Best practices for isolating unmanaged legacy Windows 7/8 machines on the network? [Solved]

Participant
Discussion
Apr 24, 2026 (4 days ago)

Hey everyone, we have fully standardized our modern fleet (Windows 10/11) on Hexnode UEM, but we still have a handful of legacy Windows 7 and 8 machines hanging around for business-critical operations (mainly running some old CNC machinery software). 

Since these machines are End-of-Life and cannot be managed via Hexnode, I’m worried about them being a blind spot and a security risk to the rest of the managed fleet. What is the best practice for isolating these devices at the network level? 

Replies (3)

Marked Solution (Pending Review)
Participant
Apr 24, 2026 (4 days ago)

We run similar legacy CNC machines. The VLAN isolation is a lifesaver, but definitely log your firewall traffic for a few days before strictly enforcing any “Deny All” rules. We found out the hard way that the software needed a random UDP port open to talk to an internal licensing server. Monitor the traffic first, figure out what you need, and then drop the hammer.

Participant
Apr 24, 2026 (4 days ago)

We are in a similar boat. One big issue we ran into was a shop floor operator unplugging a legacy terminal and plugging in his personal unmanaged laptop to get internet access. It triggered a massive alert on our end. You really have to treat these legacy ports as hostile. Wondering if there is a good standard checklist to lock this down?

Hexnode Expert
Apr 24, 2026 (4 days ago)

Hey everyone! There’s a great discussion cooking in here! Legacy Windows 7/8 systems do represent a significant vulnerability gap, especially since they lack modern protections like Credential Guard and remain unpatched against zero-day exploits. Since you cannot push policies to these devices via Hexnode, the network is indeed your most reliable compensating control. 

We highly recommend treating these legacy machines as “Hostile Guests” and implementing a Logical Network Isolation (Micro-segmentation) strategy. Based on our best practices, here is the checklist to set up that network sandbox: 

  • Legacy VLAN Assignment: Isolate all of your Windows 7/8 devices into a dedicated “Legacy VLAN” (e.g., VLAN 99) separate from your main managed network.

  • Stateful Firewall Rules:

    * Deny All Outbound: Block the legacy machines from accessing the internet completely.

    * Deny Lateral Movement: Block all traffic from your Legacy VLAN to the Managed VLAN (your Windows 10/11 subnet) so an infection cannot spread.

    * Scoped Inbound: As @sky mentioned, allow only the specific ports required for the legacy application to function.

  • MAC Filtering: To solve @roosevelt's issue, enable Port Security on your physical switches. This ensures that someone cannot just unplug a legacy machine, plug in a personal device to that “Legacy” port, and bypass your network rules.

By locking down the network boundaries, you prevent those unmanaged assets from being used as a pivot point into your secure infrastructure. 
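The monitor-first, then enforce approach from this thread, as an added illustration that is not Hexnode's code or any real firewall's syntax: the log format, the subnets (10.99.0.0/24 for VLAN 99, 10.10.0.0/24 for the managed fleet), the licensing server address and its UDP port are all constructed assumptions. The script derives the candidate allow-list from monitor-mode log lines, then evaluates the same flows against the checklist ruleset (deny lateral movement, deny internet, allow only the observed scoped services, default deny).

```python
import ipaddress
from collections import Counter

# Constructed addressing: Legacy VLAN 99 and the managed Windows 10/11 VLAN (assumed, not from the thread).
LEGACY = ipaddress.ip_network("10.99.0.0/24")
MANAGED = ipaddress.ip_network("10.10.0.0/24")

# Constructed monitor-mode log lines; the licensing server 10.20.0.5 and UDP port 27010 are assumed values.
MONITOR_LOG = """\
ALLOW proto=udp src=10.99.0.21 dst=10.20.0.5 dport=27010
ALLOW proto=udp src=10.99.0.22 dst=10.20.0.5 dport=27010
ALLOW proto=tcp src=10.99.0.21 dst=93.184.216.34 dport=443
ALLOW proto=tcp src=10.99.0.21 dst=10.10.0.15 dport=445
"""

def parse_flows(log):
    """Return (proto, src, dst, dport) tuples from monitor-mode log lines (verdict field skipped)."""
    flows = []
    for line in log.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        flows.append((fields["proto"], ipaddress.ip_address(fields["src"]),
                      ipaddress.ip_address(fields["dst"]), int(fields["dport"])))
    return flows

def observed_internal_services(flows):
    """Count legacy -> internal destinations outside the managed and legacy VLANs seen while monitoring.
    This is the candidate scoped allow-list a human reviews before enforcement; internet and
    managed-VLAN flows are excluded because the checklist denies them regardless."""
    c = Counter()
    for proto, src, dst, dport in flows:
        if src in LEGACY and dst.is_private and dst not in MANAGED and dst not in LEGACY:
            c[(proto, str(dst), dport)] += 1
    return c

def policy(proto, src, dst, dport, allow_list):
    """Enforced ruleset from the checklist, evaluated in order: deny lateral movement into the
    managed VLAN, deny all internet egress, permit only scoped services, default deny."""
    if src in LEGACY and dst in MANAGED:
        return "DENY lateral"
    if src in LEGACY and not dst.is_private:
        return "DENY outbound"
    if src in LEGACY and (proto, str(dst), dport) in allow_list:
        return "ALLOW scoped"
    return "DENY default"

def evaluate(log):
    """Replay logged flows against the ruleset built from that same monitoring period."""
    flows = parse_flows(log)
    allow = set(observed_internal_services(flows))
    return {(p, str(s), str(d), dp): policy(p, s, d, dp, allow) for p, s, d, dp in flows}
```

Running `evaluate(MONITOR_LOG)` shows the licensing traffic surviving enforcement while the SMB attempt into the managed VLAN and the HTTPS egress are dropped, which is the check worth doing before the "Deny All" rules go live.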
