In the first part of my series regarding the presence of obsolete operating systems on your modern network, I explained how it’s not uncommon to see Windows XP in current production environments.

In this second part I’ll discuss ways in which you can bring these computers online, securely.

Introduction.

If the computer in question is in a production environment, controlling industrial machinery, then it shouldn’t be routinely connected to the internet without careful configuration of firewalls. In addition, you should image the contents of the hard disk and keep these machine-restorable backups in a secure location in case the computer is damaged in the future.  At Fingertip Solutions we use either Acronis True Image or Clonezilla for this task.

If the computer has to be imaged without being rebooted then True Image is the tool of choice, but it costs £34.99 per endpoint at the time of writing (True Image 2017 is the last version supporting installation directly onto Windows XP). Clonezilla is completely free, but you must reboot the computer to access it.  Some find Clonezilla’s text-mode Unix interface a little intimidating too, but it’s logical and easy enough to understand.

Firewall Configuration.

In terms of firewalling, as a minimum I’d recommend a hardware NAT router and firewall separating the production equipment from the rest of the production network (let alone the internet) such that they exist as follows:

Windows XP “relics subnet” –> Firewall / Router 1 –> Production subnet –> Firewall / Router 2 –> Internet

Firewall / Router 1 should be configured to permit TCP traffic on port 80 (HTTP) and port 443 (HTTPS), and TCP/UDP traffic on port 53 (DNS), to any destination.  If the computer talks to domain controllers, printers or any other custom application, then these should be permitted too, but ONLY to hosts on the production subnet.
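As an added illustration (not part of the original post), the Firewall / Router 1 policy above can be written down as data and used to audit flow records exported from the router. The subnet ranges, the allow-listed production hosts and ports, and the "src dst proto port" record format are all assumptions made for this example.

```python
import ipaddress

# Assumed addressing for this example; substitute your own ranges.
RELICS = ipaddress.ip_network("192.168.50.0/24")      # Windows XP "relics subnet"
PRODUCTION = ipaddress.ip_network("192.168.10.0/24")  # production subnet
ANY_DEST = {("tcp", 80), ("tcp", 443), ("tcp", 53), ("udp", 53)}  # HTTP, HTTPS, DNS

# Everything else is permitted ONLY to these production hosts (hypothetical).
PRODUCTION_ONLY = {
    ("192.168.10.5", "tcp", 389),    # domain controller, LDAP
    ("192.168.10.40", "tcp", 9100),  # network printer, raw printing
}

def evaluate(src, dst, proto, port):
    """Return (allowed, reason) for one flow arriving at Firewall / Router 1."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    service = (proto.lower(), int(port))
    if src_ip not in RELICS:
        return False, "source is not on the relics subnet"
    if service in ANY_DEST:
        return True, "HTTP/HTTPS/DNS permitted to any destination"
    if dst_ip not in PRODUCTION:
        return False, "other services must stay on the production subnet"
    if (str(dst_ip), *service) in PRODUCTION_ONLY:
        return True, "allow-listed production service"
    return False, "production host or port not allow-listed"

def audit(log_lines):
    """Return (flow, reason) for every record the policy would deny."""
    violations = []
    for line in log_lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and comments
        src, dst, proto, port = line.split()
        allowed, reason = evaluate(src, dst, proto, port)
        if not allowed:
            violations.append((line.strip(), reason))
    return violations

# Constructed flow records in an assumed "src dst proto port" format.
SAMPLE = [
    "192.168.50.21 203.0.113.10 tcp 443",    # HTTPS to the internet
    "192.168.50.21 192.168.10.5 tcp 389",    # LDAP to the domain controller
    "192.168.50.21 198.51.100.7 tcp 445",    # SMB to an internet address
    "192.168.50.21 192.168.10.77 tcp 3389",  # RDP to an unlisted production host
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE):
        print(f"DENY {flow}: {reason}")
```

Any record this reports means either the router is passing traffic the policy does not intend, or the allow-list is missing a service the XP machine genuinely needs.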

Venture Online (Tentatively!)

The chances are that the computer you’re using isn’t even at the most recent patch level (this means pre-April 2014, remember!) so the browsing experience using built-in browsers will be patchy at best. Internet Explorer 6 (loathed even back in 2001-2004 when it ruled the roost) is the default browser in Windows XP.  No modern website renders correctly in it, which can make venturing online a trying experience.

Chrome can be downloaded (just) using IE6 to navigate to https://www.google.com/chrome but will only install if XP has been patched as far as Service Pack 2.  There’s an added problem though:

Early-patch Windows XP only supports RC4-128 and AES-128 encryption.  “So what?” I hear you say … Well, the modern internet uses AES-256 as the base-level encryption for SSL and TLS encrypted websites, and that includes just about EVERY website that’s going to be useful to you.  Throw into the mix that the root certificates will also have expired and you’re going to be missing out on a lot of the web.

For example:

www.google.com

www.symantec.com

www.malwarebytes.com

www.avg.com

windowsupdate.microsoft.com

I guess you’re beginning to see the pattern… that last one always gives me a particular hoot.  Denied the updates you need because you missed the boat on updates! Harsh!

Your friend and hero here is an unlikely candidate – Mozilla Firefox (https://www.mozilla.org/en-US/firefox/new/).  Firefox is actually a very fine browser indeed. Overtaken and overshadowed by the young upstart Google Chrome, it’s still beloved by privacy advocates and people who have to wrangle Windows XP in the modern era. But WHY?

Simple – it has its own embedded cipher suite, and doesn’t rely on the underlying operating system.

This puts you in a position to update and harden the underlying operating system, which will be the basis for my next blog post.