Is it possible to connect a Windows XP computer to a workgroup in a secure way?
The scenario:
1. We have a Windows XP computer which runs an offline PDF to Print comparison.
2. As it is XP we have taken it off our network for security reasons
3. The XP computer is attached to an A1 scanner which scans a printed leaflet
4. The software then compares the printed scan against the original PDF used to generate the print plates
5. For reprints this is OK as a copy of the original PDF already exists on the XP computer
6. For new prints the user needs to go to another computer which is on WorkGroup, browse for the file, copy the original PDF to a USB, copy from the USB to the Windows XP computer, then run comparison
It is step 6 which I am trying to improve. Can I directly connect the XP computer to the networked computer using some sort of software that isolates but still allows a folder to be browsed and a file copied? I hope I have made this clear.
Windows XP, Networking, Network Security, Security, Cyber Security
Last Comment
Jenny Coulthard
8/22/2022 - Mon
John
If you connect this XP computer directly to a computer on the network, then it is exposed both ways (in and out) to the network and not isolated. There is nothing I know of to isolate XP when it is connected to the network. The security for XP is not that advanced and requires SMBv1, which is inherently insecure. So the simple answer here is no.
masnrock
You could isolate it. The simpler scenario is to block that one machine from the internet. A second one would be to isolate it into a separate VLAN that is blocked from the internet. It would definitely help if you installed some HIPS software on it as well.
Olgierd Ungehojer
You can save files over an isolated VLAN to a network folder on a server, with permission to save files only from the XP machine. And then you can give read-only permission on this folder to copy files.
So I am thinking: separate/isolated VLAN + HIPS software. McAfee have a HIP for desktop, which I will get some information on from them once I have worked out the time difference. With the separate VLAN, do I have to set up a second copy of the files? Because as soon as I give access to the first VLAN, it wouldn't be isolated any more. I have VLANs set up and can change ports etc., but this is the limit of my understanding.
The currently networked computer can be kept on the isolated VLAN as well if you wanted. Which OS is it running?
sarabande
2. As it is XP we have taken it off our network for security reasons
As told by masnrock, the simple scenario is to block the one XP machine from the internet. If you additionally deactivate all services on the XP which allow access to other devices from the XP or which expose its existence (like Computer Browser), you can still automate step 6 by allowing other computers to push files to a (hidden) share which is on the XP. I can't see any scenario which could use any insecure functionality on the XP as long as it is not connected to the internet and as long as it is isolated from other computers of the network by policies and configuration. I would even say that the current method over USB is more dangerous, as long as you can't protect operating systems from malicious code which is hidden in the firmware of the USB stick.
Sara
Jenny Coulthard
ASKER
Hi Everyone, thanks for the comments.
The other computers are running Windows 7 64bit that are on this workgroup and currently the software will only run under XP but that could possibly change.
I will look at the HIPS + deactivating all services on the XP possible + allow one other computer to push file to a hidden share at the XP + deleting all accounts that exist on other computers in the workgroup + if HIPS doesn't cover - Disable everything from the Windows Firewall including File Share, Remote Desktop, Internet, DNS
You need to be aware that XP requires SMBv1 so any connection will compromise things.
currently the software will only run under XP but that could possibly change. <-- I would see if you can change this. XP is so long dead that it has become really dangerous to have connected
Jenny Coulthard
ASKER
I know - unfortunately one quote for similar replacement software came in at $160,000 so for now we have a USB stick.
sarabande
You may use an old PC with Windows 7 and two network cards to work as a "bridge" from the main network to the XP PC. You would transfer your files safely via the main network to a share on the intermediate PC. Then, using the second network, you would transfer files by NetBIOS over TCP/IP (SMB). That could be done deferred by a job at the "bridge PC", and therefore the XP is not exposed on the common network.
Hi,
I'm not really sure using an old PC as a bridge would give the security required, but it links to a discussion I had with the local IT shop guy. Get a NAS with two network cards, turn off routing on the NAS. Connect the NAS to the workgroup and then to a second switch (or maybe this needs to be a router) to create a second network with no default gateway; the XP computer connects to the switch and can retrieve files from the NAS.
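
The deferred copy job on the "bridge PC" suggested earlier in the thread, as an added example that is not code from any participant: it moves files one way only, from an intake folder on the main network to the folder shared with the XP machine, and lets through nothing but regular files that carry the PDF header. The folder arguments, the size ceiling and the sample files are assumptions made for this illustration.

```python
import hashlib
import os
import shutil
import tempfile

MAX_BYTES = 500 * 1024 * 1024  # assumed size ceiling for a plate PDF

def is_plain_pdf(path):
    """Accept only regular, non-symlink .pdf files that start with the PDF magic."""
    if os.path.islink(path) or not os.path.isfile(path):
        return False
    if not path.lower().endswith(".pdf") or os.path.getsize(path) > MAX_BYTES:
        return False
    with open(path, "rb") as fh:
        return fh.read(5) == b"%PDF-"

def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def push_new_pdfs(intake_dir, xp_share_dir):
    """One-way copy intake -> XP-facing folder; returns {filename: sha256} sent."""
    sent = {}
    for name in sorted(os.listdir(intake_dir)):
        src = os.path.join(intake_dir, name)
        dst = os.path.join(xp_share_dir, name)
        if not is_plain_pdf(src) or os.path.exists(dst):
            continue  # skip non-PDFs; never overwrite what XP already has
        shutil.copyfile(src, dst)
        if sha256_of(dst) != sha256_of(src):
            os.remove(dst)  # drop a corrupted transfer
            continue
        sent[name] = sha256_of(src)  # hash kept as an audit record
    return sent

def demo():
    """Constructed sample: one PDF and one non-PDF file renamed to .pdf."""
    intake, share = tempfile.mkdtemp(), tempfile.mkdtemp()
    with open(os.path.join(intake, "leaflet.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n% constructed sample\n")
    with open(os.path.join(intake, "tool.pdf"), "wb") as fh:
        fh.write(b"MZ\x90\x00 constructed non-PDF bytes")
    first = push_new_pdfs(intake, share)
    second = push_new_pdfs(intake, share)  # rerun sends nothing new
    return first, second, sorted(os.listdir(share))

if __name__ == "__main__":
    print(demo())
```

The header check only filters out files that are not PDFs at all; it does not inspect PDF content, so it complements rather than replaces the HIPS and firewall measures discussed in the thread.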