Is it possible to connect a Windows XP computer to a workgroup in a secure way?

The scenario:

1. We have a Windows XP computer which runs an offline PDF to Print comparison.
2. As it is XP we have taken it off our network for security reasons.
3. The XP computer is attached to an A1 scanner which scans a printed leaflet.
4. The software then compares the printed scan against the original PDF used to generate the print plates.
5. For reprints this is OK as a copy of the original PDF already exists on the XP computer.
6. For new prints the user needs to go to another computer which is on WorkGroup, browse for the file, copy the original PDF to a USB, copy from the USB to the Windows XP computer, then run comparison.

It is step 6 which I am trying to improve. Can I directly connect the XP computer to the networked computer using some sort of software that isolates but still allows a folder to be browsed and a file copied? I hope I have made this clear.
Jenny Coulthard, Information Technology Manager, Asked:
John, Business Consultant (Owner), Commented:
If you connect this XP computer directly to a computer on the network, then it is exposed both ways (in and out) to the network and not isolated. There is nothing I know of to isolate XP when it is connected to the network. The security for XP is not that advanced and requires SMBv1, which is inherently insecure. So the simple answer here is no.
You could isolate it. The simpler scenario is to block that one machine from the internet. A second one would be to isolate it into a separate VLAN that is blocked from the internet. It would definitely help if you installed some HIPS software on it as well.
Olgierd Ungehojer, Senior Network Administrator, Commented:
You can save files over an isolated VLAN to some network folder on a server, with permission to save files only from the XP machine. And then you can give read-only permission on this folder to copy files.
Jenny Coulthard, Information Technology Manager, Author Commented:
So I am thinking: separate/isolated VLAN + HIPS software. McAfee have a HIP for desktop, which I will get some information on from them once I have worked out the time difference. With the separate VLAN, do I have to set up a second copy of the files? Because as soon as I give access to the first VLAN, it wouldn't be isolated any more. I have VLANs set up and can change ports etc., but this is the limit of my understanding.
HIPS should be used whether you use the VLAN or not. If you use the VLAN, you can spell out WHICH hosts/subnets within your network have access to that VLAN.

As for your file question, you don't necessarily have to change anything in terms of storage.

BTW - I'm assuming the software that the XP system is running isn't available for a newer version of Windows?
Sudeep Sharma, Technical Designer, Commented:
Though there are solutions above which are more standardized, you may want to look at a different approach altogether, which is below:
  1. Disable everything from the Windows Firewall including File Share, Remote Desktop, Internet, DNS etc.
  2. Install FileZilla Server run it over SSL and share the directory which would have the PDF Files.
  3. Then create the users who can access the FileZilla and the folder which can be accessed.
John, Business Consultant (Owner), Commented:
A VLAN can isolate the machine but if you then connect it in the main system, it still exposes the main system.
The currently networked computer can be kept on the isolated VLAN as well if you wanted. Which OS is it running?
"2. As it is XP we have taken it off our network for security reasons"

As told by masnrock, the simple scenario is to block the one XP machine from the internet. If you additionally deactivate all services on the XP which allow access to other devices from the XP or which expose its existence (like Computer Browser), you can still automate step 6 by allowing other computers to push files to a (hidden) share which is on the XP. I can't see any scenario which could use any insecure functionality on the XP as long as it was not connected to the internet and as long as it would be isolated from other computers of the network by policies and configuration. I would even say that the current method over USB is more dangerous as long as you couldn't protect operating systems from malicious code which is hidden in the firmware of the USB stick.

Jenny Coulthard, Information Technology Manager, Author Commented:
Hi Everyone, thanks for the comments.

The other computers are running Windows 7 64bit that are on this workgroup and currently the software will only run under XP but that could possibly change.

I will look at the HIPS + deactivating all services on the XP possible + allow one other computer to push file to a hidden share at the XP + deleting all accounts that exist on other computers in the workgroup +  if HIPS doesn't cover - Disable everything from the Windows Firewall including File Share, Remote Desktop, Internet, DNS
John, Business Consultant (Owner), Commented:
You need to be aware that XP requires SMBv1 so any connection will compromise things.

"currently the software will only run under XP but that could possibly change." <-- I would see if you can change this. XP is so long dead that it has become really dangerous to have connected.
Jenny Coulthard, Information Technology Manager, Author Commented:
I know - unfortunately one quote for similar replacement software came in at $160,000 so for now we have a USB stick.
You may use an old PC with Windows 7 and two network cards to work as a "bridge" from the main network to the XP PC. You would transfer your files safely via the main network to a share of the intermediate PC. Then, using the second network, you would transfer files by NetBIOS over TCP/IP (SMB). That could be done deferred by a job at the "bridge PC" and therefore the XP is not exposed at the common network.
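
The deferred job on the "bridge PC" described in the comment above could look like the following. This is an added example, not code from any poster in this thread. It assumes Python 3 is installed on the intermediate machine, and the three folder arguments (an inbox share on the main network, an outbox share facing the XP, a quarantine folder) are hypothetical. The header/trailer check is a file-type sanity check, not a malware scan.

```python
import hashlib
import os
import shutil

MAX_BYTES = 200 * 1024 * 1024  # assumed upper bound for a print-ready PDF

def looks_like_pdf(path):
    """True only for a regular *.pdf file with a %PDF- header and an %%EOF trailer."""
    size = os.path.getsize(path) if os.path.isfile(path) and not os.path.islink(path) else -1
    if not path.lower().endswith(".pdf") or not 16 <= size <= MAX_BYTES:
        return False
    with open(path, "rb") as f:
        head = f.read(5)
        f.seek(max(0, size - 1024))   # the trailer marker sits near the end of the file
        tail = f.read()
    return head == b"%PDF-" and b"%%EOF" in tail

def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def transfer(inbox, outbox, quarantine):
    """One scheduled pass, inbox -> outbox only. Nothing is ever read back from outbox."""
    results = []
    for name in sorted(os.listdir(inbox)):
        src = os.path.join(inbox, name)
        if os.path.isdir(src):
            continue                                  # flat inbox only, never recurse
        if not looks_like_pdf(src):
            shutil.move(src, os.path.join(quarantine, name))
            results.append((name, "quarantined", None))
            continue
        digest = sha256(src)
        tmp = os.path.join(outbox, name + ".part")
        shutil.copyfile(src, tmp)
        if sha256(tmp) != digest:                     # copy damaged in transit: do not deliver
            os.remove(tmp)
            results.append((name, "copy-mismatch", digest))
            continue
        os.replace(tmp, os.path.join(outbox, name))   # XP side only ever sees complete files
        os.remove(src)
        results.append((name, "delivered", digest))   # keep the digest for an audit log
    return results
```

Run from a scheduled task on the intermediate machine, this leaves only the outbox folder shared on the XP-facing network card, so no host on the main network ever opens a connection to the XP computer.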

Jenny Coulthard, Information Technology Manager, Author Commented:
I'm not really sure using an old PC as a bridge would give the security required, but it links to a discussion I had with the local IT shop guy. Get a NAS with two network cards, turn off routing on the NAS. Connect the NAS to the workgroup and then to a second switch (or maybe this needs to be a router) to create a second network with no Default Gateway, and the XP computer connects to the switch and can retrieve files from the NAS.

Does this sound feasible?
John, Business Consultant (Owner), Commented:
To get what you want will require keeping your machines to do the job on a disconnected LAN (isolated VLAN) and then when all done, move the data on USB drive to your network.

If you cannot replace the system that needs XP, best to make it a virtual machine so it can last forever.
Yes, a NAS with two network cards would isolate the XP, which would not be exposed to other computers.

It looks like a good solution.

Jenny Coulthard, Information Technology Manager, Author Commented:
Thanks for all your comments.  I am going to use a hybrid of all suggestions:
Isolated VLAN
Bridging NAS with two network cards