News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Remove Internet access from Win7 to avoid EOL problems.

    Posted on sotaAudioGuy Comment on the AskWoody Lounge

    Home Forums AskWoody support Windows Windows 7 Win7 beyond End-of-life Remove Internet access from Win7 to avoid EOL problems.

    This topic contains 10 replies, has 5 voices, and was last updated by  liamZ 2 weeks, 5 days ago.

    • Author
      Posts
    • #1987006 Reply

      sotaAudioGuy
      AskWoody Plus

      I’m curious what you guys think of this idea.

      I have a win7 box that I’m converting to be just a backup file server for another win10 computer. I’ve disconnected the internet from the win7 box by specifying an unreachable gateway, although I still have local network connectivity for doing my backups. I’ve turned off windows update, and removed all apps that need to ‘phone home’. In fact, the win7 box is running headless, with no keyboard or monitor.  I can connect occasionally with remote desktop from a win10 machine for any routine maintenance.

      On my windows 10 machine, I’m using file history backup, and storing the backups on this win7 box over wired ethernet.

      Seems to be working well so far.

      Needless to say, I hope by doing this that I can avoid the ongoing Windows 7 security issues by never going on the internet.

    • #1987468 Reply

      Paul T
      AskWoody MVP

      You are assuming that none of your other machines gets malware that then affects the W7 box. To fix that you should use the firewall to close all ports that you don’t need for the file sharing service, but this still isn’t a guarantee.

      I see two methods to keep you running.

      1. Make an image backup of the W7 box regularly.
      2. Convert the W7 machine to FreeNAS or similar.

      cheers, Paul

    • #1987497 Reply

      mn–
      AskWoody Lounger

      I’ve disconnected the internet from the win7 box by specifying an unreachable gateway, although I still have local network connectivity

      Well, that’ll block a lot of “dumb” malware. Other things will spread through the local network if they get there and I think there was at least one that ran a network troubleshooter to try to get online? If the gateway is only specified locally, it might “fix” that automatically…

      I’d add at least a network-internal firewall.

      Also I’m fairly sure I wouldn’t use Windows 7 as a file server anyway.

      • #1995732 Reply

        Ascaris
        AskWoody_MVP

        Well, that’ll block a lot of “dumb” malware. Other things will spread through the local network if they get there and I think there was at least one that ran a network troubleshooter to try to get online? If the gateway is only specified locally, it might “fix” that automatically…

        That’s if the malware is already on the Windows 7 machine, though, and if it is, the game has already been lost. The idea here was to prevent the malware from getting into the Win 7 PC in the first place, not to stop its spread to the rest of the LAN once it takes root on the Win 7 machine.

        If the Windows 7 machine in question is the only one on the LAN, with all the others running 10, any malware that tries to spread to other PCs on the LAN will either fail because the vulnerability does not exist in 10, or it will succeed because it does, in which case using 7 won’t have been an issue.  That’s if malware is allowed to run on any PC in the LAN in the first place.

        The most common malware vector into a Windows 7 machine (or any other) is by direct action of a user of the PC.  There would not be any reason to do that on this machine… it would be silly to RDP into the thing and browse the internet from there rather than just using the machine acting as the RDP client to browse directly, and the user would not be running downloaded programs there either.

        Drive-by infections (exploiting of browser zero-days) are less common than self-inflicted wounds, and these would not happen either if the user is not doing any browsing from the machine.

        Less worrisome still are successful unsolicited attacks from the WAN, with the specially-formed “attack” packets fired blindly into the dark in the hopes of finding a machine with a given vulnerability at the other end (whether that be RDP, SMB1, or some other such thing). I am sure there are a ton of such packets flying around all the time, but the odds of one that actually matches a vulnerability you have at the right moment are not great.

        If the PC in question is behind a NAT router, as it almost certainly will be, any such unsolicited packets should be discarded by the router.  The router would have to forward the unsolicited attack packets to the Windows 7 machine in order for its relative vulnerability as an unpatched PC to begin to come into play, and under normal circumstances, that would never happen… the user would have to specifically set up port forwarding in the router to make that happen.

        So now there would have to be two successfully exploited vulnerabilities for the hypothetical attack to succeed.  The odds that any given malware’s blindly-fired attack packets would be able to successfully exploit a vulnerability in the router firmware in order to gain access to the network, then discover that a vulnerable Windows 7 PC exists (which would not be apparent from outside of the LAN), and then for that malware to whip out a Windows 7 vulnerability, Swiss Army knife style, to get into that machine… it’s extremely unlikely.  At that point, it would appear that the person in question is the subject of a targeted attack from a very sophisticated foe, not just some garden-variety malware.

        It’s always possible to dig a hypothetical hole from which it is impossible to escape, but the odds of that happening are quite small.  Regular old malware is the most common threat, and infecting oneself with it by not being careful is the most common means of getting it.  By not having any capability for browsing, the machine in question won’t be used for that purpose, so it’s already ahead of all of the other “used past the expiration date” Windows 7 machines out there.

         

        Group "L" (KDE Neon User Edition 5.17.3).

        1 user thanked author for this post.
    • #1995465 Reply

      liamZ
      AskWoody Lounger

      Hi, wich is the best way to remove internet access to a windows 7 machine, and at the same time have access to the local network?

      • #1995514 Reply

        Paul T
        AskWoody MVP

        You need to go into your network settings and specify the default gateway manually. Setting it to something like 10.10.10.10 will prevent any traffic heading outside your local network.

        cheers, Paul

        p.s. you also need to disable IPv6 if it’s enabled.

        • This reply was modified 2 weeks, 6 days ago by  Paul T.
        1 user thanked author for this post.
        • #1996005 Reply

          mn–
          AskWoody Lounger

          … the really best way is to first use a good hardware firewall to do most of the selective blocking, so you can also block all the various IPv6 access methods, multicast, fancy routing tricks, etc.

          Then also a software component on the W7 host to block proxies. A common malware trick is to gain a foothold in a LAN and then install a proxy there, and…

          There really is no limit to how much time, effort and money you can spend on that, the only question is “how much is enough?”

          1 user thanked author for this post.
    • #1995677 Reply

      liamZ
      AskWoody Lounger

      You need to go into your network settings and specify the default gateway manually. Setting it to something like 10.10.10.10 will prevent any traffic heading outside your local network.

      cheers, Paul

      p.s. you also need to disable IPv6 if it’s enabled.

      • This reply was modified 2 weeks, 6 days ago by  Paul T.

      Hi, thanks for answer but this does not work for me. After doing what you say, internet access is blocked, but also access from and to other computers on my local network.

    • #1995683 Reply

      liamZ
      AskWoody Lounger

      I tried in another computer and it worked.

      I think the reason it didn’t work on the first computer is the program binisoft windows firewall control.

      • #1996009 Reply

        Paul T
        AskWoody MVP

        Does it work if you disable binisoft?

        cheers, Paul

        • #1996310 Reply

          liamZ
          AskWoody Lounger

          No, after stopping and disabling binisoft windows firewall control service and program, it does not work.

          And I confirm that is the Binisoft program that is causing the issue.

           

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Remove Internet access from Win7 to avoid EOL problems.

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.