Jenny Coulthard

Is it possible to connect a Windows XP computer to a workgroup in a secure way?

The scenario:

1.      We have a Windows XP computer which runs an offline PDF to Print comparison.  
2.      As it is XP we have taken it off our network for security reasons
3.      The XP computer is attached to an A1 scanner which scans a printed leaflet
4.      The software then compares the printed scan against the original PDF used to generate the print plates
5.      For reprints this is OK as a copy of the original PDF already exists on the XP computer
6.      For new prints the user needs to go to another computer which is on WorkGroup, browse for the file, copy the original PDF to a USB, copy from the USB to the Windows XP computer, then run comparison

It is step 6 which I am trying to improve. Can I directly connect the XP computer to the networked computer using some sort of software that isolates but still allows a folder to be browsed and a file copied? I hope I have made this clear.

Tags: Windows XP, Networking, Network Security, Security, Cyber Security

Last Comment
Jenny Coulthard

8/22/2022 - Mon
John

If you connect this XP computer directly to a computer on the network, then it is exposed both ways (in and out) to the network and not isolated. There is nothing I know of to isolate XP when it is connected to the network. The security for XP is not that advanced and requires SMBv1, which is inherently insecure. So the simple answer here is no.
masnrock

You could isolate it. The simpler scenario is to block that one machine from the internet. A second one would be to isolate it into a separate VLAN that is blocked from the internet. It would definitely help if you installed some HIPS software on it as well.
Olgierd Ungehojer

You can save files over an isolated VLAN to some network folder on a server, with permission to save files only from the XP machine. And then you can give read-only permission on this folder to copy files.
Jenny Coulthard

ASKER
So I am thinking: separate/isolated VLAN + HIPS software. McAfee have a HIP for desktop, which I will get some information on from them once I have worked out the time difference. With the separate VLAN, do I have to set up a second copy of the files? Because as soon as I give access to the first VLAN, it wouldn't be isolated any more. I have VLANs set up and can change ports etc., but this is the limit of my understanding.
Sudeep Sharma

Though there are solutions above which are more standardized, you may want to look at a different approach altogether, which is below:
  1. Disable everything from the Windows Firewall including File Share, Remote Desktop, Internet, DNS etc.
  2. Install FileZilla Server run it over SSL and share the directory which would have the PDF Files.
  3. Then create the users who can access the FileZilla and the folder which can be accessed.
Thanks,
Sudeep
John

A VLAN can isolate the machine, but if you then connect it in the main system, it still exposes the main system.
masnrock

The currently networked computer can be kept on the isolated VLAN as well if you wanted. Which OS is it running?
sarabande

2.      As it is XP we have taken it off our network for security reasons

As told by masnrock, the simple scenario is to block the one XP machine from the internet. If you additionally deactivate all services on the XP which allow access to other devices from the XP or which expose its existence (like Computer Browser), you can still automate step 6 by allowing other computers to push files to a (hidden) share on the XP. I can't see any scenario which could use any insecure functionality on the XP as long as it is not connected to the internet and as long as it is isolated from other computers of the network by policies and configuration. I would even say that the current method over USB is more dangerous, as long as you can't protect operating systems from malicious code which is hidden in the firmware of the USB stick.

Sara
Jenny Coulthard

ASKER
Hi Everyone, thanks for the comments.

The other computers are running Windows 7 64bit that are on this workgroup and currently the software will only run under XP but that could possibly change.

I will look at the HIPS + deactivating all services on the XP possible + allow one other computer to push file to a hidden share at the XP + deleting all accounts that exist on other computers in the workgroup +  if HIPS doesn't cover - Disable everything from the Windows Firewall including File Share, Remote Desktop, Internet, DNS
John

You need to be aware that XP requires SMBv1, so any connection will compromise things.

currently the software will only run under XP but that could possibly change.   <-- I would see if you can change this. XP is so long dead that it has become really dangerous to have connected.
Jenny Coulthard

ASKER
I know - unfortunately one quote for similar replacement software came in at $160,000 so for now we have a USB stick.
sarabande

You may use an old PC with Windows 7 and two network cards to work as a "bridge" from the main network to the XP PC. You would transfer your files safely via the main network to a share on the intermediate PC. Then, using the second network, you would transfer files by NetBIOS over TCP/IP (SMB). That could be done deferred by a job on the "bridge PC", and therefore the XP is not exposed on the common network.

Sara
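
One way the deferred job on the "bridge PC" described above could look, as an added example that is not part of the original post: a Python script that moves files one way, from the share facing the main network to the share the XP machine reads, and passes only files that look like PDFs. The folder names, the size cap and the validation and quarantine steps are assumptions; the thread does not specify them.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

MAX_BYTES = 200 * 1024 * 1024  # assumed size cap for a print-ready PDF

def is_acceptable_pdf(path: Path) -> bool:
    """Accept only regular (non-symlink) *.pdf files that begin with the PDF magic."""
    if path.is_symlink() or not path.is_file():
        return False
    if path.suffix.lower() != ".pdf" or path.stat().st_size > MAX_BYTES:
        return False
    with path.open("rb") as fh:
        return fh.read(5) == b"%PDF-"

def transfer(inbox: Path, outbox: Path, quarantine: Path) -> dict:
    """Move valid PDFs from inbox (main-network share) to outbox (XP-side share).
    Anything else goes to quarantine. Returns {"moved": {name: sha256}, "rejected": [names]}."""
    result = {"moved": {}, "rejected": []}
    for item in sorted(inbox.iterdir()):
        if is_acceptable_pdf(item):
            digest = hashlib.sha256(item.read_bytes()).hexdigest()  # audit record
            tmp = outbox / (item.name + ".part")
            shutil.copyfile(item, tmp)           # file data only, no metadata
            os.replace(tmp, outbox / item.name)  # publish under the final name in one step
            item.unlink()
            result["moved"][item.name] = digest
        else:
            result["rejected"].append(item.name)
            shutil.move(str(item), str(quarantine / item.name))
    return result

def demo() -> dict:
    """Constructed sample input: one PDF and one non-PDF renamed to .pdf."""
    root = Path(tempfile.mkdtemp())
    inbox, outbox, quarantine = (root / n for n in ("inbox", "outbox", "quarantine"))
    for d in (inbox, outbox, quarantine):
        d.mkdir()
    (inbox / "leaflet.pdf").write_bytes(b"%PDF-1.4\n% constructed sample\n")
    (inbox / "invoice.pdf").write_bytes(b"MZ\x90\x00 constructed non-PDF")
    return transfer(inbox, outbox, quarantine)

if __name__ == "__main__":
    print(demo())
```

The header check only filters out files that are not PDFs; it does not inspect what a PDF contains.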
Jenny Coulthard

ASKER
Hi,
I'm not really sure using an old PC as a bridge would give the security required, but it links to a discussion I had with the local IT shop guy. Get a NAS with two network cards, turn off routing on the NAS. Connect the NAS to the workgroup and then to a second switch (or maybe this needs to be a router) to create a second network with no default gateway, and the XP computer connects to the switch and can retrieve files from the NAS.

Does this sound feasible?
Jenny Coulthard

ASKER
Thanks for all your comments.  I am going to use a hybrid of all suggestions:
Isolated VLAN
Bridging NAS with two network cards
HIPS