Ghostbusters ref?
"Cats and dogs will live together,"
The XPocalypse is upon us, gentlebeings, and those of us who must keep XP around are doomed! Or so some very expensive marketing pushes would have us believe. As you know by now, I have to keep some XP systems around. In some cases they'll probably be around for a decade or more. If you believe the breathtaking hyperbole of …
Think about it.
They could take XP off the shelves for a few months, tinker with the OS a bit, rebrand/rebadge XP as "Windows Corporate", double the licence and cash in, as IT everywhere would want to licence it. Give it another 5 years premium support (more $$) and hey presto.
Roberta Is your mother's brother she don't talk about.... ^_~
It's almost as if you read Trev's previous post :-)
http://www.theregister.co.uk/2014/04/02/the_mathematics_of_trust/
He reckoned about $65 per year should hit the mark as an amount businesses would pay and enough to directly fund the necessary staff at MS. With the added bonus to MS of getting lots of people used to the idea of paying for an OS by annual subscription...
Microsoft does have an option like this, but it only accepts applications from very large companies that already have a plan in place to migrate away from XP, and it charges USD 200 per machine for the first year, 400 for the second, 800 for the third etc. It has been taken up by the UK and German governments, among others.
Nice list of all the things to put on your shopping list of things to consider if you've simply no choice but to have XP lingering around, as so many of us do. I'm less concerned about XP in a Corporate environment however, way more worried about the army of consumer users who can't/won't ditch XP, or simply don't know any better. I think they'll be the real targets after the patches run dry.
....but this is only relevant to businesses who can afford a highly* competent windows/network tech to lock down their remaining IT systems.
For smaller businesses without access to the requisite techs with that kind of skillset, they will continue to run XP 'normally' and they will suffer, not necessarily because they don't take it seriously - but because they can't get their staff to not open flaky attachments at the best of times, never mind when the system is unpatched.
If you are in a position to lock down your XP machines in some way, fine - you can mitigate the risk. If you are not in a position to do something like that, then you need to exercise, at best, extreme caution backed up by disciplinary procedures that are enforced (IE treating opening malicious attachments in the same way you'd treat someone forgetting to lock the business up at the end of the night resulting in a robbery), and at worst, you need to throw money/hardware at the problem.
*As opposed to the sort of numpties who build servers with a RAID0 system partition. Yes, I've seen it, and yes, because I was called in after the server crashed. Windows techs may be ten a penny, but a significant minority of them shouldn't be charging more than 10p for their services. Such as the ones selling Norton as a solution to XP end of life. Which I've also seen from a local competitor...
"IE treating opening malicious attachments in the same way you'd treat someone forgetting to lock the business up at the end of the night resulting in a robbery"
OK, so you sack someone. Then there is a tribunal, and their representation asks the following: "Is it true that your business communications depend on an obsolete version of Microsoft Windows for which there are no security updates and no functioning antivirus products?"
The answer will not go down very well, will it?
I understand and have some sympathy with your views, but one has to allow for known human behaviour.
quote: "OK, so you sack someone. Then there is a tribunal, and their representation asks the following: "Is it true that your business communications depend on an obsolete version of Microsoft Windows for which there are no security updates and no functioning antivirus products?"
The answer will not go down very well, will it?"
Depends on the answer.
"My current business communications use enterprise standard products as are currently in use by the UK Government, and we are in the process of migrating to new systems with improved security. I would also like to draw your attention to the employment contract signed by the employee, specifically the "use of computer equipment" clauses which codify the expectations of vigilance, and diligence, required by employees when dealing with suspicious emails or files. Expectations which this employee failed to meet in this circumstance."
If you have contractual terms covering use (and misuse) of corporate computing resources, then it is reasonable to expect employees to adhere to those terms, is it not? Failing to adhere to those terms would be expected to trigger a disciplinary hearing, the result of which could potentially be dismissal, correct?
I'm tempted to invoke a driving analogy involving traffic lights being down (aka reduced security from XP hitting end of life) where drivers are actually expected to be more careful when crossing the junction than if the lights were working. It would make this user sound like one who just barreled through the junction regardless endangering life and limb, and we all know computer malware is nowhere near that dangerous, and that anyway computer security is strictly the responsibility of the IT department, not the end users. :)
OK, Norton is not the answer. But MS said that Security Essentials would continue to be supported, at least for a while. However, last week they turned its icon from green to brown, and now it is red. Surely if MSE is working as it should the icon should be green?
Since MS are being deliberately difficult, they deserve an obstinate response.
>Surely if MSE is working as it should the icon should be green?
It is working! The icon is red because you are now running an unsupported version of Windows...
Personally, I would uninstall MSE and install a third-party firewall & security suite such as Comodo or Agnitum (both do freeware versions).
Additionally or alternatively EMET is quite a useful tool to help harden the system. Whilst it isn't the same as Deep Freeze, Steady State etc. it does enable you to force the usage of many security features inherent in XP...
I am the originating AC - Thanks to Numptyscrub for responding to Keithpeters perfectly salient point in the manner I would have had I not been working and missed this thread. I have worked in the past in places where IT security and disciplinary proceedings are related, and while it's not a solution, when someone gets put on a written warning for getting a network share encrypted, it makes everyone remember that they can't just sit there opening crap up willy nilly if they like their jobs. Or even if they don't like their jobs, but would like to keep getting paid.
I just wanted to add to everyone banging on about AV software and firewall products being a solution; they are not. They are a band-aid on a bifurcation. I'm going to go on something of a rant here, so skip to the end if you feel the need.
AV software does NOT patch a vulnerability in a core OS stack that allows remote code execution - it simply allows you to prevent one method of that exploit getting to the machine after it has been discovered and catalogued. If you are part of the zero-day infection (which, incidentally, lasts longer than zero days) that specifically targets unpatched systems (and this goes for any OS) then you are just as fucked as if you had not bothered to put AV software on there at all, because the only thing that will stop that vulnerability is an OS patch - anything else is a half-measure and isn't acceptable if you have valuable data or processes running on your systems.
If you have firewall software, that will not stop a user from running the file from a USB pen.
If the underlying vulnerability is not patched, then all it takes is a minor change to the delivery vector (see the recent recursive attachment email infection to get past network edge and local AV email scanning systems : http://www.theregister.co.uk/2014/04/08/spam_attachment_within_spam_attachment_ruse_deployed_by_bank_trojan_slingers/ ) and you're still fucked because that underlying vulnerability will never get fixed.
Antivirus and firewall software are not a solution to an unpatched system, and anyone who claims otherwise should not be in a position to be handling security processes for any system that requires its data/process/service integrity - and particularly if you are looking after SMBs or any other kind of business client.
For your garage radio streaming system (as noted by someone else below) which doesn't have sensitive data on it, it's not as big a problem. If you look after a small company, congratulations, telling them to just keep their AV and firewall software up to date to protect them may properly fuck them up in three months time, because someone has re-patched a delivery method for Cryptolocker or a similar, effectively irrecoverable infection. All it takes is for the company to get hit with something like that, and not have the cashflow to pay the bitcoin ransom, and you could have cost half a dozen people their jobs. Remember that.
Repeat after me....
AV and firewall software are not a solution for an unpatched system
AV and firewall software are not a solution for an unpatched system
AV and firewall software are not a solution for an unpatched system
@AC relying on policies and written warnings
"Repeat after me....
AV and firewall software are not a solution for an unpatched system"
So, we are back at the Tribunal, and you have admitted that the system is both unpatched and can never be patched as the manufacturer has declared it obsolete with many years, I repeat Sir, years, nay, half a decade's warning.
The complainant's representation now claims that your policy is, in effect, asking him/her to operate a machine without guards in place and with open hatches. And no goggles or safety shoes.
What might your response be?
PS: my lovely 12h day is tomorrow.
Ey up Keith. AC again. Hallo!
I'd kick that back up the chain 'o command and get the directors and beancounters who turned down multiple requests for systems refresh funding to take the stand; to use your analogy, they refused to pay for the guards and hatch covers despite being told the risks repeatedly by myself, in writing. Signed in triplicate and sent to all the directors to ensure they were all aware, and that I refused to take responsibility for it. So can I leave now, ta?
I'm a slippery motherfucker, I tells thee ;-)
AC
PS: We're getting into the realms of pedantry now, but I think you get my point ;-)
"they turned its icon from green to brown, and now it is red"
Yes. So those who can't or won't switch will get used to seeing a red shield icon due to EOL and won't notice if, for example, it's a warning that it didn't start/has stopped. Ditto the pop-up EOL warning training the users to click it off without reading it.
"As opposed to the sort of numpties who build servers with a RAID0 system partition."
I saw one of those at the last place I worked. On that server was a Wiki containing the only real documentation for one of the products they sell.
I got called in after the first-line guy had the brilliant idea of re-formatting one of the drives to get around the disk crash...
Vic.
My garage PC runs XP and will be staying XP. I use it for playing internet radio, viewing service manuals, finding parts on fleabay, and other mundane tasks. I am actually looking forward to not getting update warnings and the resulting 30 minute download/install/reboot sagas. As for security, it has a half decent AV package and all my data is backed up elsewhere, so if it does get Pwned, I'll just wipe it and reinstall XP. It's an Athlon X64 3400+ with 3GB RAM so although it would run Linux I just can't be bothered to faff about (it has some weird RAID mirror for the primary disks) to get it working. When it gets infected I may look at Linux or I may just bin it and buy a cheap Win7 box.
To be honest, that's a perfect candidate for a Linux install by the sounds of it.
Drop the RAID if it's hardware based (or soft-hard, like the SiI3112, etc) and just drop Linux on it, and you can set up a Linux software RAID mirror if you really feel the need.
If it really is just an internet client, throw a live Mint/Ubuntu/SUSE boot disk at it, and see if it behaves itself. If so, back up the data, nuke it, and carry on.
Bear in mind that if that machine talks to any network stores you have, and you get Cryptolocked - you're humped, period.
I'm not one for pushing Linux on everything, but if it suits, it suits. I'd say it's worth a sniffle if you find yourself bored in the garage at the weekend with a couple of beers to keep you company.
Steven R
"As for security, it has a half decent AV package and all my data is backed up elsewhere, so if it does get Pwned, I'll just wipe it and reinstall XP."
You're working on the assumption you'll know immediately if it gets 'pwned'. In reality it might be some time, by which time the bad guys might have your bank details, your friends email addresses, and as stated above have Cryptolocked your remote file store(s).
If/when you "wipe it and reinstall XP", will you be able to reinstall the existing patches from Windows Updates (will these still be on offer after today)? If not you'll just be making a bad situation worse.
Your complacency is worrying: I think you should listen to the Linux suggestion, or just shell out for a cheap copy of Win7 from FleaBay.
As long as you don't have anything important on it, or do anything like using it to buy something over the Internet, you may accept the risk. But as soon as you read your email, buy some of those parts or something like this on that machine, log on to some site, or the like, you're accepting a not little risk. No FW or AV will protect you enough - and the problem is not what they may delete, is what they could steal without you even knowing it.
Just accepting the risk isn't good enough. It's plain irresponsible.
You might not care about your systems, if malware gets on it - but what bothers me is another drone in the DDoS/spam botnets which hurts everyone.
It's not only you who's affected when your old Windows machine gets infected. Again.
Well, for that you have the far bigger problem of incompetent users and those using illegal copies which of course don't patch the system because they're afraid of being identified and their system locked down. They could run the shiniest latest OS but will click on any "pOwn me" sign as long as it is pretty and colorful.
At every opportunity you mention illegal copies of Windows - How come you're always banging on about it? Have you just had to buy your first legit copy, or something?
Nobody else even mentions it.
(If you know the right channel, you can get MS software for free... from MS. Legit)
It's funny most still think malware is designed to crash or wipe your PC. Sorry, that's not 1987 anymore. Most malware is designed to infect you, and stay hidden, while stealing data silently, or performing operations on the bot C&C's behalf (spam, DDoS, attacking other machines, hosting illegal content, doing anything illegal you like on someone else's machine....), often even rented to someone else for a given task. Only crappy malware (there's that too) will do something you'll notice easily enough (yes, there's ransomware also, but that's a one-shot malware type). It may take years to discover a well hidden infection.
If AV and FW were really effective, we would not be here talking about vulnerable machines. And the more "0 day" XP will be vulnerable to, the less AV and FW will be able to protect you, there are dozens of effective techniques to avoid detection and make local AV and FW wholly useless - when you compromise a machine, you can also control the software running on it. You may sleep happily while someone else enjoys your machine and your data, or open your eyes and acknowledge that false security is usually equal to no security at all.
Well the simple things you can do over and above what you say (if you aren't already doing them):
1. Ensure you normally use the PC as a non-admin user.
2. Give the admin user a simple password that you can remember - this is to stop simple "run as admin" actions.
3. Install Chrome or Firefox and use these browsers instead of IE.
4. Take a full disk image, to simplify recovery.
Whilst the machine won't be fully secure, it will probably be good enough for most practical purposes...
"Give the admin user a simple password that you can remember - this is to stop simple "run as admin" actions."
Give admin user a "complex" password that you can remember. At least 16 characters long (disables unsecure NTLM hashes) - better, create another admin user, and disable the Administrator one (use gpedit.msc to do that). Beware that to change the XP Home password IIRC you need to enter safe mode or something alike.
Disable useless and unused services, especially if running as LocalSystem. Download Sysinternals' Autoruns and check what is started automatically - remove whatever you don't need.
>Give admin user a "complex" password that you can remember.
In the context of the garage, the important thing is that this password needs to be kept safe and accessible, so that it is remembered for periodic use but also is not so simple that users just get in the habit of using "run as admin"...
>Disable useless and unused services
Well two key services I suggest are: Windows Update and Security Centre.
Also do a final full update, confirm the system is stable and disable non-essential third-party auto updaters eg. Adobe Acrobat Reader.
"I put Windows 8.1 on them, and surprisingly they are quite quick, interface is sucky but the performance is ok for what they were doing before."
What specifications were the machines? I'd like to try Win8 on an old(ish) laptop.
Coat icon: just the machine specs everyone, this thread isn't for moaning about interfaces/TIFKAM/ or advocating Linux.
No problem. The only other thing I can think of is that there are lots of machines of that era (I was fortunate with the model I was using) that are kind of marginal when it comes to some driver support and video driver support in particular. It's often possible to use older drivers in compatibility mode, but it can be a bit of a chore to get them working. I had a similar experience with running Windows 7 on a Dell Dimension D410, where Vista drivers would work if installed in compatibility mode. An interesting exercise, but definitely a bit of patience required.
"XP at home, one PC too old so just risking it."
No, don't do that. As someone else pointed out, you're risking it becoming part of someone else's botforest, and that can hurt everyone, not just you.
If it can run XP, it can run some lightweight linux. Look into it.
Just upgraded my better half's circa 2008 XP laptop to Win 8.1 (thank you student discount) and it runs fine. 1.6Ghz with 2 GB, plus a 500 GB HD. Took a few minutes for me to figure out where control panel was, but other than that it's heaps easier for her to use than XP ever was. Installed a couple of apps for her, transferred her itunes and good to go.
Then she tells me they've been using Win 8 tablets at school for ages and she knows how to use the interface better than I do.
Last year, I put the Win 8.1 Trial onto a vintage 2007 Lenovo Thinkpad T60, 2GB ram.
It ran fine, with good hardware detect, but I did not like it. It's back to XP, with the red MSE icon I complained about in an earlier comment.
Tip: never access internet from an admin account. That one measure greatly reduces risks.
The biggest remaining risk is if a usb memory stick passes infections to my other machines.
Pott: "There are lots of reasons why this isn't always possible – hardware dongles, the need to power proprietary hardware cards and so forth.."
Well, yeah, but lets take a step back here. If core business equipment is aged and there's no money and/or willingness to invest in serious replacements or upgrades of any kind, we're talking about a bigger, non-technical issue which will affect the production and security of such places in many ways.
So let's look at the situation where there's at least some will and financing available. There are enough PCI Centronics or serial port cards for dongles which can be made available to the virtual machine. Having some ISA card to support? USB to ISA card adaptors do exist (eg Arstech) and drivers will be able to detect the redirected IRQ, DMA etc. The hardware costs are not the problem here but time for testing and troubleshooting might be. Especially for timing-sensitive equipment this solution might run into trouble though, or as some report, for any non-plug&play cards. So what is being invested in is a supported solution and the work of an engineer to sort it out. But for mission critical equipment that cannot be replaced (yet), it seems worth a try.
that USB support in things like Hyper-V and (probably?) Virtualbox are geared towards USB mass storage and standard devices, rather than a software protection dongle (looks like VMWare copes a bit better with this).
There are also some Open Source projects that provide what amount to USB over IP, which are apparently intended to solve those sorts of problems (dongles, etc) inside a VM. Not tried them yet myself, but the idea sounds like it has some potential.
...grab yourself a copy Windows Steady State, the backbone of libraries and schools for years.
it's hard to find via MS, but there some out there on decent 3rd party sites.
Install,set up policies, turn on Disk protect and bang, a free mini VM. Not that hard to do the basic stuff either, although some tweaks can mess things up (like turning off system tray can bugger up printing).
best of all IT'S FREE.
Deep freeze is good, use it on Win8 machines as Steady State was XP only.
Another reason for the need to keep Windows XP is that it was the last version of Windows that was able to communicate via NetBEUI, the extended NetBIOS over Ethernet protocol.
Although it died out as a standard peer-to-peer protocol for PCs many years ago, there were some automated manufacturing systems that used NetBEUI for control purposes, and some of these are still in use. The use of a protocol other than TCP/IP prevents such systems from being implemented in a VM.
NetBEUI works under 32-bit Windows 7 (and Vista). I've done it and others have too. With Vista/Windows 7 you'll still be on borrowed time since they're going to be killed by MS in a few years from now.
Also, why do you think protocols other than TCP/IP cannot be used in VM? Try bridging or dedicating your ports.
I think I shall print that large, frame it and hang in on the wall next to the rather blood stained* "The only entity in the universe capable of sustained growth is the universe itself."
* From beating managers & the occasional politicians head against it.
I keep repeating this because everybody thinks a VM is a cure all....
If you use VM in bridged mode, that bypasses the host OS's AV and firewall. The VM will get infected, all your other VMs will get infected, and maybe the host OS will too. You might as well drop the VM and perform a native XP install (or leave the current installation alone). If you use the VM in NAT mode, you don't have this problem, but maybe your application won't work anymore.
I have several Windows 95 machines, and they are all happy and have never been pwned. My only headache is explaining the old 8.3 filename limitations to recent college graduates. That and the DST time change is three weeks late in the spring and one week early in the fall.
I'm going to buy another SATA disk and install it in the spare bay. I had tried dual partitions XP/Linux but grub has an unfortunate habit of messing with bootblocks which can be a complete pain in the posterior.
Mint should be able to mount and read the windows partition if necessary.
Et voila, then over time when XP's usefulness fades i'll keep the old drive spun down and still have the backups that i made on DVD...just in case.
In other words, never boot again from the XP partition unless it's really necessary.
An excellent write up with very useful links, thanks.
"Buy yourself a PCI USB card, put it in a baggie and tape it to the inside of the sidepanel."
An alternative to the card would be a Motherboard header (4 pin MPC Female) to USB (USB A Female) 15cm cable. They're about 2 quid or less on Ebay. Unless the PC is very very old, the motherboard should have USB header somewhere. The advantage of course is that in addition to being internal, you can lift the lid and hot plug it. The other point to remember is that Windows Virtual PC, XP Mode can be enabled to supports USB. (which is actually the default)
You *can* hot plug an internal USB header, but if you somehow plug it onto the wrong pins, then you've just sent 5V down the wrong wire, and your motherboard and/or peripheral are both fried.
Either be double careful when plugging it in, or just leave it plugged in inside the case. No one will ever open it up to look inside anyway (and if they did they could use their own internal header).
http://www.digi.com/products/usb/anywhereusb
Use one of these to expose a dongle to a VM; using a Wyse as a full blown PC rather than a remote entry point is madness. Another thing people love to forget about the "xpocalypse" is that 2003R2 goes EOL in 2015, so if you are so desperate get all the XP-only apps into 2003R2 VMs (protip: Windows Server Datacenter licensing with SA lets you create an unlimited number of 2012R2, 2012, 2008R2, 2008 and 2003R2 and so on for each licensed server). Oh, one last thing: before destroying your desktops with glue, you can disable USB ports via GPO (or you can kill the USB subsystem by driver removal) in a reversible way http://support.microsoft.com/kb/823732/en-us.
Where to even begin...
A) Lots of dongles are supplied by the vendor and are parallel, serial or even SCSI (!) only. In some cases the vendor wants several hundred thousand + application upgrade (which doesn't work with the $7M industrial device, natch), and so on to get a USB dongle. In other cases the vendor simply doesn't exist anymore, or no longer supports the application. Your view of this issue is simplistic and small.
B) A VM is not the solution to all ills, no matter how hard you want it to be.
C) Lots of software will detect that you are using a server OS and promptly refuse to work. You can't shim everything.
D) Anything you can disable by GPO I can enable with a virus. You can't "enable" a glued USB port.
Your solutions are all based on the mentality of a whitepaper-wielding MCSE. Sorry, but we're off the reservation as of today.
There are a whole lot of people with XP machines that just don't give a flying f*ck! ... Its not their only or main machine, they don't do online banking on it, they don't have sensitive info on there, or any precious photos. If and when it blows up they'll just junk it.
These types of users don't appreciate security warnings. They find the whole thing damn boring and geeky as hell, and we ignore them as an audience in the tech world. Some are retirees, some are students, some are kids, some are busy families etc.
From where I stand, they sure as hell aren't getting the message, and even if they did, they wouldn't do anything, in much the same way as those at certain higher risks should buy carbon monoxide or radon detectors, or get their cholesterol checked, but won't do it ever! Risk and perception of risk is a funny ol thing!
All this panic and hand-wringing.
Well I still have a Windows 2000 PC running quite happily for undemanding tasks. I'm posting this from it, in fact.
Can't say I've had any security problems since extended support finished nearly 4 years ago.
(Nor, indeed, before then. The machine hasn't even ever needed re-installing in the course of 13 years of daily use and various upgrades.)
I run ZoneAlarm on it and take other precautions, but don't have anti-virus.
Admittedly, I'm the only user, and not a typical one, so not everyone would necessarily get away with it. Certainly not a recommended IT strategy for institutions; but still, I can at least assure you that the world definitely doesn't end just because Microsoft discontinues support. So don't panic.
I had to rid a friend's Windows 7 machine of a staggering amount of malware for him the other day, including Chrome browser hijacks, so even with a supported and fully patched OS and a modern browser, user behaviour is a far more important factor in vulnerability to baddie attack.
Of course, I will have to put Linux on my old stalwart eventually because more and more bits of the web just don't work in FF3, but the hardware should have life in it yet with the upcoming LTS release of Lubuntu...
No sense in adding techno-waste to the world's mountain at Microsoft's behest.
We've been using that in the labs here (a University) for 13 years now, and it works very well. On machines from Win95/98 up to Win7. Get a virus or worm or a torched registry? Reboot and the machine is back to pristine condition.
The only downside is that the XP OS itself is still vulnerable. So the reboot will clear out the virus/worm, but sooner or later you'll pick it up again. On a desktop machine that is rebooted daily, that's probably OK, but for, say, a CNC machine that's only rebooted once in a great while, it's not as much help. Although in any case, the reboot will restore your machine to the condition it was in when you installed DeepFreeze.
In 13 years, I've yet to see a virus/worm defeat DeepFreeze on the computers here. At least not viruses/worms that come in through Windows. I don't think DeepFreeze offers any protection if you accidentally boot from an infected USB stick or floppy or the like.
Faronics also offers an Antivirus product. It is not very good. We tried it for a year or two, but didn't much care for it.
Hi there, I use this method in practice with my Windows NT, Windows 98 and Windows 2000 systems. The solution is simple: use a proper IDS+Firewall solution to control the access of this subnet to the net.
If you are impoverished, consider a "unified threat management" device. I've used the Netgear devices to great effect, though I honestly prefer Juniper's boxes. You could always build your edge device from a Linux box running snort and squid as well.
The goal here is to figure out what websites you absolutely need to access and whitelist those sites. Then you monitor absolutely every attempt to reach any other website and set up alerts. You use the UTMs + blacklists to make sure that the worst of the baddies are filtered, and the IDS (or IDS components of the UTMs) to do inline analysis of the stream and check for anything untoward.
If you need internet access - no matter how limited - on your XP box, I strongly recommend heading towards a "read only" XP environment (or at least use Deep Freeze) so that when you get infected (and even with all those defenses, it's a when, not an if) you can revert to a "known good" state.
I am nor a X or a P, but I wonder about this X and P a lot. I cannot understand or believe this new "understanding" between X and P where X defines when X drops the shirt and P can have it all. Why all this waiting for X when a P. As a teenager, and the P, waiting and waiting, for X for no avail, still pissed off with this, then huge a P, waiting for the X. What the hell is going on here, is P still waiting and waiting for X to tell when he can have it in. I cannot believe it, at all, there is no other explanation to this cook up than a agreement between X and P. Fuck you both, I would say, but will not, understanding how long you P has waited for this. And to level this smoothly off, business is business. Bull, and goodby.
'Put it on its own subnet and VLAN, wall it off from everything'...
"...but the exact systems with which it will need to communicate"... Can someone explain a little more about how to setup this option please?
Well now, that's a larger discussion. I'm not sure how much you know about systems administration, so I have to make a few wild guesses in how to explain it.
I am presuming you know how to put multiple systems on their own subnets or VLANs. (I.E. all Windows XP boxes will be on 10.0.100.0 /24 while your primary network is 10.0.1.0 /24). If not, the rest of this comment can't help you as you need a lot more fundamental networking knowledge than I can lay down here. (We're talking "design of your network" level stuff that will probably take a few hours of back and forth.)
Presuming you know what a router is and how subnets and VLANs work, let's look at how you can take a system that's pseudo-isolated via subnet/VLAN and really wall it off from the outside world.
1) The Windows XP firewall on its own is shite. Ditch it and get something better that lets you lock things down more granularly.
2) Deny all by default, then whitelist IPs you want to allow.
3) Get a UTM that supports a SOCKS proxy. This proxy will be your Windows XP box's access to the outside world (and will have to be whitelisted at the XP box.)
4) Have the UTM block all websites/services/applications except those explicitly allowed. Allow those you really need.
5) If you need to allow services through to this Windows XP box - and not just basic websites - get a Palo Alto Networks box. Nothing else will do.
6) Disable *all* protocols you don't absolutely need. IPX/SPX, NetBEUI, IPv6, etc. Even Microsoft file services. If it doesn't absolutely need to be there, bin it.
What you end up with is a Windows box that can't be easily discovered by a network scan (because it's on a different subnet/VLAN and shouldn't respond to pings that don't come from whitelisted partners.) This system will only be able to contact systems you absolutely need it to contact, and if it needs internet access at all it goes through a hardened unified threat management system that not only prevents you from going to Bad Places, it should be able to examine the content being delivered to your system and do things like "strip out malicious javascript, prevent flash" and whatever else is needed.
Garbage in = garbage out. By restricting what can get "in" to that machine down to the very barest minimum core you can minimize the risk of it becoming infected. Frankly, I would bet the security of a Windows XP machine so defended over the security of a fully patched Windows 8.1 machine that is "defended" by nothing more than Antivirus and a NAT box any day.
If you need more help than that, I'd point you at the spiceworks forums, or encourage you to reach out by e-mail. I would be able to either provide you some consulting services directly or get you in touch with a local sysadmin who can do all of the above (and more) to make sure your systems are hardened.
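The walling-off recipe in the post above (deny all by default, whitelist the partner IPs, push internet access through a single proxy, log and alert on everything else) and the earlier IDS+firewall/whitelist advice both come down to one thing at the network layer: a default-deny ruleset on the gateway between the XP VLAN and everything else. The script below is an added example, written for this page and not Trevor's code or anything from the thread. It is a POSIX shell script that generates such a ruleset in iptables-restore format for a Linux edge box of the "snort and squid" sort mentioned earlier. The XP subnet follows the 10.0.100.0/24 figure used above; the interface name, the proxy address and port, and the partner IP/port/protocol list are assumptions to be replaced with real values.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables-restore ruleset for a Linux
# gateway between an isolated Windows XP VLAN and the rest of the network.
# Every address, port and interface name below is an assumption for illustration.

XP_NET="10.0.100.0/24"      # XP subnet, following the example in the post (assumed /24)
XP_IF="eth1"                # gateway interface facing the XP VLAN (assumed)
PROXY="10.0.1.5"            # the UTM / SOCKS proxy the XP boxes are allowed to use (assumed)
PROXY_PORT="1080"           # SOCKS port on that proxy (assumed)
# Partners the XP boxes must reach: "ip port proto" per line (assumed values)
PARTNERS="10.0.1.20 1433 tcp
10.0.1.21 445 tcp"

gen_ruleset() {
    # FORWARD defaults to DROP; the gateway's own INPUT/OUTPUT policy is left alone here.
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' ':XP_OUT - [0:0]' ':XP_IN - [0:0]'

    # Hand traffic leaving and entering the XP VLAN to dedicated chains.
    printf '%s\n' "-A FORWARD -i $XP_IF -s $XP_NET -j XP_OUT"
    printf '%s\n' "-A FORWARD -o $XP_IF -d $XP_NET -j XP_IN"

    # Replies within an already-allowed conversation are fine in both directions.
    printf '%s\n' '-A XP_OUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A XP_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'

    # Whitelisted partners: one outbound rule per (ip, port, proto), and only those
    # partners may ping the XP boxes, so a scan from anywhere else gets silence.
    printf '%s\n' "$PARTNERS" | while read -r ip port proto; do
        [ -n "$ip" ] || continue
        printf '%s\n' "-A XP_OUT -d $ip -p $proto --dport $port -j ACCEPT"
        printf '%s\n' "-A XP_IN -s $ip -p icmp --icmp-type echo-request -j ACCEPT"
    done

    # Internet access only via the proxy, on its single service port.
    printf '%s\n' "-A XP_OUT -d $PROXY -p tcp --dport $PROXY_PORT -j ACCEPT"

    # Log, then drop, everything else in both directions. The log feed is what the
    # "monitor every other attempt and set up alerts" advice keys on.
    printf '%s\n' '-A XP_OUT -m limit --limit 10/min -j LOG --log-prefix "XP-OUT-DENY: "'
    printf '%s\n' '-A XP_OUT -j DROP'
    printf '%s\n' '-A XP_IN -m limit --limit 10/min -j LOG --log-prefix "XP-IN-DENY: "'
    printf '%s\n' '-A XP_IN -j DROP'
    printf '%s\n' 'COMMIT'
}

# Sanity check before the text is handed to iptables-restore: FORWARD must default to
# DROP and each partner must have exactly one outbound ACCEPT rule. Returns 0 on success.
check_ruleset() {
    rules=$(gen_ruleset)
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
    printf '%s\n' "$PARTNERS" | while read -r ip port proto; do
        [ -n "$ip" ] || continue
        n=$(printf '%s\n' "$rules" | grep -c -- "-d $ip -p $proto --dport $port -j ACCEPT" || true)
        [ "$n" -eq 1 ] || exit 1
    done || return 1
    return 0
}

# Usage, as root on the gateway, once the variables hold real values:
#   check_ruleset && gen_ruleset | iptables-restore
```

Two points about the design: the partner rules are destination/port specific rather than "allow anything to that IP", because the whole point is that the XP box can reach the one service it needs and nothing else on that host; and the LOG rules carry a distinctive prefix so the IDS or syslog alerting on the edge box can match denied XP traffic without sifting through the rest of the firewall log.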
Given the Ghostbusters bit, I guess Trevor might be exaggerating about gluing the USB ports. I could just as easily disable USB in the BIOS. Saves me the trouble of hanging a PCI USB card anywhere and having to pull out the screw driver to open a case.
In most environments I am able to keep cases fairly clean. In others, opening a case is an archeological expedition through layers of dead skin cells, the mites eating them, hair, dander, fur, spider webs (sometimes owner-occupied,) dead bugs, maybe a small rodent, etc. Ick.