36

In our small business, we are using about 75 PCs. Servers and desktops/laptops are all up to date and are secured using Panda Business Endpoint Protection and Malwarebytes Business Endpoint Security (MBAM + Anti-Exploit).

However, in our production environment we have about 15 Windows XP PCs running. They are connected to the company network, mainly for SQL connectivity and logging purposes. They have limited write access to the servers.

The Windows XP PCs are only used for one dedicated (custom) production application. No office software (email, browsing, office, ...). Furthermore, each of these XP PCs has Panda web access control, which does not allow Internet access. The only exceptions are for Windows and Panda updates.

Is it necessary, from a security point of view, to replace these Windows XP PCs with new PCs?

Peter Mortensen
Thomas VDB
    Do the XP machines have any connection to the outside world? Or the outside world have any connections inside? If they are all "strictly" internal... at my business, we have XP machines that are "disconnected" from the outside world (some actually not connected to anything) and have "proprietary" software that interacts with machinery that can't be replaced easily... Replacing them is a different question than say... replacing a Web Server. – WernerCD May 16 '17 at 23:19
    @Nav If the only vendors of an entire class of hardware only support windows, then of course they have to use windows. If that hardware lasts decades, they have to use Windows XP or 98. Or DOS. If the cost of switching all their legacy systems and retraining user is huge, then they do in practice. – Chris H May 17 '17 at 10:51
    @Nav that's an incredibly elitist attitude to have. To switch the vast majority of employees to a different operating system is a large cost and burden. And to say that Linux is "far better and safer" is naive. How do you even measure "better"? If Linux had the penetration that Windows has, there would be just as many exploits and risk for Linux. And there are _plenty_ of in-the-wild exploits that are aimed at Linux - have we already forgotten Heartbleed? Different operating systems have different pros and cons for each audience, and decisions should be made in that context. – Mark Henderson May 17 '17 at 11:38
    @Nav Windows in an office is a platform for MS Office oftentimes. And MS Office is still irreplaceable in many cases despite of 20 years of naivete about it in the open source community :) – rackandboneman May 17 '17 at 19:02
    "If Linux had the penetration that Windows has, there would be just as many exploits and risk for Linux." That's not true. Penetrating Linux has more value than Windows. It has been proven that Linux is more secure. But yeah, you are right about the rest. – Khajak Vahanyan May 18 '17 at 07:45
    @KhajakVahanyan In this year alone the [Linux kernel](https://www.cvedetails.com/top-50-products.php?year=2017) has the most distinct (public) vulnerabilities, nearly four times as many as Windows 2008. – Martheen May 18 '17 at 09:47
  • Isolate them. Completely! Move the logging servers into an isolated network with these. – Thorbjørn Ravn Andersen May 18 '17 at 11:39
  • P.S. Microsoft have indeed released an update for XP that fixed (at least the worm part of) this. If they cannot open emails etc. then that will suffice for now, but you should start a project to try to replace them long-term. – Milney May 18 '17 at 15:01

6 Answers

64

is it necessary from security point-of-view, to replace these XP-PC's with new PC's.

No, it's not necessary to replace the PCs. But it is necessary to upgrade those operating systems (this may also involve replacing those PCs - we don't know. But if they are running specialized hardware, then it may be possible to keep the PC).

There are so many real-world stories about supposedly "air-gapped" PCs being infected. This can happen regardless of your operating system, but having a super-old non-updated operating system makes it even more at risk.

Especially as it sounds like your computers are protected by a software restriction to block internet access. This is likely easy to bypass. (caveat: I've never heard of this Panda web access control, but it certainly looks like on-host software).

The problem you are likely to face is a lack of vendor cooperation. It is possible that vendors refuse to help, want to charge $100,000 for an upgrade, or have plain outright gone bankrupt and the IP thrown away.

If this is the case, this is something that the company needs to budget for.

If there really is no option but to keep a 16-year-old operating system running unpatched (maybe this is a million dollar CNC lathe or milling machine or MRI), then you need to do some serious hardware-based host isolation. Putting those machines on their own VLAN with extremely restrictive firewall rules would be a good start.


It would appear that you need some hand-holding in this regard, so how's this:

  • Windows XP is a 16 year old operating system. Sixteen years old. Let that sink in. I would think twice before buying a sixteen year old car, and they still make spare parts for 16 year old cars. There are no 'spare parts' for Windows XP.

  • By the sounds of it, you have poor host isolation. Let's say that something gets inside your network already, by some other means. Someone plugs in an infected USB stick. It's going to scan your interior network and propagate to anything that has a vulnerability it can exploit. A lack of internet access is irrelevant here because the phone call is coming from inside the house.

  • This Panda security product looks like it's software-based restrictions. Software can be bypassed, sometimes easily. I bet a decent piece of malware could still get out to the internet if the only thing stopping it is a piece of software running on top of the networking stack. It could just get admin privileges and stop the software or service. So they aren't really without internet access at all. This comes back to host isolation - with proper host isolation you could actually get them off the internet and maybe limit the damage they can do to your network.

Honestly though, you shouldn't need to justify replacing these computers and/or operating system. They will be fully depreciated for accounting purposes, they're likely well past the end of any warranty or support from the hardware vendor, they are definitely past any kind of support from Microsoft (even if you wave your titanium American Express in Microsoft's face, they still won't take your money).

Any company that is interested in reducing risk and liability would have replaced those machines years ago. There is little to no excuse for keeping workstations around. I listed some valid excuses above (if it's totally disconnected completely from any and all networks and lives in a closet and runs the elevator music I might - MIGHT - give it a pass). It sounds like you do not have any valid excuse for leaving them around. Especially now that you are aware that they are there, and you have seen the damage that can occur (I assume you were writing this in response to WannaCry/WannaCrypt).

Mark Henderson
    Hi, I will have to explain why it is necessary to replace these old XP PCs, despite the fact that they have no internet access. So is it possible to give me some (semi-)technical explanations of what situations could occur? The fact that the web access control is software-based is definitely a start. BTW, this is a link to Panda web access control: http://www.pandasecurity.com/usa/support/card?id=50074 – Thomas VDB May 16 '17 at 14:01
    @ThomasVDB I've added an update to my answer – Mark Henderson May 16 '17 at 15:03
19

Replacement might be overkill. Set up a gateway. The gateway machine should not run Windows; Linux is probably the best choice. The gateway machine should have two separate network cards. The Windows XP machines will be on one network on one side, the remainder of the world is on the other side. Linux will not route traffic.

Install Samba, and make shares for the XP machines to write to. Copy incoming files forward to the final destination. rsync would be the logical choice.

Using iptables, block all ports except those used for Samba. Block outbound Samba connections on the side that has XP machines (so that nothing can write to the XP machines) and **all** inbound connections on the other side (so nothing can write to the Linux machine at all) - perhaps with a single hardcoded exception for SSH, but only from the IP of your management PC.

To hack the XP machines now requires hacking a Linux server in between, which is positively rejecting all connections coming in from the non-XP side. This is what's known as defense in depth. While it's possible that some unlucky combination of bugs still exists that would allow a determined and knowledgeable hacker to bypass this, you'd be talking about a hacker that is specifically trying to hack those 15 XP machines on your network. Botnets, viruses and worms typically can bypass only one or two common vulnerabilities, and rarely can work across multiple Operating Systems.

MSalters
    That might work. PFSense or monowall would work here, no? The PC's should still be able to connect to our SQL Server. – Thomas VDB May 16 '17 at 18:02
    Yeah, or instead of a gateway machine you just buy a small but capable router (Mikrotik) for like USD 40. Finished. Uses way less power. – TomTom May 16 '17 at 20:56
  • -1 because this will not solve the OP's problems. – James Snell May 17 '17 at 11:37
    @JamesSnell: That's not a helpful comment. Why won't it help? What concrete security threat can you name that bypasses this setup? – MSalters May 18 '17 at 06:45
    @ThomasVDB: The point of a gateway running iptables and Samba is that the IP packets are either dropped (not SMB) or handled by a capable, modern implementation. This means the XP machines will **only** receive IP packets generated by Samba on the Linux machine. These are known not to be malformed. A router, as TomTom suggests, will forward IP packets, but a router doesn't know about the SMB protocol and will forward bad packets like those that triggered WannaCry. Yes, not checking is more energy-efficient, but security should be the chief priority here. – MSalters May 18 '17 at 09:31
  • @MSalters - it would be easier to ask how introducing a 'foreign' operating system with a high management bar (and therefore cost) where there are few existing skills in the organisation would help at all. Frankly the whole thing is just 'I heart linux', not a solution that fits the OP's needs. – James Snell May 18 '17 at 16:50
  • @MSalters You are a little bit ignorant about routers these days, it seems. You suggest iptables - I do the same, just on a 25 USD little hardware that actually runs Linux internally ;) No sense in putting up something sucking up more electricity and being more expensive. Mikrotik has a ton of firewall functionality. – TomTom May 20 '17 at 15:17
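The gateway MSalters describes above (two NICs, no routing between them, Samba shares on the XP side, rsync pushing the files onward, iptables dropping everything else, SSH only from one management host) written out as an added example. This is not code from the answer or from any product; the interface names eth0/eth1, the management IP 192.0.2.10, and the share and rsync paths are assumptions. The ruleset is printed by `gateway_rules` so it can be reviewed before being piped to `sh` as root on the gateway.

```shell
#!/bin/sh
# Added example (not from the answer): a two-NIC Linux gateway between the XP
# segment and the rest of the company network. Interface names, the management
# IP and the share paths are assumptions, not values taken from the page.

XP_IF="${XP_IF:-eth1}"            # NIC facing the XP machines (assumed name)
WAN_IF="${WAN_IF:-eth0}"          # NIC facing the rest of the network (assumed)
MGMT_IP="${MGMT_IP:-192.0.2.10}"  # only host allowed to SSH in (documentation range)

# Print the complete iptables ruleset for review. $1 = XP-side NIC,
# $2 = outside NIC, $3 = management host IP.
gateway_rules() {
    xp_if="$1"; wan_if="$2"; mgmt_ip="$3"
    cat <<EOF
# no IPv4 forwarding: the gateway is a file drop, not a router between segments
sysctl -w net.ipv4.ip_forward=0
iptables -F
iptables -X
# default deny in every direction; FORWARD stays DROP so nothing crosses the box
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# replies belonging to connections the gateway already accepted or initiated
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# XP side: only SMB/CIFS toward the Samba shares on this host
iptables -A INPUT -i $xp_if -p tcp --dport 445 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $xp_if -p tcp --dport 139 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $xp_if -p udp --dport 137:138 -j ACCEPT
# XP side: the gateway never opens a connection toward an XP machine
iptables -A OUTPUT -o $xp_if -m conntrack --ctstate NEW -j DROP
# outside: no inbound connections at all, except SSH from the management PC
iptables -A INPUT -i $wan_if -p tcp -s $mgmt_ip --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# outside: the gateway may push collected files to the destination over SSH
iptables -A OUTPUT -o $wan_if -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Forward whatever the XP machines dropped into a share to its real destination.
# $1 = local Samba share path, $2 = rsync target such as user@host:/path (both assumed).
forward_share() {
    rsync -a --remove-source-files "$1"/ "$2"
}

# Apply the reviewed ruleset; run as root on the gateway.
apply_gateway_rules() {
    gateway_rules "$XP_IF" "$WAN_IF" "$MGMT_IP" | sh
}

# Typical use on the gateway (left commented so the script is safe to source):
# apply_gateway_rules
# forward_share /srv/samba/xp-logs loghost.example:/var/log/xp-incoming
```

The XP machines can only ever talk to a current Samba implementation on the gateway, and the only packets that reach them are replies to connections they opened themselves; the outside can only reach the gateway over SSH from one address. The SQL connectivity mentioned in the question is deliberately not opened here, since the answer's design only carries files.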
13

This weekend's news regarding WannaCry should have made it clear beyond any doubt that it is absolutely necessary to replace Windows XP and similar systems wherever possible.

Even if MS released an extraordinary patch for this ancient OS, there is no guarantee at all that this will happen again.

Sven
    Yes, but don't these viruses enter the company by email and browsing the web? Is this not covered by the fact that these PCs have no internet access? I am sure that XP PCs are unsafe when used for desktop applications. But running only one app with no internet access must be a different situation? Or what am I missing? – Thomas VDB May 16 '17 at 14:12
    But they are connected to an SQL server. What happens if that gets infected with another malware next time and uses a potential hole in the SQL server client implementation? As long as there is any connection to other systems, there is potential danger. – Sven May 16 '17 at 14:25
    @ThomasVDB: WannaCry has two ways to distribute itself. Email attachments are one, but a second method was via file shares. In particular, **file shares** using the older SMBv1 protocol. Microsoft had released patches specifically for that issue back in March 2017. However, as XP was out of support then, Microsoft initially did not release an XP version of that SMBv1 patch. They reversed that decision now that WannaCry has hit, but _only_ for this specific problem. – MSalters May 16 '17 at 15:37
    `Yes, but don't these viruses enter the company by email and browsing the web? Is this not covered by the fact that these PC's have no internet access?` - **"I don't lock my bedroom windows because they're on the second floor and there's no ladder outside"** is a justification that never once stopped a burglar from burglarizing a home. If these machines fall under your purview and your responsibility then you need to patch them, regardless of what you think the likelihood is of them being compromised. – joeqwerty May 17 '17 at 00:51
  • That will stop a burglar that has plenty of houses with open ground level windows available. Determined attacker (technically skilled disgruntled employee or corporate spy) vs opportunist attacker (malware, vandals, botnet builders). – rackandboneman May 17 '17 at 19:09
  • @rackandboneman Given enough time anything that is currently one step away from automation will get automated. And this is also true for attacks you might endure. No professional trusts in security by obscurity. And no-one should consider there being easier targets as a good argument for being safe. And let's not conflate one burglar with a botnet / malware builder. There is real competition out there with botnets trying to outdo each other; the better analogy would be a burglar trying to get a trophy for most houses burgled. – Reaces May 17 '17 at 19:22
  • Oh, SBO is not to be trusted, but still an ally. And often the deciding factor, in practice, in whether a vulnerable system in an environment of non-targeted attacks falls or stands - or how many stand and how many fall (of course this only makes a difference when loss of service, not theft of data is the risk!). – rackandboneman May 17 '17 at 19:45
  • @MSalters To add to this: WannaCry had *remarkable* impact because people had not (yet) updated their system with 6 week old updates. Keeping XP alive is like not updating for 3 years ... – Hagen von Eitzen May 19 '17 at 08:22
5

We use some Windows XP machines for specific (legacy) software, we've tried to move as much as possible to virtual machines using Oracle VirtualBox (free), and I'd recommend you look at doing the same.

This gives several benefits:

Number 1 for you is that you can control the VM's network access very tightly from the outside (without installing anything inside Windows XP), and you benefit from the protection of the host machine's newer OS and any security software running on it.

It also means you can move the VM across different physical machines / operating systems as upgrades or hardware failures happen, back it up easily including being able to save a snapshot of "known good working" state before applying any updates/changes.

We use one VM per application to keep things super segregated. As long as you keep the boot drive UUID correct, the Windows XP install doesn't mind.

This approach means we can spin up a VM for a given task that has a minimal Windows XP install and the one piece of software required, with no extra cruft tacked on and nothing to trip it up. Throttling the machine's network access greatly reduces vulnerability and prevents Windows XP from surprising you with any updates which may break things or worse.

Peter Mortensen
John U
  • This can give you problems if the custom software is there to drive custom hardware :) In any other cases, VMs and snapshots allow you a really "dirty" strategy if needed: Run until hacked, restore from snapshot, rinse, repeat :) Make sure nothing else gets hit, though :) – rackandboneman May 19 '17 at 09:41
  • True, but these days VMs are surprisingly good at most of that, and the fact you can run it on a host machine that's 10x as powerful helps. If the special software is doing something especially vulnerable then you don't have a lot of options but as you say, at least it's just a cloned VM that gets hacked and you can nuke it & start from fresh easily. – John U May 19 '17 at 09:51
  • I was thinking "driving oddball ISA cards like GPIO, DAC/ADC or IEEE-488 interfaces" :) One of the classic reasons to have ancient OS environments around. – rackandboneman May 19 '17 at 09:55
  • Well yeah, although these days you're only a Raspberry Pi or Arduino away from replicating or interfacing that sort of thing. – John U May 19 '17 at 11:02
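The host-side controls John U's answer relies on (the VM's network access decided outside the guest, a known-good snapshot taken before any change, one VM per application) as an added example using VirtualBox's `VBoxManage` command line. This is not code from the answer; the VM name `xp-app`, the internal network name `xp-isolated` and the snapshot label are assumptions. With `DRY_RUN=1` the functions print the commands instead of executing them, so the policy can be checked on a machine without VirtualBox.

```shell
#!/bin/sh
# Added example (not from the answer): lock down an XP guest's network from the
# host side and snapshot it before changes. VM name, internal network name and
# snapshot label are assumptions.

VM="${VM:-xp-app}"               # assumed VM name
INTNET="${INTNET:-xp-isolated}"  # host-internal network, never bridged to the LAN

# DRY_RUN=1 prints each VBoxManage command instead of running it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Put NIC 1 on an internal network that only other VMs on this host can see and
# disable the remaining NICs, so nothing inside the guest can reach the LAN
# directly; any path to the company network has to go through the host.
isolate_vm_network() {
    vm="$1"; net="$2"
    run VBoxManage modifyvm "$vm" --nic1 intnet --intnet1 "$net"
    run VBoxManage modifyvm "$vm" --nic2 none
    run VBoxManage modifyvm "$vm" --nic3 none
    run VBoxManage modifyvm "$vm" --nic4 none
}

# Pull the virtual cable entirely while the application does not need the network.
unplug_vm() {
    run VBoxManage modifyvm "$1" --cableconnected1 off
}

# Record the known-good state before touching anything inside the guest.
snapshot_known_good() {
    run VBoxManage snapshot "$1" take "$2" --description "known good before change"
}

# Throw away whatever happened since the snapshot (the "restore, rinse, repeat"
# strategy from the comments) and start clean again.
rollback() {
    run VBoxManage snapshot "$1" restore "$2"
}

# Apply the whole policy to the default VM.
harden_xp_vm() {
    isolate_vm_network "$VM" "$INTNET"
    snapshot_known_good "$VM" "known-good"
}

# Typical use (commented out so sourcing the script changes nothing):
# harden_xp_vm
# rollback "$VM" known-good
```

Because the guest's only NIC sits on a host-internal network, the host's firewall and any proxying the host does are the only way packets leave the VM, which is the "control from the outside, without installing anything inside Windows XP" point of the answer.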
3

As someone suggested previously, consider strengthening the isolation towards the rest of the network.

Relying on on-machine software is weak (because it relies on the OS network stack which can be vulnerable itself). A dedicated subnet would be a good start and a VLAN-based solution better (this can be levered out by a determined attacker, but it will stop most "crimes of opportunity" attacks dead. NIC drivers need to support this, though). A dedicated physical network (via either a dedicated switch or port-based VLAN) is best.

Peter Mortensen
rackandboneman
-5

Yes, they need to be replaced. Anyone running Windows XP machines connected to any kind of network post-WannaCry is just asking for trouble.

Peter Mortensen