Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Will Preventing XP from Reaching the Internet Keep Me Safe?

Question: We have an XP computer that we use for file backup. It needs to connect to our internal network but has absolutely no need to connect to the internet. Is there a way, for security reasons, to have no connection to the internet but still stay connected to our local network because our existing backup system works so well, we would prefer to not to have to update this computer at this time.

Yours is a variation on a very common idea that’s been cropping up lately.

Unfortunately, there are a couple of problems with it.

Become a Patron of Ask Leo! and go ad-free!

On a network but not the internet is difficult

First, I’m just not aware of an easy way to make this happen.

I believe the normal solution would take a more complex router than most people have. It really is a routing issue, I believe, since it’s the router that would need to block your XP machine’s attempts to connect out to the internet. Perhaps there’s a hack out there that I’m unaware of, but it would seem that any such attempt would be complex at the least, risky, and perhaps even fragile.

And it wouldn’t really get you the security that you think it might. It’s like an old adage you may have heard in high school health class. When you kiss someone, it’s like you’re kissing everyone they have ever kissed (at least I think it was kissing). Anyway, the point that your teacher was making was that human bacteria and viruses spread through contact. The same is true for computers; and that’s one reason we call viruses viruses. They replicate and propagate through contact.

Network connection plug RJ-45Now, eliminating internet connectivity from your XP box does make direct contact to the internet go away. However, it leaves that machine connected to your local network, which means it leaves that indirect contact in place. So, yes, your XP box could still be vulnerable to things that come in through other systems on your network. It’s a much smaller possibility, but it is a possibility that most definitely remains.

Networking is not the only way your XP machine could become infected. Transferring data back and forth via USB sticks is another possible vector. But being connected to your local network is definitely something that makes the machine more vulnerable than you’d really want it to be.

Disconnecting from important updates

And of course, removing internet connectivity from the XP box means any anti-malware tools on the Windows XP machine will not be able to keep themselves up to date: they won’t be able to update their database of malware definitions.

Microsoft Security Essentials (for XP) will continue to be updated for at least another year, and other anti-malware tools perhaps even longer than that. Given the risk of secondhand infection anyway, you still want that anti-malware tool updated.

So, in a case like this, my recommendation is: keep your XP machine connected to the internet; turn on the firewall, make sure your anti-malware tools are updating themselves regularly, and then use that machine for as little as possible. This is, perhaps, the single biggest thing you can do to reduce the exposure.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

9 comments on “Will Preventing XP from Reaching the Internet Keep Me Safe?”

  1. Hi Leo. I have a couple of XP machines. One runs with the XP Home Edition and it appears Microsoft Security Essentials will continue to be updated. However the other runs with XP Professional, and on that machine MS Essentials is flagged as “At Risk”. There is a product available called “Malwarebytes” which claims to match Security Essentials protection. Do you have an opinion on how well it should serve?

    Reply
  2. At the office, there are a couple of old applications which are used rarely — and don’t run on Windows 7 or 8. The output is a printout, which can be a PDF — and that can be taken by flash drive to a modern computer for actual printing. I’m planning to have a couple of computers operating completely standalone, then have users take the PDFs to modern computers. (Windows 8.1 Pro with Classic Shell)

    Comments?

    Reply
  3. There is a straight-forward way of turning the Internet “on” or “off” while retaining internal network connectivity. The technique is a little more complex than the average tips given here, but I’ve used it for a couple of customers that wanted a specific PC to NOT be able to access the Internet, but COULD access other PCs on the network.

    First, determine your router’s IP address: in a command prompt, issue “ipconfig”. Your router’s IP address is listed for “Default Gateway”. For the following, let’s assume it’s “192.168.1.1” (it will usually end in 1 or 254.

    To turn the Internet “off”, in a command prompt, issue the command:
    ROUTE DELETE 0.0.0.0 MASK 0.0.0.0

    To turn the Internet back “on” again, in a command prompt, issue the command:
    ROUTE ADD 0.0.0.0 MASK 0.0.0.0 192.168.1.1
    (if your router’s IP address is other than 192.168.1.1, use that address)

    Reply
    • Gary, can you explain a little more on the ROUTE ADD method to prevent Internet whilst allowing LAN access? Looks good and just what I need for a few key legacy boxes running machinery. Will file sharing to these still work? (Ie being able to dump files to these xp boxes from the other newer pcs that currently dump files to them).
      Thanks

      Reply
  4. 1) There is no easy way to keep XP off the Internet, and still connected to the LAN, so the alternative is moot.
    2) Very few anti-virus and anti-malware programs still support XP, and we can expect even those few to end support soon.
    3) Similarly, other software updates are ending XP support.
    4) So the entire article is useless

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.