Sysadmin Blog
The XPocalypse is upon us, gentlebeings, and those of us who must keep XP around are doomed! Or so some very expensive marketing pushes would have us believe.
As you know by now, I have to keep some XP systems around. In some cases they'll probably be around for a decade or more. If you believe the breathtaking hyperbole of frenzied kit-shifters, we're all going to be sucked into a black hole of doom the instant support for XP ends, with black hats popping up left and right to release hidden vulnerabilities. Cats and dogs will live together, our businesses will collapse into a shambles of badly maintained rubble and it'll all be your fault.
You're only in trouble if the evil boogeymen can get their crud onto your system. Let's put aside silly notions like "just don't allow XP on the internet" and think realistically for a moment or two. Excepting in some very rare circumstances, every XP box still left in service past today is going to need to get information on and off of it in some fashion or another.
Information goes in, information comes out; that's what we use computers for. The boogeyman can crawl in through a floppy, a CD, a USB stick or even some fellow just looking for a place to plug in his smartphone to charge. Defending the eminently vulnerable requires some "defence in depth" considerations, but it is entirely possible.
Man the battlements
Ask yourself how that Windows XP computer is actually being used. If it is sitting there accepting some files from the internet, processing them and then spitting the results out elsewhere, do you need to have USB enabled or CD drives hooked up? Consider – and I am not joking here – just gluing the USB ports up. Buy yourself a PCI USB card, put it in a baggie and tape it to the inside of the sidepanel. If you ever, for whatever reason, need to administratively use a USB something-or-other, that's how you'll do it.
Conversely, if the thing doesn't need to be on the internet to do its job, ruthlessly block it from such. Put it on its own subnet and VLAN, wall it off from everything but the exact systems it needs to communicate with and get a third-party firewall installed that will only talk to the systems you need to talk to.
Consider an inline firewall/intrusion detection system operating as a separate appliance between your XP subnet and anything else it needs to talk to. If the outside world needs to get to that XP box, make damned sure it has to go through a gauntlet of firewalls and whitelists to get there.
Which brings up the last bit about information on and off of that XP box: consider the absolute minimum that the XP system must communicate with, and then whitelist only those systems. In the Windows world it's far more common to default to "allow all" and then blacklist baddies, but when the system you're working with is in a known vulnerable state that's a really bad plan.
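As an added example (not from the article), here is the "whitelist only those systems" policy expressed as a default-deny check run over connection records. It assumes the inline appliance between the XP VLAN and the rest of the network can export flows as simple text lines; the line format, the addresses, the XP host and the permitted peers are all constructed for illustration.

```python
"""Audit flows involving an XP host against an explicit allowlist (default deny).

Added example, not code from the original article. Assumes the inline
firewall/IDS appliance can emit one connection per line as
'<src> <dst> <proto> <dport>' (constructed format).
"""
from dataclasses import dataclass

# Constructed policy: the XP box may only reach its NAS (SMB) and the
# results collector (HTTPS). Inbound, only the management host over RDP.
XP_HOST = "10.20.0.15"
ALLOWED_EGRESS = {
    ("10.20.1.10", "tcp", 445),   # NAS holding config and backups
    ("10.20.1.20", "tcp", 443),   # results collector
}
MGMT_HOSTS = {"10.20.1.99"}       # the one admin box permitted to RDP in
MGMT_PORT = ("tcp", 3389)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow line into a Flow record."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def verdict(flow: Flow) -> str:
    """Return 'allowed', 'denied' or 'n/a' (flow does not involve the XP host).

    Everything the XP host initiates must match ALLOWED_EGRESS exactly
    (peer, protocol and port). Anything initiated toward the XP host is
    denied unless it is the management host on the management port.
    """
    if flow.src == XP_HOST:
        return "allowed" if (flow.dst, flow.proto, flow.dport) in ALLOWED_EGRESS else "denied"
    if flow.dst == XP_HOST:
        ok = flow.src in MGMT_HOSTS and (flow.proto, flow.dport) == MGMT_PORT
        return "allowed" if ok else "denied"
    return "n/a"


def audit(lines):
    """Return the list of flows that violate the allowlist, in input order."""
    return [f for f in map(parse_flow, lines) if verdict(f) == "denied"]


# Constructed sample flow records (203.0.113.0/24 is documentation space).
SAMPLE_FLOWS = [
    "10.20.0.15 10.20.1.10 tcp 445",    # NAS: allowed
    "10.20.0.15 10.20.1.20 tcp 443",    # collector: allowed
    "10.20.0.15 203.0.113.7 tcp 80",    # egress to the internet: denied
    "10.20.0.15 10.20.1.10 tcp 139",    # right peer, wrong port: denied
    "10.20.1.5 10.20.0.15 tcp 445",     # unlisted host pushing SMB at XP: denied
    "10.20.1.99 10.20.0.15 tcp 3389",   # management RDP: allowed
    "10.20.1.5 10.20.1.20 tcp 443",     # does not touch the XP host: n/a
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print("DENY", f)
```

The point of writing the rule as a set of exact (peer, protocol, port) tuples is that the "right peer on an unexpected port" case gets caught too; a per-host rule would wave through the SMB-on-139 line. Flows the checker returns are the ones to turn into alerts, or, on a proper appliance, into the firewall's own deny rules.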
Reduce, rebuild, repeat
If at all possible, lock XP up in a virtual machine. There are lots of reasons why this isn't always possible – hardware dongles, the need to power proprietary hardware cards and so forth – but where possible, try. Hypervisors have these nifty things called "snapshots" that you should care about; they provide you the ability to roll XP back to the point before that latest crippling virus ruined your day.
Erase your XP box and rebuild it. Do this several times. Know that system inside and out. Do not have one application, one single file on that XP box that does not need to be there. Have your build documented to perfection. You need to know when something is out of place.
You need to know not only when something is awry, but be able to rebuild that system from scratch at the drop of a hat. Consider building a Gold Master Ghost image and periodically re-imaging the system at random intervals. If you know where all your files are then you should be able to set your system up so that configuration items, user preferences and so forth are backed up to a location that is not on the XP system itself – NASes are cheap – and thus a restore of the XP system from an image will be able to fetch or automatically map to the configuration files you need.
The ultimate goal is a completely non-persistent copy of Windows XP. You seek the ability to boot from read-only media and get whatever configuration files you need from writable storage, with both that writable storage and the XP box's access to the wider world guarded and monitored.
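"You need to know when something is out of place" only works if the documented build exists in a form a machine can check. As an added example (not from the article), the following keeps a baseline manifest of the Gold Master image (path to SHA-256) and compares a running or freshly re-imaged system against it, exempting only the configuration files that are legitimately fetched from off-box storage. The directory layout, file contents and the `VOLATILE` list are constructed; in practice the baseline would live on the NAS and the comparison would be run from a management host, never from the XP box itself.

```python
"""Compare a system's file set against the documented Gold Master build.

Added example, not code from the original article. Assumes a baseline
manifest built from the image and an explicit list of paths that are
allowed to differ because they are restored from off-box storage.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed: files restored from the NAS at boot, so their content may
# differ from the image. They must still exist; a missing one means the
# restore failed and the system is not in a known state.
VOLATILE = {"config/app.ini", "config/user.prefs"}


def build_manifest(root: Path) -> dict:
    """Walk a tree and record a SHA-256 per file, keyed by relative POSIX path."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift from the image: unexpected files, missing files, altered files."""
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    changed = sorted(
        p for p in baseline
        if p in current and baseline[p] != current[p] and p not in VOLATILE
    )
    return {"added": added, "missing": missing, "changed": changed}


def demo() -> dict:
    """Construct a gold image and a drifted live copy in a temp dir, then compare."""
    with tempfile.TemporaryDirectory() as tmp:
        gold, live = Path(tmp) / "gold", Path(tmp) / "live"
        for root in (gold, live):
            (root / "app").mkdir(parents=True)
            (root / "config").mkdir(parents=True)
            (root / "app" / "process.exe").write_bytes(b"MZ-constructed-binary")
            (root / "config" / "app.ini").write_bytes(b"[main]\nserver=10.20.1.20\n")
            (root / "config" / "user.prefs").write_bytes(b"theme=classic\n")
        # Drift on the live system:
        #  - config edited: permitted, it is on the VOLATILE list
        #  - the application binary altered: must be reported
        #  - an extra DLL appeared: must be reported
        #  - user.prefs vanished: restore from the NAS failed, must be reported
        (live / "config" / "app.ini").write_bytes(b"[main]\nserver=10.20.1.20\nverbose=1\n")
        (live / "app" / "process.exe").write_bytes(b"MZ-constructed-binary-altered")
        (live / "app" / "helper.dll").write_bytes(b"unexpected")
        (live / "config" / "user.prefs").unlink()
        return compare(build_manifest(gold), build_manifest(live))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Any non-empty result is the trigger to re-image rather than to investigate on the box: with a non-persistent build the cheap, trustworthy answer to "something is out of place" is a reboot from the read-only media, and the manifest tells you afterwards what had drifted.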
For those of us who can't virtualise XP, there are probably only two reasons: some great big proprietary hardware card or a dongle. If your requirement runs to the "hardware card" side of the equation then it's time to start building your own read-only version of XP.
I could write you a whole bunch of stuff about how to build one of these Windows XP environments yourself, but it would be a galactic waste of all of our time. Go look at BartPE and Hirens. The folks who assembled these things are quite smart, and you are not likely at all to do better than they have.
Start from BartPE if you need a clean environment and from Hirens if you need one packed full of jam. Strip out what you don't need and customise to your requirements. Test, retest, build and rebuild. Get yourself a version of XP that can last a decade because the only writeable locations the system talks to are the locations it absolutely needs to talk to in order to run its software and update its configuration.
Consider also Faronics Deep Freeze. I've not had a chance to test it myself, but it was recommended to me for this application and it is probably worth investigation.
The best laid defences against the bad guys getting in are only going to slow the inevitable, not prevent it. Human stupidity is the only unlimited resource in the universe and somehow, through some incomprehensible mechanism, malware will find its way onto your XP system. Recovering from this should be as simple as rebooting the system.
If you just need XP around because of a dongle, consider hitting up eBay and looking for a Wyse client. They run XP embedded, some of them are powerful enough to do quite a reasonable amount of work, and I know from experience that they are quite content to sit in a corner and be a dongle server for the kinds of industry apps that need them. Added bonus: XP embedded is patched for a little while longer yet, so you could buy yourself a few more months to get this completely automated.
One thing about all this doom-mongering is true: there are bad people out there who know how to attack Windows XP and they are just waiting to cash in. What's more, vulnerabilities will be discovered that affect "all versions of Windows" – including XP.
Microsoft is committed to patching an XP descendant OS – POSReady 2009 – for some time to come. Any halfway competent blackhat could reverse-engineer the patches for that OS and exploit the now unpatched Windows XP classic.
Anti-malware programs are absolutely not going to save you. Every single person reading this article knows full well that the very first thing to happen when a system gets pwned is that the anti-malware software is eaten without complaint. In fact, your best indication that your system has been infected is that the icon is no longer in the system tray, at which point you're hosed anyways.
If you can run your Windows XP in a VM, you can roll back using snapshots and clones. That's child's play. If you can't, you need to get more creative ... but the end of the world this is not. Windows XP will be in service around the world for more than a decade to come, it will simply be in service as a robust, well-tested, well-understood OS that sysadmins have implemented as read-only.
Good luck to you all.