Easy way to block Windows XP
-
Sure. So you are keeping your network safe from unsupported MacOS/Linux/BSD/Android/whatnot versions as well? You're gonna pay the people for W7+ OS upgrade? You're gonna pay them for the HW upgrade for those machines that cannot run the latest and "greatest" from MS? You're getting paid some commision from MS for this "safety" campaign? Or what?
Good that I'm not at your university. ::)
-
XP does have a unique fingerprint. I'm unsure of exactly how pfsense is parsing it, but you could check out /etc/pf.os for reference. Perhaps comment out anything past XP and block Windows on the rule?
RE: doktornotor
I can see your point of view, but this forum is for people seeking technical help. If you disagree with someones goals, you could simply choose to not offer any advice. Lots of people control corporate networks that might want to restrict access by OS. If you don't like it, you are free to allow any OS to use your bandwidth. -
XP does have a unique fingerprint. I'm unsure of exactly how pfsense is parsing it, but you could check out /etc/pf.os for reference. Perhaps comment out anything past XP and block Windows on the rule?
RE: doktornotor
I can see your point of view, but this forum is for people seeking technical help. If you disagree with someones goals, you could simply choose to not offer any advice. Lots of people control corporate networks that might want to restrict access by OS. If you don't like it, you are free to allow any OS to use your bandwidth.Woha! There's a lot of fingerprints for Windows Systems. And the only one that appears to be useful is this one:
8192:128:1:52:M*,N,W2,N,N,S: Windows:Vista::Windows Vista/7
Simply putting a # in front of this line and enabling TCP drop for Windows systems is the idea?
Thanks in advance,
-
Woha! There's a lot of fingerprints for Windows Systems. And the only one that appears to be useful is this one:
8192:128:1:52:M*,N,W2,N,N,S: Windows:Vista::Windows Vista/7
Simply putting a # in front of this line and enabling TCP drop for Windows systems is the idea?
It's an idea. No idea if it will work. I haven't needed to filter on OS, so I haven't looked at how the rule is constructed. I would make a test rule, look at the debug on the rules, then edit pf.os, re-create the rule and compare.
-
Almost every single TCP/IP parameter used in the fingerprinting is easily configurable via registry. Or Google e.g. for "OSfuscate" for a single-click GUI way. Hopefully, realizing how futile this is could finally move you to focusing on some useful security-related tasks instead.
-
Almost every single TCP/IP parameter used in the fingerprinting is easily configurable via registry. Or Google e.g. for "OSfuscate" for a single-click GUI way. Hopefully, realizing how futile this is could finally move you to focusing on some useful security-related tasks instead.
This is just to block the dumb user. Which is the major source of problems.
A good enough solution is enemy of the perfect solution.
-
Hello all,
Has anyone been successfull with this approach ?
Doesn't seem to have any effect other than blocking all TCP traffic but I might (probably) be wrong somewhere.Thanks
-
I like windows XP, but the fact that it is now unsupported has forced me to upgrade lots of computers…
To Linux... (-:
-
I suspect that trying to block XP by using some sort of tcp/ip fingerprinting is going to be less than effective, and will cause other problems to boot (Server 2003 probably has the same fingerprint).
I suspect that some other angle would be the better approach (group policy, using a proxy and filtering on the browser ID string, etc).
But please do post back here if you find something that works.
-
"I almost forget, there's a department rule to block WAN connection from XP clients after the end of support."
I am curious to what idiot came up with that policy, and what idiot in IT agreed that it was something they could even do?
When my son's were in school, they had to install a cisco secure client to access the network. If your school is going to run a security policy that controls access to the extent hey OS XYZ is not allowed access. NAC/NAP with a client on the box would be a much more effective method than trying to fingerprint the OS by their tcp traffic.
-
Push out a group policy for XP machines to run a script that will update a MAC address list that can be imported to whatever.
-
After some digging and testing, it looks like pf's p0f code can at least match XP in some, if not many/most cases.
No guarantees for accuracy, but I committed some code to 2.2 to let it be selected. The commit applies cleanly to 2.1.2 also.
You can apply 6316efd305fdce649851634fcd8bd123686d8d18 with the System Patches package and then select Windows XP in the OS drop-down on the firewall rule. Make sure it's a block rule, and make sure the rule is at the top of the list as usual. If you're on 2.2 you can wait for the next new snapshot later today to try it out.
-
I run XP on one machine because some perfectly good legacy hardware requires it, but I also block XP from accessing the internet or being accessed. Basically, I'd say if you are the owner of XP system, I would block its internet access, but if you are providing a service to customers, I wouldn't because you may be killing off 30% of your business.
-
I'd take losing the 30% of my business instead of having to deal with a compromise. But that's just me.
There are only 2 solutions to the XP problem:
- Linux
- Air-gap the computers that still need to run XP.
Anything else is begging for a compromise. I know I'll get stoned for this, but it's the truth. Any outdated OS has no place on the public internet. If we could only drop the outdated routers as well…
Just my $0.02. Others will disagree with me, to each their own.
