Limiting XP User Permissions for Security (OS to become only a shell for RDP)

Hello all,

Given that XP support ended over a year ago, I'd like to know what suggestions you may have to increase security on them so that we can use them to remote onto other machines only, with all other permissions removed.

What permissions would you suggest removing from a user group, after which we will put all users in that group (only).

How secure actually is this?

Thanks for taking the time to read
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

andreasSystem AdminCommented:
It depends on what can be done via RDP, if that user can do critical stuff and the RDP you are lost. The attacked XP box may sniff RDP password and the attacker can tunnel his traffic through the XP box and connect at the same user via RDP and cause havoc in the machine the user has permission to logon.

Disabandon XP if you want to be more secure.
JohnBusiness Consultant (Owner)Commented:
Security patches for XP are long over. XP should NOT be used where security is paramount. And now, as I see software upgrades for Windows 10, I am seeing that some software no longer supports or runs on XP.

Make a plan to upgrade from XP and execute the plan as quickly as possible.
Hi Leo.

The question suggests that you have no idea what the end of support for xp means, security wise.

Let me try to explain it this way: patches are only needed against exploits. If we do things with xp that don't interact with exploitable functions, we are safe. However, you don't seem to be in the position to tell.

Having xp as remote desktop client is harmless in the first place. Doing other things with xp that might infect it (file sharing, office work like pdf reading and of course web browsing) is getting more and more risky. So if you can isolate xp network-wise (firewall on, no exceptions), and don't use the internet and don't use it for office work, you are safe to use it as RDP client.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Check Out How Miercom Evaluates Wi-Fi Security!

It's not just about Wi-Fi connectivity anymore. A wireless security breach can cost your business large amounts of time, trouble, and expense. Plus, hear first-hand from Miercom on how WatchGuard's Wi-Fi security stacks up against the competition plus a LIVE demo!

leo135Author Commented:
So if the firewall is on with no exceptions and the user cannot use any software other than rdp, it should be secure? There are no other ways in now that XP ended support?
JohnBusiness Consultant (Owner)Commented:
There are no other ways in now that XP ended support?  <-- A good deal of security protection is built into the operating system - not always an add on.  So there is not much you can do with an operating more than a year out of support and with no updates.
andreasSystem AdminCommented:
The thing with turning off all software except RDP client and block all traffic except to the RDP server is a good step forward but will not bring 100% safty.

- you also need to ensure users cannot plug any usb/firewire devices and use any CD/DVDs,
- users cannot open any files, not belonging to the system itself
- Systems cannot be reached from the internet and reach the internet itself, the windws only firewall is not enough,
  you need to block all traffic except to the RDP from within the company, that means the XP boxes need an own subnet.
"So if the firewall is on with no exceptions and the user cannot use any software other than rdp, it should be secure? There are no other ways in now that XP ended support?"
If I boot xp (firewall on), start the RDP client and connect, then nothing bad will ever happen. It depends on what else you plan to do on that xp machine. If "nothing at all" would be your answer, then you may do it and feel secure.
If however, your users tend to do all kinds of things apart from RDP, sure, there are many potential risks.
leo135Author Commented:
Ok I think I have all the answers I need. I may create a special group and give it only access to the RDP file and client and nothing else, but it will take a bit of experimenting and may not work. If so, then I doubt they can be trusted to do nothing else so may have to go with the first recommendations of abandoning XP, although that kind of decision isn't necessarily in my control. Thanks everyone for your answers!

Love being here at EE
leo135Author Commented:
Everything I needed to know
andreasSystem AdminCommented:
Just another hint,

If you really only want the users to access the RDP you also could use a linux system with a RDP client, if no money should be spent for upgrading old PCs to a current version of Windows.
That's true. You should not have to use an outdated OS just for an RDP client. Many free linux system (even live systems like knoppix) offer rdesktop.
leo135Author Commented:
It's still not free as we'd have to charge for the work but I will definitely take it into consideration. Thanks for still answering even after the accepted answer stage.

The internet is both a place of the best and worst of people and here is an example of it being the best.
andreasSystem AdminCommented:
Securing the XP boxes is also work, and mybe more than just hand out a boot cd to the users and removing the ahrddisk from the machine ;)
All depends on your setup, your security requirements, users, (e.g. if it would pose a problem that users have root on such a cd booted PC), etc. pp.

Many users here are not here for points many of us just like the challenge to solve problems, to help others and to learn new things. The points are just a nice addon nad make it more fun and EE free to use, 3000pt each month are very easy to earn)
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Remote Access

From novice to tech pro — start learning today.