XP: any way to have it available on a network but not online?

Jon55 (2[H]4U, joined Jul 7, 2008, 2,349 messages):
I have someone who is running an SQL server on a fully up to date XP machine, but it's still XP regardless. The thing only lives to serve up the SQL database, and only needs to be accessed on the internal network. My question: is there any way to keep this XP machine available on the network (and the SQL database with it), but NOT allow it to access the internet?
 
Sure; you can play with the routing tables or remove the default gateway, but it's going to be a nightmare.

Why not replace it with an updated machine with the same name? It should be pretty easy to move the SQL data over to a new machine.
 
> Sure; you can play with the routing tables or remove the default gateway, but it's going to be a nightmare.
>
> Why not replace it with an updated machine with the same name? It should be pretty easy to move the SQL data over to a new machine.

I had originally tried this. The issue wasn't at all with SQL, it was with the software that utilizes the SQL database. It's an older unsupported program that had some specific username/password associations, and nobody had the original user/pass info. Essentially, moving the SQL database was easy, but configuring the software which uses that database wasn't going to happen.
 
Is it in a business environment? Are there VLANs? All it takes is a couple of ACLs applied to the VLAN the box is on. You can deny all traffic except for the port that is needed for the software to connect to the database.

I can't remember how robust the firewall was on XP but you can definitely use a firewall on the pc itself to lock the box down. That or if you are running an antivirus solution that has a firewall component. You just need something that allows you to block all traffic except for the couple of services you need.

EDIT: It doesn't appear you can really lock down outbound traffic on XP using the built in firewall.
 
> Is it in a business environment? Are there VLANs? All it takes is a couple of ACLs applied to the VLAN the box is on. You can deny all traffic except for the port that is needed for the software to connect to the database.
>
> I can't remember how robust the firewall was on XP but you can definitely use the firewall on the pc itself to lock the box down. That or if you are running an antivirus solution that has a firewall component. You just need something that allows you to block all traffic except for the couple of services you need.

Awesome, I'll look into these ideas. Thanks!
 
> I have someone who is running an SQL server on a fully up to date XP machine, but it's still XP regardless. The thing only lives to serve up the SQL database, and only needs to be accessed on the internal network. My question: is there any way to keep this XP machine available on the network (and the SQL database with it), but NOT allow it to access the internet?

Can't you just put it on its own network address range, and forward the SQL server port to it?
 
If your company still relies on some ancient software that won't run without XP and for which nobody knows the credentials, your IT admin should start looking for a new job - as a janitor or a cleaner possibly.

Or perhaps you have no IT admin to plan these things and it's a legacy of someone who used to work there, as is typical in small businesses :)
 
I hope someone has made a disaster recovery plan if this thing ever goes belly up. If it hasn't been done already I would virtualize that system and make sure it does nightly backups.
 
> If your company still relies on some ancient software that won't run without XP and for which nobody knows the credentials, your IT admin should start looking for a new job - as a janitor or a cleaner possibly.
>
> Or perhaps you have no IT admin to plan these things and it's a legacy of someone who used to work there, as is typical in small businesses :)

Who said the company relies on it? They have already moved on long ago to a completely different/newer system (no SQL bullshit whatsoever). This particular old database just serves up reports from past quarters when they occasionally need it.

Next time maybe not jump to conclusions?

> I hope someone has made a disaster recovery plan if this thing ever goes belly up. If it hasn't been done already I would virtualize that system and make sure it does nightly backups.

This is pretty much already the next move, just curious what others were doing in the interim.
 
> Next time maybe not jump to conclusions?

Just ignore it; this happens any time someone asks an XP question. Some people haven't worked in a large and/or corporate environment where you can't just wave your wand and make legacy software work on any OS of your choice...
 
> Just ignore it; this happens any time someone asks an XP question. Some people haven't worked in a large and/or corporate environment where you can't just wave your wand and make legacy software work on any OS of your choice...

A large corporate IT does not let itself get in a situation where your business intelligence relies on a failing old XP box and nobody knows the login credentials for the software that's needed for the job lol. That's called extremely poor administration.

I can understand that happening in a small company with hobbyists working on the issue but not from professionals.
 
> A large corporate IT does not let itself get in a situation where your business intelligence relies on a failing old XP box and nobody knows the login credentials for the software that's needed for the job lol. That's called extremely poor administration.
>
> I can understand that happening in a small company with hobbyists working on the issue but not from professionals.

I agree. If the machine is serving some critical business need, then you don't let it sit on some old platform with no backup and no way to recover it if it dies. If it's not business critical, then why do you still have it around?

I completely understand the need to continue using legacy software in a large enterprise, but there is zero excuse for not having a backup/recovery plan in place for it.
 
> and nobody had the original user/pass info.

If that is the case, some people need to lose their jobs.

> Who said the company relies on it? They have already moved on long ago to a completely different/newer system (no SQL bullshit whatsoever). This particular old database just serves up reports from past quarters when they occasionally need it.

Does the company need the reports? It's a yes or no question. If they need the reports, then the company relies on it. If they don't need the reports, then well... why would you keep the system around?

> I agree. If the machine is serving some critical business need, then you don't let it sit on some old platform with no backup and no way to recover it if it dies. If it's not business critical, then why do you still have it around?
>
> I completely understand the need to continue using legacy software in a large enterprise, but there is zero excuse for not having a backup/recovery plan in place for it.

This. If the system is important, and was allowed to get into the situation it's in, fire people. If not, get rid of it. Systems shouldn't make it into production without proper actions being taken (such as documenting important passwords).
 
Be aware, even if you isolate it from the internet, such a vulnerable box on your network is a liability due to lateral movement attacks. Essentially, if someone's machine gets compromised at a user-access level, that malicious software can still move to other boxes in your network, especially if said boxes are unprotected.
 
I'm looking for a reliable way to accomplish this as well. What I've come up with so far:

1. Assign the XP machine a static IP address
2. Hop onto our internet-facing firewall/gateway and black-hole all traffic from/to that internal IP.

This allows the box to access all internal resources, but prevents internet access. Only problem is that it requires a lot of legwork.

I'd like to find something I can roll out using group policy. Just target any XP machine that's joined to the domain and nuke its internet access.
 
As Tawnos said, if you simply try to block internet access at the gateway level, it's not going to completely fix the issue. The best solution is having some type of firewall between the XP boxes and the rest of your network. You really want to block ALL inbound and outbound traffic for the computer except for the one or two services that need access. This will dramatically reduce the chances of something occurring with the box and is generally good practice for a server anyway.

Limit who can plug external devices or discs in and use them, limit all network access, and keep an AV solution on the boxes and XP can still be plenty secure to be used on a daily basis. They will probably be less of a threat to your network than your Windows 7 boxes that your users use to surf facebook all day on. :p
 
> Be aware, even if you isolate it from the internet, such a vulnerable box on your network is a liability due to lateral movement attacks. Essentially, if someone's machine gets compromised at a user-access level, that malicious software can still move to other boxes in your network, especially if said boxes are unprotected.

Correct. In the thread starter's case, they should seek to restrict access such that the ONLY thing the XP machine can talk to is the database. The easiest way to do this would probably involve VLANs.
 
Why can't you just set up a ClearOS box, and turn on the proxy server? The computer can only see what the proxy allows it to?
 
> Why can't you just set up a ClearOS box, and turn on the proxy server? The computer can only see what the proxy allows it to?

It might be possible depending upon how the proxy works, but most won't. Generally when talking about a proxy server, it redirects ports 80, 443 and 21 to forward through the box. The rest of the ports, however, do not go through the proxy, as it doesn't have a way to handle things like RDP, VOIP, or other protocols. So if a proxy is put in place you can block internet access from a web browser, but it might not block other methods of communication between the PCs like SMB (Windows Shares). Once again, in order to get traffic from the SQL database to the XP box there needs to be a path on the LAN, but you don't want the XP box to access other things like SMB shares from other machines. That's where a proxy is generally just an "edge" device, meaning it regulates traffic from LAN to WAN, but not LAN to LAN communication.

The firewall portion of ClearOS would do what he needs though. The firewall will do the same thing ACLs, a pfSense box's firewall, or an AV solution all do. They limit the traffic from one source to the next in both directions. In order for ClearOS to work effectively the PC has to route all traffic through ClearOS in order to block it. If you put all PCs on the same network then the ClearOS box won't do what you need. Think of it as someone guarding a doorway. At the door a person is standing there deciding who can pass. If multiple people are on one side they can talk to each other without having to travel through the door, so it doesn't matter what the doorman says since they won't ever need to go past him to talk to each other. You want to have that one high risk person on the opposite side of the door from all of the other people, so the doorman can monitor who comes through and block anyone not allowed to pass either in or out.
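The two policies discussed in this thread (a web proxy on a flat LAN versus a default-deny firewall between the XP box's own VLAN and everything else) can be compared with a small first-match ACL evaluator. The code below is an added example, not from any poster or from ClearOS/pfSense; the addresses, the VLAN layout, the port numbers and the sample connection attempts are all constructed assumptions for illustration, and only the initiating direction of each connection is evaluated (a stateful firewall admits the replies).

```python
"""
Constructed example: first-match ACL evaluation for isolating a legacy database
host. Assumed layout (not from the thread):
  10.0.10.0/24  user LAN, workstations running the reporting software
  10.0.10.50    file server (SMB, port 445)
  10.0.20.5     the XP box, on its own VLAN 10.0.20.0/24
  1433/tcp      the SQL Server port the reporting software needs
  203.0.113.10  an internet host (documentation range)
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY = "0.0.0.0/0"
XP_BOX = "10.0.20.5/32"
USER_LAN = "10.0.10.0/24"
SQL_PORT = 1433


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination port, None = any port
    proto: str = "tcp"


@dataclass(frozen=True)
class Flow:
    src: str               # initiating host
    dst: str               # destination host
    dport: int             # destination port
    proto: str = "tcp"


def matches(rule: Rule, flow: Flow) -> bool:
    """True when the flow falls inside the rule's protocol, prefixes and port."""
    return (rule.proto == flow.proto
            and ipaddress.ip_address(flow.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(rule.dst)
            and (rule.dport is None or rule.dport == flow.dport))


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; an implicit final deny catches everything else."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "deny"


# Policy 1: a proxy box that intercepts the usual web ports for the XP box,
# on a flat LAN where every other port is switched host to host.
PROXY_ONLY = [
    Rule("deny", XP_BOX, ANY, 80),
    Rule("deny", XP_BOX, ANY, 443),
    Rule("deny", XP_BOX, ANY, 21),
    Rule("allow", ANY, ANY, None),   # everything else never crosses the proxy
]

# Policy 2: a firewall between the XP VLAN and everything else. Only the
# reporting clients may open the SQL port; the implicit deny covers the rest.
SEGMENTED_FIREWALL = [
    Rule("allow", USER_LAN, XP_BOX, SQL_PORT),
]

# Constructed sample connection attempts.
SAMPLE_FLOWS: Dict[str, Flow] = {
    "app client -> XP SQL":        Flow("10.0.10.23", "10.0.20.5", SQL_PORT),
    "XP -> internet web":          Flow("10.0.20.5", "203.0.113.10", 80),
    "XP -> internet, odd port":    Flow("10.0.20.5", "203.0.113.10", 8443),
    "XP -> LAN file server SMB":   Flow("10.0.20.5", "10.0.10.50", 445),
    "workstation -> XP RDP":       Flow("10.0.10.23", "10.0.20.5", 3389),
}


def decisions(rules: List[Rule]) -> Dict[str, str]:
    """Evaluate every sample flow against one policy; returns name -> decision."""
    return {name: evaluate(rules, flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, policy in (("proxy only", PROXY_ONLY),
                          ("segmented firewall", SEGMENTED_FIREWALL)):
        print(f"--- {label} ---")
        for name, decision in decisions(policy).items():
            print(f"{name:30s} {decision}")
```

Under the proxy-only policy the browser ports are blocked but the SMB attempt to the file server and the non-standard internet port are both allowed, which is the LAN-to-LAN gap described above; under the segmented policy only the reporting client's SQL connection is admitted and every other attempt, inbound or outbound, hits the implicit deny.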
 
What's wrong with just using a separate VLAN and a firewall? You could even go so far as to use VRFs or Virtual Firewall contexts if you wanted...

I have a box I use for testing and other than allowing it to get on the internet and allowing RDP to it from one other box it's completely isolated.

You just need to take the time to set up the firewall rules to be exactly as you want them.
 
I love the outright level of stupid in some of the comments here.

Your only real option is to block all ports except the ones needed for SQL, and hope it never gets attacked on that port(s). No easy way around it.
 