Netgate Discussion Forum

Easy way to block Windows XP

Scheduled Pinned Locked Moved Firewalling
19 Posts 11 Posters 6.2k Views
  • C
    chrismacmahon
    last edited by Feb 18, 2014, 4:02 PM

    With 4/14 getting closer every day, I manage a few clients that have some legacy Windows XP machines that they really don't want to upgrade.

    I can move to a separate LAN, but the downside is their switching equipment is non-managed... VLANing is out... and putting in a new switch is costly but an option.

    I know on the Firewall-Advanced you can set the source OS as Windows, but can it get more specific to WinXP?

    Need help fast? Our support is available 24/7 https://www.netgate.com/support/

    Do Not PM For Help!

    • G
      GomezAddams
      last edited by Feb 21, 2014, 8:06 PM

      @chrismacmahon:

      With 4/14 getting closer every day, I manage a few clients that have some legacy Windows XP machines that they really don't want to upgrade.

      I can move to a separate LAN, but the downside is their switching equipment is non-managed... VLANing is out... and putting in a new switch is costly but an option.

      I know on the Firewall-Advanced you can set the source OS as Windows, but can it get more specific to WinXP?

      If you can set up DHCP reservations so that they always get a fixed set of IP addresses, you could filter on that. Otherwise, if they have a domain, you could use group policy to set their proxy to 127.0.0.1 port 65535, and to remove the "connections" tab. That's how we are handling it.

      • V
        viniciusferrao
        last edited by Mar 18, 2014, 2:43 AM

        I'm looking for a solution in pfSense for this issue.

        Our case is worse. There's no VLANs, there's no domain, and the IP addresses are static!

        • D
          doktornotor Banned
          last edited by Mar 18, 2014, 3:04 AM Mar 18, 2014, 2:58 AM

          Solution for what? Are those your machines? Then either upgrade them or unplug them. Are they NOT your machines? Then for god's sake stop telling people what OS they should run! Do you also block any other "unsupported" OS out there? XP has almost 30% market share; that is 3x more than the "latest and greatest" W8.x metrocrap. You people are mad or what?  ::)

          • V
            viniciusferrao
            last edited by Mar 18, 2014, 3:06 AM

            @doktornotor:

            Solution for what? Are those your machines? Then either upgrade them or unplug them. Are they NOT your machines? Then for god's sake stop telling people what OS they should run! Do you also block any other "unsupported" OS out there? XP has almost 30% market share; you people are mad or what?  ::)

            Well, since it's a university network with more than 1000 machines using real IPv4 addresses, as a sysadmin I should keep my network safe. Oh... I almost forgot, there's a department rule to block WAN connections from XP clients after the end of support.

            I don't think your reply adds anything useful to this thread; there are cases and cases, which should be studied according to the situation.

            • D
              doktornotor Banned
              last edited by Mar 18, 2014, 3:12 AM Mar 18, 2014, 3:09 AM

              Sure. So you are keeping your network safe from unsupported MacOS/Linux/BSD/Android/whatnot versions as well? You're gonna pay the people for the W7+ OS upgrade? You're gonna pay them for the HW upgrade for those machines that cannot run the latest and "greatest" from MS? You're getting paid some commission from MS for this "safety" campaign? Or what?

              Good that I'm not at your university.  ::)

              • D
                dotdash
                last edited by Mar 18, 2014, 6:48 PM

                XP does have a unique fingerprint. I'm unsure of exactly how pfSense is parsing it, but you could check out /etc/pf.os for reference. Perhaps comment out anything past XP and block Windows on the rule?

                RE: doktornotor
                I can see your point of view, but this forum is for people seeking technical help. If you disagree with someone's goals, you could simply choose to not offer any advice. Lots of people control corporate networks that might want to restrict access by OS. If you don't like it, you are free to allow any OS to use your bandwidth.

                • V
                  viniciusferrao
                  last edited by Mar 18, 2014, 8:17 PM

                  @dotdash:

                  XP does have a unique fingerprint. I'm unsure of exactly how pfSense is parsing it, but you could check out /etc/pf.os for reference. Perhaps comment out anything past XP and block Windows on the rule?

                  RE: doktornotor
                  I can see your point of view, but this forum is for people seeking technical help. If you disagree with someone's goals, you could simply choose to not offer any advice. Lots of people control corporate networks that might want to restrict access by OS. If you don't like it, you are free to allow any OS to use your bandwidth.

                  Whoa! There are a lot of fingerprints for Windows systems. And the only one that appears to be useful is this one:

                  8192:128:1:52:M*,N,W2,N,N,S:            Windows:Vista::Windows Vista/7

                  Simply putting a # in front of this line and enabling TCP drop for Windows systems is the idea?

                  Thanks in advance,

                  • D
                    dotdash
                    last edited by Mar 18, 2014, 9:22 PM

                    @viniciusferrao:

                    Whoa! There are a lot of fingerprints for Windows systems. And the only one that appears to be useful is this one:

                    8192:128:1:52:M*,N,W2,N,N,S:            Windows:Vista::Windows Vista/7

                    Simply putting a # in front of this line and enabling TCP drop for Windows systems is the idea?

                    It's an idea. No idea if it will work. I haven't needed to filter on OS, so I haven't looked at how the rule is constructed. I would make a test rule, look at the debug on the rules, then edit pf.os, re-create the rule and compare.

                    • D
                      doktornotor Banned
                      last edited by Mar 18, 2014, 10:34 PM

                      Almost every single TCP/IP parameter used in the fingerprinting is easily configurable via registry. Or Google e.g. for "OSfuscate" for a single-click GUI way. Hopefully, realizing how futile this is could finally move you to focusing on some useful security-related tasks instead.

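As an added example (not code from pfSense, from pf, or from any poster in this thread), the following Python re-implements in simplified form what the /etc/pf.os discussion above is about: how a fingerprint table in pf.os format is parsed, how an incoming SYN is matched against it, what putting a # in front of the Vista/7 line does to a rule that blocks the "Windows" genre, and how a rule that names a genre plus version (the way the later "Windows XP" OS selection works) differs from one that names only the genre. It also shows the limitation raised in the reply just above: a host whose TCP parameters differ from the stack defaults simply produces no match, so the rule is not a reliable control. The Vista/7 fingerprint line is the one quoted in the thread; the other fingerprint lines, the SYN values, the hop-count tolerance and the rule-name matching are constructed assumptions and do not copy pf's own pf_osfp.c logic.

```python
"""Parse a pf.os-style fingerprint table and match constructed SYNs against it.

Added example, not pfSense or pf code. Field layout follows pf.os(5):
window:ttl:df:size:options:genre:version:subtype:details
The matching rules are a simplified re-implementation (assumption), not pf's.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Fingerprint:
    window: str            # "*", "%N" (modulus), "Sn" (n*MSS), "Tn" (n*MTU) or exact
    ttl: int               # initial TTL of the sending stack
    df: int                # don't-fragment bit
    size: int              # total SYN size: IP + TCP headers including options
    options: List[str]     # option tokens in order, e.g. ["M*", "N", "W2", "S"]
    genre: str
    version: str
    subtype: str
    details: str


@dataclass
class Syn:
    window: int
    ttl: int               # TTL as observed at the firewall (initial minus hops)
    df: int
    size: int
    mss: int
    options: List[Tuple[str, Optional[int]]]   # e.g. ("M", 1460), ("N", None), ("W", 2)


# Constructed sample table. Only the Vista/7 line is the one quoted in the thread.
SAMPLE_PF_OS = """\
# constructed sample in pf.os format
8192:128:1:52:M*,N,W2,N,N,S:            Windows:Vista::Windows Vista/7
65535:128:1:48:M*,N,N,S:                Windows:XP::Windows XP (constructed sample line)
5840:64:1:60:M*,S,T,N,W0:               Linux:2.6::Linux 2.6 (constructed sample line)
"""


def parse_pf_os(text: str) -> List[Fingerprint]:
    """Read fingerprint lines; a leading '#' comments a line out, as proposed in the thread."""
    fps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":", 8)]   # details field keeps any later colons
        if len(parts) != 9:
            raise ValueError(f"malformed fingerprint line: {raw!r}")
        win, ttl, df, size, opts, genre, ver, sub, det = parts
        options = [] if opts in ("", ".") else opts.split(",")
        fps.append(Fingerprint(win, int(ttl), int(df), int(size), options, genre, ver, sub, det))
    return fps


def _window_ok(spec: str, syn: Syn) -> bool:
    if spec == "*":
        return True
    if spec.startswith("%"):
        return syn.window % int(spec[1:]) == 0
    if spec.startswith("S"):                       # multiple of the MSS
        return syn.mss > 0 and syn.window == int(spec[1:]) * syn.mss
    if spec.startswith("T"):                       # multiple of the MTU (MSS + 40)
        return syn.mss > 0 and syn.window == int(spec[1:]) * (syn.mss + 40)
    return syn.window == int(spec)


def _ttl_ok(initial: int, syn: Syn) -> bool:
    # Assumption: accept any observed TTL within 31 hops below the initial TTL.
    return 0 <= initial - syn.ttl < 32


def _options_ok(spec: List[str], syn: Syn) -> bool:
    """Options must appear in the same order; M* and W* accept any value."""
    if len(spec) != len(syn.options):
        return False
    for tok, (kind, val) in zip(spec, syn.options):
        if tok == "T0":
            if kind != "T" or val != 0:
                return False
            continue
        if tok[0] != kind:
            return False
        if tok[0] in ("M", "W") and tok[1:] != "*" and int(tok[1:]) != val:
            return False
    return True


def match(fps: List[Fingerprint], syn: Syn) -> List[Fingerprint]:
    return [fp for fp in fps
            if _window_ok(fp.window, syn) and _ttl_ok(fp.ttl, syn) and fp.df == syn.df
            and fp.size == syn.size and _options_ok(fp.options, syn)]


def classify(pf_os_text: str, syn: Syn) -> List[str]:
    return [f"{fp.genre} {fp.version}".strip() for fp in match(parse_pf_os(pf_os_text), syn)]


def rule_hits(os_spec: str, matched: List[Fingerprint]) -> bool:
    """Simplified rule semantics (assumption): "Windows" hits every Windows version,
    "Windows XP" hits only fingerprints whose version field is XP."""
    genre, _, version = os_spec.partition(" ")
    return any(fp.genre == genre and (not version or fp.version == version) for fp in matched)


def comment_out(pf_os_text: str, needle: str) -> str:
    """Put '#' in front of every fingerprint line containing needle."""
    return "\n".join("#" + ln if needle in ln and not ln.startswith("#") else ln
                     for ln in pf_os_text.splitlines()) + "\n"


# Constructed SYNs: one shaped like the quoted Vista/7 line, one like the sample XP line,
# and an "XP" host advertising a non-default window (no table line describes it).
VISTA_SYN = Syn(8192, 127, 1, 52, 1460, [("M", 1460), ("N", None), ("W", 2), ("N", None), ("N", None), ("S", None)])
XP_SYN = Syn(65535, 126, 1, 48, 1460, [("M", 1460), ("N", None), ("N", None), ("S", None)])
TUNED_XP_SYN = Syn(64240, 126, 1, 48, 1460, [("M", 1460), ("N", None), ("N", None), ("S", None)])

if __name__ == "__main__":
    table = parse_pf_os(SAMPLE_PF_OS)
    for name, syn in (("Vista/7-like SYN", VISTA_SYN), ("XP-like SYN", XP_SYN), ("XP, tuned window", TUNED_XP_SYN)):
        print(f"{name}: {classify(SAMPLE_PF_OS, syn)} hit by 'os Windows XP': {rule_hits('Windows XP', match(table, syn))}")
    print("Vista/7 SYN after commenting out the Vista/7 line:", classify(comment_out(SAMPLE_PF_OS, "Vista"), VISTA_SYN))
```

Run as-is and the Vista/7-like SYN classifies as Windows Vista, the XP-like SYN as Windows XP, and the tuned XP host as nothing at all; with the Vista/7 line commented out, a "block os Windows" rule no longer sees the Vista/7 host, which is exactly the edit proposed above, but any host not described by a remaining line is still passed.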
                      • V
                        viniciusferrao
                        last edited by Mar 19, 2014, 1:34 AM

                        @doktornotor:

                        Almost every single TCP/IP parameter used in the fingerprinting is easily configurable via registry. Or Google e.g. for "OSfuscate" for a single-click GUI way. Hopefully, realizing how futile this is could finally move you to focusing on some useful security-related tasks instead.

                        This is just to block the dumb user. Which is the major source of problems.

                        A good enough solution is enemy of the perfect solution.

                        • T
                          thuizt
                          last edited by Apr 9, 2014, 9:07 PM

                          Hello all,

                          Has anyone been successful with this approach?
                          It doesn't seem to have any effect other than blocking all TCP traffic, but I might (probably) be wrong somewhere.

                          Thanks

                          • K
                            kejianshi
                            last edited by Apr 9, 2014, 10:02 PM

                            I like windows XP, but the fact that it is now unsupported has forced me to upgrade lots of computers…

                            To Linux...  (-:

                            • G
                              GomezAddams
                              last edited by Apr 11, 2014, 4:50 PM

                              I suspect that trying to block XP by using some sort of tcp/ip fingerprinting is going to be less than effective, and will cause other problems to boot (Server 2003 probably has the same fingerprint).

                              I suspect that some other angle would be the better approach (group policy, using a proxy and filtering on the browser ID string, etc).

                              But please do post back here if you find something that works.

                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator
                                last edited by Apr 11, 2014, 8:53 PM

                                "I almost forget, there's a department rule to block WAN connection from XP clients after the end of support."

                                I am curious to what idiot came up with that policy, and what idiot in IT agreed that it was something they could even do?

                                When my sons were in school, they had to install a Cisco secure client to access the network.  If your school is going to run a security policy that controls access to the extent of "hey, OS XYZ is not allowed access", NAC/NAP with a client on the box would be a much more effective method than trying to fingerprint the OS by its TCP traffic.

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                • H
                                  Harvy66
                                  last edited by Apr 12, 2014, 2:54 AM

                                  Push out a group policy for XP machines to run a script that will update a MAC address list that can be imported to whatever.

                                  • jimpJ
                                    jimp Rebel Alliance Developer Netgate
                                    last edited by Apr 29, 2014, 4:17 PM

                                    After some digging and testing, it looks like pf's p0f code can at least match XP in some, if not many/most cases.

                                    No guarantees for accuracy, but I committed some code to 2.2 to let it be selected. The commit applies cleanly to 2.1.2 also.

                                    You can apply 6316efd305fdce649851634fcd8bd123686d8d18 with the System Patches package and then select Windows XP in the OS drop-down on the firewall rule. Make sure it's a block rule, and make sure the rule is at the top of the list as usual. If you're on 2.2 you can wait for the next new snapshot later today to try it out.

                                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                    Need help fast? Netgate Global Support!

                                    Do not Chat/PM for help!

                                    • K
                                      kejianshi
                                      last edited by Aug 30, 2014, 1:20 AM

                                      I run XP on one machine because some perfectly good legacy hardware requires it, but I also block XP from accessing the internet or being accessed.  Basically, I'd say if you are the owner of XP system, I would block its internet access, but if you are providing a service to customers, I wouldn't because you may be killing off 30% of your business.

                                      • ?
                                        A Former User
                                        last edited by Sep 1, 2014, 8:32 PM

                                        I'd take losing the 30% of my business instead of having to deal with a compromise. But that's just me.

                                        There are only 2 solutions to the XP problem:

                                        1. Linux
                                        2. Air-gap the computers that still need to run XP.

                                        Anything else is begging for a compromise. I know I'll get stoned for this, but it's the truth. Any outdated OS has no place on the public internet. If we could only drop the outdated routers as well…

                                        Just my $0.02. Others will disagree with me, to each their own.

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.