

What should I do about Windows XP computers that we need to keep? - chrisBob

In our lab we have a collection of equipment where each piece has a dedicated Windows XP computer (a Wyko interferometer for example). What is the best way to deal with the end of support for these machines?

The hardware is very expensive to upgrade, and upgrading would basically mean throwing it out and starting over with new equipment.

There is also no path to upgrade to Windows 7.
======
octopus
A possible solution:

- Block all machines from accessing the web, let them access only the
intranet;

- Install a lightweight VM with a browser on every machine and use this to
access the Internet (e.g. you could use a VM with a small Linux distro
only for browsing the net).

The second solution is probably a good compromise. This will let you browse
the Internet if necessary without compromising the physical machine security.

It should be possible on the same physical machine to allow external
network access for a VM and block the other apps from accessing the Internet.
You can probably do it from the firewall or use a separate IP for the VM and
block all IPs from your router except the IPs of the VMs.

The VM should be used only for browsing the internet.

------
valarauca1
You could attempt to move to a VM; this'll likely fail. I know a KVM
environment _should_ work theoretically but it may not.

If that fails you'll likely need to go with an air gap. Transfer all data in
and out via flash drive and run nightly virus scans on the host computer and the
XP one. If you can't air gap the XP computer: nightly virus/mal scans,
allocate more time for IT preemptively, and maybe prayer?

Weekly/Monthly hard drive images are likely a good idea also.

:.:.:

Also stockpile old hardware for it. Try keeping a few functional ATA hard
drives on hand, spare PCI cards if you need them. In all honesty, having 1 or 2
computers that can serve as drop-in replacements on failure is likely a good
idea.

~~~
chrisBob
We don't have extra parts, but the service team does and the machines
themselves are getting hard to come by. I tried shopping for a computer with
more than one PCI slot recently, and spent days just trying to figure out what
is in computers from Lenovo, HP and DELL. That is not an important spec to
list anymore.

I will do the math with my boss; a duplicate machine might be a good idea
while they are still around.

------
caleb23
I would recommend an air gap, disabling autorun, removing the CD hardware, and
any hardware used to connect to the internet. You could also remove any other
hardware and uninstall the drivers you don't need such as a webcam.

Here is a good article on the Malwarebytes Anti-malware blog for some
recommendations:
[http://blog.malwarebytes.org/security-threat/2014/04/windows...](http://blog.malwarebytes.org/security-threat/2014/04/windows-xp-you-have-served-us-well/)

------
monknomo
I would stockpile parts for the machines and take them off the network. If you
have enough spares and your computers aren't exposed to outside attacks, I
don't see why they couldn't hum along for another decade or two.

If you keep it up long enough, you might even get an article:
[http://www.pcworld.com/article/249951/if_it_aint_broke_dont_...](http://www.pcworld.com/article/249951/if_it_aint_broke_dont_fix_it_ancient_computers_in_use_today.html)

~~~
chrisBob
I think I will start with just pulling it off the network. People like to be
able to easily move the data, but it is probably worth making them use thumb
drives now.

~~~
fest
And while you're at it, definitely disable every possible autorun option.
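
A check that goes with the thumb-drive and autorun advice in this sub-thread, as an added example that is not part of any commenter's post: a Python script, meant to run on the networked host rather than the XP machine, that lists what a flash drive's `autorun.inf` would launch and which files are directly executable. The extension list, the function names and the sample drive contents are assumptions constructed for illustration.

```python
import os
import tempfile

# Extensions Windows runs or interprets directly (illustrative list, an assumption).
RISKY_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk", ".dll"}

def parse_autorun(path):
    """Return (key, value) pairs from [autorun] that name a program to launch."""
    commands, section = [], ""
    with open(path, "r", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1].strip().lower()
            elif section == "autorun" and "=" in line and not line.startswith(";"):
                key, value = (part.strip() for part in line.split("=", 1))
                if key.lower() in ("open", "shellexecute") or key.lower().endswith("\\command"):
                    commands.append((key.lower(), value))
    return commands

def triage_drive(root):
    """List files on a mounted drive to review before it is plugged into the XP machine."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(folder, name), root)
            if folder == root and name.lower() == "autorun.inf":
                # autorun.inf is only honoured in the drive root
                launches = parse_autorun(os.path.join(folder, name)) or [("present", "no launch key")]
                findings += [("autorun", rel, f"{k}={v}") for k, v in launches]
            elif os.path.splitext(name)[1].lower() in RISKY_EXT:
                findings.append(("executable", rel, ""))
    return sorted(findings)

def demo():
    """Build a constructed sample drive in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "data"))
        samples = {  # constructed sample contents, not from a real drive
            "AUTORUN.INF": "[AutoRun]\n; constructed sample\nopen=setup.exe\nicon=drive.ico\n",
            "setup.exe": "",
            os.path.join("data", "scan_001.csv"): "x,y\n",
            os.path.join("data", "report.pdf.scr"): "",
        }
        for rel, text in samples.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(text)
        return triage_drive(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

An empty result only means nothing matched these simple rules; it does not replace the virus scans mentioned elsewhere in the thread.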

------
fractal618
Keep them non-networked, if you are really afraid of XP without support.

