Solved

Server 2008 Client - Block external traffic while keeping network connectivity

Posted on 2014-04-01
6
284 Views
Last Modified: 2014-10-21
Hi everybody.

So Win XP support is ending, before it does I need an XP client to still have network connectivity locally, but have all traffic denied to it from the outside world.  The client machine runs control software to a big UV printer which is unavailable on Windows 7, hence no choice keeping XP.  I need to lock it down to prevent it being a gateway to all the nasty outsiders, while retaining local folder sharing user access.

I'm presuming I need to use the Firewall to prevent access over certain ports to the client IP address, anybody shed any light onto this?

Many Thanks
0
Comment
Question by:pcpoorlyltd
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 1

Assisted Solution

by:Qwadrat4
Qwadrat4 earned 166 total points
ID: 39968988
Why do you need this? You still can use XP after end of support.
If you will use firewall - block all traffic except microsoft-ds (TCP port 445) and maybe RDP (TCP 3389).
0
 
LVL 30

Assisted Solution

by:Sudeep Sharma
Sudeep Sharma earned 166 total points
ID: 39969257
You might need to create two simple rules.
First rule, allow TCP/UDP from Local Network (192.168.1.XXX)  to/from your system.
Second rule, deny ALL TCP/UDP Traffic from any network.

Sudeep
0
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39969783
@pcpoorlyltd
One option to keep in mind is you can always convert the physical XP machine into a virtual machine (P2V).  You can then power it up and down on an as needed basis, and snap-shot it back to a known working state should you encounter failures in the future.


If the machine requires remote access, it would be best to place it behind a VPN solution.  This way you're enforcing identification, authentication, authorization, and auditing before the machine is even accessible.  If you do not require remote access to the machine, and only LAN traffic is required, consider removing the default gateway and blocking the MAC address at the gateway, etc.

Either way, consider reducing the attack surface by disabling unnecessary services.  You want to view access to this machine in terms of least privilege.  What is the absolute minimum access requirements?  Block all inbound/outbound traffic except what is absolutely required.  From there limit access based on protocol, port, and source/destination IP address(es) using a firewall.

Consider installing exploit mitigation software such as EMET, in conjunction with an application white listing solution (McAfee SolidCore, etc.)  Using this method you could forgo using signature based antimalware solutions.

Run necessary software as a least privileged user (not as Administrator).  Implement proper DACLs, such as denying all access to unnecessary OS executables (PowerShell, cscript/wscript, cmd.exe, etc.) and only permit read access to those essential executables which remain, etc.
0
 
LVL 11

Accepted Solution

by:
hecgomrec earned 168 total points
ID: 39972076
Here is my suggestion based on the main request: allow only internal traffic.

I'm guessing here, but it looks to me that besides the special application you have shared folders on it.

If this is correct, just to be completely sure move the shares to another computer with Win7, if not let hope my advise will be enough.

If the machine is only needed for internal purposes just go to the NIC configuration and make it have an static IP and DO NOT put any Gateway on the settings, this will prevent the machine from getting to the internet therefore no viruses or spam pulled by mistake onto the machine.

Now if someone needs access to the application from the outside and you don't have a VPN connection established giving those connections an internal IP then you will have to redirect on your firewall the proper inbound calls to the machine.
0

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Cybersecurity has become the buzzword of recent years and years to come. The inventions of cloud infrastructure and the Internet of Things has made us question our online safety. Let us explore how cloud- enabled cybersecurity can help us with our b…
Transferring data across the virtual world became simpler but protecting it is becoming a real security challenge.  How to approach cyber security  in today's business world!
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question