
Will Preventing XP from Reaching the Internet Keep Me Safe?

We have an XP computer that we use for file backup. It needs to connect to our internal network but has absolutely no need to connect to the internet. Is there a way, for security reasons, to have no connection to the internet but still stay connected to our local network? Because our existing backup system works so well, we would prefer not to have to update this computer at this time.

Yours is a variation on a very common idea that’s been cropping up lately.

Unfortunately, there are a couple of problems with it.


On a network but not the internet is difficult

First, I’m just not aware of an easy way to make this happen.

I believe the normal solution would take a more capable router than most people have. It really is a routing issue: it's the router that would need to block your XP machine's attempts to connect out to the internet. Perhaps there's a hack out there that I'm unaware of, but any such attempt would be complex at the least, risky, and perhaps even fragile.

And it wouldn't really get you the security that you think it might. It's like an old adage you may have heard in high school health class. When you kiss someone, it's like you're kissing everyone they have ever kissed (at least I think it was kissing). Anyway, the point your teacher was making was that human bacteria and viruses spread through contact. The same is true for computers, and that's one reason we call computer viruses "viruses": they replicate and propagate through contact.

Now, eliminating internet connectivity from your XP box does remove its direct contact with the internet. However, the machine is still connected to your local network, which leaves indirect contact in place: something that gets onto another machine on your network can still reach the XP box from there. It's a much smaller possibility, but it is a possibility that most definitely remains.

Networking is not the only way your XP machine could become infected. Transferring data back and forth via USB sticks is another possible vector. But being connected to your local network is definitely something that makes the machine more vulnerable than you’d really want it to be.

Disconnecting from important updates

And of course, removing internet connectivity from the XP box means any anti-malware tools on that machine will not be able to keep themselves up to date: they won't be able to download new malware definitions.

Microsoft Security Essentials (for XP) will continue to be updated for at least another year, and other anti-malware tools perhaps even longer than that. Given the risk of secondhand infection, you still want that anti-malware tool updated.

So, in a case like this, my recommendation is: keep your XP machine connected to the internet, turn on the firewall, make sure your anti-malware tools are updating themselves regularly, and then use that machine for as little as possible. Using it as little as possible is, perhaps, the single biggest thing you can do to reduce its exposure.

7 comments on “Will Preventing XP from Reaching the Internet Keep Me Safe?”

  1. Hi Leo. I have a couple of XP machines. One runs with the XP Home Edition and it appears Microsoft Security Essentials will continue to be updated. However, the other runs with XP Professional, and on that machine MS Essentials is flagged as "At Risk". There is a product available called "Malwarebytes" which claims to match Security Essentials protection. Do you have an opinion on how well it should serve?

  2. At the office, there are a couple of old applications which are used rarely — and don’t run on Windows 7 or 8. The output is a printout, which can be a PDF — and that can be taken by flash drive to a modern computer for actual printing. I’m planning to have a couple of computers operating completely standalone, then have users take the PDFs to modern computers. (Windows 8.1 Pro with Classic Shell)

    Comments?

  3. There is a straightforward way of turning the Internet "on" or "off" while retaining internal network connectivity. The technique is a little more complex than the average tips given here, but I've used it for a couple of customers that wanted a specific PC to NOT be able to access the Internet, but COULD access other PCs on the network.

    First, determine your router's IP address: in a command prompt, issue "ipconfig". Your router's IP address is listed for "Default Gateway". For the following, let's assume it's "192.168.1.1" (it will usually end in 1 or 254).

    To turn the Internet “off”, in a command prompt, issue the command:
    ROUTE DELETE 0.0.0.0 MASK 0.0.0.0

    To turn the Internet back “on” again, in a command prompt, issue the command:
    ROUTE ADD 0.0.0.0 MASK 0.0.0.0 192.168.1.1
    (if your router’s IP address is other than 192.168.1.1, use that address)

    • Gary, can you explain a little more on the ROUTE ADD method to prevent Internet whilst allowing LAN access? Looks good and just what I need for a few key legacy boxes running machinery. Will file sharing to these still work? (i.e., being able to dump files to these XP boxes from the other newer PCs that currently dump files to them).
      Thanks
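To show why Gary's ROUTE DELETE / ROUTE ADD pair severs the internet path but not the LAN path (and why Leo's point about indirect contact through the LAN still applies), here is an added Python model of the route lookup the XP host performs for each outbound packet. It is not code from the article or the comments; the routing table, the 192.168.1.0/24 subnet, the 192.168.1.1 gateway and the destination addresses are constructed for the example.

```python
import ipaddress

# Constructed routing table in the shape "route print" shows on a Windows XP
# host with one NIC on 192.168.1.0/24 and a default gateway of 192.168.1.1.
# Each entry is (network, gateway); gateway None means the destination is on-link.
XP_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("192.168.1.1")),  # default route
    (ipaddress.ip_network("192.168.1.0/24"), None),                              # local subnet
    (ipaddress.ip_network("127.0.0.0/8"), None),                                 # loopback
]


def lookup(routes, destination):
    """Longest-prefix match, as the IP stack does: the most specific route wins.
    Returns 'on-link', the gateway address as a string, or None if nothing matches."""
    dest = ipaddress.ip_address(destination)
    best = None
    for network, gateway in routes:
        if dest in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway)
    if best is None:
        return None  # no route: the packet is dropped with "unreachable"
    return "on-link" if best[1] is None else str(best[1])


def route_delete(routes, network):
    """Model of ROUTE DELETE <network> MASK <mask>: remove every entry for that network."""
    net = ipaddress.ip_network(network)
    return [r for r in routes if r[0] != net]


def route_add(routes, network, gateway):
    """Model of ROUTE ADD <network> MASK <mask> <gateway>."""
    return routes + [(ipaddress.ip_network(network), ipaddress.ip_address(gateway))]


if __name__ == "__main__":
    internet, lan = "203.0.113.5", "192.168.1.50"  # constructed: a public host and a LAN peer
    print("before :", lookup(XP_ROUTES, internet), lookup(XP_ROUTES, lan))
    cut = route_delete(XP_ROUTES, "0.0.0.0/0")          # ROUTE DELETE 0.0.0.0 MASK 0.0.0.0
    print("cut    :", lookup(cut, internet), lookup(cut, lan))
    back = route_add(cut, "0.0.0.0/0", "192.168.1.1")   # ROUTE ADD 0.0.0.0 MASK 0.0.0.0 192.168.1.1
    print("restore:", lookup(back, internet), lookup(back, lan))
```

Note that a route removed this way is not persistent: a reboot, or a DHCP lease renewal that hands the default gateway back, silently reinstates it, so the state should be re-checked with "route print" rather than assumed.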
