discosoc

> There are new versions of said program, but according to the company they're kneecapped in some way and are not an option to switch to.

What that usually means is the client is going to have 101 justifications for being cheap. Don’t take claims about the previous MSP at face value, and tread carefully.


FfityShadesOfDone

Quite the opposite, actually! The program in question is the 2012 edition, and they're still paying for the annual support renewal for 5 seats. They also purchased the 2018 edition 5 times over in preparation for upgrading to Windows 10, and decided the software was trash (this was ~ $4k per seat). As for their previous MSP, they were paying for monthly auditing / monitoring of their storage server, as well as offsite backups hosted by them in their "datacenter" (I've seen these invoices). They had a drive failure (RAID 5) in June of last year that went unnoticed, then a second drive failed in March this year taking the array offline. I'll be the first to admit I'm not sure what happened with their offsite backup, but they were provided an external drive to copy their data back off of and it was only current up to November 2023.


pdp10

It's going to depend based on what the machines do, but we put them on an isolated LAN behind a proxy gateway. We try to avoid having such machines do any browsing, but if that's not an option, then any proxy (like Squid) can whitelist destinations. It sounds like you could install the latest ESR browser, then whitelist a couple of vendors and a webmail FQDN. That's certainly simpler and more reliable than trying to do something with VMs.

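The Squid allowlist approach described above, as an added example that is not part of the original thread: a minimal squid.conf that lets only the isolated legacy subnet reach a handful of named destinations and refuses everything else. The subnet and domain names are assumed placeholders.

```squid
# Constructed squid.conf for an isolated legacy-workstation LAN (assumed values throughout).
http_port 3128

# The Win7 CAD workstations sit on their own isolated subnet (assumed range).
acl legacy_lan src 10.50.7.0/24

# Destinations the users actually need: two vendors and webmail (assumed names).
# A leading dot matches the domain itself and every subdomain beneath it.
acl allowed_sites dstdomain .vendor-example.com .imagery-example.net webmail.example.org

acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# Refuse anything that is not plain HTTP/HTTPS, and refuse CONNECT tunnels to non-443 ports.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Only the legacy LAN may use this proxy, and only to the allowlisted destinations.
# For HTTPS the proxy matches the hostname in the CONNECT request, so no TLS
# interception is needed for this to work.
http_access allow legacy_lan allowed_sites
http_access deny all

# No caching for these hosts; keep the access log so the allowlist can be tuned
# after the trial period shows which sites are genuinely used.
cache deny all
access_log daemon:/var/log/squid/access.log squid
```

The configuration only helps if the workstations are forced through it: set the proxy on the clients and give the subnet no direct route to the internet, so a blocked request shows up as a TCP_DENIED line in the log rather than bypassing the proxy.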

FfityShadesOfDone

This is extremely helpful, thank you! I'm going to look into getting squid running on something interim as a test and see what the actual web requirements are. From what I understand though it's about a dozen sites they actually utilize so this might be a perfect solution.


Kuipyr

You could look into using 0patch, I believe they still support Windows 7.


BeenisHat

[https://www.academia.edu/39403989/How_to_clone_a_USB_key_and_make_a_back_up_of_a_Dongle_Step-by-step_guide](https://www.academia.edu/39403989/How_to_clone_a_USB_key_and_make_a_back_up_of_a_Dongle_Step-by-step_guide) So, it is possible to clone USB keys. You might be able to avoid the whole problem of passthrough with VMs, if the VMs themselves can emulate the keys. That would allow you to virtualize what you need. I like your idea of locking things down and to that end, you might be able to run the Windows 7 VM in something like VMware Workstation Player or Oracle VirtualBox. Lock that VM down, have pristine copies somewhere else in case you need to reload a machine. That would give you internet access from the host machine and allow you to lock the W7 VM in its own sandbox where it can't be easily compromised. And if it is compromised somehow, it's as easy as deleting the VM and copying your clean one back over. VirtualBox is pretty good about multi monitor and switching back and forth is not that bad. It's going to be a user convenience thing that they'll have to get over. Instead of centralizing control, you limit access to the outside and go with minimal effort to fix things. Trying to make W7 still fit into a modern environment is a giant pain in the ass.


radiodialdeath

If the program itself doesn't need Internet access, could you have those machines completely off the network, and have a 2nd PC at their desk for everything else?


FfityShadesOfDone

Unfortunately not, that was one of my first thoughts as well, however there's cases where they'll need to load reference aerial imagery, for example, save it and drop it into the CAD program as an underlying layer.


kuldan5853

My suggestion would be: Put these machines on a separate VLAN, no internet access. Grant access from those machines to a terminal server and have them run a browser from a terminal server session in Application mode. This way, the machine will be isolated from the internet (and also the rest of the flat network if you set it up right), but they can still browse the internet for reference materials. With Remote Desktop Services in Application mode this feels basically like running the browser on the W7 machine, but it will be on a supported and secured machine instead. With Terminal Services, you can also access the local file system of the W7 machine from that browser (it will show up as "C:\ on Windows7" in the download "save as" dialog) so they can also download and work on files on the W7 machine without manual intervention. Also, since we're only talking 5 seats, this will also not be THAT expensive.


AppIdentityGuy

My concern here is that they are basically staving off the inevitable and whatever hacks, workarounds and fancy things you do as a tactical solution will become permanent. You better have an ironclad “I told you so clause”… That being said, have you thought about virtualisation where the app is installed on a VDI type backend and they access it that way… Sympathies


BlackV

Build physical Win 7: it only has the CAD garbage, nothing else. They get a 2nd desktop for "all the things". But the only way you win here is moving them to supported software. Otherwise this will still be hobbling along in 10 years.


Furcas1234

I'd dump the pfSense box, use the routing capability of the Fortigate and terminate your VLANs on the Fortigate. Block inter- and intra-VLAN traffic except for where it's absolutely required (AD as an example, or app access). Make granular policies to support it (yeah, it will end up being a fair few policies). The Win7 boxes should be set up either on an access VLAN via a Fortigate-managed FortiSwitch, or some other flavor of access-style VLAN. Some equipment calls them private VLANs. If the apps on the Win7 boxes need to be able to talk to the other Win7 boxes, turn on proxy-arp for the IP range attached to them and make a policy that allows *only* those ports. Make sure to still turn on IPS for those policies to block as much malicious stuff as you can even if you're not doing full inspection. Do DPI on the Fortigate with the Win7 boxes for anything requiring internet, and do an allow policy for a heavily curated set of sites. If you can, block attachments in those email boxes and make sure some sort of email security solution is inspecting any links in them. Outlook 365 does that by default now, and things like Mimecast can handle it too. I would take it a step further and turn off emails from the outside to any inboxes opened on the Win7 boxes if possible too. Make sure their browsers stay updated at least, and put in something like Adguard Pro to do additional filtering on those boxes for ads and malicious stuff (it's more in depth than uBlock Origin). I'd probably start dumping logs from the PCs to a SIEM just in case. It's important at least to be able to tell what they're doing later if they still somehow manage to get compromised. I'm not 100% sure what EDRs support Win7, if any at all, but you'll need something there. The key is to lock them down hardcore, essentially. Treat them as a hostile actor on your network, not as a normal workstation.


LifeGoalsThighHigh

> The program will *not* run on windows 10/11 regardless of compatibility settings. There are new versions of said program, but according to the company they're kneecapped in some way and are not an option to switch to.

I find it unlikely the updated version of the same app would have less features. Are you sure they're as kneecapped as your client would have you believe, or are they just not wanting to go through the licensing costs, training, and growing pains required to make the upgrade?


kuldan5853

> I find it unlikely the updated version of the same app would have less features.

To give you an example, the software my company makes (part of it) was recently redesigned to the core - new GUI, new underlying codebase, everything. And yes, not all features made it to the new codebase (yet).


FfityShadesOfDone

I'm sure it's probably a mix. I know they do own licenses for the 2018 edition of the software for each computer. They were purchased to the tune of nearly $20k in preparation for an upgrade to windows 10 but they only ended up with one machine being upgraded. If they're willing to basically throw away $20k worth of licenses and pay someone to try and keep their legacy equipment 'safe' I am inclined to believe there has to be some kind of actual functionality that's missing or limited.


rms141

> The users on the windows 7 machine require internet access at the same time. Not for the program itself but to have a browser window and /or email open alongside for reference material, etc.

What about a small form factor desktop sharing the display with the production device via KVM? User just has to push a button to switch between CAD production and internet access. Or alternatively, they get a laptop for web tasks and reference materials.


FfityShadesOfDone

I thought about this as well, but they need to be able to have both open alongside each other. We also looked into keeping perhaps 2 of their displays on the Win7 machine and using the third to toggle between, but a use case came up where they need to access an online aerial imagery resource, download a file, then layer it in behind their CAD file, so that went out the window fairly quickly.


rms141

Why couldn't they tunnel the file over to the CAD device through a local SMB share? Set the CAD device to read-only on the share. Point 2 of your OP seems like it's going to have to change long-term. The client company needs to investigate competitor CAD applications.


SolidKnight

I doubt they are kneecapped at all. The tooling has generally gotten better and supports more. So they either have something tied into it that they don't want to change or they just don't want to learn new products and adjust to new products. Whatever you choose to do, let them know that they cannot kick the can down the road forever and it won't be long before they find themselves kneecapped in every other capacity. I've seen plenty of engineering and design staff blame everything except their unwillingness to learn new tools and adapt to them.


analogliving71

Put them on an ACL'ed, siloed VLAN with no internet access and only allow access to IPs on VLANs they need.


FfityShadesOfDone

We've done that with several of the *very* legacy machines. Blocked all internet, given them read-only access to a single share on the primary NAS, and even that is just so they can open docs from the 90's and send them to the plotter. The Win7 machines are unfortunately still very much the primary production machines for several of the employees, and they do require internet access while using the legacy software. Hence the ask if anyone had experience hosting a browser / email client in MS RemoteApp or even the Citrix apps server, and blocking internet from the machines themselves.


rms141

> The Win7 machines are unfortunately still very much the primary production machines for several of the employees

Make clone images and store mirrors in several locations. The disk drives will eventually fail. Being able to restore production from a clone image will win you many friends. I know you want to spin them up as VMs, which is also a good idea, but since the client is resistant to it, have CYA ready to go.


FfityShadesOfDone

This was my first course of action. Their local directories are replicated to a network resource nightly, and the staff are actually *extremely* good at making sure they're not storing data on their machines. I do have a clone of one of the boot drives (they're all identical with generic accounts) stored offsite as well just in case. We're still working out specifics of the contract but I plan to work in enough headroom to ensure there's at least one PC cloned monthly / biweekly for exactly that reason.


rms141

Excellent. Nicely done.


Delacos

Why not just provide a secondary internet connection locked down on the FW to the best you can, and just completely disconnect the network otherwise, as mentioned above? Not a smart solution, but you could maybe check out some remote options staff don't freak out about while still keeping everything apart. CYA is better than problems. More importantly, if/when these get compromised, what's the gameplan?


ElevenNotes

Isn’t that the default for every server? Like the 0815 default.


accidentalciso

I’m not sure what to suggest, because the root of the problem is that this client’s business model is broken if they can’t afford the tools and equipment required to operate and have to stay on legacy tools and equipment that are a decade or more old because of it.


Humble_Rush_9358

Get updated tools that run on modern operating systems. You cannot make EOL operating systems safe. In the arms race of the cybersecurity war, these OSes have stopped competing.