The XP computer is not directly connected to the internet. However, it is on the LAN where it holds analogue faxes for manual processing by staff. The other computers on the LAN are all Windows 10 computers. The entire LAN is behind a 3rd party firewall.

Glorfindel

1 Answer

Although this XP machine is not directly accessible from the Internet and there might not be attack vectors through the analogue fax machines, being on the same LAN makes it a good target for lateral movement and gaining persistence on your network.

I'd put this XP machine on a separate VLAN and isolate it as much as possible, i.e. only allow the access that is mandatory for this legacy functionality. That could be e.g.

  • deny access from the machine to the Internet.
    • this must be done at the network level, as once someone is already inside he can modify the settings on the local machine
  • deny access from the machine to the LAN
    • there's no harm in assuming it could be compromised
  • allow limited access from the LAN to the machine
    • only the ports absolutely required
    • IDS/IPS on the traffic, if possible
    • if someone gets limited access to any of the LAN computers, he could use this to gain full access to this vulnerable XP machine.
Esa Jokinen
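The three rules above expressed as an inter-VLAN filter ruleset. This is an added illustration, not part of the answer: it assumes a Linux router running nftables sits between the VLANs (the question's 3rd-party firewall would carry equivalent rules), that the Windows 10 LAN is on interface `vlan10`, the XP host is alone on `vlan20` with the constructed address 192.168.20.10, the Internet uplink is `wan0`, and that SMB (TCP 445) is the only service staff need to reach on the XP host.

```nft
# Added example (assumed topology, not from the original post).
# vlan10 = Windows 10 LAN, vlan20 = isolated legacy VLAN holding the XP fax host,
# wan0 = Internet uplink. 192.168.20.10 and TCP 445 are constructed placeholders.
table inet legacy_isolation {
    # The only ports the LAN may open towards the XP host; extend only when required.
    set lan_to_xp_ports {
        type inet_service
        elements = { 445 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful handling: replies to connections permitted below are allowed,
        # malformed or untracked packets are dropped.
        ct state established,related accept
        ct state invalid drop

        # General LAN keeps its normal Internet access.
        iifname "vlan10" oifname "wan0" accept

        # Rule 1: XP VLAN -> Internet is denied on the network, not on the host,
        # so a compromised XP box cannot simply change a local setting to escape.
        iifname "vlan20" oifname "wan0" counter log prefix "xp-to-wan " drop

        # Rule 2: XP VLAN -> LAN is denied; the host is treated as if compromised.
        iifname "vlan20" oifname "vlan10" counter log prefix "xp-to-lan " drop

        # Rule 3: LAN -> XP only on the required ports and only to the XP host itself.
        # Logging new connections gives the IDS/IPS or SIEM a record of who touched it.
        iifname "vlan10" oifname "vlan20" ip daddr 192.168.20.10 tcp dport @lan_to_xp_ports ct state new counter log prefix "lan-to-xp " accept

        # Anything else crossing between the zones is dropped and logged for review.
        counter log prefix "legacy-drop " drop
    }
}
```

Loading this with `nft -f` and then watching the `xp-to-wan` and `xp-to-lan` log prefixes is a cheap detection: the XP host has no legitimate reason to initiate traffic out of its VLAN, so any hit on those rules is worth investigating.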