Pfsense has no backdoors as it's what I use.

 

[Rifter]

At this point i dont even trust SOHO routers, better to get your own hardware and run a good firewall like pfsense or ddwrt, sophos, etc.

Anyone directly connecting a windows pc to the internet deserves what they get.

 

[IronWing]

Just for giggles, assume I'm a moron. I buy a DSL modem/router. The router has the latest firmware. I run Win Defender on every PC. I connect to the router via wireless, I use the MAC filtering on the router. I accept the router defaults for pretty much everything else. I use WPA/WPA2(?) + TKIP, whatever that is. Is this considered "directly connecting" or would direct connecting be using a DSL modem w/o the router?

 

[ch33zw1z]

Standard dsl device like you're saying is more than likely also your router. Firewalls are typically built in, and NAT provides some help.

Change wpa2 to AES.

Your IP is probably something private like 192.168.1.x, and that means you're not directly connected

 

[mindless1]

I'll never do windows updates automated, just apply SP1 and sometimes SP2 to a Windows version all in one go with a partition backup first, unless I have a specific present problem that one addresses. So far I have had no such problems related to security. Chalk it up to NAT, routers running DD-WRT and configured beyond defaults, good habits, browser add-ons, whatever.

The thing is, I am not at high risk. I also don't lock my back door when roaming around my property, but I would if it were high risk not to do so. Heck, right now I have a house window open and godzilla could just climb right in and set everything on fire, lol.

 

[Red Squirrel]

Just for giggles, assume I'm a moron. I buy a DSL modem/router. The router has the latest firmware. I run Win Defender on every PC. I connect to the router via wireless, I use the MAC filtering on the router. I accept the router defaults for pretty much everything else. I use WPA/WPA2(?) + TKIP, whatever that is. Is this considered "directly connecting" or would direct connecting be using a DSL modem w/o the router?

Naw generally you should be safe as they are behind a NAT, but as mentioned some SOHO routers may have backdoors.

NAT is not meant for security but it will have a side effect of offering security as you simply can't connect to anything that's behind it without any port forwarding (or some kind of backdoor in the router), so even a really crappy NAT router is better than nothing.

Just make sure the admin portal is turned off for the WAN interface but I've never run into a router that has it on by default. (but still check!)

You could also run a port scan of your external IP using a separate server/service but keep in mind that a properly crafted backdoor would probably use UDP or port triggering. I'm not sure if it's possible to do reliably do a UDP port scan due to the nature of how it works. You sort of can, but I think a smart backdoor protocol could probably still make the port appear as closed by sending the reject packet if it does not get a specific payload.