You’d be amazed at what you can do with port 80/443 access, so while that is a deterrent, it is not a solution that will make any guarantees that the machines cannot do anything nefarious.

Adding a proxy server in front of the machines with a whitelist of allowed web sites instead of NAT would go further, but at the end of the day you’re still talking about taking a 14 year old operating system that is no longer supported and connecting it to the internet.

--
Andrew Anderson, Director of Development, Library and Information Resources Network, Inc.
http://www.lirn.net/ | http://www.twitter.com/LIRNnotes | http://www.facebook.com/LIRNnotes

On Mar 5, 2014, at 7:20, Michael Bond <[email protected]> wrote:

> Why not set up your XP boxes to use a private network (10.x.x.x or 192.168.x.x) and put them behind a heavily firewalled NAT solution. Could be set up on the network level or with a router and a Linux box running iptables. Lots of ways to do it.
>
> Install and keep updated Firefox or Chrome, lock down the machines so that users don’t have permissions to install anything, and set up a whitelist of programs that are allowed to be run (takes a little bit of work, but it’s very doable. We did this in WVU Libraries on all our machines [500 or so], public and staff, until we got our virtualized desktops in place).
>
> You can’t disallow Internet Explorer from running, but you can limit the websites that it is allowed to visit. You could even go as far as only allowing it to connect to the local host, but likely anything ‘on campus’ would be fine.
>
> I’m assuming you are using some sort of image management solution (Ghost, at the very least). So once you get an image set up it shouldn’t be that bad to maintain and deploy. And if something does become exploited, you can re-image the machine.
>
> Configure the NAT to not allow any traffic to come from that private network other than ports 80 and 443 (and any other legitimate port that you need). That way if a machine does become compromised it can’t do (much) harm outside of your private XP network.
>
> If you need AD authentication you can set that all up in the ACLs for the network as well so that they can only contact a specific authentication server. If you absolutely needed to you could even put an auth server on the same private network that has a trust back to your main auth servers. Put 2 network interfaces in it and it can live on 2 networks so you don’t have to poke a hole through your private network’s ACLs to get back to the main auth servers.
>
> It’s not an ideal situation, but if you can’t afford new machines and you absolutely need to keep your XP machines running there are ways of doing it. But at what point does it become cost prohibitive with your time compared to investing in new hardware?
>
> If you don’t do something though, you’ll be spending all your time rebuilding compromised XP boxes eventually.
>
> Michael Bond
> [email protected]
>
> On Mar 4, 2014, at 4:55 PM, Riley Childs <[email protected]> wrote:
>
>> Not to stomp around, but 1 hour is a LONG time for an unpatched computer, especially when in close proximity to other unpatched computers! DeepFreeze is great, but it is not a long term solution; also, starting next week you will get a nag screen every time you log in telling you about the EOL.
>>
>> Riley Childs
>> Student
>> Asst. Head of IT Services
>> Charlotte United Christian Academy
>> (704) 497-2086
>> RileyChilds.net
>> Sent from my Windows Phone, please excuse mistakes
>> ________________________________
>> From: Benjamin Stewart <mailto:[email protected]>
>> Sent: 3/4/2014 4:46 PM
>> To: [email protected] <mailto:[email protected]>
>> Subject: Re: [CODE4LIB] Windows XP EOL
>>
>> Hello everyone
>>
>> (I have been in IT for 25+ years, K-7 for 15 years and now 10 months UNBC Library)
>>
>> If I worked for an organization that did not have the money to go to either a replacement Win7 or Linux desktop for usability issues:
>>
>> I would contact Faronics and get a deal for educational licenses to install Deepfreeze. Then set up all workstation basic accounts and to reboot if idle for 1 hour (and shut down, start up between set times). Deepfreeze also has a remote console to unfreeze and refreeze for maintenance to the workstation (e.g. browser updates, Flash, Adobe). This in hand with PDQ Deploy/Inventory works very nicely. (Basic version free)
>>
>> Last option would be (not possible for most places) to contact the Dell official lease site via direct or eBay. (There is a Canada and US supplier.)
>>
>> You can buy a nice 780 Dell with Win7 Pro for about $140 with shipping. Some companies like Dell or HP have been known to also donate to non-profits.
>>
>> ~Ben
>>
>> System Administrator
>> Geoffrey R. Weller Library
>> UNBC, BC Canada
>> PH (250) 960-6605
>> [email protected]
>>
>> On 2014-03-04, 11:12 AM, "Ingraham Dwyer, Andy" <[email protected]> wrote:
>>
>>> I would not be surprised if there were black hats out there sitting on exploits they've discovered, waiting until *after* April to release malware that takes advantage of them.
>>>
>>> -A
>>>
>>> Andy Ingraham Dwyer
>>> Infrastructure Specialist
>>> State Library of Ohio
>>> 274 E. 1st Avenue
>>> Columbus, OH 43201
>>> Tel: 614-644-6849
>>> library.ohio.gov
>>>
>>> Please contact my supervisor with any feedback regarding my customer service.
>>>
>>> -----Original Message-----
>>> From: Code for Libraries [mailto:[email protected]] On Behalf Of Justin Coyne
>>> Sent: Saturday, March 01, 2014 8:35 PM
>>> To: [email protected]
>>> Subject: Re: [CODE4LIB] Windows XP EOL
>>>
>>> They won't be a security risk on April 8th, but the first time that MS publishes security patches after that date for newer versions, security researchers will examine the patches. Doing so will give them an idea about how to exploit the problem the patch was for. They will then try to run the exploit on XP and see if it is vulnerable. Eventually they will find an exploit that works against XP.
>>>
>>> Even if you have an AV, people can exploit your machine without using a virus. Is that a risk you want to accept?
>>>
>>> -Justin
>>>
>>> On Sat, Mar 1, 2014 at 4:59 PM, Jimm Wetherbee <[email protected]> wrote:
>>>
>>>> Just because MS won't support XP any more doesn't mean those machines are instantly useless or a security risk come April 8th. We will not be doing anything with our lab computers until Summer because they are too old to run Windows 8 but we cannot do without them.
>>>>
>>>> --jimm
>>>>
>>>> On Sat, Mar 1, 2014 at 5:28 PM, Riley Childs <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>> I wanted to hear how people are dealing with the Windows XP End-of-Life (if anything at all :(
>>>>>
>>>>> Personally I am migrating the computers that can run it to Windows 8 (we ran out of 7 licenses and someone (years ago) bought SA, but that's another story), and when April 7th comes around: throw anything we can't use away (sigh).
>>>>>
>>>>> Riley Childs
>>>>> Student
>>>>> Asst. Head of IT Services
>>>>> Charlotte United Christian Academy
>>>>> (704) 497-2086
>>>>> RileyChilds.net
>>>>> Sent from my Windows Phone, please excuse mistakes
>>>>
>>>> --
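The egress controls Michael Bond describes (XP boxes on a private subnet behind a Linux NAT box, nothing out but ports 80/443, auth traffic pinned to one server) and the whitelist-proxy variant Andrew Anderson suggests in place of open 80/443, written up as an iptables script. This is an added example, not code from the thread or from any of the posters; the subnet, interface names, auth server address, proxy address and proxy port are assumed placeholders that you override in the environment.

```shell
#!/bin/sh
# Egress filter for an isolated XP subnet on a Linux NAT box (added example,
# not from the thread). Every value below is an assumed placeholder; override
# them in the environment, e.g.  XP_NET=10.20.0.0/24 sh xp-egress.sh show
set -eu

XP_NET="${XP_NET:-192.168.50.0/24}"   # assumed private subnet holding the XP boxes
LAN_IF="${LAN_IF:-eth1}"             # assumed interface facing the XP subnet
WAN_IF="${WAN_IF:-eth0}"             # assumed interface toward campus/internet
AUTH_SRV="${AUTH_SRV:-10.0.0.5}"     # assumed AD/auth server (also assumed to serve DNS)
PROXY="${PROXY:-}"                   # optional whitelist proxy; empty = allow 80/443 anywhere
PROXY_PORT="${PROXY_PORT:-3128}"     # assumed proxy listening port

# build_rules prints the iptables commands one per line and runs nothing,
# so the policy can be reviewed (and checked in a test) before it is applied.
build_rules() {
    # Nothing is forwarded unless a rule below allows it.
    echo "iptables -P FORWARD DROP"
    echo "iptables -N XP_EGRESS"
    # Replies to connections the XP boxes opened are allowed back in;
    # nothing else from the WAN side reaches the private subnet.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # New connections leaving the XP subnet are judged by the XP_EGRESS chain.
    echo "iptables -A FORWARD -i $LAN_IF -s $XP_NET -o $WAN_IF -m conntrack --ctstate NEW -j XP_EGRESS"
    # The only host the XP boxes may talk to freely is the auth server.
    echo "iptables -A XP_EGRESS -d $AUTH_SRV -j ACCEPT"
    if [ -n "$PROXY" ]; then
        # Proxy variant: web traffic may go only to the whitelist proxy,
        # so browsers on the XP boxes must be configured to use it.
        echo "iptables -A XP_EGRESS -d $PROXY -p tcp --dport $PROXY_PORT -j ACCEPT"
    else
        # NAT-only variant: plain HTTP/HTTPS to anywhere, nothing else.
        echo "iptables -A XP_EGRESS -p tcp -m multiport --dports 80,443 -j ACCEPT"
    fi
    # Log what gets blocked (rate-limited) so a compromised box trying to
    # reach out on other ports shows up in the NAT box's kernel log.
    echo 'iptables -A XP_EGRESS -m limit --limit 10/min -j LOG --log-prefix "XP_EGRESS_DROP: "'
    echo "iptables -A XP_EGRESS -j DROP"
    # Masquerade the private subnet behind the WAN address.
    echo "iptables -t nat -A POSTROUTING -s $XP_NET -o $WAN_IF -j MASQUERADE"
}

# apply_rules installs the policy; it must run as root on the NAT box.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    # Reset only the chains this script owns.
    iptables -F FORWARD
    iptables -t nat -F POSTROUTING
    iptables -F XP_EGRESS 2>/dev/null || true
    iptables -X XP_EGRESS 2>/dev/null || true
    build_rules | while IFS= read -r cmd; do eval "$cmd"; done
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     build_rules ;;
esac
```

Run it with `show` (the default) to print the rule set for review, and with `apply` as root to install it. The auth server is assumed to be the XP boxes' DNS server as well (the usual case when it is a domain controller); if your resolver is elsewhere, add an ACCEPT for it in the same place as the auth-server rule, otherwise name lookups will fail and show up in the drop log. Setting `PROXY` swaps the open 80/443 rule for one that only reaches the proxy, which is the stricter arrangement Andrew describes.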
