The short answer is that while you can't totally protect this system, you can practically protect it to a level as good or better then a general purpose PC running up-to-data antivirus, antimalware and regular Windows updates - if you limit its functionality enough.
There are risks (really of the unknown), but these risks are pretty small provided you have it behind a decent firewall and only allow requests to be initiated from it (as opposed to running any kind of world accessible server).
You should probably break attack scenarios into 3 kinds -
Script Kiddies / general asshats on the Internet who just see everyone
as a target.
Someone attacking from inside your network (either a co-worker or
someone like that, OR SOMEONE WHO'S system has been compromised).
People with the desire to launch a targeted attack at you.
You can - and in this case probably should isolate this machine from the rest of the network by putting this machine (and only this machine) behind a dedicated firewall (nat router with no open ports) or its own interface on a firewall - which cheaply pretty much eliminates problem 1 by turning the problem into a type 1 or 3.
For handling group (1) easily enough by not allowing them to gain access to your system. If you do anything which can fall to social engineering/uncontrolled content, you can't secure this system - by this I mean things like doing web browsing with a general purpose web browser. If you are able to limit the mechanisms used to interact with the Internet from this systems AND / CONTROL SANITIZE THE INPUT you should be OK -
[ In the respect of limiting input, data simply traversing the machine is a grey area - you will for the most part be OK because your system is just forwarding the packets, its not - or should not actually be interacting with them - unless an exploit at the routing/packet forwarding level is found - and these would be pretty hard to craft and pretty rare ]
With respect of (3) = Advanced Persistent Attack, it really does not matter if the box is running Windows or something else - sooner or later it will fall. How long it takes depends on how vigilant you are and what resources the attacker can command (but think about it, someone with enough authority could probably break in and physically steal the hardware, so this is probably not an attack you need to worry too much about)
Another couple of thoughts to throw in there - Have good backups - that way if something does go wrong your risk is limited. (And having it on a separate network to the rest of your system mitigates the damage it can do if it is compromised)
Why not just install Linux on bare metal? Or at the very least, export the VM, install Linux, then import the VM into virtualbox or the like. – EEAA – 2016-01-02T04:02:51.950
1Depends on how well it is firewalled from the internet. There are vulnerabilities in windows that don't require any user interaction to exploit. Even ones hackers keep secret and don't report. – cybernard – 2016-01-02T04:07:41.943
1@cybernard On the router it's just NAT. On the Windows XP machine it's just the default firewall. It's scary to think that hackers can penetrate this. NAT should mean they can't see me. Windows firewall should discard uncollicited traffic. Unless XP has a vulnerability at a low level, like where ethernet traffic is dealt with... or the firewall itself... what are my chances? – misha256 – 2016-01-02T04:24:29.500
Assuming your hardware router is configured properly for NAT and not forwarding any ports to the XP computer you have good start. You can not depend on the firewall built into XP. Have you updated your router's firmware, and googled the make and model to check for it for vulnerabilities and other hidden weakness. Yes, some routers have these. – cybernard – 2016-01-02T04:34:15.490
@EEAA It's a bit esoteric. The Linux VM obtains data from the internet and saves it to a samba-shared directory. The XP PC is running software that regularly processes this data. The catch is that the XP software outputs to two MIDI controller PCI cards. Now that can't be virtualized by any VM software I know of, so thats why XP has to run on bare metal. Will the setup run on Win7? If it did I wouldn't be in this predicament. – misha256 – 2016-01-02T04:34:21.170
@cybernard It's an Asus router, firmware upgrades seem to come through quite frequently and the router makes it very easy to do, so I can confidently say the router is in as good a shape as it can get. NAT is on, no port forwarding is enabled, all unnecessary services are disabled. The router does not have SPI firewall though. So it's just NAT. – misha256 – 2016-01-02T04:44:57.010
IS UPNP disabled in the router? – cybernard – 2016-01-02T04:48:26.480
Yes UPNP is disabled on the router, and also on the XP machine as per http://tweaks.com/windows/37087/completely-disable-universal-plug-and-play-upnp/
– misha256 – 2016-01-02T05:18:33.2171If you're tied to XP for the drivers, you could disable all non-essential services (like
Remote Registry
), and, since your VM has bridged networking, you could add aLoopback
virtual NIC to XP that you then bridge to the VM to use for your samba share, then set the physical NIC on XP to a static IP unrelated to your current network, keeping the physical NIC still bridged to the VM so the VM can access the internet, but not the XP host. Doing this at least limits the attack vectors that can be taken to a more manageable level. – txtechhelp – 2016-01-02T11:21:48.2172
You can hack the HP registry to get security updates until 2019, i have done this on 2 of my XP pc's and it continues to work, still getting updates every month....http://www.zdnet.com/article/registry-hack-enables-continued-updates-for-windows-xp/
– Moab – 2016-01-02T14:55:32.313@Moab Now that's something! – misha256 – 2016-01-02T21:19:51.530
he,he,he.........hope it helps you. – Moab – 2016-01-03T00:50:10.813
1
Also read the followup linked off the article @Moab pointed to. Quoting:
– dxiv – 2016-01-11T05:48:35.227Now and then, vulnerabilities come along that aren't fixed in XP, even in the embedded version. Cisco came across one recently in the vulnerability patched by Microsoft in November as MS14-063. This one did not show up in the list of vulnerabilities patched in embedded XP in November.
It's still a bit of a gamble, better than nothing but not foolproof.@dxiv All OS's have unknown zero day exploits. – Moab – 2016-01-11T16:35:10.263
Standard firewalling only protects you from exploits on ports that you don't need to share with the outside world, or computers that you know you can ignore. The remaining threats could be with any traffic that gets through the firewall, such as any potential vulnerabilities in the services that you do open up. – GuitarPicker – 2016-01-12T20:00:48.863