Any security benefit to leaving computers off a domain?

Eiolon

I have some Windows XP computers that will not be able to be upgraded before April. They are physically on the same subnet as other computers. Is there any security benefit if I were to remove them from the domain?
 
Well, I understand that much. But I am wondering with flaws that are in Windows XP that will no longer be patched, will it be just as easy to have systems that are on the domain to be compromised due to exploits that may be found on the XP systems?
 
Any flaw found after April will not be patched. I guarantee there will be root vulnerabilities out there. In terms of domain access, any compromised machine is then a doorway into your domain giving the malware, at the bare minimum, access to the domain resources that the logged in user has.
 
> Any flaw found after April will not be patched. I guarantee there will be root vulnerabilities out there. In terms of domain access, any compromised machine is then a doorway into your domain giving the malware, at the bare minimum, access to the domain resources that the logged in user has.


In fact one of the things security researchers are worried about is attacks being withheld until Windows XP is past the April deadline because the climate is just right (huge market share and easy attack surface).

The real question you're asking is how badly can a malicious machine impact your domain. The answer is obvious and subtle because nobody knows what attacks are not being thrown into the wild because of this perfect storm.
 
Removing them from the domain can have some positive effect, as they will no longer be able to access domain resources (unless any resources have the "Guest" account enabled and given perms).

On the other hand, security policies and other settings applied via GPO could also have a positive effect, which will no longer be relevant if the machines are removed from the domain.

6 of one, half-dozen of the other.
 
Alright, well, they don't need to be on the domain to do what they do so I will just remove them from it. Isolating them isn't practical because the machines need to communicate with everything else on the same subnet.

We are in a tough spot. We aren't allowed to touch them to upgrade them to Windows 7 or it will void our $20,000 a year service contract, and the software it runs supposedly doesn't even work with Win 7 anyway.
 
> Isolating them isn't practical because the machines need to communicate with everything else on the same subnet.

Keeping those machines on the network at all is what isn't practical. If they're not getting security updates, leaving them on the network is just asking for loads of trouble. At this point, you should be asking questions. Why can't you upgrade the computers to Windows 7? Is the software incompatible? Does it violate the terms of your licenses? Any competent human being should have known that at some point leading up to now those machines were going to need to be readied for Windows 7. If it's a management problem, you should be pushing back. If it means buying newer or different software, they should have budgeted for that. Expecting to be able to sit on XP until the end of the universe is a terrible decision worthy only of reprimanding. Tell whoever is in charge that if the machines aren't upgraded, they can no longer serve their purpose.

> We are in a tough spot. We aren't allowed to touch them to upgrade them to Windows 7 or it will void our $20,000 a year service contract, and the software it runs supposedly doesn't even work with Win 7 anyway.

Well for starters, why did you guys sign a contract that extends beyond the Windows XP support window? The contract should have been written to end when support for XP does. Second, you should get after the vendors/developers about supporting their software or getting after whoever purchases software licenses to buy a newer version or a competing product. If you have to run a no-longer supported operating system to use their software, their software is effectively non-functional and that's 100% useless.

If you can't upgrade the new machines to a capable operating system, you might as well toss them off of the roof, because they'd be just as useful afterwards. Don't get me wrong. I'm not saying this is your fault. But it is somebody's fault.
 
We have been pressuring them to get Windows 7 compatible software and systems installed for the last 2 years but the truth of the matter is we are peanuts to these guys. If we stopped paying our $20,000 it wouldn't matter to them. We are small fish in the industry for them.

However, we cannot just abandon ship. I am just going to guess but I think we have around $3 million invested since 2004. There is no way we could just switch to a competitor. There is no way our elected officials would sign off on that, which they would have to for it to happen.

By the way, I don't know the specifics of the contract. I wasn't involved in the agreement process. All I know is they are refusing to make software compatible for Vista, 7 or 8.
 
> We have been pressuring them to get Windows 7 compatible software and systems installed for the last 2 years but the truth of the matter is we are peanuts to these guys. If we stopped paying our $20,000 it wouldn't matter to them. We are small fish in the industry for them.
>
> However, we cannot just abandon ship. I am just going to guess but I think we have around $3 million invested since 2004. There is no way we could just switch to a competitor. There is no way our elected officials would sign off on that, which they would have to for it to happen.
>
> By the way, I don't know the specifics of the contract. I wasn't involved in the agreement process. All I know is they are refusing to make software compatible for Vista, 7 or 8.

Unfortunately, I'm in a similar boat with one of my contracts. It'd be nice to live in an ideal world where rational IT arguments are listened to, but unfortunately the real world has a way of biting us in the ass, don't it?

I'm not sure how much safer removing them from the domain is, however. Your workstations shouldn't be communicating with each other anyway (ideally, firewalled off from each other), so while you might *slightly* reduce your risk, you also increase administrative overhead in managing the systems, which wipes that reduction out and, in fact, increases the risk.

Instead, what about removing the XP machines' ability to access the internet? What I've done at one of my contracts is to remove all unnecessary software (Java, Flash? Lookin' at you) and remove the machines' ability to access the internet. In addition, all workstations run as limited users already, so while it's not perfect it will certainly reduce the risk.
 
Pffft.....Software companies refusing to quit working with XP. This doesn't surprise me one bit.

I would strongly suggest making images of the XP systems that are clean and working. That way, in case of infection, you can pull back the clean images. Let's hope you don't have any bad motherboards though, because replacing older hardware can be expensive, assuming you can even find the stuff.

XOR has the right idea. Block their outbound ability to make internet connections; that will help keep viruses from establishing footholds by file download. Now you will have to worry about worms or files passed around via USB. You might possibly VLAN off the XP machines so they can access the database or whatever your LOB app needs, but they can't touch any other network resources.

Also you might talk with the product's developer and your account manager about XP (if you can talk to them). Many times tech support will tell you there is no plan because no one has updated their scripts. But the development group may be testing Win7 or 8, or the account manager may know the timeline on upgrades.
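One way to put the advice from the two posts above (block the XP machines' internet access, keep them off other workstations, VLAN them so they reach only the LOB database) into practice on a Linux gateway that routes the XP VLAN. This is an added example, not anything posted in this thread; the XP subnet 192.0.2.0/24, the database server 198.51.100.10 on port 1433, and the management host 198.51.100.20 are constructed placeholders, and every denied packet is logged so the gateway also tells you when a terminal starts probing the rest of the LAN.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Constructed placeholders:
#   192.0.2.0/24        the VLAN holding the unpatched XP POS terminals
#   198.51.100.10:1433  the LOB database server the terminals must reach
#   198.51.100.20       the one admin host allowed to initiate toward them
# Anything else to or from the XP VLAN is logged and dropped.

define XP_NET = 192.0.2.0/24
define LOB_DB = 198.51.100.10
define MGMT   = 198.51.100.20

table inet xp_quarantine {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Only traffic touching the XP VLAN is inspected; the rest of the
        # LAN is routed as before.
        ip saddr $XP_NET jump from_xp
        ip daddr $XP_NET jump to_xp
    }

    chain from_xp {
        # Replies on connections the admin host opened toward a terminal.
        ct state established,related accept
        # The single new connection a terminal may open: the LOB database.
        ip daddr $LOB_DB tcp dport 1433 ct state new accept
        # No other LAN host and no internet: no HTTP, no DNS, no SMB.
        # Rate-limited log so a scanning terminal cannot flood syslog.
        limit rate 10/minute log prefix "xp-egress-drop: "
        drop
    }

    chain to_xp {
        # Database replies and anything else the terminal itself started.
        ct state established,related accept
        # Only the admin host may initiate a connection to a terminal.
        ip saddr $MGMT ct state new accept
        # Other workstations reaching the XP VLAN is how a worm spreads.
        limit rate 10/minute log prefix "xp-ingress-drop: "
        drop
    }
}
```

If the LOB client resolves the database server by name rather than address, add one rule to `from_xp` for the internal DNS server and nothing else; watching the `xp-egress-drop:` lines afterwards shows exactly what the terminals still try to reach.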
 
> Pffft.....Software companies refusing to quit working with XP. This doesn't surprise me one bit.
>
> I would strongly suggest making images of the XP systems that are clean and working. That way, in case of infection, you can pull back the clean images. Let's hope you don't have any bad motherboards though, because replacing older hardware can be expensive, assuming you can even find the stuff.
>
> XOR has the right idea. Block their outbound ability to make internet connections; that will help keep viruses from establishing footholds by file download. Now you will have to worry about worms or files passed around via USB. You might possibly VLAN off the XP machines so they can access the database or whatever your LOB app needs, but they can't touch any other network resources.
>
> Also you might talk with the product's developer and your account manager about XP (if you can talk to them). Many times tech support will tell you there is no plan because no one has updated their scripts. But the development group may be testing Win7 or 8, or the account manager may know the timeline on upgrades.


Funny, we are on the other end. We are developing new software in the health care field, and are refusing to support/allow XP systems since they are EOL. But the pushback from sales/project managers is ridiculous. There are a ton of offices still using XP, but it's not worth opening ourselves up to the potential security risks of their unpatched systems. It seems like once a week the VP of development and I have to explain (argue) to sales why they can't push running the software on XP, even as an unsupported option... Especially when I'll be on the hook if there is a problem...
 
> Funny, we are on the other end. We are developing new software in the health care field, and are refusing to support/allow XP systems since they are EOL. But the pushback from sales/project managers is ridiculous. There are a ton of offices still using XP, but it's not worth opening ourselves up to the potential security risks of their unpatched systems. It seems like once a week the VP of development and I have to explain (argue) to sales why they can't push running the software on XP, even as an unsupported option... Especially when I'll be on the hook if there is a problem...

Good for you. That's the kind of forward progress most software companies are ignoring. Don't support EOL operating systems since the security will be compromised.

Can any of these machines be virtualized/put on a terminal server? And internet access restricted?

That's actually a very good idea. OP needs to look at this as a viable solution. P2V his XP workstations. Then he could use VirtualBox or VMware Player to boot the images and keep his old systems while still upgrading. Or, instead of P2V if it'll be a pain, just set up a new VM with XP and install everything you will need. Then you can shut off the VMs when not needed, and backup is easy since you just export the VM.
 
> Can any of these machines be virtualized/put on a terminal server? And internet access restricted?

No. These are point of sale terminals. They have their own RFID antenna, credit card reader, thermal printer and barcode scanner attached.

Even then, our service agreement states we will use their hardware and only their hardware without modification, except to use our own anti-virus software. We can't even change the mouse or keyboard without placing a service call for them to do it.

Luckily, no one browses the Internet on the systems so we won't be getting malware from that. However, if there is a network threat, that is what we are worrying about.
 
> Was my first thought, there is no reason now to run XP on direct hardware anymore if you need it that bad.

Unfortunately there is. Ironically, today I just found out one of my dental clients has a digital pano machine with a PCI interface into their workstation. And, of course, the PCI card only works in XP. And because they're cheapskates, this shit was old when they bought it; I can't get a conversion kit or anything to upgrade the pano interface.

So unless they're up for dropping 80+G on a new digital pano, they're sticking with XP on that system, for now.
 
Some of our departments do medical research and they tend to never upgrade their equipment. Most of the time they come with computers built in or add on cards that only support whatever OS originally shipped with it.
When 2000 ended support there were still computers running that after 2 years. Hopefully it won't be that bad with XP.
 
> Unfortunately there is. Ironically, today I just found out one of my dental clients has a digital pano machine with a PCI interface into their workstation. And, of course, the PCI card only works in XP. And because they're cheapskates, this shit was old when they bought it; I can't get a conversion kit or anything to upgrade the pano interface.
>
> So unless they're up for dropping 80+G on a new digital pano, they're sticking with XP on that system, for now.


If the system is only used for that device, and not connected to the LAN/internet, what's the problem with that?
 
> Microsoft have said that they will stop supporting Windows till next year.
>
> http://www.bbc.co.uk/news/technology-25758308

That's like having a leaky house full of holes that keep getting bigger and more start to form, meanwhile you're just adding more and more buckets to try and catch all the water.

It's a very small gesture that solves nothing and if that's your only excuse for continuing to use XP then the user/organization has a serious problem. They would have been better off if they cut all XP support as intended years ago when Windows 7 proved itself before this Windows 8 debacle now scaring organizations into upgrading.
 
> Unfortunately there is. Ironically, today I just found out one of my dental clients has a digital pano machine with a PCI interface into their workstation. And, of course, the PCI card only works in XP. And because they're cheapskates, this shit was old when they bought it; I can't get a conversion kit or anything to upgrade the pano interface.
>
> So unless they're up for dropping 80+G on a new digital pano, they're sticking with XP on that system, for now.

Yup, I retract my statement, good ol' legacy stuff!
 