Easy way to block Windows XP


  • Rebel Alliance Netgate Administrator

With 4/14 getting closer every day, I manage a few clients that have some legacy Windows XP machines that they really don't want to upgrade.

    I can move them to a separate LAN, but the downside is that their switching equipment is unmanaged. VLANing is out, and putting in a new switch is costly, but an option.

    I know in Firewall-Advanced you can set the source OS to Windows, but can it get more specific, to WinXP?



  • @chrismacmahon:

With 4/14 getting closer every day, I manage a few clients that have some legacy Windows XP machines that they really don't want to upgrade.

    I can move them to a separate LAN, but the downside is that their switching equipment is unmanaged. VLANing is out, and putting in a new switch is costly, but an option.

    I know in Firewall-Advanced you can set the source OS to Windows, but can it get more specific, to WinXP?

    If you can set up DHCP reservations so that they always get a fixed set of IP addresses, you could filter on that. Otherwise, if they have a domain, you could use group policy to set their proxy to 127.0.0.1 port 65535, and to remove the "connections" tab. That's how we are handling it.



  • I'm looking for a solution in pfSense for this issue.

Our case is worse. There are no VLANs, there's no domain, and the IP addresses are static!


  • Banned

Solution for what? Are those your machines? Then either upgrade them or unplug them. Are they NOT your machines? Then for god's sake stop telling people what OS they should run! Do you also block any other "unsupported" OS out there? XP has almost 30% market share, which is 3x more than the "latest and greatest" W8.x metrocrap. Are you people mad, or what?  ::)



  • @doktornotor:

Solution for what? Are those your machines? Then either upgrade them or unplug them. Are they NOT your machines? Then for god's sake stop telling people what OS they should run! Do you also block any other "unsupported" OS out there? XP has almost 30% market share. Are you people mad, or what?  ::)

    Well, since it's a university network with more than 1000 machines using real IPv4 addresses, as a sysadmin I should keep my network safe. Oh… I almost forgot, there's a department rule to block WAN connections from XP clients after the end of support.

    I don't think your reply adds anything useful to this thread; there are cases and cases, which should be studied according to the situation.


  • Banned

Sure. So you are keeping your network safe from unsupported MacOS/Linux/BSD/Android/whatnot versions as well? You're gonna pay the people for the W7+ OS upgrade? You're gonna pay them for the HW upgrade for those machines that cannot run the latest and "greatest" from MS? You're getting paid some commission from MS for this "safety" campaign? Or what?

    Good that I'm not at your university.  ::)



XP does have a unique fingerprint. I'm unsure of exactly how pfSense is parsing it, but you could check out /etc/pf.os for reference. Perhaps comment out anything past XP and block Windows on the rule?

    RE: doktornotor
    I can see your point of view, but this forum is for people seeking technical help. If you disagree with someone's goals, you could simply choose to not offer any advice. Lots of people control corporate networks that might want to restrict access by OS. If you don't like it, you are free to allow any OS to use your bandwidth.



  • @dotdash:

XP does have a unique fingerprint. I'm unsure of exactly how pfSense is parsing it, but you could check out /etc/pf.os for reference. Perhaps comment out anything past XP and block Windows on the rule?

    RE: doktornotor
    I can see your point of view, but this forum is for people seeking technical help. If you disagree with someone's goals, you could simply choose to not offer any advice. Lots of people control corporate networks that might want to restrict access by OS. If you don't like it, you are free to allow any OS to use your bandwidth.

    Whoa! There are a lot of fingerprints for Windows systems. And the only one that appears to be useful is this one:

    8192:128:1:52:M*,N,W2,N,N,S:            Windows:Vista::Windows Vista/7

    Simply putting a # in front of this line and enabling TCP drop for Windows systems is the idea?

    Thanks in advance,
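
    An added example, not code from pfSense, pf or anyone in this thread: a small parser and matcher for signature lines in the /etc/pf.os format (window:ttl:df:size:options:OS:Version:Subtype:Details), run over constructed SYN parameters. Only the Vista/7 signature is the line quoted above; the XP-like and Linux-like signatures, the SYN values, the 32-hop TTL tolerance and the wildcard handling for M*/W*/T are assumptions made for illustration, not copied from pf or pf.os.

```python
"""Added example for this thread, not pfSense or pf source: parse pf.os-style
signature lines (window:ttl:df:size:options:OS:Version:Subtype:Details) and
classify constructed TCP SYN parameters. The matching rules are an
approximation of pf's fingerprint comparison (assumption)."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed signature table. Only the Vista/7 line is quoted from the
# thread; the XP and Linux lines are illustrative, not copied from pf.os.
SIGNATURES = """
# constructed XP-like SYN: fixed 64K window, MSS, NOP, NOP, SACK-permitted
65535:128:1:48:M*,N,N,S:            Windows:XP::Windows XP (constructed)
# quoted from the thread above
8192:128:1:52:M*,N,W2,N,N,S:            Windows:Vista::Windows Vista/7
# constructed Linux-like SYN: window is 4 x MSS, timestamps, wscale 7
S4:64:1:60:M*,S,T,N,W7:            Linux:2.6::Linux 2.6 (constructed)
"""


@dataclass
class Signature:
    window: str         # exact number, "*", "S<n>" (n x MSS) or "%<n>"
    ttl: int            # initial TTL the OS uses
    df: int             # don't-fragment bit
    size: int           # total length of the SYN packet (IP + TCP)
    options: List[str]  # option tokens in order, e.g. ["M*", "N", "W2"]
    label: str          # "OS:Version", the pair a pf rule's os keyword names
    details: str


@dataclass
class Syn:
    window: int
    ttl: int            # TTL as observed at the firewall (already decremented)
    df: int
    size: int
    options: List[str]  # concrete tokens, e.g. ["M1460", "N", "N", "S"]

    def mss(self) -> Optional[int]:
        return next((int(t[1:]) for t in self.options if t.startswith("M")), None)


def parse_pf_os(text: str) -> List[Signature]:
    """Parse pf.os-format lines; blank lines and '#' comments are skipped."""
    sigs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = [x.strip() for x in line.split(":", 8)]  # Details may hold ':'
        if len(f) != 9:
            raise ValueError(f"malformed pf.os line: {raw!r}")
        opts = [] if f[4] in ("", ".") else f[4].split(",")
        sigs.append(Signature(f[0], int(f[1]), int(f[2]), int(f[3]), opts,
                              f"{f[5]}:{f[6]}", f[8]))
    return sigs


def _window_ok(want: str, syn: Syn) -> bool:
    if want == "*":
        return True
    if want.startswith("S"):   # multiple of the advertised MSS
        return syn.mss() is not None and syn.window == int(want[1:]) * syn.mss()
    if want.startswith("%"):   # multiple of an arbitrary n
        return syn.window % int(want[1:]) == 0
    return syn.window == int(want)


def _option_ok(want: str, got: str) -> bool:
    if want in ("M*", "W*"):   # any MSS / any window-scale value
        return got.startswith(want[0])
    if want == "T":            # any timestamp; "T0" demands a zero one
        return got in ("T", "T0")
    return want == got


def matches(sig: Signature, syn: Syn, max_hops: int = 32) -> bool:
    """True if the SYN is consistent with the signature. The observed TTL
    must not exceed the initial TTL and must lie within max_hops of it
    (assumption about pf's TTL comparison)."""
    return (sig.ttl - max_hops < syn.ttl <= sig.ttl
            and sig.df == syn.df and sig.size == syn.size
            and len(sig.options) == len(syn.options)
            and all(_option_ok(w, g) for w, g in zip(sig.options, syn.options))
            and _window_ok(sig.window, syn))


def classify(syn: Syn, sigs: List[Signature]) -> Optional[str]:
    """Label ('OS:Version') of the first matching signature, else None."""
    return next((s.label for s in sigs if matches(s, syn)), None)


SIGS = parse_pf_os(SIGNATURES)

# Constructed SYNs. The XP-like host is 10 hops away (TTL 128 -> 118).
XP_SYN = Syn(65535, 118, 1, 48, ["M1460", "N", "N", "S"])
VISTA_SYN = Syn(8192, 128, 1, 52, ["M1460", "N", "W2", "N", "N", "S"])
LINUX_SYN = Syn(4 * 1460, 64, 1, 60, ["M1460", "S", "T", "N", "W7"])
# The same XP host after a registry tweak to its advertised window:
# nothing in the table fits it any more, so an OS-based rule never fires.
TWEAKED_XP_SYN = Syn(64240, 118, 1, 48, ["M1460", "N", "N", "S"])

if __name__ == "__main__":
    for name, syn in [("xp", XP_SYN), ("vista/7", VISTA_SYN),
                      ("linux", LINUX_SYN), ("tweaked xp", TWEAKED_XP_SYN)]:
        print(f"{name:>10}: {classify(syn, SIGS)}")
```

    The point of the last case is the one raised elsewhere in this thread: a fingerprint only describes the defaults, so a host whose TCP parameters have been changed stops matching and silently passes an OS-based block rule. Note also that a rule selects a fingerprint by the class and version strings in fields 6 and 7 (what the OS drop-down exposes), not by commenting lines out; a mis-edited pf.os line with the wrong number of fields is a parse error, not a narrower match.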



  • @viniciusferrao:

Whoa! There are a lot of fingerprints for Windows systems. And the only one that appears to be useful is this one:

    8192:128:1:52:M*,N,W2,N,N,S:            Windows:Vista::Windows Vista/7

    Simply putting a # in front of this line and enabling TCP drop for Windows systems is the idea?

    It's an idea. No idea if it will work. I haven't needed to filter on OS, so I haven't looked at how the rule is constructed. I would make a test rule, look at the debug on the rules, then edit pf.os, re-create the rule and compare.


  • Banned

    Almost every single TCP/IP parameter used in the fingerprinting is easily configurable via registry. Or Google e.g. for "OSfuscate" for a single-click GUI way. Hopefully, realizing how futile this is could finally move you to focusing on some useful security-related tasks instead.



  • @doktornotor:

    Almost every single TCP/IP parameter used in the fingerprinting is easily configurable via registry. Or Google e.g. for "OSfuscate" for a single-click GUI way. Hopefully, realizing how futile this is could finally move you to focusing on some useful security-related tasks instead.

    This is just to block the dumb user. Which is the major source of problems.

A good-enough solution is the enemy of the perfect solution.



  • Hello all,

Has anyone been successful with this approach?
    It doesn't seem to have any effect other than blocking all TCP traffic, but I might (probably) be wrong somewhere.

    Thanks



  • I like windows XP, but the fact that it is now unsupported has forced me to upgrade lots of computers…

    To Linux...  (-:



  • I suspect that trying to block XP by using some sort of tcp/ip fingerprinting is going to be less than effective, and will cause other problems to boot (Server 2003 probably has the same fingerprint).

    I suspect that some other angle would be the better approach (group policy, using a proxy and filtering on the browser ID string, etc).

    But please do post back here if you find something that works.


  • Rebel Alliance Global Moderator

"I almost forgot, there's a department rule to block WAN connections from XP clients after the end of support."

    I am curious to what idiot came up with that policy, and what idiot in IT agreed that it was something they could even do?

When my sons were in school, they had to install a Cisco secure client to access the network.  If your school is going to run a security policy that controls access to the extent of "hey, OS XYZ is not allowed access", NAC/NAP with a client on the box would be a much more effective method than trying to fingerprint the OS by its TCP traffic.



  • Push out a group policy for XP machines to run a script that will update a MAC address list that can be imported to whatever.


  • Rebel Alliance Developer Netgate

    After some digging and testing, it looks like pf's p0f code can at least match XP in some, if not many/most cases.

    No guarantees for accuracy, but I committed some code to 2.2 to let it be selected. The commit applies cleanly to 2.1.2 also.

    You can apply 6316efd305fdce649851634fcd8bd123686d8d18 with the System Patches package and then select Windows XP in the OS drop-down on the firewall rule. Make sure it's a block rule, and make sure the rule is at the top of the list as usual. If you're on 2.2 you can wait for the next new snapshot later today to try it out.



  • I run XP on one machine because some perfectly good legacy hardware requires it, but I also block XP from accessing the internet or being accessed.  Basically, I'd say if you are the owner of XP system, I would block its internet access, but if you are providing a service to customers, I wouldn't because you may be killing off 30% of your business.



  • I'd take losing the 30% of my business instead of having to deal with a compromise. But that's just me.

    There are only 2 solutions to the XP problem:

    1. Linux
    2. Air-gap the computers that still need to run XP.

    Anything else is begging for a compromise. I know I'll get stoned for this, but it's the truth. Any outdated OS has no place on the public internet. If we could only drop the outdated routers as well…

    Just my $0.02. Others will disagree with me, to each their own.