Server 2008 Client - Block external traffic while keeping network connectivity

Posted on 2014-04-01
Last Modified: 2014-10-21
Hi everybody.

So Win XP support is ending. Before it does, I need an XP client to still have network connectivity locally, but have all traffic from the outside world denied to it. The client machine runs control software for a big UV printer which is unavailable on Windows 7, hence no choice but to keep XP. I need to lock it down to prevent it being a gateway for all the nasty outsiders, while retaining local folder-sharing user access.

I'm presuming I need to use the firewall to prevent access over certain ports to the client IP address. Can anybody shed any light on this?

Many Thanks
Question by:pcpoorlyltd
6 Comments
LVL 1

Assisted Solution

by:Qwadrat4
Qwadrat4 earned 166 total points
ID: 39968988
Why do you need this? You still can use XP after end of support.
If you use a firewall, block all traffic except microsoft-ds (TCP port 445) and maybe RDP (TCP 3389).
 
LVL 29

Assisted Solution

by:Sudeep Sharma
Sudeep Sharma earned 166 total points
ID: 39969257
You might need to create two simple rules.
First rule: allow TCP/UDP from the local network (192.168.1.XXX) to/from your system.
Second rule: deny ALL TCP/UDP traffic from any network.

Sudeep
 
LVL 14

Expert Comment

by:Giovanni Heward
ID: 39969783
@pcpoorlyltd
One option to keep in mind is that you can always convert the physical XP machine into a virtual machine (P2V). You can then power it up and down on an as-needed basis, and snapshot it back to a known working state should you encounter failures in the future.

If the machine requires remote access, it would be best to place it behind a VPN solution.  This way you're enforcing identification, authentication, authorization, and auditing before the machine is even accessible.  If you do not require remote access to the machine, and only LAN traffic is required, consider removing the default gateway and blocking the MAC address at the gateway, etc.

Either way, consider reducing the attack surface by disabling unnecessary services.  You want to view access to this machine in terms of least privilege.  What is the absolute minimum access requirements?  Block all inbound/outbound traffic except what is absolutely required.  From there limit access based on protocol, port, and source/destination IP address(es) using a firewall.

Consider installing exploit mitigation software such as EMET, in conjunction with an application whitelisting solution (McAfee SolidCore, etc.). Using this method you could forgo using signature-based antimalware solutions.

Run necessary software as a least privileged user (not as Administrator).  Implement proper DACLs, such as denying all access to unnecessary OS executables (PowerShell, cscript/wscript, cmd.exe, etc.) and only permit read access to those essential executables which remain, etc.
 
LVL 11

Accepted Solution

by:
hecgomrec earned 168 total points
ID: 39972076
Here is my suggestion based on the main request: allow only internal traffic.

I'm guessing here, but it looks to me like, besides the special application, you have shared folders on it.

If this is correct, just to be completely sure, move the shares to another computer with Win7; if not, let's hope my advice will be enough.

If the machine is only needed for internal purposes, just go to the NIC configuration, give it a static IP and DO NOT put any gateway in the settings. This will prevent the machine from getting to the internet, therefore no viruses or spam will be pulled onto the machine by mistake.

Now, if someone needs access to the application from the outside and you don't have a VPN connection established giving those connections an internal IP, then you will have to redirect the proper inbound calls to the machine on your firewall.
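A script that combines the two pieces of advice in this thread (no default gateway from the accepted answer, plus the "allow the local subnet, deny everything else" rule pair from Sudeep's answer) using netsh; this is an added example, not code from any of the posters. The adapter name, host address, subnet and LAN DNS server are assumed values, and it must run from an elevated prompt.

```powershell
# Added example (not from the thread): lock a LAN-only host down with netsh.
# Assumed values: adapter "Local Area Connection", host 192.168.1.50/24,
# LAN 192.168.1.0/24, LAN DNS 192.168.1.10. Run elevated.
$Adapter = "Local Area Connection"   # assumed adapter name
$HostIp  = "192.168.1.50"            # assumed static address for this host
$Mask    = "255.255.255.0"
$Lan     = "192.168.1.0/24"          # assumed local subnet
$LanDns  = "192.168.1.10"            # assumed internal DNS server

# 1. Static IP with NO default gateway: with no route off the subnet the host
#    cannot reach the internet even if a firewall rule is later misconfigured.
netsh interface ip set address "name=$Adapter" static $HostIp $Mask
netsh interface ip set dns "name=$Adapter" static $LanDns

# 2. Default policy: drop everything in both directions unless a rule allows it
#    (this is the "deny ALL traffic from any network" rule from the thread).
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 3. Allow only LAN peers, and only the services the thread names:
#    file sharing (microsoft-ds, TCP 445) and RDP (TCP 3389) inbound,
#    and replies/outbound connections to the LAN only.
netsh advfirewall firewall add rule name=LAN-in-SMB dir=in  action=allow protocol=TCP localport=445  remoteip=$Lan
netsh advfirewall firewall add rule name=LAN-in-RDP dir=in  action=allow protocol=TCP localport=3389 remoteip=$Lan
netsh advfirewall firewall add rule name=LAN-out    dir=out action=allow protocol=any remoteip=$Lan

# 4. Verify: the profile policy should read BlockInbound,BlockOutbound and
#    only the three LAN rules above should appear in the rule list.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all | Select-String "LAN-"
```

netsh advfirewall exists only from Vista / Server 2008 onward; the XP firewall has no outbound filtering, so on the XP box itself only the gateway removal and the inbound half apply (via `netsh firewall set portopening ... scope=SUBNET`), and the outbound deny has to live on the perimeter firewall.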
