Solved

Server 2008 Client - Block external traffic while keeping network connectivity

Posted on 2014-04-01
6
276 Views
Last Modified: 2014-10-21
Hi everybody.

So Win XP support is ending, before it does I need an XP client to still have network connectivity locally, but have all traffic denied to it from the outside world.  The client machine runs control software to a big UV printer which is unavailable on Windows 7, hence no choice keeping XP.  I need to lock it down to prevent it being a gateway to all the nasty outsiders, while retaining local folder sharing user access.

I'm presuming I need to use the Firewall to prevent access over certain ports to the client IP address, anybody shed any light onto this?

Many Thanks
0
Comment
Question by:pcpoorlyltd
6 Comments
 
LVL 1

Assisted Solution

by:Qwadrat4
Qwadrat4 earned 166 total points
ID: 39968988
Why do you need this? You still can use XP after end of support.
If you will use firewall - block all traffic except microsoft-ds (TCP port 445) and maybe RDP (TCP 3389).
0
 
LVL 29

Assisted Solution

by:Sudeep Sharma
Sudeep Sharma earned 166 total points
ID: 39969257
You might need to create two simple rules.
First rule, allow TCP/UDP from Local Network (192.168.1.XXX)  to/from your system.
Second rule, deny ALL TCP/UDP Traffic from any network.

Sudeep
0
 
LVL 14

Expert Comment

by:Giovanni Heward
ID: 39969783
@pcpoorlyltd
One option to keep in mind is you can always convert the physical XP machine into a virtual machine (P2V).  You can then power it up and down on an as needed basis, and snap-shot it back to a known working state should you encounter failures in the future.


If the machine requires remote access, it would be best to place it behind a VPN solution.  This way you're enforcing identification, authentication, authorization, and auditing before the machine is even accessible.  If you do not require remote access to the machine, and only LAN traffic is required, consider removing the default gateway and blocking the MAC address at the gateway, etc.

Either way, consider reducing the attack surface by disabling unnecessary services.  You want to view access to this machine in terms of least privilege.  What is the absolute minimum access requirements?  Block all inbound/outbound traffic except what is absolutely required.  From there limit access based on protocol, port, and source/destination IP address(es) using a firewall.

Consider installing exploit mitigation software such as EMET, in conjunction with an application white listing solution (McAfee SolidCore, etc.)  Using this method you could forgo using signature based antimalware solutions.

Run necessary software as a least privileged user (not as Administrator).  Implement proper DACLs, such as denying all access to unnecessary OS executables (PowerShell, cscript/wscript, cmd.exe, etc.) and only permit read access to those essential executables which remain, etc.
0
 
LVL 11

Accepted Solution

by:
hecgomrec earned 168 total points
ID: 39972076
Here is my suggestion based on the main request: allow only internal traffic.

I'm guessing here, but it looks to me that besides the special application you have shared folders on it.

If this is correct, just to be completely sure move the shares to another computer with Win7, if not let hope my advise will be enough.

If the machine is only needed for internal purposes just go to the NIC configuration and make it have an static IP and DO NOT put any Gateway on the settings, this will prevent the machine from getting to the internet therefore no viruses or spam pulled by mistake onto the machine.

Now if someone needs access to the application from the outside and you don't have a VPN connection established giving those connections an internal IP then you will have to redirect on your firewall the proper inbound calls to the machine.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

There are some basic methods for preventing attacks on, hacking of and unauthorized access to a network -- maybe not completely, but up to a certain level. Start with a well-reputed firewall and unified threat management (UTM) system -- a gateway…
Ever notice how you can't use a new drive in Windows without having Windows assigning a Disk Signature?  Ever have a signature collision problem (especially with Virtual Machines?)  This article is intended to help you understand what's going on and…
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now