Windows XP on a network, security concerns?

3

1

I have a scenario where I need to continue to run a Windows XP PC even though XP is long not supported by Microsoft.

The PC will be connected to my network, but only for the purpose of allowing a Linux virtual machine to access the internet via the PC's network connection. Nothing else on the PC will ever touch the internet.

What kind of security risks might I be exposed to here? I've always thought one needed to browse to a dodgy website or execute/open a malicious file in order for anything bad to happen. That can't happen on this PC (and the virtual machine uses bridged networking which means its traffic is well isolated).

  1. Can a Windows XP PC be exploited simply by being connected to a network, without user interaction?

  2. If there are risks, what practical steps can be taken to mitigate them while maintaining the physical configuration and functionality as is?

Bounty is open

A tremendous number of people must find themselves in a similar position, where they need to expose a legacy XP PC (or VM for that matter) to a network. That's why I'm offering 500 points, in the hope that we get a solid answer.

Downvoters: Don't be shy to leave a comment. I can improve the question, but only if I know what's wrong with it.

misha256

Posted 2016-01-02T04:01:03.767

Reputation: 10 292

Why not just install Linux on bare metal? Or at the very least, export the VM, install Linux, then import the VM into virtualbox or the like. – EEAA – 2016-01-02T04:02:51.950

1

Depends on how well it is firewalled from the internet. There are vulnerabilities in windows that don't require any user interaction to exploit. Even ones hackers keep secret and don't report. – cybernard – 2016-01-02T04:07:41.943

1

@cybernard On the router it's just NAT. On the Windows XP machine it's just the default firewall. It's scary to think that hackers can penetrate this. NAT should mean they can't see me. Windows firewall should discard unsolicited traffic. Unless XP has a vulnerability at a low level, like where ethernet traffic is dealt with... or the firewall itself... what are my chances? – misha256 – 2016-01-02T04:24:29.500

Assuming your hardware router is configured properly for NAT and not forwarding any ports to the XP computer, you have a good start. You cannot depend on the firewall built into XP. Have you updated your router's firmware, and googled the make and model to check it for vulnerabilities and other hidden weaknesses? Yes, some routers have these. – cybernard – 2016-01-02T04:34:15.490

@EEAA It's a bit esoteric. The Linux VM obtains data from the internet and saves it to a samba-shared directory. The XP PC is running software that regularly processes this data. The catch is that the XP software outputs to two MIDI controller PCI cards. Now that can't be virtualized by any VM software I know of, so that's why XP has to run on bare metal. Will the setup run on Win7? If it did I wouldn't be in this predicament. – misha256 – 2016-01-02T04:34:21.170

@cybernard It's an Asus router, firmware upgrades seem to come through quite frequently and the router makes it very easy to do, so I can confidently say the router is in as good a shape as it can get. NAT is on, no port forwarding is enabled, all unnecessary services are disabled. The router does not have SPI firewall though. So it's just NAT. – misha256 – 2016-01-02T04:44:57.010

Is UPnP disabled in the router? – cybernard – 2016-01-02T04:48:26.480

Yes, UPnP is disabled on the router, and also on the XP machine as per http://tweaks.com/windows/37087/completely-disable-universal-plug-and-play-upnp/ – misha256 – 2016-01-02T05:18:33.217

1

If you're tied to XP for the drivers, you could disable all non-essential services (like Remote Registry), and, since your VM has bridged networking, you could add a Loopback virtual NIC to XP that you then bridge to the VM to use for your samba share, then set the physical NIC on XP to a static IP unrelated to your current network, keeping the physical NIC still bridged to the VM so the VM can access the internet, but not the XP host. Doing this at least limits the attack vectors that can be taken to a more manageable level. – txtechhelp – 2016-01-02T11:21:48.217

2

You can hack the XP registry to get security updates until 2019. I have done this on 2 of my XP PCs and it continues to work, still getting updates every month. http://www.zdnet.com/article/registry-hack-enables-continued-updates-for-windows-xp/ – Moab – 2016-01-02T14:55:32.313

@Moab Now that's something! – misha256 – 2016-01-02T21:19:51.530

He, he, he... hope it helps you. – Moab – 2016-01-03T00:50:10.813

1

Also read the followup linked off the article @Moab pointed to. Quoting: "Now and then, vulnerabilities come along that aren't fixed in XP, even in the embedded version. Cisco came across one recently in the vulnerability patched by Microsoft in November as MS14-063. This one did not show up in the list of vulnerabilities patched in embedded XP in November." It's still a bit of a gamble, better than nothing but not foolproof. – dxiv – 2016-01-11T05:48:35.227

@dxiv All OSes have unknown zero-day exploits. – Moab – 2016-01-11T16:35:10.263

Standard firewalling only protects you from exploits on ports that you don't need to share with the outside world, or computers that you know you can ignore. The remaining threats could be with any traffic that gets through the firewall, such as any potential vulnerabilities in the services that you do open up. – GuitarPicker – 2016-01-12T20:00:48.863

Answers

4

"Security risks" here are kind of broad - the big issue here is XP isn't supported, and if there's some new threat targeting the many XP PCs still in the wild it won't get fixed. As such, if I listed security issues specifically, it would be a growing list. Windows XP is a static target with dynamically growing threats.

Of course, I've had an old XP PC exploited when it was the new, shiny awesome OS, and used by a skiddie to store warez so... it's certainly possible quite a few years on.

Let's look at a random long list of vulnerabilities I found on the internet:

The Security Account Manager Remote (SAMR) protocol implementation in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows Server 2012 Gold and R2 does not properly determine the user-lockout state, which makes it easier for remote attackers to bypass the account lockout policy and obtain access via a brute-force attack, aka "SAMR Security Feature Bypass Vulnerability."

So... Yeah, it's not just you. Basically any vulnerability found in XP stays open and MS isn't fixing it. Not all vulnerabilities rely on direct user stupidity. Any system visible over the internet is going to get poked, prodded and tested. NAT would obscure you, perhaps, but the bad guys would know it too.

Amusingly this is the one case where the XP PC makes sense.

In theory you can mitigate this to a large extent with very, very strict firewall rules, turning off any unnecessary services and keeping the system lean. Specifically, turn off anything that allows remote access of any sort, remote logins etc.

I'd consider a slightly different topology - I'd try a USB ethernet adaptor directly attached to the VM or, better yet, splitting off the data collection system, doing a point-to-point Ethernet connection on its own subnet so the XP box is contactable but not on the internet. In short, keep the XP box on its own little network.

It would be nice if you could find a Linux-style firewall that would drop anything outside specific IPs - then you could just drop any packets, anywhere, that aren't from the VM.

Journeyman Geek

Posted 2016-01-02T04:01:03.767

Reputation: 119 122

1

Your bounty is coming (you and davidgo both get it, I just accidentally gave it to davidgo first). You've come up with some really good practical suggestions which I will look into. The subnet and linux-firewall ideas are excellent. – misha256 – 2016-01-11T06:19:02.380
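The "drop anything that isn't from the VM" firewall the answer above wishes for, written out as an added example (not part of the answer, and not anyone's project code): an nftables ruleset for a small Linux box that routes between the XP PC's cable and the router. The subnet, the two addresses, the gateway role of the box (the router is assumed to have a route back to the XP-side subnet) and the assumption that SMB between the VM and the XP share never leaves the host are all mine.

```nft
#!/usr/sbin/nft -f
# Added example, not from the answer above. Assumed topology:
#   router  <->  [this Linux box]  <->  XP PC's NIC (bridged VM rides on it)
# The XP side is its own subnet, 192.168.50.0/24, with this box as gateway.
# Assumed addresses (constructed for the example):
define XP_HOST  = 192.168.50.10   # the XP installation itself
define LINUX_VM = 192.168.50.20   # the bridged VM, seen as a separate host

flush ruleset

table inet xp_isolation {
    chain forward {
        # Default deny in both directions; only the rules below let
        # anything through.
        type filter hook forward priority 0; policy drop;

        # Replies to connections the VM opened.
        ct state established,related accept

        # Only the VM may initiate traffic towards the router/internet.
        ip saddr $LINUX_VM ip daddr != $XP_HOST accept

        # SMB between the VM and the XP share is assumed to stay inside the
        # host (bridged guest <-> host adapter), so it never reaches this box
        # and needs no rule here.

        # The XP host gets no path out, and nothing from outside gets a path
        # in. Logging both makes an XP box that suddenly tries to reach the
        # internet, or an inbound probe aimed at it, visible in the kernel log.
        ip saddr $XP_HOST log prefix "xp-egress-blocked: " drop
        ip daddr $XP_HOST log prefix "xp-ingress-blocked: " drop
    }

    chain input {
        # The firewall box itself accepts nothing from either side beyond
        # replies to traffic it started.
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
    }
}
```

Load it with `nft -f <file>` on the firewall box and confirm from the XP PC that neither the router nor any internet address is reachable, while the VM still is.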

2

The short answer is that while you can't totally protect this system, you can practically protect it to a level as good as or better than a general purpose PC running up-to-date antivirus, antimalware and regular Windows updates - if you limit its functionality enough.

There are risks (really of the unknown), but these risks are pretty small provided you have it behind a decent firewall and only allow requests to be initiated from it (as opposed to running any kind of world accessible server).

You should probably break attack scenarios into 3 kinds:

  1. Script Kiddies / general asshats on the Internet who just see everyone as a target.

  2. Someone attacking from inside your network (either a co-worker or someone like that, or someone whose system has been compromised).

  3. People with the desire to launch a targeted attack at you.

You can - and in this case probably should - isolate this machine from the rest of the network by putting this machine (and only this machine) behind a dedicated firewall (NAT router with no open ports) or its own interface on a firewall - which cheaply pretty much eliminates problem 1 by turning the problem into a type 1 or 3.

You can handle group (1) easily enough by not allowing them to gain access to your system. If you do anything which can fall to social engineering/uncontrolled content, you can't secure this system - by this I mean things like doing web browsing with a general purpose web browser. If you are able to limit the mechanisms used to interact with the Internet from this system and control/sanitize the input, you should be OK.

[ In respect of limiting input, data simply traversing the machine is a grey area - you will for the most part be OK because your system is just forwarding the packets; it's not - or should not - actually be interacting with them, unless an exploit at the routing/packet forwarding level is found - and these would be pretty hard to craft and pretty rare. ]

With respect to (3) = Advanced Persistent Attack, it really does not matter if the box is running Windows or something else - sooner or later it will fall. How long it takes depends on how vigilant you are and what resources the attacker can command (but think about it, someone with enough authority could probably break in and physically steal the hardware, so this is probably not an attack you need to worry too much about).

Another couple of thoughts to throw in there - have good backups; that way if something does go wrong your risk is limited. (And having it on a separate network to the rest of your system mitigates the damage it can do if it is compromised.)

davidgo

Posted 2016-01-02T04:01:03.767

Reputation: 49 152

I wish I were important enough to have targeted attacks launched at me :-p But No. 2, being attacked from a compromised PC on the LAN, is something I did not consider. Damn good point. – misha256 – 2016-01-11T06:44:34.637