In our previous blog post, we mentioned that Microsoft will stop supporting WindowsXP on April 8, 2014, which means that they will no longer be issuing security patches for that operating system. Therefore, Stanford’s goal is to phase out the use of WindowsXP by that date.
Some equipment may be granted an exception if the WindowsXP device runs equipment for which a system upgrade would be prohibitively expensive or otherwise impossible. IRT is therefore offering to host certain WindowsXP devices on a separate, secure network that provides additional protections to compensate for the lack of software patches.
If you are in charge of such a machine that can’t be easily upgraded, contact IRT Security to take advantage of this secure network.
Standards for the WindowsXP Secure Net include:
- Network subnets for XP machines are limited to a range of 14 devices each (a /28) to limit the risk to others should one of the machines become compromised. No traffic between these subnets is allowed.
- Data transfers out are allowed, but no outbound email or web services; incoming traffic is severely limited as well.
Network Firewall Rules:
- All outbound SMTP and web access is blocked from the WindowsXP Secure subnets.
- Outbound file transfers are allowed to Stanford hosts; all other off-campus outbound traffic is blocked.
- Inbound ping and traceroute are allowed but nothing else.
- In the case of remote management, from on-campus, we can set up VPN access to the XP devices.
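To make the rule set above concrete, here is an added example (not IRT's actual firewall configuration) that models the XP Secure Net policy as a decision function and can be used to check candidate flows before touching the real firewall. The addresses, the campus range, and the ports treated as "file transfer" and "remote management" are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing (assumptions, not Stanford's real allocations):
# two XP Secure /28 subnets and a campus-wide range standing in for "Stanford hosts".
XP_SUBNETS = [ipaddress.ip_network("10.20.0.0/28"), ipaddress.ip_network("10.20.0.16/28")]
CAMPUS = ipaddress.ip_network("10.0.0.0/8")
SMTP_PORTS = {25, 465, 587}
WEB_PORTS = {80, 443}
FILE_TRANSFER_PORTS = {22, 445}          # assumption: SFTP/SCP and SMB are "file transfers"
VPN_MGMT_PORTS = {3389}                  # assumption: RDP from the on-campus VPN concentrator
VPN_CONCENTRATOR = ipaddress.ip_address("10.1.1.1")   # constructed address

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0
    icmp_type: str = ""   # e.g. "echo-request"

def xp_subnet_of(addr):
    """Return the XP Secure /28 containing addr, or None if it is not an XP device."""
    a = ipaddress.ip_address(addr)
    return next((n for n in XP_SUBNETS if a in n), None)

def decide(flow: Flow) -> str:
    """Return 'allow' or 'drop' for a new flow under the XP Secure Net rules."""
    src_net, dst_net = xp_subnet_of(flow.src), xp_subnet_of(flow.dst)
    if src_net is None and dst_net is None:
        return "allow"          # not XP traffic; outside this policy's scope
    if src_net is not None and dst_net is not None:
        # Same /28 is switched locally; different XP subnets must never talk.
        return "allow" if src_net == dst_net else "drop"
    if src_net is not None:     # outbound from an XP device
        if flow.proto == "tcp" and flow.dport in SMTP_PORTS | WEB_PORTS:
            return "drop"       # no email or web out, whatever the destination
        if flow.proto == "tcp" and flow.dport in FILE_TRANSFER_PORTS:
            return "allow" if ipaddress.ip_address(flow.dst) in CAMPUS else "drop"
        return "drop"           # everything else outbound is blocked (default deny)
    # inbound to an XP device: ping, traceroute, and VPN-sourced management only
    if flow.proto == "icmp" and flow.icmp_type == "echo-request":
        return "allow"
    if flow.proto == "udp" and 33434 <= flow.dport <= 33534:
        return "allow"          # classic UDP traceroute probe range
    if (flow.proto == "tcp" and flow.dport in VPN_MGMT_PORTS
            and ipaddress.ip_address(flow.src) == VPN_CONCENTRATOR):
        return "allow"
    return "drop"
```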
Other Rules for Devices on the Network:
- Local firewall rules on the computers should be set to disallow all incoming communication other than the specific ports/protocols required to support the primary function of the system and/or the device to which it is attached.
- Wireless connections are inherently insecure. Wired connections are required on the WindowsXP Secure network.
- No USB input to the WinXP device except under special circumstances. Transfers should be done over the network. Software license USB keys are allowed to use the USB ports.
- A BigFix client must be installed, except in cases where BigFix may interrupt ongoing work processes, in which case it is optional.