
In our small business, we are using about 75 PCs. Servers and desktops/laptops are all up-to-date and are secured using Panda Business Endpoint Protection and Malwarebytes Business Endpoint Security (MBAM + Anti-Exploit).

However, in our production environment we have about 15 Windows XP PCs running. They are connected to the company network, mainly for SQL connectivity and logging purposes. They have limited write access to the servers.

The Windows XP PCs are only used for one dedicated (custom) production-application. No office software (email, browsing, office,...). Furthermore each of these XP-PCs has Panda web access control which does not allow Internet access. The only exceptions are for Windows and Panda Updates.

Is it necessary, from security point-of-view, to replace these Windows XP PCs with new PCs?

6 Answers

64

Is it necessary, from a security point of view, to replace these XP PCs with new PCs?

No, it's not necessary to replace the PCs. But it is necessary to upgrade those operating systems (this may also involve replacing those PCs - we don't know. But if they are running specialized hardware, then it may be possible to keep the PC).

There are so many real-world stories about supposedly "air-gapped" PCs being infected. This can happen regardless of your operating system, but having a super-old non-updated operating system makes it even more at risk.

Especially as it sounds like your computers are protected by a software restriction to block internet access. This is likely easy to bypass. (caveat: I've never heard of this Panda web access control, but it certainly looks like on-host software).

The problem you are likely to face is a lack of vendor cooperation. It is possible that vendors refuse to help, want to charge $100,000 for an upgrade, or have plain outright gone bankrupt and the IP thrown away.

If this is the case, this is something that the company needs to budget for.

If there really is no option but to keep a 16-year-old operating system running unpatched (maybe this is a million dollar CNC lathe or milling machine or MRI), then you need to do some serious hardware-based host isolation. Putting those machines on their own VLAN with extremely restrictive firewall rules would be a good start.

It would appear that you need some hand-holding in this regard, so how's this:

  • Windows XP is a 16 year old operating system. Sixteen years old. Let that sink in. I would think twice before buying a sixteen year old car, and they still make spare parts for 16 year old cars. There are no 'spare parts' for Windows XP.

  • By the sounds of it, you have poor host isolation. Let's say that something gets inside your network already. By some other means. Someone plugs in an infected USB stick. It's going to scan your interior network and propagate to anything that has a vulnerability it can exploit. A lack of internet access is irrelevant here because the phone call is coming from inside the house.

  • This Panda security product looks like it's software-based restrictions. Software can be bypassed, sometimes easily. I bet a decent piece of malware could still get out to the internet if the only thing stopping it is a piece of software running on top of the networking stack. It could just get admin privileges and stop the software or service. So they don't really have "no internet access" at all. This comes back to host isolation - with proper host isolation you could actually get them off the internet and maybe limit the damage they can do to your network.

Honestly though, you shouldn't need to justify replacing these computers and/or operating system. They will be fully depreciated for accounting purposes, they're likely well past the end of any warranty or support from the hardware vendor, they are definitely past any kind of support from Microsoft (even if you wave your titanium American Express in Microsoft's face, they still won't take your money).

Any company that is interested in reducing risk and liability would have replaced those machines years ago. There is little to no excuse for keeping workstations around. I listed some valid excuses above (if it's totally disconnected completely from any and all networks and lives in a closet and runs the elevator music I might - MIGHT - give it a pass). It sounds like you do not have any valid excuse for leaving them around. Especially now that you are aware that they are there, and you have seen the damage that can occur (I assume you were writing this in response to WannaCry/WannaCrypt).

19

Replacement might be overkill. Set up a gateway. The gateway machine should not run Windows; Linux is probably the best choice. The gateway machine should have two separate network cards. The Windows XP machines will be on one network on one side, the remainder of the world is on the other side. Linux will not route traffic.

Install Samba, and make shares for the XP machines to write to. Copy incoming files forward to the final destination. rsync would be the logical choice.

Using iptables, block all ports except those used for Samba. Block outbound Samba connections on the side that has XP machines (so that nothing can write to the XP machines) and *all* inbound connections on the other side (so nothing can write to the Linux machine at all) - perhaps with a single hardcoded exception for SSH, but only from the IP of your management PC.

To hack the XP machines now requires hacking a Linux server in between, which is positively rejecting all connections coming in from the non-XP side. This is what's known as defense in depth. While it's possible that some unlucky combination of bugs still exists that would allow a determined and knowledgeable hacker to bypass this, you'd be talking about a hacker that is specifically trying to hack those 15 XP machines on your network. Botnets, viruses and worms typically can bypass only one or two common vulnerabilities, and rarely can work across multiple Operating Systems.

MSalters
  • 700
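As an added example (not MSalters' own script, and not part of the original answer), a firewall script for the two-NIC gateway described above. The interface names eth0/eth1, the management PC address 10.0.0.5 and the Samba ports are assumptions; the script only prints the iptables commands unless it is run as root with IPT=iptables.

```shell
#!/bin/sh
# Added example: firewall for the two-NIC Linux gateway described in the answer.
# Interface names and the management IP are constructed placeholders.
# Dry run by default (prints the iptables commands); run as root with
# IPT=iptables to apply them.
set -eu

XP_IF="${XP_IF:-eth1}"          # NIC facing the XP machines (assumed name)
LAN_IF="${LAN_IF:-eth0}"        # NIC facing the rest of the company network
MGMT_IP="${MGMT_IP:-10.0.0.5}"  # the single management PC allowed to SSH in (placeholder)
IPT="${IPT:-echo}"

apply_gateway_rules() {
    # Default deny in every direction; the gateway never forwards packets,
    # so the XP subnet and the company LAN are only joined by the Samba share.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Return traffic for connections already accepted (Samba sessions, rsync pushes)
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # XP side: the XP machines may open Samba sessions to the gateway's shares
    # (NetBIOS 137/138 UDP, 139 TCP, SMB 445 TCP) ...
    $IPT -A INPUT -i "$XP_IF" -p tcp -m multiport --dports 139,445 -j ACCEPT
    $IPT -A INPUT -i "$XP_IF" -p udp -m multiport --dports 137,138 -j ACCEPT
    # ... but the gateway never opens a connection towards an XP machine,
    # so nothing on this box can write to them even if the box is compromised.
    $IPT -A OUTPUT -o "$XP_IF" -m conntrack --ctstate NEW -j DROP
    # LAN side: no inbound connections at all, except SSH from the management PC
    $IPT -A INPUT -i "$LAN_IF" -s "$MGMT_IP" -p tcp --dport 22 \
         -m conntrack --ctstate NEW -j ACCEPT
    # LAN side: the gateway itself may push the collected files onward with
    # rsync over SSH; it initiates, the file server only answers.
    $IPT -A OUTPUT -o "$LAN_IF" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # Anything else that tries to start a connection is logged before the policy drops it
    $IPT -A INPUT  -m conntrack --ctstate NEW -j LOG --log-prefix "xp-gw-drop: "
    $IPT -A OUTPUT -m conntrack --ctstate NEW -j LOG --log-prefix "xp-gw-drop: "
}

apply_gateway_rules
```

The "xp-gw-drop:" log lines are the detection side of this setup: any XP machine or LAN host trying something other than Samba-in or SSH-from-management shows up in the gateway's syslog.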
13

This weekend's news regarding WannaCry should have made it clear beyond any doubt that it is absolutely necessary to replace Windows XP and similar systems wherever possible.

Even if MS released an extraordinary patch for this ancient OS, there is no guarantee at all that this will happen again.

Sven
  • 100,763
5

We use some Windows XP machines for specific (legacy) software. We've tried to move as much as possible to virtual machines using Oracle VirtualBox (free), and I'd recommend you look at doing the same.

This gives several benefits:

Number 1 for you is that you can control the VM's network access very tightly from the outside (without installing anything inside Windows XP), and you benefit from the protection of the host machine's newer OS and any security software running on it.

It also means you can move the VM across different physical machines / operating systems as upgrades or hardware failures happen, back it up easily including being able to save a snapshot of "known good working" state before applying any updates/changes.

We use one VM per application to keep things super segregated. As long as you keep the boot drive UUID correct, the Windows XP install doesn't mind.

This approach means we can spin up a VM for a given task that has a minimal Windows XP install and the one piece of software required, with no extra cruft tacked on and nothing to trip it up. Throttling the machine's network access greatly reduces vulnerability and prevents Windows XP from surprising you with any updates which may break things or worse.

John U
  • 161
3

As someone suggested previously, consider strengthening the isolation towards the rest of the network.

Relying on on-machine software is weak (because it relies on the OS network stack which can be vulnerable itself). A dedicated subnet would be a good start and a VLAN-based solution better (this can be levered out by a determined attacker, but it will stop most "crimes of opportunity" attacks dead. NIC drivers need to support this, though). A dedicated physical network (via either a dedicated switch or port-based VLAN) is best.

-5

Yes, they need to be replaced. Anyone running Windows XP machines connected to any kind of network post-WannaCry is just asking for trouble.