Sharing files with SMB protocol and cryptography

File Sharing on Windows Networks

The original LAN Manager and the resulting Server Message Block (SMB) protocol became practically the standard for file and printer sharing on local networks. Unfortunately, backward compatibility means one thing: despite the changes the protocol has undergone, its worst features can still be used. Apart from the security problems related to the protection of user accounts (covered in the article dealing with authentication), the main problem is the protection of integrity and confidentiality, which was solved only in recent versions.

File and printer sharing

Of course, the first versions of operating systems needed to start communicating with the surrounding systems, and network interfaces made it possible to share data within organizations. In environments built on technologies from IBM, Intel and Microsoft, this was done with the Server Message Block[3] protocol. It has been with us since 1986. Unfortunately, its original version no longer meets current security requirements, yet it is still used massively today. This applies to its obsolete login technologies, to permission allocation, and to the requirements for protecting the integrity and confidentiality of data. In addition, the original version of the protocol allowed transport over NetBIOS, which is by no means famous for its security. For simplicity, the table below gives an overview of all existing versions of the protocol, the communication ports used, the supported operating systems and other details. Among the important ones is the already mentioned cryptographic protection of the transferred data against being read or modified by an unauthorized person. All these settings must be adhered to on the widespread systems, whether Apple macOS[1], Linux with Samba[2] or the already mentioned Microsoft[3] (sorted alphabetically). However, despite all efforts, there is one more important issue to consider: the authentication mechanisms used in file sharing vary, and different versions of these protocols support different login procedures. This topic is covered in another article.

Protocols, operating systems and features

SMB 1.0 (1983)
Primary protocol:
- MS-DOS 3.1 + Microsoft Network Client (1985)
- OS/2 1.2 (1988)
- Windows for Workgroups 3.1 (1992)
- Windows 3.11 for Workgroups (1993)
- Windows NT 3.1 (1993)
- Windows NT 3.5 (1994)
- Windows NT 3.51 (1995)
- Windows 95 (1995)
- Windows NT 4.0 (1996)
- Windows 98 (1998)
- Windows ME (2000)
- Windows 2000 (2000)
- Windows XP (2001)
- Windows Server 2003 (2003)
- Linux kernel 2.6 (2003)
- Linux Samba 1.x (1992)
- Mac OS X 10.0 (Cheetah, 2001)
Backup protocol, enabled:
- Windows Vista (2006)
- Windows Server 2008 (2008)
- Windows 7 (2009)
- Windows Server 2008 R2 (2009)
- Windows 8 (2012)
- Windows Server 2012 (2012)
- Windows 8.1 (2013)
- Windows Server 2012 R2 (2013)
- Windows 10 (2015)
- Linux Samba 4.11 (2019)
- Mac OS X 10.9 (Mavericks, 2013)
Backup protocol, disabled:
- Windows 10 build 1709 (October 2017)
- Windows 10 build 1803 (April 2018)
- Windows Server 2016 (2016)
- Windows Server 2019 (2018)
- Windows 11 (2021)
- Windows Server 2021 (2022)
- Linux Samba 4.11 (2019)
Features:
- Basic File and Printer Sharing
- NetBIOS Dependency
- Limited Performance
- Small Buffer Size
- No Native Encryption
- Opportunistic Locking
- Limited file size up to 2 GB (32-bit)
- Support for remote copy
- Support for transaction mechanisms
- Support for LAN only

CIFS (1996)
Primary protocol:
- Windows NT 4.0 (1996)
- Windows 98 (1998)
- Windows ME (2000)
- Windows 2000 (2000)
- Windows XP (2001)
- Windows Server 2003 (2003)
- Linux kernel 2.6 (2003)
- Linux Samba 1.x (1992)
- Mac OS X 10.0 (Cheetah, 2001)
Backup protocol, enabled:
- Windows Vista (2006)
- Windows Server 2008 (2008)
- Windows 7 (2009)
- Windows Server 2008 R2 (2009)
- Windows 8 (2012)
- Windows Server 2012 (2012)
- Windows 8.1 (2013)
- Windows Server 2012 R2 (2013)
- Windows 10 (2015)
- Linux Samba 4.11 (2019)
- Mac OS X 10.9 (Mavericks, 2013)
Backup protocol, disabled:
- Windows 10 build 1709 (October 2017)
- Windows 10 build 1803 (April 2018)
- Windows Server 2016 (2016)
- Windows Server 2019 (2018)
- Windows 11 (2021)
- Linux Samba 4.11 (2019)
Features:
- Better support for TCP
- Files bigger than 2 GB (64-bit filesystem)
- Support for symbolic links
- Support for hard links
- Support for WAN

SMB 2.0.1 (2006)
Primary protocol:
- Windows Server 2008 (2008)
- Windows Vista (2006)
- Windows Server 2008 R2 (2009)
- Linux kernel 3.7 (2012)
- Linux Samba 3.6 (2011)
- Mac OS X 10.0 (Mavericks, 2013)
Backup protocol, enabled:
- Windows 7 (2009)
- Windows Server 2008 R2 (2009)
- Windows 8 (2012)
- Windows Server 2012 (2012)
- Windows 8.1 (2013)
- Windows Server 2012 R2 (2013)
- Windows 10 (2015)
- Windows Server 2016 (2016)
- Windows Server 2019 (2018)
- Windows 11 (2021)
- Windows Server 2021 (2022)
- Linux Samba 4.11 (2019)
- Mac OS X 10.10 (Yosemite, 2014)
Backup protocol, disabled:
Features:
- Reduced Commands
- Larger Buffer Size
- Compound Requests
- Pipelining
- Durable Handles
- Improved Opportunistic Locking
- Connection Multichannel

SMB 2.1 (2009)
Primary protocol:
- Windows 7 (2009)
- Windows Server 2008 R2 (2009)
- Windows 8 (2012)
- Windows Server 2012 (2012)
- Windows 8.1 (2013)
- Windows Server 2012 R2 (2013)
- Windows 10 (2015)
- Linux kernel 3.12 (2013)
- Linux Samba 4.0 (2012)
- Mac OS X 10.10 (Mavericks, 2013)
Backup protocol, enabled:
- Windows Server 2016 (2016)
- Windows Server 2019 (2018)
- Windows 11 (2021)
- Windows Server 2021 (2022)
- Linux Samba 4.11 (2019)
- Mac OS X 10.10 (Yosemite, 2014)
Backup protocol, disabled:
Features:
- Improved Read/Write Performance
- Request Leasing
- Large MTU Support

SMB 3.0 (2012)
Primary protocol:
- Windows 8 (2012)
- Windows Server 2012 (2012)
- Windows 8.1 (2013)
- Windows Server 2012 R2 (2013)
- Windows 10 (2015)
- Windows Server 2016 (2016)
- Windows Server 2019 (2018)
- Windows 11 (2021)
- Windows Server 2021 (2022)
- Linux kernel 3.12/4.0 (2013/2015)
- Linux Samba 4.2 (2015)
- Mac OS X 10.10 (Yosemite, 2014)
Backup protocol, enabled:
Backup protocol, disabled:
Features:
- End-to-End Encryption
- SMB Multichannel
- SMB Transparent Failover
- SMB Direct (RDMA)
- VSS for SMB
- Scale-Out File Shares

SMB 3.0.2 (2013)
Primary protocol:
- Windows 8.1 (2013)
- Windows Server 2012 R2 (2013)
- Windows 10 (2015)
- Windows Server 2016 (2016)
- Windows Server 2019 (2018)
- Windows 11 (2021)
- Windows Server 2021 (2022)
- Linux kernel 4.13 (2017)
- Linux Samba 4.9 (2018)
- Mac OS X 10.10 (Sierra, 2016)
Backup protocol, enabled:
Backup protocol, disabled:
Features:
- Refined Transparent Failover
- SMB Encryption Performance

SMB 3.1.1 (2016)
Primary protocol:
- Windows 10 (2015)
- Windows Server 2016 (2016)
- Windows Server 2019 (2018)
- Windows 11 (2021)
- Windows Server 2021 (2022)
- Linux kernel 4.18 (2018)
- Linux Samba 4.11 (2019)
- Mac OS X 10.10 (High Sierra, 2017)
Backup protocol, enabled:
Backup protocol, disabled:
Features:
- Pre-authentication Integrity (SHA512)
- Enhanced Encryption
- Improved Performance
- Cluster Dialect Fencing
- Secure Negotiation

Communication and Security

The listed file sharing services communicate over specific ports. In addition, the table shows the support each version provides for encryption (confidentiality) and integrity. The latest version of the SMB protocol also protects the login process using SHA-512; this is listed among the properties of the given protocols in the previous table.

Protocols, communication ports, confidentiality and integrity

SMB 1.0 (1983)
Communication ports:
NetBIOS:
- 137/udp, 137/tcp (NameService)
- 138/udp (Datagram Distribution)
- 139/tcp (Session Service)
Server Message Block (since Windows 2000):
- 445/tcp
Confidentiality: N/A
Integrity: N/A

CIFS (1996)
Communication ports:
NetBIOS:
- 137/udp, 137/tcp (NameService)
- 138/udp (Datagram Distribution)
- 139/tcp (Session Service)
Server Message Block (since Windows 2000):
- 445/tcp
Confidentiality: N/A
Integrity: MD5 (optional)

SMB 2.0.1 (2006)
Communication ports:
Server Message Block:
- 445/tcp
Confidentiality: N/A
Integrity: HMAC-SHA256

SMB 2.1 (2009)
Communication ports:
Server Message Block:
- 445/tcp
Confidentiality: N/A
Integrity: HMAC-SHA256

SMB 3.0 (2012)
Communication ports:
Server Message Block:
- 445/tcp
Confidentiality: AES-CCM-128
Integrity: AES-CMAC-128

SMB 3.0.2 (2013)
Communication ports:
Server Message Block:
- 445/tcp
Confidentiality: AES-CCM-128
Integrity: AES-CMAC-128

SMB 3.1.1 (2016)
Communication ports:
Server Message Block:
- 445/tcp
Confidentiality: AES-CMAC-128
Integrity: AES-GCM-128

Setting selection and support for protocols

As mentioned above, it is important to get rid of obsolete protocols that create a security risk. Before removing them, the first step is to determine the current state and verify whether removing them will cause further damage. For this reason, the following sections list, for each platform and protocol, how to determine its state, how to disable or enable it, and how to collect information about its use.


Platform Apple macOS

You can use /Applications/Utilities/Console.app to browse the logs and filter for the strings "SMB", "smbd" or "protocol". Alternatively, you can use the command:
log show --predicate 'process == "smbd"' --info

Protocol: Apple macOS - NetBIOS
Detection: cat /etc/nsmb.conf | grep -i port445
Enabling: /etc/nsmb.conf
port445=normal #(enable NetBIOS)
port445=netbios_only #(require NetBIOS, for SMB1)
Disabling: /etc/nsmb.conf
port445=no_netbios #(disable NetBIOS)

Protocol: Apple macOS - SMB
Detection: cat /etc/nsmb.conf | grep -i proto | grep -i map
Enabling: /etc/nsmb.conf
protocol_vers_map=7 # (111 SMB 3+2+1)
# protocol_vers_map=5 # (101 SMB 3+1)
# protocol_vers_map=3 # (011 SMB 2+1)
# protocol_vers_map=1 # (001 SMB 1)
Disabling: /etc/nsmb.conf
protocol_vers_map=6 # (110 SMB 3+2)
# protocol_vers_map=4 # (100 SMB 3)
# protocol_vers_map=2 # (010 SMB 2)

Protocol: Apple macOS - SMB preference
Detection: cat /etc/nsmb.conf | grep -i smb | grep -i neg
Enabling: /etc/nsmb.conf
smb_neg=normal #(enable SMB1 and SMB2)
smb_neg=smb1_only #(require SMB1)
Disabling: /etc/nsmb.conf
smb_neg=smb2_only #(require SMB, disable NetBIOS)

Platform Linux, system environment (mount)

The original implementation of SMB mounting, written for kernel 2.6, appeared in 2003. By that time the first versions of CIFS were available, and other versions followed. For this reason there was a temporary difference in behavior: some old systems distinguished between CIFS, SMB and SMB2, so the corresponding command had to be used. This is now handled by the version parameter (vers), which can be used for both CIFS and SMB. To some extent, these protocols are now system-wide. However, it is still possible to encounter implementations that do not allow a version to be specified.

mount -t cifs //server/share /mnt/point -o vers=3.1.1,username=user,password=password
mount.cifs //server/share /mnt/point -o vers=3.1.1,username=user,password=password

mount -t smbfs //server/share /mnt/point -o vers=3.1.1,username=user,password=password
mount.smb2 //server/share /mnt/point -o vers=3.1.1,username=user,password=password
mount.smb3 //server/share /mnt/point -o vers=3.1.1,username=user,password=password
smbmount //server/share /mnt/point -o vers=3.1.1,username=user,password=password


Platform Linux, application Samba

Logs: The Samba server logs are usually located at /var/log/smbd.log or in /var/log/samba/. These files can be filtered to obtain the corresponding information, e.g.:
cat /var/log/smbd.log | grep "protocol\|version"

Protocol: Linux Samba NetBIOS
Detection: cat /etc/smb.conf | grep -i netbios
Enabling: /etc/smb.conf
disable netbios = no
Disabling: /etc/smb.conf
disable netbios = yes

Protocol: Linux Samba SMB1
Detection: cat /etc/smb.conf | grep -i client | grep -i proto
Enabling: /etc/smb.conf
client min protocol = CORE
client max protocol = SMB3
Disabling: /etc/smb.conf
client min protocol = SMB2_02
client max protocol = SMB3
Protocol keywords (the same for both settings):
# CORE: Earliest version, without the concept of user names.
# COREPLUS: Slight improvements on CORE for efficiency.
# LANMAN1: Long filename support.
# LANMAN2: Updates to Lanman1 protocol.
# NT1: Windows NT 4.0 CIFS Protocol.
# SMB2: SMB2 by default selects the SMB2_10 variant.
# SMB2_02: Windows Vista SMB2 version.
# SMB2_10: Windows 7 SMB2 version.
# SMB3: SMB3 by default selects the SMB3_11 variant.
# SMB3_00: Windows 8 SMB3 version.
# SMB3_02: Windows 8.1 SMB3 version.
# SMB3_11: Windows 10 SMB3 version.
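
The macOS (/etc/nsmb.conf) and Samba (smb.conf) detection steps above can be combined into one check that reports whether SMB1 and NetBIOS are still permitted. The following Python code is an added example, not code from the article or from Apple or Samba. It assumes the file content is passed in as text, ignores section headers, and also reads "server min protocol", a Samba parameter the article does not show; the function names and sample files are constructed for illustration.

```python
import re

# Samba dialect keywords, oldest to newest, in the order the article lists them.
SAMBA_DIALECTS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
                  "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
# Per the article's comments: SMB2 selects SMB2_10, SMB3 selects SMB3_11.
SAMBA_ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}
SAMBA_TRUE = {"yes", "true", "1", "on"}


def parse_settings(text):
    """Flatten 'key = value' lines into a dict (sections ignored, last value wins).

    Keys are lower-cased with whitespace removed, because Samba treats
    'client min protocol' and 'ClientMinProtocol' as the same parameter.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue                      # blank line, comment, section header
        key, value = line.split("=", 1)
        value = value.split("#", 1)[0].strip()   # drop '#(...)' notes as in the article
        settings[re.sub(r"\s+", "", key).lower()] = value
    return settings


def audit_nsmb(text):
    """Audit macOS nsmb.conf content. None means 'not configured, default applies'."""
    s = parse_settings(text)
    votes = []                            # one True/False per configured setting
    if "protocol_vers_map" in s:
        votes.append(bool(int(s["protocol_vers_map"]) & 0b001))   # bit 0 = SMB1
    if "smb_neg" in s:
        votes.append(s["smb_neg"].lower() != "smb2_only")
    netbios = None
    if "port445" in s:
        netbios = s["port445"].lower() != "no_netbios"
    # Conservative: SMB1 counts as allowed if any configured setting permits it.
    return {"smb1_allowed": any(votes) if votes else None,
            "netbios_allowed": netbios}


def samba_rank(name):
    """Position of a dialect keyword in SAMBA_DIALECTS (ValueError if unknown)."""
    name = name.strip().upper()
    return SAMBA_DIALECTS.index(SAMBA_ALIASES.get(name, name))


def audit_samba(text):
    """Audit smb.conf content. None means 'not configured, default applies'."""
    s = parse_settings(text)
    floor = SAMBA_DIALECTS.index("SMB2_02")      # first dialect that is not SMB1
    votes = [samba_rank(s[k]) < floor
             for k in ("clientminprotocol", "serverminprotocol") if k in s]
    netbios = None
    if "disablenetbios" in s:
        netbios = s["disablenetbios"].lower() not in SAMBA_TRUE
    return {"smb1_allowed": any(votes) if votes else None,
            "netbios_allowed": netbios}


# Constructed sample inputs, built from the settings shown in the article.
NSMB_WEAK = """[default]
port445=normal #(enable NetBIOS)
protocol_vers_map=7 #(111 SMB 3+2+1)
"""
NSMB_HARDENED = """[default]
port445=no_netbios
protocol_vers_map=6 # (110 SMB 3+2)
# protocol_vers_map=1 # (001 SMB 1)
"""
SAMBA_WEAK = """[global]
   disable netbios = no
   client min protocol = CORE
   client max protocol = SMB3
"""
SAMBA_HARDENED = """[global]
   Disable NetBIOS = yes
   client min protocol = SMB2_02
   client max protocol = SMB3
"""

if __name__ == "__main__":
    for label, result in [("nsmb.conf weak", audit_nsmb(NSMB_WEAK)),
                          ("nsmb.conf hardened", audit_nsmb(NSMB_HARDENED)),
                          ("smb.conf weak", audit_samba(SAMBA_WEAK)),
                          ("smb.conf hardened", audit_samba(SAMBA_HARDENED))]:
        print(label, result)
```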

Platform Microsoft Windows

When you start the Event Viewer (eventvwr.msc), you can find connection information in the menu Applications and Services Logs > Microsoft > Windows > SMBClient or SMBServer.
SMB Client logs (client connection) and SMB Server logs (server connection) contain connection information and SMB versions used.
- Event ID 3000 - SMB version used for connection
- Event ID 31013 - incompatible SMB version

SMB1

Protocol: Windows SMB1 - Audit by PowerShell
Detection: Get-SmbServerConfiguration | Select AuditSmb1Access
Enabling: Set-SmbServerConfiguration -AuditSmb1Access $true
Disabling: Set-SmbServerConfiguration -AuditSmb1Access $false

Protocol: Windows SMB1 - client commands in CMD shell
Detection: sc.exe qc lanmanworkstation
Enabling:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb10 start= auto
Disabling:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

Protocol: Windows SMB1 - Group Policy on Client
Detection: N/A
Enabling:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb10
Start REG_DWORD: 1 = Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation
DependOnService REG_MULTI_SZ: "Bowser","MRxSmb20","NSI"
Disabling:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb10
Start REG_DWORD: 4 = Disabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation
DependOnService REG_MULTI_SZ: "Bowser","MRxSmb20","NSI"

Protocol: Windows SMB1 - Group Policy on Server
Detection: N/A
Enabling:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
SMB1 REG_DWORD: 1 = Enabled
Disabling:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
SMB1 REG_DWORD: 0 = Disabled

Protocol: Windows SMB1 - PowerShell
Detection: Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Enabling: Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Disabling: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

Protocol: Windows SMB1 - server PowerShell commands
Detection: Get-SmbServerConfiguration | Select EnableSMB1Protocol
Enabling: Set-SmbServerConfiguration -EnableSMB1Protocol $true
Disabling: Set-SmbServerConfiguration -EnableSMB1Protocol $false

Protocol: Windows SMB1 - server PowerShell commands with Registry keys
Detection: Get-Item HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}
Enabling: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force
Disabling: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

SMB2

Protocol: Windows SMB2 - client commands in CMD shell
Detection: sc.exe qc lanmanworkstation
Enabling:
Disabling:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi
sc.exe config mrxsmb20 start= disabled

Protocol: Windows SMB2 - server PowerShell commands
Detection: Get-SmbServerConfiguration | Select EnableSMB2Protocol
Enabling: Set-SmbServerConfiguration -EnableSMB2Protocol $true
Disabling: Set-SmbServerConfiguration -EnableSMB2Protocol $false

Protocol: Windows SMB2 - server PowerShell commands with Registry keys
Detection: Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}
Enabling: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 -Force
Disabling: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 0 -Force

SMB3

SMBv2 and SMBv3 share the same protocol stack in Windows, so the commands and settings are the same as for SMB2.

Protocol: Windows SMB3 - client commands in CMD shell
Detection: sc.exe qc lanmanworkstation
Enabling:
Disabling:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi
sc.exe config mrxsmb20 start= disabled

Protocol: Windows SMB3 - server PowerShell commands
Detection: Get-SmbServerConfiguration | Select EnableSMB2Protocol
Enabling: Set-SmbServerConfiguration -EnableSMB2Protocol $true
Disabling: Set-SmbServerConfiguration -EnableSMB2Protocol $false

Protocol: Windows SMB3 - server PowerShell commands with Registry keys
Detection: Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}
Enabling: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 -Force
Disabling: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 0 -Force
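
The client detection command used for SMB1, SMB2 and SMB3 above, sc.exe qc lanmanworkstation, only prints the service configuration; the relevant part is the DEPENDENCIES list, read together with the start type of the driver itself. The following Python code is an added example, not code from the article or from Microsoft. It assumes the output of sc.exe qc lanmanworkstation and of sc.exe qc for the driver (mrxsmb10 or mrxsmb20) has been saved as text; the sample outputs are constructed and abridged, and the function names are hypothetical.

```python
import re

START_CODES = {0: "BOOT", 1: "SYSTEM", 2: "AUTO", 3: "DEMAND", 4: "DISABLED"}


def parse_sc_qc(output):
    """Parse 'sc.exe qc <service>' output into {FIELD: [values]}.

    A line with an empty field name before the colon continues the previous
    field; sc.exe prints each additional DEPENDENCIES entry that way.
    """
    fields, current = {}, None
    for line in output.splitlines():
        m = re.match(r"\s*([A-Z_]*)\s*:\s*(.*)$", line)
        if not m:
            continue                      # banner, blank line or error text
        name, value = m.group(1), m.group(2).strip()
        if name:
            current = name
            fields[current] = [value] if value else []
        elif current and value:
            fields[current].append(value)
    return fields


def driver_state(workstation_qc, driver_qc, driver):
    """Combine the Workstation dependency list with the driver's start type."""
    deps = [d.lower() for d in parse_sc_qc(workstation_qc).get("DEPENDENCIES", [])]
    start = parse_sc_qc(driver_qc).get("START_TYPE", [])
    code = int(start[0].split()[0]) if start else None   # None: driver not installed
    is_dep = driver.lower() in deps
    runnable = code is not None and code != 4            # 4 = Disabled, as in the article
    if is_dep and runnable:
        state = "enabled"
    elif not is_dep and not runnable:
        state = "disabled"
    else:
        state = "inconsistent"    # only one of the two paired sc.exe commands applied
    return {"driver": driver, "is_dependency": is_dep,
            "start": START_CODES.get(code, "NOT INSTALLED"), "state": state}


# Constructed, abridged sample outputs (not captured from a real host).
WORKSTATION_QC = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: lanmanworkstation
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Windows\System32\svchost.exe -k NetworkService -p
        DEPENDENCIES       : Bowser
                           : MRxSmb20
                           : NSI
        SERVICE_START_NAME : NT AUTHORITY\NetworkService
"""
MRXSMB10_QC = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: mrxsmb10
        TYPE               : 2  FILE_SYSTEM_DRIVER
        START_TYPE         : 4   DISABLED
        DEPENDENCIES       : mrxsmb
"""
MRXSMB20_QC = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: mrxsmb20
        TYPE               : 2  FILE_SYSTEM_DRIVER
        START_TYPE         : 3   DEMAND_START
        DEPENDENCIES       : mrxsmb
"""
NOT_INSTALLED_QC = """[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.
"""

if __name__ == "__main__":
    print(driver_state(WORKSTATION_QC, MRXSMB10_QC, "MRxSmb10"))
    print(driver_state(WORKSTATION_QC, MRXSMB20_QC, "MRxSmb20"))
```

The "inconsistent" state marks a host where only one command of a pair was run, for example the driver was disabled while the Workstation service still lists it as a dependency.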

Reference:

  1. How to disable SMB or NetBIOS in macOS
    Source: https://www.apple.com/
  2. Linux Samba smb.conf
    Source: https://www.samba.org/
  3. How to detect, enable and disable SMBv1, SMBv2 and SMBv3 in Windows
    Source: https://www.microsoft.com/

Author of the article:

Jan Dušátko

Jan Dušátko has been working with computers and computer security for almost a quarter of a century. In the field of cryptography, he has cooperated with leading experts such as Vlastimil Klíma or Tomáš Rosa. Currently he works as a security consultant; his main focus is on topics related to cryptography, security, e-mail communication and Linux systems.
