You’d be amazed at what you can do with port 80/443 access, so while that is a deterrent, it is not a solution that will make any guarantees that the machines cannot do anything nefarious.
Adding a proxy server in front of the machines with a whitelist of allowed web sites instead of NAT would go further, but at the end of that day you’re still talking about taking a 14 year old operating system that is no longer supported and connecting it to the internet.
--
Andrew Anderson, Director of Development, Library and Information Resources Network, Inc.
http://www.lirn.net/ | http://www.twitter.com/LIRNnotes | http://www.facebook.com/LIRNnotes
On Mar 5, 2014, at 7:20, Michael Bond <[log in to unmask]> wrote:
> Why not set up your XP boxes to use a private network (10.x.x.x or 192.168.x.x) and put them behind a heavily firewalled NAT solution? Could be set up at the network level or with a router and a Linux box running iptables. Lots of ways to do it.
>
> Install and keep updated Firefox or Chrome, lock down the machines so that users don’t have permissions to install anything, and set up a whitelist of programs that are allowed to be run (takes a little bit of work, but it's very doable. We did this in WVU Libraries on all our machines [500 or so], public and staff, until we got our virtualized desktops in place).
>
> You can’t disallow Internet Explorer from running, but you can limit the websites that it is allowed to visit. You could even go as far as only allowing it to connect to the local host, but likely anything ‘on campus’ would be fine.
>
> I’m assuming you are using some sort of image management solution (Ghost, at the very least). So once you get an image set up it shouldn’t be that bad to maintain and deploy. And if something does become exploited, you can re-image the machine.
>
> Configure the NAT to not allow any traffic to come from that private network other than ports 80 and 443 (and any other legitimate port that you need). That way, if a machine does become compromised it can’t do (much) harm outside of your private XP network.
>
> If you need AD authentication you can set that all up in the ACLs for the network as well so that they can only contact a specific authentication server. If you absolutely needed to you could even put an auth server on the same private network that has a trust back to your main auth servers. Put 2 network interfaces in it and it can live on 2 networks so you don’t have to poke a hole through your private network's ACLs to get back to the main auth servers.
>
> It's not an ideal situation, but if you can’t afford new machines and you absolutely need to keep your XP machines running there are ways of doing it. But at what point does it become cost-prohibitive with your time compared to investing in new hardware?
>
> If you don’t do something though, you’ll be spending all your time rebuilding compromised XP boxes eventually.
>
> Michael Bond
> [log in to unmask]
>
>
>
> On Mar 4, 2014, at 4:55 PM, Riley Childs <[log in to unmask]> wrote:
>
>> Not to stomp around, but 1 hour is a LONG time for an unpatched computer, especially when in close proximity to other unpatched computers! DeepFreeze is great, but it is not a long term solution, also starting next week you will get a nag screen every time you login telling you about the EOL.
>>
>> Riley Childs
>> Student
>> Asst. Head of IT Services
>> Charlotte United Christian Academy
>> (704) 497-2086
>> RileyChilds.net
>> Sent from my Windows Phone, please excuse mistakes
>> ________________________________
>> From: Benjamin Stewart<mailto:[log in to unmask]>
>> Sent: 3/4/2014 4:46 PM
>> To: [log in to unmask]<mailto:[log in to unmask]>
>> Subject: Re: [CODE4LIB] Windows XP EOL
>>
>> Hello everyone
>>
>> (I have been in IT for 25+ years, K-7 for 15 years and now 10 months at UNBC
>> Library)
>>
>>
>> If I worked for an organization that did not have the money to go to either a
>> replacement Win7 desktop or a Linux desktop (for usability issues):
>>
>> I would contact Faronics and get a deal for educational licenses to
>> install Deepfreeze.
>> Then set up all workstations with basic accounts, rebooting if idle for 1
>> hour (and shutting down and starting up between set times).
>> Deepfreeze also has a remote console to unfreeze and refreeze for
>> maintenance on the workstation (e.g. browser updates, Flash, Adobe).
>> This, in hand with PDQ Deploy/Inventory, works very nicely. (Basic version
>> is free.)
>>
>>
>> Last option would be (not possible for most places) to contact the Dell official
>> lease site directly or via eBay. (There is a Canada and a US supplier.)
>>
>> You can buy a nice Dell 780 with Win7 Pro for about $140 with shipping.
>> Some companies like Dell or HP have been known to also donate to non-profits.
>>
>> ~Ben
>>
>> System Administrator
>> Geoffrey R. Weller Library
>> UNBC, BC Canada
>> PH (250) 960-6605
>> [log in to unmask]
>>
>> On 2014-03-04, 11:12 AM, "Ingraham Dwyer, Andy" <[log in to unmask]>
>> wrote:
>>
>>> I would not be surprised if there were black hats out there sitting on
>>> exploits they've discovered, waiting until *after* April to release
>>> malware that takes advantage of them.
>>>
>>> -A
>>>
>>>
>>> Andy Ingraham Dwyer
>>> Infrastructure Specialist
>>> State Library of Ohio
>>> 274 E. 1st Avenue
>>> Columbus, OH 43201
>>> Tel: 614-644-6849
>>> library.ohio.gov
>>>
>>> Please contact my supervisor with any feedback regarding my customer
>>> service.
>>>
>>> -----Original Message-----
>>> From: Code for Libraries [mailto:[log in to unmask]] On Behalf Of
>>> Justin Coyne
>>> Sent: Saturday, March 01, 2014 8:35 PM
>>> To: [log in to unmask]
>>> Subject: Re: [CODE4LIB] Windows XP EOL
>>>
>>> They won't be a security risk on April 8th, but the first time that MS
>>> publishes security patches after that date for newer versions, security
>>> researchers will examine the patches. Doing so will give them an idea
>>> about how to exploit the problem the patch was for. They will then try
>>> to run the exploit on XP and see if it is vulnerable. Eventually they
>>> will find an exploit that works against XP.
>>>
>>> Even if you have an AV, people can exploit your machine without using a
>>> virus. Is that a risk you want to accept?
>>>
>>> -Justin
>>>
>>>
>>> On Sat, Mar 1, 2014 at 4:59 PM, Jimm Wetherbee <[log in to unmask]> wrote:
>>>
>>>> Just because MS won't support XP any more doesn't mean those machines
>>>> are instantly useless or a security risk come April 8th. We will not
>>>> be doing anything with our lab computers until Summer because they are
>>>> too old to run Windows 8 but we cannot do without them.
>>>>
>>>> --jimm
>>>>
>>>>
>>>> On Sat, Mar 1, 2014 at 5:28 PM, Riley Childs <[log in to unmask]> wrote:
>>>>
>>>>> Hi,
>>>>> I wanted to hear how people are dealing with the Windows XP
>>>>> End-of-Life (if anything at all :(
>>>>>
>>>>>
>>>>> Personally I am migrating the computers that can run it to Windows 8
>>>>> (we ran out of 7 licenses and someone (years ago) bought SA, but
>>>>> that's another story), and when April 7th comes around: throw anything
>>>>> we can't use away (sigh).
>>>>>
>>>>> Riley Childs
>>>>> Student
>>>>> Asst. Head of IT Services
>>>>> Charlotte United Christian Academy
>>>>> (704) 497-2086
>>>>> RileyChilds.net
>>>>> Sent from my Windows Phone, please excuse mistakes
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>>
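The firewall side of the design Michael Bond describes above (private XP subnet, Linux box running iptables, egress limited to 80/443 plus a single pinhole to the auth server) is easy to state but easy to get subtly wrong, so here is one concrete ruleset. This is an added example, not something posted in the thread: it assumes the XP LAN is 192.168.50.0/24 on eth1, the upstream interface is eth0, and the campus auth server is 10.20.0.5 (all constructed placeholder values). By default it only prints the iptables commands so the policy can be reviewed offline; set `IPT=iptables` to apply it. It also adds a rate-limited LOG rule before the default drop, because Andrew's caveat still holds (80/443 is not a guarantee), and seeing what a box tries to reach beyond the web ports is the cheapest detection you will get for these machines. The proxy whitelist Andrew suggests is a separate layer and is not covered here.

```shell
#!/bin/sh
# Added example (not from the thread). Egress policy for a private XP subnet
# behind a Linux NAT box. All addresses and interface names are constructed
# placeholders; adjust them to your network.
IPT="${IPT:-echo iptables}"   # dry-run by default; IPT=iptables applies for real
XP_NET="192.168.50.0/24"      # assumed private XP subnet
LAN_IF="eth1"                 # assumed interface facing the XP boxes
WAN_IF="eth0"                 # assumed upstream/campus interface
AUTH_SRV="10.20.0.5"          # assumed AD/auth server the XP boxes may contact

build_rules() {
    # Default-deny forwarding: anything not explicitly allowed below is dropped.
    $IPT -P FORWARD DROP

    # Replies to connections the XP hosts initiated are allowed back in.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
         -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Web only: new TCP connections to 80 and 443 from the XP subnet.
    for port in 80 443; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$XP_NET" \
             -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done

    # The one pinhole the thread mentions: the auth server, and only that host.
    # Kerberos (88) and LDAP (389) over both TCP and UDP; nothing else.
    for proto in tcp udp; do
        for port in 88 389; do
            $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$XP_NET" -d "$AUTH_SRV" \
                 -p "$proto" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
        done
    done

    # Log what falls through before the policy drops it. A compromised XP box
    # reaching for SMB, SMTP or an odd high port shows up in the kernel log
    # with this prefix; the limit keeps a noisy host from flooding syslog.
    $IPT -A FORWARD -i "$LAN_IF" -s "$XP_NET" -m limit --limit 5/min \
         -j LOG --log-prefix "XP-EGRESS-DROP: "

    # Source NAT for the allowed flows so the private subnet can reach the web.
    $IPT -t nat -A POSTROUTING -s "$XP_NET" -o "$WAN_IF" -j MASQUERADE
}

# Number of ACCEPT rules the policy emits: 1 (established) + 2 (web) + 4 (auth).
# Useful as a quick sanity check after editing the port lists.  # → 7
count_accepts() {
    build_rules | grep -c -- '-j ACCEPT'
}

build_rules
```

Run it as-is to review the generated commands, then `IPT=iptables sh xp-egress.sh` on the NAT box (the filename is a placeholder). The order matters: the established/related rule comes first so return traffic is cheap, the explicit accepts follow, and the LOG rule sits last so only traffic that no accept matched is recorded before the chain policy drops it. Watching that log prefix for a week before April 8th gives you a baseline of what the XP boxes legitimately need, which is exactly the "any other legitimate port" list Michael leaves open.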