Solved

Prevent Windows XP from accessing internal network

Posted on 2013-11-14
16
591 Views
Last Modified: 2013-11-21
With the coming End of support in April, does anyone know how to prevent a Windows XP machine from getting on and accessing the network?

I know what machines on the network are currently Windows XP, so I could maybe do something with giving out incorrect DHCP parameters based on their MAC addresses, which would stop most people (machines), but that doesn't really solve for any unknowns (such as if someone were to bring in a home laptop that was running XP).

Looking for a solution that is centrally implemented and enforced and scales up easily.

Robert
0
Comment
Question by:tnisupport
16 Comments
 
LVL 24

Assisted Solution

by:aadih
aadih earned 166 total points
ID: 39648184
Restrict access using their MAC addresses.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 39648196
Your network probably won't detect a specific OS before it attaches.

You should know what machines you have and base on the above do not have any XP machines left (that is how I read the above).

Do you allow home machines on your network?  There probably should be a policy that says no, and local management should be able to enforce.

The way I see it, the problem with home machines is not XP, but rather you cannot control what software they have and they might bring viruses into the business.

.... Thinkpads_User
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 39648226
I thought about MAC address and (having experimented in past with them) they can be onerous to maintain.

Since you do not know the MAC address of an unknown machine, you would have to allow only your own MAC address and exclude all others. That would indeed be onerous to employ.

Think about the local management option. They should be on top of what their employees are doing.

... Thinkpads_User
0
 
LVL 24

Expert Comment

by:aadih
ID: 39648314
Thinkpads_User, Yes. Great point. Thanks.

Although laborious, time consuming, and burdensome, it may be the only way, in some particular circumstances, and suited to small business (and home) environments.
0
 
LVL 20

Expert Comment

by:masnrock
ID: 39648820
What version of Windows Server do you have? You could also configure NPS and have a policy that takes Windows XP as a condition, and deny connectivity. That might help. But obviously, this is going to add some layers of complexity.

http://technet.microsoft.com/en-us/library/cc731220%28v=ws.10%29.aspx
0
 

Author Comment

by:tnisupport
ID: 39649213
masnrock,

Although it adds a layer of complexity, it would allow me to deny network access based on the fact that the machine is still XP.

Do I need AD to be at a 2008 level as well or just a 2008 server to run the NPS services?

Also, if I'm really trying to NOT allow them on the internal network at all, regardless of trying to access the internal domain, I don't know that I want them to participate on my internal subnet via DHCP.

I'm concerned that in order for them to be denied/allowed access, they would initially need to participate in the configured subnet, which could still pose a risk if their machine was infected with something that was network-based and not requiring Windows AD credentials/access to start behaving badly.

Robert
0
 
LVL 20

Expert Comment

by:masnrock
ID: 39649436
I'm going to ask some important questions then.... you said you want to block XP machines. Are we speaking in general or for guest machines that may be allowed into the office?
0
 

Author Comment

by:tnisupport
ID: 39649445
Any XP machines would be great, whether guest or not.
0
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 167 total points
ID: 39649452
@tnisupport  - so far as I know, no router, no server and no process knows what OS a machine is until *after* it has logged on.

The only exclusion process in hardware is the MAC address idea.

... Thinkpads_User
0
 
LVL 20

Expert Comment

by:masnrock
ID: 39649470
Then you're going to need to do something along the lines of network admission control or the NPS stuff I showed earlier, because there is no really good way to try to pull off that type of policy otherwise. The reality is that you're going to have to allow a connection long enough for something to detect the operating system.

(Network switches and routers would never be aware of operating system data)

What type of switches and routers are currently in place?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39649528
@thinkpads_user
NAP is a very old concept - missed it? Read http://en.wikipedia.org/wiki/Network_Access_Protection
In short: before entering the network, you will pass a gate and a warden. "You" (your pc) will have to show a health certificate. If not present or not valid, you are sent off to a quarantine zone, where you are eventually allowed to improve your health (get updated, for example).
0
 
LVL 16

Accepted Solution

by:vivigatt
vivigatt earned 167 total points
ID: 39652617
DHCP: maybe not such a good idea:
Malicious users could always use a static IP address and then access the network.
You could allow only known MAC addresses and keep an internal database (or Excel sheet) with the OS associated to it.

Microsoft Windows dhcp clients have specificities but I don't think you can "guess" the OS from them.


Using policies is another way to go, but this would prevent the disallowed from accessing Windows resources (shares, print queues, everything that relies on AD authentication), not necessarily preventing them from accessing "the network" (and in particular the Internet from inside your network).

If you want to prevent web access (this may be a way to detect Windows XP users, since they will come and complain that "The Internet" is not working anymore), then you may force the use of a proxy web server (and use automatic configuration so that the users should not have to make any change in their settings. Check WPAD
http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol ) and, based on the user agent, refuse to serve browser requests that seem to be emitted from a Windows XP client. Malicious users can overcome this limitation too, of course.
0
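As an added example (not code from the thread), the User-Agent check vivigatt describes for the proxy: classify each request by the Windows NT version the browser reports, refuse XP, and audit the proxy log to find the XP clients that remain. The sample User-Agent strings are constructed, and the proxy hook and log format are assumptions, so adapt them to whatever proxy you deploy.

```python
import re
from collections import Counter

# Windows NT versions a browser on Windows XP reports in its User-Agent:
# "Windows NT 5.1" is XP 32-bit, "Windows NT 5.2" is XP x64 (Server 2003
# also reports 5.2, so review those hits before relying on them).
XP_NT_VERSIONS = {"5.1", "5.2"}
_NT_RE = re.compile(r"Windows NT (\d+\.\d+)")


def windows_nt_version(user_agent):
    """Return the 'Windows NT x.y' version a User-Agent claims, or None."""
    match = _NT_RE.search(user_agent or "")
    return match.group(1) if match else None


def is_windows_xp(user_agent):
    """True when the User-Agent claims to come from Windows XP."""
    return windows_nt_version(user_agent) in XP_NT_VERSIONS


def proxy_decision(headers):
    """Decide how the proxy answers one request: (HTTP status, reason).
    XP clients get 403; anything else, including requests with no Windows NT
    token at all (Macs, phones, missing header), is passed through."""
    if is_windows_xp(headers.get("User-Agent", "")):
        return 403, "Windows XP clients are no longer permitted on this network"
    return 200, "ok"


def audit(log_user_agents):
    """Detection side: count proxy-log User-Agents per claimed NT version
    ('other' when none) to find XP machines before the deny rule goes live."""
    return Counter(windows_nt_version(ua) or "other" for ua in log_user_agents)


# Constructed sample User-Agent strings (not captured from any real network).
SAMPLE_LOG = [
    "Mozilla/5.0 (Windows NT 5.1; rv:25.0) Gecko/20100101 Firefox/25.0",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/31.0.1650.63 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9) AppleWebKit/537.71 "
    "(KHTML, like Gecko) Version/7.0 Safari/537.71",
]
```

Because the header is set by the client, this finds cooperative XP machines and nudges their users to upgrade; it is not an admission control, which is the point vivigatt and McKnife make about NAP.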
 
LVL 53

Expert Comment

by:McKnife
ID: 39665180
Why not NAP if I may ask?
0
 

Author Comment

by:tnisupport
ID: 39665880
McKnife,

Trying to prevent any network access at all. Prior to NAP kicking in, they would have to participate on the network.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39666131
Not quite. Please read my link about how NAP works. We cannot talk of "the network" here but we segment our network. The segment that it may access is only a "playground", not the "real" network.
0
 
LVL 20

Expert Comment

by:masnrock
ID: 39666794
tnisupport, you have to bear in mind that network switches and routers do NOT see OS information, hence why you need things like NPS or NAP. MAC address filters don't work, because if you upgrade the OS on a machine, the network will not be aware of that.
0
