Re: Protecting no longer supported Windows7

2020-01-15 Thread Alexander V. Makartsev
On 15.01.2020 18:39, The Wanderer wrote:
>
>> It also means Microsoft will now change many downloadable support 
>> packages so they won't run anymore on Windows 7
> Possible, although I wouldn't expect them to bother to go and make
> changes en-masse. It's more likely that they just won't bother to make
> sure that future changes to such packages remain compatible with Windows 7.
It happened before with Windows XP, so I'm expecting this trend will
continue with Windows 7 and Windows 8.x
I know that, because to this day I still have to maintain several
Windows XP hosts for various reasons.

>> and delete TechNet articles about Windows 7,
> Are you sure? I've never seen them do that with previous releases; at
> the least, I'm fairly sure I keep running across Technet articles (and
> other support documents) marked as being for older Windows versions,
> when I'm looking for ones that apply to something newer.
Yes, I'm sure. Windows GUI, Control Panel applets, etc, contain many
URLs that lead to help pages and articles, but when you actually click
on them you will get "Page not found or moved" page from
"*.microsoft.com" domain as a result.
If you will search manually for official documentation you may find it,
but accuracy and completeness of it won't be guaranteed. I've seen too
many TechNet\Microsoft hosted articles with broken URLs to think otherwise.

>
>> and also 3rd party software developers now have rights to deny any
>> support for Windows 7.
> They had that before; it just wasn't a particularly good idea in many
> cases. Some of them will probably start doing this, while others will
> probably continue offering as much support as they did before, at least
> for a good while.
I'm talking mostly about niche software, like banking software, CAD,
Adobe and Microsoft products, anti-virus software, anything that depends
on the Internet, like browsers and email clients, etc and of course,
WHQL driver updates for all kinds of hardware.

>
>> If Windows 7 is unsupported it doesn't mean it will stop functioning,
>> it means, in terms of support and maintenance, you're on your own. It
>> will stay as secure as it is to this day
> Modulo the discovery of new security vulnerabilities, which currently
> exist but aren't yet known about, anyway. So technically true, but
> doesn't mean what it might appear to mean at first glance.
>
> Personally, I'm half-expecting one or more previously unknown zero-day
> vulnerabilities to be revealed and start being actively exploited today,
> now that the only people who will be getting patches for them are the
> ones who have paid extended-support contracts with Microsoft.
Yes, if you agreed to maintain a legacy software you have to understand
all the risks and develop a strong protection scheme along with disaster
recovery backup plan. A configuration of a firewall simply won't be
sufficient.

>> and it doesn't really depend on firewall, if you won't open
>> (port-forward) high risk service ports (like RDP, SMB, etc) to the
>> internet, of course.
> I'm not really sure what you're talking about here. While yes, if you
> wall a Windows 7 computer off from access to the Internet any security
> vulnerabilities it may have will become far closer to irrelevant than
> otherwise be the case, anything short of that will still leave ways by
> which it could get infected (especially assuming less-than-perfect
> security behavior on the part of users) - and the full wall-off would
> most likely be impractical for real-world use.
>
That is because you've omitted the last part of the quote, probably. I'm
assuming OP is having very basic understanding about IT security, so I
tried to warn him about firewall wouldn't be the ultimate solution for
every and all security problems. It will help, but only for some cases.
That said, I think it is impossible to suggest anything more than that
without knowing additional information about OP's current infrastructure.


-- 
With kindest regards, Alexander.

⢀⣴⠾⠻⢶⣦⠀ 
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄ 



Re: Protecting no longer supported Windows7

2020-01-15 Thread John Hasler
Alexander writes:
> It also means Microsoft will now change many downloadable support 
> packages so they won't run anymore on Windows 7

The Wanderer writes:
> Possible, although I wouldn't expect them to bother to go and make
> changes en-masse. It's more likely that they just won't bother to make
> sure that future changes to such packages remain compatible with
> Windows 7.

Which could be much worse than making sure they won't run on 7.
-- 
John Hasler 
jhas...@newsguy.com
Elmwood, WI USA



Re: Protecting no longer supported Windows7

2020-01-15 Thread David Christensen

On 2020-01-15 06:09, Dan Purgert wrote:
> Format and install a Linux distro of your choice.

+1

(That was my first idea, but concluded that the OP only wanted
suggestions for the Debian gateway.)



David





Re: Protecting no longer supported Windows7

2020-01-15 Thread David Christensen

On 2020-01-14 23:35, Klaus Singvogel wrote:
> David Christensen wrote:
>> Configure your firewall to block traffic in both directions between the
>> Windows 7 hosts and the Internet.
>
> Good idea.

https://drboli.wordpress.com/2009/03/06/the-little-dutch-boy-who-saved-holland/

> Additional: block traffic between the Windows 7 hosts, as an infected one
> might infect others.

More putty, please.


David



Re: Protecting no longer supported Windows7

2020-01-15 Thread David Christensen

On 2020-01-14 21:25, john doe wrote:
> Hi,
>
> I have a Debian server serving/doing DHCP/DNS/firewall/..., as of
> today, Microsoft stops supporting Windows7.
>
> Is there anything that I could do to protect those Windows7 hosts
> that are behind this server?
>
> P.S.
>
> For the sake of this question, upgrading to W10 /buying new Windows
> devices is not an option.

On 2020-01-14 22:30, David Christensen wrote:
> Configure your firewall to block traffic in both directions between
> the Windows 7 hosts and the Internet.

On 2020-01-14 23:05, to...@tuxteam.de wrote:
> And stuff putty into the USB ports :-D
>
> (no, that wasn't a serious proposal. Just a reminder that goodies are
> not only delivered via Internet).
>
> If you are trying to protect your users... well, you know.

Permatex® Steel Weld™ Epoxy looks good:

https://www.permatex.com/products/adhesives-sealants/epoxies/permatex-steel-weld-epoxy/


David



Re: Protecting no longer supported Windows7

2020-01-15 Thread Dan Purgert

john doe wrote:
> Hi,
>
> I have a Debian server serving/doing DHCP/DNS/firewall/..., as of today,
> Microsoft stops supporting Windows7.
>
> Is there anything that I could do to protect those Windows7 hosts that
> are behind this server?

Since updating to W10 is out, the only real options are:

Physically remove them from all networks (LAN, WiFi, and sneakernet).
Format and install a Linux distro of your choice.

Just blocking connectivity "to the internet" isn't enough, as there are
other avenues that could cause the systems to be compromised.



-- 
|_|O|_| 
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281



Re: Protecting no longer supported Windows7

2020-01-15 Thread Ben Lavender
Wanderer is correct here, you can attempt to purchase an ESU for it, which
depends on version.

https://support.microsoft.com/en-gb/help/4527878/faq-about-extended-security-updates-for-windows-

Regards

On Wed, 15 Jan 2020, 13:48 The Wanderer wrote:

> On 2020-01-15 at 01:29, Alexander V. Makartsev wrote:
>
> > On 15.01.2020 10:25, john doe wrote:
> >
> >> Hi,
> >>
> >> I have a Debian server serving/doing DHCP/DNS/firewall/..., as of
> >> today, Microsoft stops supporting Windows7.
> >>
> >> Is there anything that I could do to protect those Windows7 hosts
> >> that are behind this server?
> >>
> >> P.S.
> >>
> >> For the sake of this question, upgrading to W10 /buying new
> >> Windows devices is not an option.
> >
> > End of support for Windows 7 means that you won't get OS updates, or
> > any kind of support anymore.
>
> True. (Unless you have a paid extended-support contract with Microsoft,
> in which case - as long as you keep paying, I think per-computer - you
> have something like another two years.)
>
> > It also means Microsoft will now change many downloadable support
> > packages so they won't run anymore on Windows 7
>
> Possible, although I wouldn't expect them to bother to go and make
> changes en-masse. It's more likely that they just won't bother to make
> sure that future changes to such packages remain compatible with Windows 7.
>
> > and delete TechNet articles about Windows 7,
>
> Are you sure? I've never seen them do that with previous releases; at
> the least, I'm fairly sure I keep running across Technet articles (and
> other support documents) marked as being for older Windows versions,
> when I'm looking for ones that apply to something newer.
>
> > and also 3rd party software developers now have rights to deny any
> > support for Windows 7.
>
> They had that before; it just wasn't a particularly good idea in many
> cases. Some of them will probably start doing this, while others will
> probably continue offering as much support as they did before, at least
> for a good while.
>
> > If Windows 7 is unsupported it doesn't mean it will stop functioning,
> > it means, in terms of support and maintenance, you're on your own. It
> > will stay as secure as it is to this day
>
> Modulo the discovery of new security vulnerabilities, which currently
> exist but aren't yet known about, anyway. So technically true, but
> doesn't mean what it might appear to mean at first glance.
>
> Personally, I'm half-expecting one or more previously unknown zero-day
> vulnerabilities to be revealed and start being actively exploited today,
> now that the only people who will be getting patches for them are the
> ones who have paid extended-support contracts with Microsoft.
>
> > and it doesn't really depend on firewall, if you won't open
> > (port-forward) high risk service ports (like RDP, SMB, etc) to the
> > internet, of course.
>
> I'm not really sure what you're talking about here. While yes, if you
> wall a Windows 7 computer off from access to the Internet any security
> vulnerabilities it may have will become far closer to irrelevant than
> otherwise be the case, anything short of that will still leave ways by
> which it could get infected (especially assuming less-than-perfect
> security behavior on the part of users) - and the full wall-off would
> most likely be impractical for real-world use.
>
> --
>The Wanderer
>
> The reasonable man adapts himself to the world; the unreasonable one
> persists in trying to adapt the world to himself. Therefore all
> progress depends on the unreasonable man. -- George Bernard Shaw
>
>


Re: Protecting no longer supported Windows7

2020-01-15 Thread The Wanderer
On 2020-01-15 at 01:29, Alexander V. Makartsev wrote:

> On 15.01.2020 10:25, john doe wrote:
> 
>> Hi,
>> 
>> I have a Debian server serving/doing DHCP/DNS/firewall/..., as of
>> today, Microsoft stops supporting Windows7.
>> 
>> Is there anything that I could do to protect those Windows7 hosts
>> that are behind this server?
>> 
>> P.S.
>> 
>> For the sake of this question, upgrading to W10 /buying new
>> Windows devices is not an option.
> 
> End of support for Windows 7 means that you won't get OS updates, or
> any kind of support anymore.

True. (Unless you have a paid extended-support contract with Microsoft,
in which case - as long as you keep paying, I think per-computer - you
have something like another two years.)

> It also means Microsoft will now change many downloadable support 
> packages so they won't run anymore on Windows 7

Possible, although I wouldn't expect them to bother to go and make
changes en-masse. It's more likely that they just won't bother to make
sure that future changes to such packages remain compatible with Windows 7.

> and delete TechNet articles about Windows 7,

Are you sure? I've never seen them do that with previous releases; at
the least, I'm fairly sure I keep running across Technet articles (and
other support documents) marked as being for older Windows versions,
when I'm looking for ones that apply to something newer.

> and also 3rd party software developers now have rights to deny any
> support for Windows 7.

They had that before; it just wasn't a particularly good idea in many
cases. Some of them will probably start doing this, while others will
probably continue offering as much support as they did before, at least
for a good while.

> If Windows 7 is unsupported it doesn't mean it will stop functioning,
> it means, in terms of support and maintenance, you're on your own. It
> will stay as secure as it is to this day

Modulo the discovery of new security vulnerabilities, which currently
exist but aren't yet known about, anyway. So technically true, but
doesn't mean what it might appear to mean at first glance.

Personally, I'm half-expecting one or more previously unknown zero-day
vulnerabilities to be revealed and start being actively exploited today,
now that the only people who will be getting patches for them are the
ones who have paid extended-support contracts with Microsoft.

> and it doesn't really depend on firewall, if you won't open
> (port-forward) high risk service ports (like RDP, SMB, etc) to the
> internet, of course.

I'm not really sure what you're talking about here. While yes, if you
wall a Windows 7 computer off from access to the Internet any security
vulnerabilities it may have will become far closer to irrelevant than
otherwise be the case, anything short of that will still leave ways by
which it could get infected (especially assuming less-than-perfect
security behavior on the part of users) - and the full wall-off would
most likely be impractical for real-world use.

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man. -- George Bernard Shaw





Re: Protecting no longer supported Windows7

2020-01-15 Thread Joe
On Wed, 15 Jan 2020 10:51:31 +
Ben Lavender wrote:

> I personally recommend upgrading them, 
> 
> Think hard if you really need them as you may be able to remove them
> entirely.
> 

Please note:

> >
> > For the sake of this question, upgrading to W10 /buying new Windows
> > devices is not an option.
> >
> > --
> > John Doe
> >
> >  

To the OP:

To stand any chance of protecting them, they must use neither the
Web nor email, nor preferably have any other Internet connection. As we
saw with XP, future MS updates will be carefully scrutinised for clues
by malware writers, on the basis that many W7 users aren't even aware of
the end of support, and many more will ignore it.

-- 
Joe



Re: Protecting no longer supported Windows7

2020-01-15 Thread Ben Lavender
I personally recommend upgrading them, if not then ensure they are isolated
from the rest of the network as well as ensure they do not have WAN access.
Further ensure they are protected by an up-to-date AV with regular scans.

Think hard if you really need them as you may be able to remove them
entirely.

Regards

Ben Lavender

On Wed, 15 Jan 2020, 05:25 john doe wrote:

> Hi,
>
> I have a Debian server serving/doing DHCP/DNS/firewall/..., as of today,
> Microsoft stops supporting Windows7.
>
> Is there anything that I could do to protect those Windows7 hosts that
> are behind this server?
>
> P.S.
>
> For the sake of this question, upgrading to W10 /buying new Windows
> devices is not an option.
>
> --
> John Doe
>
>


Re: Protecting no longer supported Windows7

2020-01-15 Thread Klaus Singvogel
john doe wrote:
> How would I go about that, I don't see how I can restrict inter host
> connections that are on the same subnet?

Some switches can do so, like managed switches: use a VLAN for Windoze
hosts and configure the VLAN that way, if possible.

Even my DSL router can be configured to do so, but only global for all
hosts in the net (which is not helpful in my setup).

Best regards,
Klaus.
-- 
Klaus Singvogel
GnuPG-Key-ID: 1024R/5068792D  1994-06-27



Re: Protecting no longer supported Windows7

2020-01-15 Thread john doe
On 1/15/2020 8:35 AM, Klaus Singvogel wrote:
> David Christensen wrote:
>> Configure your firewall to block traffic in both directions between the
>> Windows 7 hosts and the Internet.
>
> Good idea.
>
> Additional: block traffic between the Windows 7 hosts, as an infected one
> might infect others.
>

How would I go about that, I don't see how I can restrict inter host
connections that are on the same subnet?

Thanks to all for suggesting firewall restriction.

--
John Doe



Re: Protecting no longer supported Windows7

2020-01-15 Thread deloptes
David Christensen wrote:

> Configure your firewall to block traffic in both directions between the
> Windows 7 hosts and the Internet.

+1

Isolate from outside; you can use them in the local network.





Re: Protecting no longer supported Windows7

2020-01-14 Thread Klaus Singvogel
David Christensen wrote:
> Configure your firewall to block traffic in both directions between the
> Windows 7 hosts and the Internet.

Good idea.

Additional: block traffic between the Windows 7 hosts, as an infected one
might infect others.

Best regards,
Klaus.
-- 
Klaus Singvogel
GnuPG-Key-ID: 1024R/5068792D  1994-06-27



Re: Protecting no longer supported Windows7

2020-01-14 Thread tomas
On Tue, Jan 14, 2020 at 10:30:33PM -0800, David Christensen wrote:
> On 2020-01-14 21:25, john doe wrote:
> >Hi,
> >
> >I have a Debian server serving/doing DHCP/DNS/firewall/..., as of today,
> >Microsoft stops supporting Windows7.

[...]

> Configure your firewall to block traffic in both directions between
> the Windows 7 hosts and the Internet.

And stuff putty into the USB ports :-D

(no, that wasn't a serious proposal. Just a reminder that goodies
are not only delivered via Internet).

If you are trying to protect your users... well, you know.

Cheers
-- t




Re: Protecting no longer supported Windows7

2020-01-14 Thread David Christensen

On 2020-01-14 21:25, john doe wrote:
> Hi,
>
> I have a Debian server serving/doing DHCP/DNS/firewall/..., as of today,
> Microsoft stops supporting Windows7.
>
> Is there anything that I could do to protect those Windows7 hosts that
> are behind this server?
>
> P.S.
>
> For the sake of this question, upgrading to W10 /buying new Windows
> devices is not an option.
>
> --
> John Doe

Configure your firewall to block traffic in both directions between the
Windows 7 hosts and the Internet.



David
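
The bidirectional block suggested in the message above, sketched as an nftables ruleset for a Debian gateway. This is an added example, not configuration posted by anyone in the thread; the interface names, host addresses and table name are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example (constructed). Interface names, addresses and the table
# name are assumptions; adjust them to the actual gateway.

define WAN_IF = "eth0"    # assumed Internet-facing interface
define LAN_IF = "eth1"    # assumed interface facing the Windows 7 hosts

# Idempotent reload: create the table if missing, then drop and rebuild it.
table inet win7_isolation
delete table inet win7_isolation

# Separate table, so it loads alongside an existing ruleset. A drop
# verdict in any base chain on the forward hook is final for the packet.
table inet win7_isolation {

    # Constructed sample addresses. Pin them with static DHCP leases on
    # the gateway so the set keeps matching the right machines.
    set win7_hosts {
        type ipv4_addr
        elements = { 192.168.10.50, 192.168.10.51 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Outbound: anything a Windows 7 host tries to route to the Internet.
        iifname $LAN_IF oifname $WAN_IF ip saddr @win7_hosts counter log prefix "win7-out-drop: " drop

        # Inbound: anything routed from the Internet towards a Windows 7
        # host. This hook runs after prerouting DNAT, so it also catches
        # port forwards (RDP, SMB, ...) that point at these hosts.
        iifname $WAN_IF oifname $LAN_IF ip daddr @win7_hosts counter log prefix "win7-in-drop: " drop
    }
}

# Not covered by these rules:
#  - IPv6. The set is IPv4-only; if the gateway routes IPv6, the hosts
#    need an equivalent ipv6_addr set and rules.
#  - DHCP/DNS served by the gateway itself. That traffic hits the input
#    hook, not forward, and is left untouched here.
#  - Traffic between hosts on the same subnet. It is switched, never
#    routed, so the gateway does not see it; that needs VLANs or port
#    isolation on the switch.
```

Syntax can be checked without loading the rules using `nft -c -f <file>`; the `counter` and `log` statements show which hosts are still attempting Internet connections.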



Re: Protecting no longer supported Windows7

2020-01-14 Thread Alexander V. Makartsev
On 15.01.2020 10:25, john doe wrote:
> Hi,
>
> I have a Debian server serving/doing DHCP/DNS/firewall/..., as of today,
> Microsoft stops supporting Windows7.
>
> Is there anything that I could do to protect those Windows7 hosts that
> are behind this server?
>
> P.S.
>
> For the sake of this question, upgrading to W10 /buying new Windows
> devices is not an option.
>
> --
> John Doe
>
End of support for Windows 7 means that you won't get OS updates, or any
kind of support anymore.
It also means Microsoft will now change many downloadable support
packages so they won't run anymore on Windows 7 and delete TechNet
articles about Windows 7, and also 3rd party software developers now
have rights to deny any support for Windows 7.
If Windows 7 is unsupported it doesn't mean it will stop functioning, it
means, in terms of support and maintenance, you're on your own.
It will stay as secure as it is to this day and it doesn't really depend
on firewall, if you won't open (port-forward) high risk service ports
(like RDP, SMB, etc) to the internet, of course.
You have to keep in mind that network access over the Internet is only
one of the many attack vectors.

-- 
With kindest regards, Alexander.

⢀⣴⠾⠻⢶⣦⠀ 
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄