Securing outdated hardware

Got an interesting one for you /g/.

So a problem has just been dropped on my lap and I need some advice.

Business has hundreds of computers made in the early 2000s running WinXP.

They keep getting ye olde viruses and are being used as zombies in DDOS attacks against unrelated targets in close geographical proximity.

How would you secure these computers?
Some hadn't even been updated to the "latest" service pack.

Sorry if this is a stupid question, please consider in philanthropy



Install Commonsense Antivirus 2019

more like install gentoo

install openbsd

Seriously, I would install a linux of some kind. If it's xp era support they need, wine can handle it. There is an old version of ylmf os in english (v3 iirc) that has a very accurate gnome/gtk2 xp theme. Just rip the theme from there and stick it in a Mate LMDE or Ubuntu install. You can even rip the current software they use and have wine prefixes for them. Don't forget to remove any non wine drives from the config.

Also, this isn't /g and there is a sticky, go fuck yourself, merry christmas.

Well that would be simple, but I'm unsure if antivirus would even support systems that old.
If it would problem solved.


Yes I deserved that burn
Thanks user

Personally find 2k/XP to be a rather stable business OS - just isolate them to the internal networks. For manual av scanning ClamWin still works.


I'm going to set up internal email and isolate the office computers - but they whine they can't use Google for checking spellings etc.
I miss xp, working with it was a blast from the past.
Human error is a big security issue, every computer was riddled with ransomware and Trojans when I arrived.
I might have to whitelist incoming mail as well but I can't find a long term IT officer.

Antivirus will have to be free or pirated--the office can't afford pens let alone licences.

Well, ClamWin is FOSS but can't protect from that


Only let the Google botnet pass through firewall when it's from any of those PCs. If they're isolated, anything past that point can be checked with ClamAV. Some places also prevent USB drives from working until they are whitelisted by tech support. Meaning no chucklefuck with an infected drive can compromise your system.

Install the last version of EMET that works on XP (4.something) and set it up properly, install an actual firewall, disable USB ports through the BIOS, if at all possible at least install the last security updates available for XP. If you had the funds to do so I would also recommend licensing Deep Freeze and using it on every box. Why do these users even HAVE administrator access to the company's computers? I know XP can be a shitshow when it comes to restricted user rights but if their requirements are literally "use google in a web browser" then block everything except for the web browser through Group Policy.

Seriously, you would save hundreds of dollars a month migrating these old P4 boxes to Raspberry Pis. What are these people doing on these machines, Word 2003 and Outlook 2003? Is this just another "it works for me" scenario that never stopped "working" for them? Switching to SBCs and retraining on Debian XFCE/MATE will pay for itself after a couple months from the electricity bills alone. If you absolutely need old XP32 binary compatibility isolate the fuck out of anything that runs XP32 and consider them permanently pozzed with every virus and malware on the face of the earth, don't connect them to anything. Glue the USB ports shut. Actually just glue all the USB ports shut on every box at bare minimum since you can't really stop the 45 year old secretary from shoving whatever device she finds laying around into "her" computer.

Good advice, although if you really want autistic security Alpine Linux or OpenBSD are probably better options.

XP can't be secure anymore, either upgrade to a newer version of Windows that actually gets security updates, or just use some minimal linux distro instead
there are remotely-exploitable security issues for XP
only government contracts get security updates for XP, and there are additional mitigations like network segmentation with VLANs and ACLs and shit, and MS gives security updates to partners who pay, but you're some random person, not a government or military still relying on XP for legacy critical infrastructure

common sense won't protect you against remote code execution on unpatched CVEs, dumbass

OpenBSD won't run on RPis. Alpine Linux is a good recommendation, though.

Windows 10 minimum requirement is 1GHz CPU DX9 GPU 1GB RAM 20GB HDD. You can get volume license agreements from Microsoft on 250+ machines. You might also look into replacing the old PCs with ~$300 Dell or Lenovo microshit boxes that come with Windows 10 Pro.

you have to go back

NetBSD does. In fact, RPi is probably their best supported ARM board.
wiki.NetBSD.org/ports/evbarm/raspberry_pi/

fun fact: there's literally nothing wrong with using netscape navigator in 2018

Where do you think we are?

not /g/, and certainly not on cuckchannel

Wasn't there some Japanese dude that was basically hacking security patches into XP still?

>>>/oven/

based


unbased

Why do cuckchan refugees keep cumming here.

No actually he was running Windows 2000.

Would be a good audience to sell a preconfigured setup to. Gentoo+wine+your proprietary shims to make their dumb app work. Bonus points if you instead hook em on your own closed source OS instead.

install gentoo

Put a proxy between all of the computers and the Internet. Filter the traffic for malicious content.


But good network traffic monitoring will mitigate frequency of occurrence.

then something is wrong with you or your shit setup

1. use internet connection or router that will put you behind NAT. do not have ports accessible from the internet, why would you need that if you are not a server?

2. install 3rd party firewall (can be old) and set block everything policy, then you manually add some rules for software to work with the internet

3. uninstall flash and java


linux is piece of nigger dog shit
windows95 is more usable and user friendly than any linux ever
also linux uses 3 times as much memory as win2000/xp but it is 3 times less productive


why the fuck do you cut internet from them?
just do what I told
but if idiots will voluntarily install viruses, nothing will help, no operating system is safe from that


what a bullshit
raspberry is overpriced piece of shit that can't even run windows. so it cannot do anything useful


what a bullshit. fuck off jewish shill
I use XP with internet and I watch and store CP, I commit crimes. I am waiting till you hack me. Come at me

bullshit
show a single CVE that will work on my setup, XP behind NAT and firewall

There are plenty of companies still using 3.11, locked in ancient software contracts combined with garbage budgets.
A lot of the terminals I've used at airports use older console only Apple II era crap.

I think we can all agree that the first thing OP needs to do is put anything between the business computers and the open Internet. Proxy, router with NAT, Anything that blocks other computers from attempting arbitrary port connections to the machines.

My concern with just NAT is that they're probably using an Internet Explorer / Firefox that will allow arbitrary websites to download shit to the temp folder and then install links to it in the Startup folder of the Start menu. Had that happen once with 2K.

There are fundamental vulnerabilities in those old hardware/software. You're not going to be able to patch everything, ever.

OpenBSD does in fact run on the Pi.

wine doesn't support proprietary dongles and oddball devices including ubiquitous scanners and scanner software.


Spend the company's money and get deep freeze.
faronics.com/products/deep-freeze
Then firewall the shit out of everything and require the use of as much offline software as possible.

Get a software dictionary.

Anything that touches the outside world needs to be on a separate network with a locked down linux distro.
Use something that resembles windows.

Eset usually continues support for older OS versions. That being said, most are still vulnerable to exploits and malware, so virus infections aren't the greatest risk on an older OS. On the plus side, most people don't actively develop new exploits for software that is "dead".

You must be new here? High time you went back to >>>Zig Forums crossposter

Umm sweetie, I don't think you belong

Kek, an Apple II is much safer than any modern computer. If that's all they need for the job, it's the best possible choice, so long as they can continue to source parts for it.
For a long time, banks used old school terminals also. After all, the staff only needed to edit simple text/numeric forms. And it's all that should be required for *me* to login to my online banking account as well. A simple text browser like Lynx is all that should be needed for this kind of task.


RPi isn't useful for everything, but it sure is good enough to do common office tasks like spreadsheets and word processing, plus email and basic web stuff. Oh but right, you think only Windows can do those things, even though office tasks were done long before Windows even existed, and on much weaker computers.

Blocking usb ports or getting portable drives whitelist.
Now on my to do list


Honestly I only understood a fraction of that.
Basically, and part of the issue is that there is a Charlie foxtrot of generic office equipment that might have to be replaced if a shell was installed, budget is basically nil.
Finance won't release lump sum payments, only a monthly allowance I have to shave off.
Fucking third world.


I'll look into it, thanks user.
I'm leaning towards isolating the office computers and continue running a patched xp, maybe a Linux system with xp interface in a shell.
Thanks.


Hahaha, hahaha. Pray for me.


NetBSD on Raspberry Pis, huh.
Budget might stretch but it would have to be a gradual roll out.


Critical infrastructure in China often runs xp, the system is just physically isolated


Confirming this is an issue.
There were firewalls but not set up properly
I'm just going to close all the ports and route everything through a Linux.

But if you would believe it power cuts are actually an issue.
We've got physical wires running next door in case our fuses go and acid batteries to support the back up of files in the event of total power outage

I haven't used a computer since win10 and can't even fix the office printers - but for some reason responsibility for this cluster fuck has fallen on me and I don't have time to study IT for three years.
I DDOS'd someone over a game server, that is the height of my IT skills - but we don't have the funds to bring in an expert and there's nobody we trust.
"do the best you can, it can't get any worse and we don't have the money to make it better"

No wonder you're so oblivious to Zig Forums's board culture, you stuck there through every exodus, moot cucking out to jewgle, and only thought of coming here once that place had thoroughly been pozzed to where even the most dedicated cuckchanners couldn't stand it. And now you're acting like you've been here for years now that your shithole is too far gone even for you.
It's no surprise that rapefugees like you can only think in terms of Zig Forums, not-Zig Forums, and muh enlightened centrist septics- you were dumb enough to keep posting to cuckchan after the first exodus in 2014.

You should be fine just installing linux or OpenBSD/NetBSD on those machines. As long as they're just used for browser stuff it should be pretty painless as long as you lock them down enough.


Want to know how i know you're not from here?

Just because you didn't pick up on it doesn't mean it isn't there.


leave

Install SP3, the necessary updates, and run the regedit to get PoS updates as well.

I cut down most of my clients' viruses by installing uBlock Origin in their browsers. If necessary, I switch the default browser to a uBlock compatible browser. (XP support is being dropped, so keep that in mind)

Ultimately these machines aren't secure and they should have the default gateway removed if WAN access isn't necessary. (PoS updates end next year anyway.) Look into possibly using Linux/Wine for said machines if upgrading hardware is out of the question and WAN access is still necessary.

All Zig Forums culture is shit and should not be encouraged.

are they being exploited or are your users just retarded? and why can't you run something that has security patches? I run linux with the latest security patches fine on my """early 2000's computers"""

sandbox the shit out of it, perhaps helps
but really you should at least be running Windows 7

Install Debian.

Let them complain. The clever ones will figure out how to spellcheck without this magic Google thing.

How to spot a NEET 101.
Wine is ok for personal use, and absolutely unacceptable for business use that absolutely needs special software/hardware to work.

I wrestled with this problem while doing IT like a decade ago. (But don't call us /g/)

You should definitely evaluate who can be moved to Unix and who can't. This requires knowing what is or isn't compatible. If someone is just checking e-mails and browsing the web then they're a prime candidate. If they need any kind of specialty software or drivers, then they're out. If you tell us what kind of business it is, I might be able to offer more specific advice.

Bear in mind that a mixed Linux/Windows network can add additional problems getting them to communicate, so if you can't move everyone over then you might need to make additional tweaks at the network level to compensate. One of the benefits of an all-Windows network in enterprise is the ability to micromanage stuff with Active Directory.

The next thing I would do is build your own minimal XP ISO. Since your employer is covering it, you can probably afford NTLite (or just use it for free and don't tell anyone). Remove stuff that nobody uses. Nobody uses a scanner? Remove that. Nobody (unlikely) uses printers? Remove it. Dial-up modem support? Gone. Remove the cruft. This gives you a smaller attack surface.

As mentioned, Faronics DeepFreeze will be a great help. Once you're certain you have a "perfect" image, you can install it and immediately DeepFreeze it. You will need to provide a network share for users to save their files on. Training them not to dump stuff they want to save onto their desktop may be an entire issue on its own though: lusers are resistant to basic things like "navigating to a network folder" and you may need to map it and put it on the desktop for their own convenience.

As others said, airgapping is probably a good move. At least relegate them to their own VLAN so they can talk to your servers and that's it. Use HOSTS to reroute any other request; you don't want to risk them pinging the outside world and redirecting all traffic back to home will actually neuter a fair bit of malware.

Honestly, the real issue is that if people can read e-mails they're going to click stuff they shouldn't. And XP has a ton of IE6 vulnerabilities baked-in. You can also consider anti-virus. Kaspersky is probably Russian Botnet but it's effective at keeping other stuff out, so if you need to cave it's probably your best bet. Although Anti-Virus usually is only good for a few years before getting bloated, so maybe there's something better on the market now.

There may be some more elegant solutions, though

Everything from here on out is spitballing based on newer options you have that I didn't when I had these problems. They may be doable but you will need to do additional research.

First and foremost, switching to Linux is the best way forward. Your simplest solution is to pick a stable LTS distribution (Preferably not a Debian-based one, but the best alternative is Fedora or CentOS, and IBM owns those now) and to put it on all the old machines in lieu of outdated versions of Windows. Bar none, this is the most straightforward option you will have.

But, you will need to test out everything before rolling it out. Every driver and piece of software will need to be manually verified by you and users will either need a DE that is close to Windows or just one simple enough to "just work". If you can get all the special enterprise software working in Wine then you're probably 90% good to go.

Other users have mentioned issues with stuff like scanners or other peripheral devices. This is certainly the case. There's no easy workaround for specific hardware keys (I've encountered software that uses hardware dongles to verify purchases) but if it's just scanners and such then you can probably configure a server to handle it at designated Scan Stations. Or just hope the company already has a Xerox machine that supports USB drives.

Another option that may be viable, but is a longshot, is ReactOS. It's still in Alpha and not super stable, but support for older software is generally better. I'm not sure if it's any more secure than Windows, because it's supposed to be identical, but it probably isn't using IE6 to render internal UI elements, and that's like 99% of exploits right there, so it may help. I think this solution is more trouble than it's worth; you may verify everything and then find one thing that bombs the entire system. It's not stable nor necessarily more secure, but it is free software and it may be an improvement.

Ultimately, it's up to you to use your head, OP. There's too many details you left-out about your company, its current infrastructure, what they do, etc. The best solution for your employer depends heavily on the mix of other PCs and how much authority you have to exercise here.
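
Added example (not from any poster in the thread): one way to check the containment several replies describe, where the XP boxes sit on their own VLAN and may reach only internal servers and a proxy. The subnet, server addresses, threshold and log lines are assumptions constructed for illustration; the script reads gateway log lines in iptables LOG style and reports legacy hosts making off-policy connections, including repeated traffic to one outside address as seen when a machine is used in a DDoS.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed addressing, for illustration only (none of it is from the thread).
XP_VLAN = ipaddress.ip_network("10.20.0.0/24")
ALLOWED = {                       # (destination, protocol, port)
    ("10.10.0.5", "TCP", 3128),   # filtering web proxy
    ("10.10.0.6", "TCP", 445),    # file share for saved documents
    ("10.10.0.7", "TCP", 25),     # internal mail server
}
FLOOD_THRESHOLD = 3   # off-policy flows to one destination before flagging

FIELD = re.compile(r"\b([A-Z]+)=(\S+)")

def parse(line):
    """Return (src, dst, proto, port), or None if the line is not a flow record."""
    f = dict(FIELD.findall(line))
    try:
        src = ipaddress.ip_address(f["SRC"])
        dst = ipaddress.ip_address(f["DST"])
        return src, dst, f["PROTO"].upper(), int(f.get("DPT", 0))  # ICMP has no port
    except (KeyError, ValueError):
        return None

def audit(lines):
    """Map each legacy host to its off-policy flow count and suspected flood targets."""
    per_host = defaultdict(Counter)   # src -> Counter of destination addresses
    skipped = 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            skipped += 1
            continue
        src, dst, proto, port = rec
        # Ignore traffic from other networks and anything the policy permits.
        if src not in XP_VLAN or (str(dst), proto, port) in ALLOWED:
            continue
        per_host[str(src)][str(dst)] += 1
    report = {
        host: {
            "off_policy": sum(hits.values()),
            "flood_targets": sorted(d for d, n in hits.items() if n >= FLOOD_THRESHOLD),
        }
        for host, hits in per_host.items()
    }
    return report, skipped

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE = """\
Dec 27 10:00:01 gw kernel: IN=vlan20 OUT=eth1 SRC=10.20.0.15 DST=10.10.0.5 PROTO=TCP SPT=1033 DPT=3128
Dec 27 10:00:02 gw kernel: IN=vlan20 OUT=eth0 SRC=10.20.0.15 DST=198.51.100.9 PROTO=TCP SPT=1034 DPT=80
Dec 27 10:00:03 gw kernel: IN=vlan20 OUT=eth0 SRC=10.20.0.31 DST=203.0.113.7 PROTO=UDP SPT=4000 DPT=53
Dec 27 10:00:04 gw kernel: IN=vlan20 OUT=eth0 SRC=10.20.0.31 DST=203.0.113.7 PROTO=UDP SPT=4001 DPT=53
Dec 27 10:00:05 gw kernel: IN=vlan20 OUT=eth0 SRC=10.20.0.31 DST=203.0.113.7 PROTO=UDP SPT=4002 DPT=53
Dec 27 10:00:06 gw kernel: IN=vlan20 OUT=eth0 SRC=10.20.0.31 DST=203.0.113.7 PROTO=ICMP
Dec 27 10:00:07 gw kernel: IN=eth1 OUT=eth0 SRC=10.10.0.5 DST=198.51.100.9 PROTO=TCP SPT=40000 DPT=443
garbage line that is not a flow record
"""

if __name__ == "__main__":
    report, skipped = audit(SAMPLE.splitlines())
    for host, info in sorted(report.items()):
        print(host, info)
    print("unparsed lines:", skipped)
```

A host that shows up in the report at all is either misconfigured to bypass the proxy or running something that ignores the system proxy settings; either way it is a candidate for reimaging.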


...

If you were relying on microshit to keep your PC secure, then your PC isn't secure. Security measures should be on your network config and group policy config

- use a NAT firewall and well configured to only allow desired protocols
- or just prefer internal network versus an actual direct connection to the internet.
- enable file extensions and forbid users to execute .exe .pif .bat .scr files
- forbid internet explorer and windows media, avoid freeware.
- use a brain
- don't use an antivirus it's pointless, backup regularly.
- gpedit.msc and just follow the basics of the description.
- services.msc and disable EVERYTHING you do not explicitly need.
- have strict policies regarding flash storage, just connect the D+/D- to a 12V rail of the PSU if your machine hold sensitive data.
- modern windows are made for complete morons who are not even allowed to control their services, leaving the data collection and telemetry, which is a security threat for people and corporations fully active.
- earlier versions of Windows like XP and win7 are still preferable.
- always use the pro. version.
- "Process explorer" is an excellent tool, and so does "Startup control panel" by Mike Lin

Essentially,
- an office machine is meant to get you to work. if a Pentium 3 with Office 2000 gets the job done the user must do the job and not complain. Posting from a machine from which I forced a trainee to work with, to practice excel. "IT'S A DINOSAUR!" He was frustrated cause there is no wifi and no 4G, and no Facebook, but for managing a long list of PeopleSoft GP earning and deductions elements it was more than sufficient. I just wanted to add a touch of trolling.

I like this laptop. Aesthetically I find it more pleasant than the modern flat shit they force on everything.
Also this is Seamonkey.


CommonSense® is the best security suite out there. You need to install it in your brain. But obviously yours does not meet the system requirements for CommonSense 2019.

t. goon
>>>/out/

Sweet, what about .js, .vbs, .pdf, .hta, .html every other extension that can execute code?

Same thing, keep your programs up to date. The OS is only a container.
Do you use IE or some shit?

mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox13
vulners.com/nessus/NETSCAPE_BROWSER_9006.NASL

IF I USE OLD SOFTWARE I WILL BE SAFE!!!111

Upgrade to Windows 7 at least.

Forbid execution of anything not strictly necessary. Feasibility depends on use cases of those.
Virtualize and sandbox as much as possible.
Minimize attack surface in every other way (there's a long list of CVEs to consider).
Definitely only allow internet access through a proxy that is not entered in the system settings.
Possibly even separate intranet computers from internet computers, like some overly (or appropriately) paranoid companies do.
But soon enough all that will get more expensive than upgrading.

As said, not if it requires proprietary anti-piracy keys or drivers or any such bullshit.


Only as long as it's unpopular and you're not a direct target.
It's not like the list at
cvedetails.com/product/64/Netscape-Navigator.html?vendor_id=44
stops at 2009 because there's no more vulnerabilities; it stops because there's no more significant interest.


Depends on what outgoing traffic you make and on how soon you will be unable to update your browser because "unsupported OS".


I corroborate pretty much all this.


You, on the other hand, are playing with the BOFH line.

Some organizations have online tools that still require Internet Explorer 6 (mostly written with aspx, whatever that means). Have fun.

Sage for off-topic.