Solved

Prevent Windows XP from accessing internal network

Posted on 2013-11-14
16
599 Views
Last Modified: 2013-11-21
With the coming end of support in April, does anyone know how to prevent a Windows XP machine from getting on and accessing the network?

I know what machines on the network are currently Windows XP, so I could maybe do something with giving out incorrect DHCP parameters based on their MAC addresses, which would stop most people (machines), but that doesn't really solve for any unknowns (such as if someone were to bring in a home laptop that was running XP).

Looking for a solution that is centrally implemented and enforced and scales up easily.

Robert
0
Question by:tnisupport
16 Comments
 
LVL 24

Assisted Solution

by:aadih
aadih earned 166 total points
ID: 39648184
Restrict access using their MAC addresses.
0
 
LVL 93

Expert Comment

by:John Hurst
ID: 39648196
Your network probably won't detect a specific OS before it attaches.

You should know what machines you have and, based on the above, do not have any XP machines left (that is how I read the above).

Do you allow home machines on your network?  There probably should be a policy that says no, and local management should be able to enforce.

The way I see it, the problem with home machines is not XP, but rather that you cannot control what software they have and they might bring viruses into the business.

.... Thinkpads_User
0
 
LVL 93

Expert Comment

by:John Hurst
ID: 39648226
I thought about MAC address and (having experimented in past with them) they can be onerous to maintain.

Since you do not know the MAC address of an unknown machine, you would have to allow only your own MAC address and exclude all others. That would indeed be onerous to employ.

Think about the local management option. They should be on top of what their employees are doing.

... Thinkpads_User
0
 
LVL 24

Expert Comment

by:aadih
ID: 39648314
Thinkpads_User, Yes. Great point. Thanks.

Although laborious, time consuming, and burdensome, it may be the only way, in some particular circumstances, and suited to small business (and home) environments.
0
 
LVL 24

Expert Comment

by:masnrock
ID: 39648820
What version of Windows Server do you have? You could also configure NPS and have a policy that takes Windows XP as a condition, and deny connectivity. That might help. But obviously, this is going to add some layers of complexity.

http://technet.microsoft.com/en-us/library/cc731220%28v=ws.10%29.aspx
0
 

Author Comment

by:tnisupport
ID: 39649213
masnrock,

Although it adds a layer of complexity, it would allow me to deny network access based on the fact that the machine is still XP.

Do I need AD to be at a 2008 level as well or just a 2008 server to run the NPS services?

Also, if I'm really trying to NOT allow them on the internal network at all, regardless of trying to access the internal domain, I don't know that I want them to participate on my internal subnet via DHCP.

I'm concerned that in order for them to be denied/allowed access, they would initially need to participate in the configured subnet, which could still pose a risk if their machine was infected with something that was network-based and not requiring Windows AD credentials/access to start behaving badly.

Robert
0
 
LVL 24

Expert Comment

by:masnrock
ID: 39649436
I'm going to ask some important questions then.... you said you want to block XP machines. Are we speaking in general or for guest machines that may be allowed into the office?
0
 

Author Comment

by:tnisupport
ID: 39649445
Any XP machines would be great, whether guest or not.
0
 
LVL 93

Assisted Solution

by:John Hurst
John Hurst earned 167 total points
ID: 39649452
@tnisupport  - so far as I know, no router, no server and no process knows what OS a machine is until *after* it has logged on.

The only exclusion process in hardware is the MAC address idea.

... Thinkpads_User
0
 
LVL 24

Expert Comment

by:masnrock
ID: 39649470
Then you're going to need to do something along the lines of network admission control or the NPS stuff I showed earlier, because there is no really good way to try to pull off that type of policy otherwise. The reality is that you're going to have to allow a connection long enough for something to detect the operating system.

(Network switches and routers would never be aware of operating system data)

What type of switches and routers are currently in place?
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39649528
@thinkpads_user
NAP is a very old concept - missed it? Read http://en.wikipedia.org/wiki/Network_Access_Protection
In short: before entering the network, you will pass a gate and a warden. "You" (your pc) will have to show a health certificate. If not present or not valid, you are sent off to a quarantine zone, where you are eventually allowed to improve your health (get updated, for example).
0
 
LVL 16

Accepted Solution

by:vivigatt
vivigatt earned 167 total points
ID: 39652617
DHCP: maybe not such a good idea:
Malicious users could always use a static IP address and then access the network.
You could allow only known MAC addresses and keep an internal database (or Excel sheet) with the OS associated to it.

Microsoft Windows DHCP clients have specificities, but I don't think you can "guess" the OS from them.


Using policies is another way to go, but this would prevent the disallowed from accessing Windows resources (shares, print queues, everything that relies on AD authentication), not necessarily preventing them from accessing "the network" (and in particular the Internet from inside your network).

If you want to prevent web access (this may be a way to detect Windows XP users, since they will come and complain that "The Internet" is not working anymore), then you may force the use of a proxy web server (and use automatic configuration so that the users should not have to make any change in their settings. Check WPAD: http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol ) and, based on the user agent, refuse to serve browser requests that seem to be emitted from a Windows XP client. Malicious users can overcome this limitation too, of course.
0
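As an added illustration of the proxy-side User-Agent check described in the accepted solution (example code written here, not from any participant): it classifies constructed User-Agent strings and scans constructed proxy log lines for clients that claim Windows XP (Windows NT 5.1, or 5.2 for XP x64). Because the User-Agent is self-reported by the client, this serves as a detection and inventory aid for cooperative clients only, which is the limitation vivigatt notes.

```python
import re

# Windows NT kernel versions that a Windows XP browser reports in its User-Agent.
# 5.1 = Windows XP (32-bit); 5.2 = Windows XP x64 (also used by Server 2003,
# which the User-Agent alone cannot tell apart from XP x64).
XP_NT_VERSIONS = {"5.1", "5.2"}

_NT_RE = re.compile(r"Windows NT (\d+\.\d+)")


def nt_version(user_agent: str):
    """Return the 'Windows NT x.y' version a User-Agent advertises, or None."""
    m = _NT_RE.search(user_agent)
    return m.group(1) if m else None


def is_windows_xp(user_agent: str) -> bool:
    """True if the User-Agent claims a Windows XP client (self-reported, spoofable)."""
    return nt_version(user_agent) in XP_NT_VERSIONS


def proxy_decision(user_agent: str) -> str:
    """Policy a forward proxy would apply: deny requests that claim Windows XP."""
    return "deny" if is_windows_xp(user_agent) else "allow"


# Constructed proxy access log lines (client IP, tab, User-Agent); not real traffic.
SAMPLE_LOG = """\
10.0.0.5\tMozilla/5.0 (Windows NT 5.1; rv:25.0) Gecko/20100101 Firefox/25.0
10.0.0.7\tMozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/31.0
10.0.0.5\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
10.0.0.9\tMozilla/5.0 (Macintosh; Intel Mac OS X 10_9) Safari/537.71
10.0.0.11\tcurl/7.33.0
10.0.0.12\tMozilla/5.0 (Windows NT 5.2; WOW64; rv:24.0) Firefox/24.0
"""


def xp_clients(log_text: str) -> dict:
    """Map client IP -> set of NT versions, for clients whose User-Agent claims XP."""
    found = {}
    for line in log_text.splitlines():
        if "\t" not in line:
            continue  # skip malformed lines
        ip, ua = line.split("\t", 1)
        if is_windows_xp(ua):
            found.setdefault(ip, set()).add(nt_version(ua))
    return found


if __name__ == "__main__":
    for ip, versions in sorted(xp_clients(SAMPLE_LOG).items()):
        print(f"{ip}: claims Windows NT {', '.join(sorted(versions))} (proxy decision: deny)")
```

The inventory produced by xp_clients is what you would reconcile against your known-XP list to find unknown machines such as a visitor's home laptop.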
 
LVL 54

Expert Comment

by:McKnife
ID: 39665180
Why not NAP if I may ask?
0
 

Author Comment

by:tnisupport
ID: 39665880
McKnife,

Trying to prevent any network access at all.  Prior to NAP kicking in, they would have to participate on the network.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39666131
Not quite. Please read my link about how NAP works. We cannot talk of "the network" here but we segment our network. The segment that it may access is only a "playground", not the "real" network.
0
 
LVL 24

Expert Comment

by:masnrock
ID: 39666794
tnisupport, you have to bear in mind that network switches and routers do NOT see OS information, hence why you need things like NPS or NAP. MAC address filters don't work, because if you upgrade the OS on a machine, the network will not be aware of that.
0
