I have a client that has a couple of machines that are built to cut kitchen tables. These machines still run on Windows XP and are connected to the internet.

Now I need to find a way that these people can run these machines as safely as possible without updating the OS (not possible, I asked the manufacturer of the machines).

The problem is that these machines need to be connected to the internet so that the manufacturer can push updates to them.

What is a best practice to keep these machines working and connected to the internet as safe as possible?

Zozala

  • Is it necessary to *push* those updates? Can't they plug in a USB stick with the update? – Luc Feb 04 '20 at 17:29
  • The internet connection is the big risk here. Any means to cut that connection will get you far. Even better if it's not connected to the company network, either. – schroeder Feb 04 '20 at 17:30
  • Do the machines run XP due to physical reasons (e.g. strange form factor + limited RAM) or logical reasons (e.g. software that only runs on XP)? If the former, one can try to run the machine as a thin client and run the real apps elsewhere. – billc.cn Feb 28 '20 at 18:51

3 Answers

It is not that uncommon to have these out-of-support and vulnerable machines in an organisation. It's important to perform a risk assessment to determine the impact of any vulnerabilities.

High-Level Risk Assessment

Threats:

  • Internet connections mean that remote threats are a problem
  • Local network connections mean that threats within the network (or remote threats that have gained access to the network) are a problem
  • Local physical access to the machine means that anyone who can interact with the machine can be a problem

Impact:

  • Network connections mean that the machine can be used to attack the rest of the network.
  • Any access means that any sensitive data on the machine is at risk (if there is sensitive data on it, like manufacturing designs)
  • Any access means that configurations or machine settings can be maliciously (and dangerously) changed

Mitigations:

  • reduce or eliminate network connections
  • reduce or eliminate physical access to the machines by unauthorised people

Your Specific Case

Without knowing more specific requirements for the machine in your company:

If you need Internet access (and it truly cannot be replaced by some other measure) then you need to cut it off from the rest of your network as much as possible, allow it to receive connections only from the manufacturer, and block it from making connections out. Your perimeter and internal firewalls come into play here to design a new network. You also want to be able to monitor and recover from any anomalies that occur on the machine.

What I have done in similar situations is to turn the machine into a Virtual Machine (VM), and use VM tools to snapshot, revert, etc. and use the hypervisor to control access, networking, and monitoring. Virtualising the machine is not always possible, however.

schroeder

  • [+1] Very comprehensive answer by schroeder, as usual. It can't be overstated how important it is to host this machine on its own subnet (isolated from the rest of the network), and to use a hardware firewall in front of this machine to block all incoming connections, and only allow outgoing connections to trusted servers. – mti2935 Feb 04 '20 at 21:44

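The isolation design described in this answer (own subnet, new connections only from the manufacturer, nothing initiated by the XP machine) written out as an nftables ruleset for a Linux perimeter firewall. This is an added example, not code from the answer; the interface names, addresses and update port are assumed placeholders that would be replaced with the values the manufacturer supplies.

```nftables
#!/usr/sbin/nft -f
# Added example: isolate a legacy XP host behind a Linux perimeter firewall.
# All interface names, addresses and the update port are constructed placeholders.

define wan_if      = "eth0"          # upstream / internet side
define lan_if      = "eth1"          # company LAN
define legacy_if   = "eth2"          # dedicated subnet holding only the XP machine
define xp_host     = 10.50.0.10      # the cutting machine (assumed address)
define vendor_host = 203.0.113.20    # manufacturer update server (placeholder)
define update_port = 443             # port the vendor pushes updates to (assumed)

flush ruleset

table inet legacy_isolation {
    chain forward {
        # Default deny: anything not explicitly permitted below is dropped.
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections that were already permitted.
        ct state established,related accept

        # The legacy subnet never talks to the company LAN, in either direction,
        # so a compromised XP host cannot be used to attack the rest of the network.
        iifname $legacy_if oifname $lan_if drop
        iifname $lan_if oifname $legacy_if drop

        # The single permitted new connection: vendor -> XP machine, update port only.
        # (Any DNAT needed to reach the private address is outside this ruleset.)
        iifname $wan_if oifname $legacy_if \
            ip saddr $vendor_host ip daddr $xp_host tcp dport $update_port \
            ct state new accept

        # The XP machine may not initiate anything itself (no browsing, no SMB,
        # no callbacks from malware). Log attempts, rate limited, then the chain
        # policy drops them; these log lines are the anomaly signal to monitor.
        iifname $legacy_if ct state new \
            limit rate 10/minute log prefix "legacy-xp-outbound-denied: "
    }
}
```

Load with `nft -f` and confirm with `nft list ruleset`; a denied attempt from the XP host shows up in the kernel log with the `legacy-xp-outbound-denied:` prefix.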
Think about possible threats. How could an attacker gain access to the system?

  • An attacker could monitor the internet connection and block the updates or insert fake updates.
    => To protect against modified (malicious) updates, the updates could be cryptographically signed.
  • A computer in the network could be infected and try to infect the XP machine.
    => Try to disconnect it from the local network, or firewall the system in a way that it can only communicate with the update servers.
  • An employee may use the browser to quickly look something up, no harm done.
    => If the firewall (that blocks connections to everything except the update server) isn't possible, you can still prevent drive-by malware by uninstalling (or making inaccessible) things like a browser and disallowing the user from installing such things.
  • Etc.
Luc

A two-tiered solution can be used here:

  1. Install a perimeter firewall and cut all protocols NOT needed for an update (take care of zero-day vulnerabilities, such as the SMB protocol vulnerability for XP, for example). The firewall should at least be capable of deep packet inspection. Install a firewall antivirus (it will download to somewhere safe, scan it, then release it to the end computers).
  2. Deploy an up-to-date, well-defended system as a staging area for updates: the idea is that you download patches to that machine first, then, after scanning, distribute them to the XP machines.

You will need to contact the vendor of the update and gather information such as which port/protocol/file extension/signature they use, to be able to validate and allow only their traffic.

Voila, you are good to go.

Rashad Novruzov

  • @downvoters: please comment when there is something to be improved about a post, especially when a post goes (or is) negative, and especially when downvoting people that aren't veterans and don't have thousands of reputation points. – Luc Feb 05 '20 at 09:33