Server 2008 Client - Block external traffic while keeping network connectivity

Hi everybody.

So Win XP support is ending; before it does, I need an XP client to still have network connectivity locally, but have all traffic denied to it from the outside world. The client machine runs control software for a big UV printer which is unavailable on Windows 7, hence no choice but to keep XP. I need to lock it down to prevent it being a gateway for all the nasty outsiders, while retaining local folder sharing user access.

I'm presuming I need to use the firewall to prevent access over certain ports to the client IP address. Can anybody shed any light on this?

Many Thanks
pcpoorlyltd asked:
hecgomrec commented:
Here is my suggestion based on the main request: allow only internal traffic.

I'm guessing here, but it looks to me that besides the special application you have shared folders on it.

If this is correct, just to be completely sure, move the shares to another computer with Win7; if not, let's hope my advice will be enough.

If the machine is only needed for internal purposes, just go to the NIC configuration, give it a static IP and DO NOT put any gateway in the settings. This will prevent the machine from getting to the internet, therefore no viruses or spam pulled by mistake onto the machine.

Now, if someone needs access to the application from the outside and you don't have a VPN connection established giving those connections an internal IP, then you will have to redirect the proper inbound calls to the machine on your firewall.
Qwadrat4 commented:
Why do you need this? You still can use XP after end of support.
If you use a firewall, block all traffic except microsoft-ds (TCP port 445) and maybe RDP (TCP 3389).
Sudeep Sharma (Technical Designer) commented:
You might need to create two simple rules.
First rule: allow TCP/UDP from the local network (192.168.1.XXX) to/from your system.
Second rule: deny ALL TCP/UDP traffic from any network.

Sudeep
Giovanni Heward commented:
@pcpoorlyltd
One option to keep in mind is that you can always convert the physical XP machine into a virtual machine (P2V). You can then power it up and down on an as-needed basis, and snapshot it back to a known working state should you encounter failures in the future.

If the machine requires remote access, it would be best to place it behind a VPN solution.  This way you're enforcing identification, authentication, authorization, and auditing before the machine is even accessible.  If you do not require remote access to the machine, and only LAN traffic is required, consider removing the default gateway and blocking the MAC address at the gateway, etc.

Either way, consider reducing the attack surface by disabling unnecessary services.  You want to view access to this machine in terms of least privilege.  What is the absolute minimum access requirements?  Block all inbound/outbound traffic except what is absolutely required.  From there limit access based on protocol, port, and source/destination IP address(es) using a firewall.

Consider installing exploit mitigation software such as EMET, in conjunction with an application whitelisting solution (McAfee SolidCore, etc.). Using this method you could forgo signature-based antimalware solutions.

Run necessary software as a least privileged user (not as Administrator).  Implement proper DACLs, such as denying all access to unnecessary OS executables (PowerShell, cscript/wscript, cmd.exe, etc.) and only permit read access to those essential executables which remain, etc.
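The static-IP-without-gateway and subnet-scoped firewall advice from the answers above, put together as an added example (not from any of the posters). It assumes the NIC is called "Local Area Connection", that the client takes 192.168.1.50 on the 192.168.1.0/24 subnet from the thread, and uses the XP SP2/SP3 `netsh firewall` context:

```batch
rem Constructed example: confine an XP workstation to its local subnet.
rem Assumptions (not from the thread): the NIC is "Local Area Connection"
rem and the box should take 192.168.1.50/24. Run from an Administrator
rem command prompt on the XP client itself.

rem 1. Static address with NO default gateway (hecgomrec's suggestion).
rem    Without a route to 0.0.0.0 the machine cannot reach anything beyond
rem    192.168.1.0/24. This is the only outbound control available here:
rem    the XP firewall filters inbound connections only.
netsh interface ip set address name="Local Area Connection" source=static addr=192.168.1.50 mask=255.255.255.0 gateway=none

rem 2. Firewall on for every profile, then switch off all built-in
rem    service exceptions so nothing is left open "for any address".
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL
netsh firewall set service type=ALL mode=DISABLE profile=ALL

rem 3. Re-open only File and Printer Sharing (TCP 139/445, UDP 137/138),
rem    scoped to the local subnet rather than to any address.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET profile=ALL

rem 4. Optional, per Qwadrat4: RDP (TCP 3389) from the subnet only.
rem    Leave this line out if nobody administers the box remotely.
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=SUBNET profile=ALL

rem 5. Verify. Every remaining exception should show Scope: Subnet,
rem    the program list should be empty or subnet-scoped, and the
rem    routing table should contain no 0.0.0.0 default route.
netsh firewall show config
netsh firewall show allowedprogram
route print 0.0.0.0
```

Any per-program exceptions that `show allowedprogram` still lists need to be removed with `netsh firewall delete allowedprogram` or re-added with `scope=SUBNET`, since step 2 only covers the built-in service exceptions.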