Solved

Server 2008 Client - Block external traffic while keeping network connectivity

Posted on 2014-04-01
Last Modified: 2014-10-21
Hi everybody.

So Win XP support is ending; before it does, I need an XP client to still have network connectivity locally, but have all traffic denied to it from the outside world. The client machine runs control software for a big UV printer which is unavailable on Windows 7, hence no choice but to keep XP. I need to lock it down to prevent it being a gateway for all the nasty outsiders, while retaining local folder sharing user access.

I'm presuming I need to use the Firewall to prevent access over certain ports to the client IP address; can anybody shed any light on this?

Many Thanks
Question by:pcpoorlyltd
6 Comments
 
LVL 1

Assisted Solution

by:Qwadrat4
Qwadrat4 earned 166 total points
ID: 39968988
Why do you need this? You can still use XP after end of support.
If you use a firewall, block all traffic except microsoft-ds (TCP port 445) and maybe RDP (TCP 3389).
LVL 29

Assisted Solution

by:Sudeep Sharma
Sudeep Sharma earned 166 total points
ID: 39969257
You might need to create two simple rules.
First rule: allow TCP/UDP from the local network (192.168.1.XXX) to/from your system.
Second rule: deny ALL TCP/UDP traffic from any network.

Sudeep
LVL 14

Expert Comment

by:Giovanni Heward
ID: 39969783
@pcpoorlyltd
One option to keep in mind is that you can always convert the physical XP machine into a virtual machine (P2V). You can then power it up and down on an as-needed basis, and snapshot it back to a known working state should you encounter failures in the future.

If the machine requires remote access, it would be best to place it behind a VPN solution. This way you're enforcing identification, authentication, authorization, and auditing before the machine is even accessible. If you do not require remote access to the machine, and only LAN traffic is required, consider removing the default gateway and blocking the MAC address at the gateway, etc.

Either way, consider reducing the attack surface by disabling unnecessary services. You want to view access to this machine in terms of least privilege. What are the absolute minimum access requirements? Block all inbound/outbound traffic except what is absolutely required. From there, limit access based on protocol, port, and source/destination IP address(es) using a firewall.

Consider installing exploit mitigation software such as EMET, in conjunction with an application whitelisting solution (McAfee SolidCore, etc.). Using this method you could forgo using signature-based antimalware solutions.

Run necessary software as a least-privileged user (not as Administrator). Implement proper DACLs, such as denying all access to unnecessary OS executables (PowerShell, cscript/wscript, cmd.exe, etc.) and only permit read access to those essential executables which remain, etc.
LVL 11

Accepted Solution

by:hecgomrec
hecgomrec earned 168 total points
ID: 39972076
Here is my suggestion based on the main request: allow only internal traffic.

I'm guessing here, but it looks to me like, besides the special application, you have shared folders on it.

If this is correct, just to be completely sure, move the shares to another computer with Win7; if not, let's hope my advice will be enough.

If the machine is only needed for internal purposes, just go to the NIC configuration, give it a static IP and DO NOT put any Gateway in the settings. This will prevent the machine from getting to the internet, therefore no viruses or spam will be pulled onto the machine by mistake.

Now, if someone needs access to the application from the outside and you don't have a VPN connection established giving those connections an internal IP, then you will have to redirect the proper inbound calls on your firewall to the machine.
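The advice in these answers, applied on the XP host itself with XP's own `netsh firewall` context: a static address with no default gateway (hecgomrec, Giovanni), only SMB and RDP reachable (Qwadrat4), and those openings scoped to the LAN so the firewall's implicit drop acts as the "deny all" rule (Sudeep). This is an added example, not posted by any of the participants; the adapter name "Local Area Connection", the 192.168.1.0/24 subnet, and the 192.168.1.50 / 192.168.1.1 addresses are assumed placeholders to be replaced with the site's own values.

```batch
@echo off
REM Added example (not from the thread): lock an XP SP2/SP3 client to LAN-only access.
REM Assumed placeholders: adapter "Local Area Connection", LAN 192.168.1.0/24,
REM host address 192.168.1.50, internal DNS server 192.168.1.1.
REM Run from a command prompt as a local Administrator on the XP machine.

REM 1. Static address with NO default gateway: with no route to the outside world
REM    the machine cannot initiate or answer internet traffic at all.
netsh interface ip set address name="Local Area Connection" source=static addr=192.168.1.50 mask=255.255.255.0 gateway=none
netsh interface ip set dns name="Local Area Connection" source=static addr=192.168.1.1

REM 2. Firewall on. Unsolicited inbound traffic that matches no exception is dropped,
REM    which is the "deny ALL from any network" rule; exceptions below define "allow".
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

REM 3. Remove the default exceptions so nothing is exposed that we did not list.
netsh firewall set service type=UPNP mode=DISABLE profile=ALL
netsh firewall set service type=REMOTEADMIN mode=DISABLE profile=ALL
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL
netsh firewall set service type=REMOTEDESKTOP mode=DISABLE profile=ALL

REM 4. Re-open only SMB (TCP 445) and RDP (TCP 3389), and only for the LAN subnet.
netsh firewall add portopening protocol=TCP port=445 name="SMB (LAN only)" mode=ENABLE scope=CUSTOM addresses=192.168.1.0/24 profile=ALL
netsh firewall add portopening protocol=TCP port=3389 name="RDP (LAN only)" mode=ENABLE scope=CUSTOM addresses=192.168.1.0/24 profile=ALL

REM 5. Log dropped packets so connection attempts outside the allowed scope are visible.
netsh firewall set logging filelocation=%SystemRoot%\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE

REM 6. Verify: opmode should read Enable and each port exception should show the LAN scope.
netsh firewall show config
```

If RDP is not needed, leave out the 3389 line; if shares are moved to a Win7 box as hecgomrec suggests, the 445 line can go as well.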