Manual host-based hardening steps for unmanaged Windows 7/8 PCs? [Solved]

Participant
Discussion
1 day ago (Apr 23, 2026)

Hello! We use Hexnode for all our modern endpoints, but we have a few Windows 7 machines running legacy industrial software. Because they are air-gapped and OS-incompatible, they are completely unmanaged. 

I know network isolation is step one, but what should we be doing on the actual machines themselves to harden them? Since we can’t push GPOs or scripts via Hexnode to these specific PCs, I’m looking for a manual checklist of what we should lock down on the OS level. 

Replies (3)

Marked Solution (Pending Review)
Participant
1 day ago (Apr 23, 2026)

I’d highly recommend removing local admin rights for whatever user account is auto-logging into that machine. In our shop, we also physically disabled the USB ports (via BIOS and honestly, superglue) because operators kept plugging in infected thumb drives to load legacy design files. Definitely curious to see a formal checklist though.

Marked Solution (Pending Review)
Participant
1 day ago (Apr 23, 2026)

I was going to suggest virtualizing them, but if your industrial equipment relies on physical serial ports (RS-232) or specialized PCI cards to talk to the machinery, VDI probably won’t work. We are stuck doing manual OS lockdowns. AppLocker is a pain to set up manually on Win 7, but it’s helped us. What else should we be turning off?

Marked Solution (Pending Review)
Hexnode Expert
21 hours ago (Apr 23, 2026)

Hi @noah-blake, 

Network isolation is crucial, but as the community mentioned, applying host-based hardening directly on the legacy machines adds a necessary secondary layer of defense. 

Without Hexnode to automate these configurations, you will need to perform a Manual Standard Operating Procedure (SOP) on each Windows 7/8 unit. In addition to @skylar's tip about local admin rights and USBs, here are the primary steps you should take: 

1. Disable SMBv1: Legacy systems are highly susceptible to ransomware propagation via SMBv1. Open the command prompt as an administrator and run: dism /online /disable-feature /featurename:SMB1Protocol 

2. Remove Non-Essential Services: Reduce the attack surface by disabling any service that the legacy application does not strictly need to run. Common candidates include the Print Spooler, Remote Registry, and NetBIOS over TCP/IP. 

3. Configure a Local AppLocker Policy: Use the Local Security Policy editor on the machine to configure AppLocker. Restrict executables so that only the specific legacy industrial application is permitted to run. 

Maintenance & Sunset Plan: Keep in mind that sandboxing is a temporary risk-mitigation strategy. We recommend: 

  • Quarterly Audits: Manually check these machines to ensure the software and configurations haven’t drifted. 

  • VDI Evaluation: If hardware connections allow it, see if the legacy app can be migrated to a Windows 10/11 virtual machine running in “Compatibility Mode,” which would allow it to be brought under Hexnode management. 

(Disclaimer: Always test these configurations, like disabling SMBv1, in a staging environment first, as legacy industrial software sometimes relies on older, insecure protocols to function!) 
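As an added, worked example that is not part of the thread and not Hexnode's own tooling: a single PowerShell script that carries out the three SOP steps above (SMBv1, non-essential services plus NetBIOS over TCP/IP, a local AppLocker policy) and doubles as the quarterly drift check by reporting the current state when run without -Apply. It is written for PowerShell 2.0 as shipped with Windows 7, assumes an edition that enforces AppLocker (Windows 7 Enterprise/Ultimate, Windows 8.x Enterprise), and assumes the legacy application is installed under C:\LegacyApp, which is a placeholder. One caveat a practitioner will hit: the SMB1Protocol optional feature used in the dism command is present on Windows 8.1 and later but not on Windows 7; there Microsoft's documented method (KB 2696547) is the LanmanServer SMB1 registry value for the server side and disabling the mrxsmb10 driver for the client side, which is what the script does.

```powershell
<#
  Added example for the thread above (not Hexnode code): manual hardening SOP
  for an unmanaged Windows 7/8 host, PowerShell 2.0-compatible.
  Run from an elevated PowerShell prompt on the machine itself.
    .\Harden-LegacyHost.ps1             # audit only: report current state
    .\Harden-LegacyHost.ps1 -Apply      # apply the lockdown, then report
  Assumption (hypothetical): legacy app installed under C:\LegacyApp.
#>
param(
    [switch]$Apply,
    [string]$AppPath = 'C:\LegacyApp'                  # placeholder path
)
$lanman   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$netbt    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
$services = 'Spooler', 'RemoteRegistry'                # extend after testing in staging

# --- 1. SMBv1 (Windows 7 has no SMB1Protocol DISM feature; KB 2696547 method) ---
function Test-Smb1Disabled {
    $srv = (Get-ItemProperty -Path $lanman -ErrorAction SilentlyContinue).SMB1
    $cli = Get-WmiObject Win32_SystemDriver -Filter "Name='mrxsmb10'"
    return ($srv -eq 0) -and ($cli -ne $null) -and ($cli.StartMode -eq 'Disabled')
}
function Disable-Smb1 {
    Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force    # server side
    & sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null  # client side
    & sc.exe config mrxsmb10 start= disabled | Out-Null
}

# --- 2. Non-essential services and NetBIOS over TCP/IP ---
function Get-ServiceState {
    foreach ($n in $services) {
        $s = Get-WmiObject Win32_Service -Filter "Name='$n'"
        if ($s) { "$n=$($s.StartMode)/$($s.State)" }
    }
}
function Disable-NonEssentialServices {
    foreach ($n in $services) {
        Stop-Service -Name $n -Force -ErrorAction SilentlyContinue
        Set-Service -Name $n -StartupType Disabled
    }
}
function Test-NetbiosDisabled {
    # NetbiosOptions: 0 = from DHCP, 1 = enabled, 2 = disabled; every interface must be 2
    $enabled = Get-ChildItem $netbt | Where-Object {
        (Get-ItemProperty $_.PSPath).NetbiosOptions -ne 2 }
    return ($enabled -eq $null)
}
function Disable-Netbios {
    Get-ChildItem $netbt | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Type DWord -Value 2 }
}

# --- 3. Local AppLocker policy: Windows, Program Files and the legacy app; nothing else ---
function New-LegacyAppLockerXml {
    param([string]$Mode = 'AuditOnly')   # switch to 'Enabled' once the audit log is clean
    $rules = ''
    foreach ($p in "%WINDIR%\*", "%PROGRAMFILES%\*", "$AppPath\*") {
        $rules += @"
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow $p" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="$p"/></Conditions>
    </FilePathRule>
"@
    }
    # BUILTIN\Administrators keep full access so the machine can still be maintained.
    $rules += @"
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*"/></Conditions>
    </FilePathRule>
"@
    return "<AppLockerPolicy Version=`"1`">`n  <RuleCollection Type=`"Exe`" EnforcementMode=`"$Mode`">`n$rules  </RuleCollection>`n</AppLockerPolicy>"
}
function Set-LegacyAppLocker {
    Import-Module AppLocker
    $xmlPath = Join-Path $env:TEMP 'legacy-applocker.xml'
    New-LegacyAppLockerXml | Set-Content -Path $xmlPath -Encoding UTF8
    Set-Service -Name AppIDSvc -StartupType Automatic   # rules are not enforced without it
    Start-Service -Name AppIDSvc
    Set-AppLockerPolicy -XmlPolicy $xmlPath
}
function Get-AppLockerExeMode {
    Import-Module AppLocker
    $xml = [xml](Get-AppLockerPolicy -Effective -Xml)
    $exe = $xml.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
    if ($exe) { $exe.EnforcementMode } else { 'NotConfigured' }
}

if ($Apply) { Disable-Smb1; Disable-NonEssentialServices; Disable-Netbios; Set-LegacyAppLocker }

# Audit report: file it with the quarterly review and diff it against the last baseline
New-Object PSObject -Property @{
    Computer        = $env:COMPUTERNAME
    Smb1Disabled    = Test-Smb1Disabled
    NetbiosDisabled = Test-NetbiosDisabled
    Services        = (Get-ServiceState) -join '; '
    AppLockerExe    = Get-AppLockerExeMode
}
```

The SMBv1 change takes effect after a reboot, so the first audit run will still report Smb1Disabled as false until then. The AppLocker policy is written in AuditOnly mode on purpose: run the legacy application and the operator's normal workflow for a while, review the Microsoft-Windows-AppLocker/EXE and DLL event log for event ID 8003 (would have been blocked), add path rules for anything legitimate that shows up, and only then regenerate the policy with -Mode 'Enabled'. Everything the script touches is registry- or service-level, so it is exactly the kind of change the disclaimer above says to rehearse on a staging unit first.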
