Please see the attached diagram.
We have an environment full of viruses with only one switch and only one exit to the internet. How can we
(1) Perform a clean reinstall of Microsoft Windows XP SP3 or Windows 7 SP1
(2) Perform Windows Updates
(3) Install remaining software without being infected by the other machines that are infected?
I mean, when you perform a new install of Windows and plug it into the local network, the workstation will be infected by the other ones that are infected and continuously broadcasting.
We have the following:
-Windows XP SP3
-Windows 7 SP1
-McAfee VirusScan Enterprise 8.8 - Patch 3
-The majority of workstations will still be Windows XP SP3.
What are the best practices we can apply here?
obs1: I know the question "seems obvious", so let's clarify. Imagine that the environment was not well administered in the past and now we have this problem with viruses. Unfortunately the environment is critical and uses an application that cannot be "simply stopped": it would severely affect our users. The other computers are infected but the application still works. So our mission is to clean everything without stopping anything. And here comes my question: how can we install a new workstation with Windows XP SP3 or Windows 7 without it being infected? For example, regarding Windows Updates I considered offline WSUS (wsusoffline.net); I think that could handle the Windows Updates, couldn't it? obs: there is no WSUS server in this environment.
obs2: If I put in a Linux server with iptables and an internal IP address different from the other machines, like this:
-External Interface: 172.16.0.100/24
-Internal Interface: 192.168.1.10/24
and then assign an IP address to my new workstations, let's say 192.168.1.20, will I be isolated from the other ones? We will be in the same VLAN but in a different subnet. Can I still get infected?
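An added example (not from the post) of what the Linux box in obs2 would need to actually isolate the clean build segment: a default-deny iptables ruleset that only lets new sessions out of the internal interface toward DNS/HTTP/HTTPS for updates, logs and drops anything the infected side tries to open toward the clean side, and masquerades the clean subnet. It assumes the interface names eth0 (external, 172.16.0.100/24) and eth1 (internal, 192.168.1.10/24); it also assumes eth1 is cabled to a physically separate switch or a direct link, because a gateway only filters traffic that is routed through it, and hosts sharing the same switch and VLAN can still address each other directly regardless of subnet.

```shell
#!/bin/sh
# Isolation gateway rules for a clean-build segment behind a Linux box.
# Constructed example: EXT_IF faces the infected LAN (172.16.0.0/24),
# INT_IF faces the new, clean workstations (192.168.1.0/24).
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
INT_NET="192.168.1.0/24"
IPT="${IPT:-iptables}"   # set IPT=echo to print the rules instead of applying them

gateway_rules() {
  # Start from a default-deny posture on every chain.
  $IPT -F
  $IPT -t nat -F
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT ACCEPT

  # Loopback and replies to connections the gateway itself opened.
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Management (SSH) only from the clean side.
  $IPT -A INPUT -i "$INT_IF" -s "$INT_NET" -p tcp --dport 22 -j ACCEPT

  # Forwarding: replies in both directions, new sessions only from the clean side,
  # and only the services a fresh build needs (DNS, HTTP/HTTPS for updates).
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -p udp --dport 53 -j ACCEPT
  $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -p tcp -m multiport --dports 53,80,443 -j ACCEPT
  # Anything the infected side tries to open toward the clean side is logged, then dropped.
  $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m conntrack --ctstate NEW -j LOG --log-prefix "ISO-BLOCK: " --log-level 4
  $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -j DROP

  # Hide the clean subnet behind the gateway's external address.
  $IPT -t nat -A POSTROUTING -s "$INT_NET" -o "$EXT_IF" -j MASQUERADE
}

# Only touch the live firewall when explicitly asked: ./gateway.sh apply
if [ "${1:-}" = "apply" ]; then
  sysctl -w net.ipv4.ip_forward=1
  gateway_rules
fi
```

Run with IPT=echo first to review the generated rules; the kernel log lines prefixed ISO-BLOCK: show which infected hosts are probing the clean segment and are worth watching during the rebuild.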