Remove Internet access from Win7 to avoid EOL problems.

Topic

New Reply

I’m curious what you guys think of this idea.

I have a win7 box that I’m converting to be just a backup file server for another win10 computer. I’ve disconnected the internet from the win7 box by specifying an unreachable gateway, although I still have local network connectivity for doing my backups. I’ve turned off windows update, and removed all apps that need to ‘phone home’. In fact, the win7 box is running headless, with no keyboard or monitor.  I can connect occasionally with remote desktop from a win10 machine for any routine maintenance.

On my windows 10 machine, I’m using file history backup, and storing the backups on this win7 box over wired ethernet.

Seems to be working well so far.

Needless to say, I hope by doing this that I can avoid the ongoing Windows 7 security issues by never going on the internet.

Reply | Quote

Replies

You are assuming that none of your other machines gets malware that then affects the W7 box. To fix that you should use the firewall to close all ports that you don’t need for the file sharing service, but this still isn’t a guarantee.

I see two methods to keep you running.

1. Make an image backup of the W7 box regularly.
2. Convert the W7 machine to FreeNAS or similar.

cheers, Paul

Reply | Quote

sotaAudioGuy wrote:

I’ve disconnected the internet from the win7 box by specifying an unreachable gateway, although I still have local network connectivity

Well, that’ll block a lot of “dumb” malware. Other things will spread through the local network if they get there and I think there was at least one that ran a network troubleshooter to try to get online? If the gateway is only specified locally, it might “fix” that automatically…

I’d add at least a network-internal firewall.

Also I’m fairly sure I wouldn’t use Windows 7 as a file server anyway.

Reply | Quote

mn– wrote:

Well, that’ll block a lot of “dumb” malware. Other things will spread through the local network if they get there and I think there was at least one that ran a network troubleshooter to try to get online? If the gateway is only specified locally, it might “fix” that automatically…

That’s if the malware is already on the Windows 7 machine, though, and if it is, the game has already been lost. The idea here was to prevent the malware from getting into the Win 7 PC in the first place, not to stop its spread to the rest of the LAN once it takes root on the Win 7 machine.

If the Windows 7 machine in question is the only one on the LAN, with all the others running 10, any malware that tries to spread to other PCs on the LAN will either fail because the vulnerability does not exist in 10, or it will succeed because it does, in which case using 7 won’t have been an issue.  That’s if malware is allowed to run on any PC in the LAN in the first place.

The most common malware vector into a Windows 7 machine (or any other) is by direct action of a user of the PC.  There would not be any reason to do that on this machine… it would be silly to RDP into the thing and browse the internet from there rather than just using the machine acting as the RDP client to browse directly, and the user would not be running downloaded programs there either.

Drive-by infections (exploiting of browser zero-days) are less common than self-inflicted wounds, and these would not happen either if the user is not doing any browsing from the machine.

Less worrisome still are successful unsolicited attacks from the WAN, with the specially-formed “attack” packets fired blindly into the dark in the hopes of finding a machine with a given vulnerability at the other end (whether that be RDP, SMB1, or some other such thing). I am sure there are a ton of such packets flying around all the time, but the odds of one that actually matches a vulnerability you have at the right moment are not great.

If the PC in question is behind a NAT router, as it almost certainly will be, any such unsolicited packets should be discarded by the router.  The router would have to forward the unsolicited attack packets to the Windows 7 machine in order for its relative vulnerability as an unpatched PC to begin to come into play, and under normal circumstances, that would never happen… the user would have to specifically set up port forwarding in the router to make that happen.

So now there would have to be two successfully exploited vulnerabilities for the hypothetical attack to succeed.  The odds that any given malware’s blindly-fired attack packets would be able to successfully exploit a vulnerability in the router firmware in order to gain access to the network, then discover that a vulnerable Windows 7 PC exists (which would not be apparent from outside of the LAN), and then for that malware to whip out a Windows 7 vulnerability, Swiss Army knife style, to get into that machine… it’s extremely unlikely.  At that point, it would appear that the person in question is the subject of a targeted attack from a very sophisticated foe, not just some garden-variety malware.

It’s always possible to dig a hypothetical hole from which it is impossible to escape, but the odds of that happening are quite small.  Regular old malware is the most common threat, and infecting oneself with it by not being careful is the most common means of getting it.  By not having any capability for browsing, the machine in question won’t be used for that purpose, so it’s already ahead of all of the other “used past the expiration date” Windows 7 machines out there.

 

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
XPG Xenia 15, i7-9750H/16GB & GTX1660ti, KDE Neon
Acer Swift Go 14, i5-1335U/16GB, KDE Neon (and Win 11 for maintenance)

1 user thanked author for this post.

liamZ

Reply | Quote

Hi, wich is the best way to remove internet access to a windows 7 machine, and at the same time have access to the local network?

Reply | Quote

[Paul T]

You need to go into your network settings and specify the default gateway manually. Setting it to something like 10.10.10.10 will prevent any traffic heading outside your local network.

cheers, Paul

p.s. you also need to disable IPv6 if it’s enabled.

• This reply was modified 3 years, 11 months ago by Paul T.

1 user thanked author for this post.

liamZ

Reply | Quote

… the really best way is to first use a good hardware firewall to do most of the selective blocking, so you can also block all the various IPv6 access methods, multicast, fancy routing tricks, etc.

Then also a software component on the W7 host to block proxies. A common malware trick is to gain a foothold in a LAN and then install a proxy there, and…

There really is no limit to how much time, effort and money you can spend on that, the only question is “how much is enough?”

1 user thanked author for this post.

liamZ

Reply | Quote

[Paul T]

Paul T wrote:

You need to go into your network settings and specify the default gateway manually. Setting it to something like 10.10.10.10 will prevent any traffic heading outside your local network.

cheers, Paul

p.s. you also need to disable IPv6 if it’s enabled.

• This reply was modified 3 years, 11 months ago by Paul T.

Hi, thanks for answer but this does not work for me. After doing what you say, internet access is blocked, but also access from and to other computers on my local network.

Reply | Quote

I tried in another computer and it worked.

I think the reason it didn’t work on the first computer is the program binisoft windows firewall control.

Reply | Quote

Does it work if you disable binisoft?

cheers, Paul

Reply | Quote

No, after stopping and disabling binisoft windows firewall control service and program, it does not work.

And I confirm that is the Binisoft program that is causing the issue.

 

Reply | Quote