Keeping a Win98 system off the Internet

Hello,

We have a small-office TCP/IP network consisting of mainly Win2K
systems. On the network is a network printer and a DSL router that
provides Internet access to all the Win2K systems.

We also have a Win98 system that we use to run some older programs.
Even though this system does not need to connect to the Internet, nor
share resources with the other systems, it does need to print to the
network printer. So it is connected to the office network.

I would like to know how I can ensure that this system is not
"connected" to the Internet, so that I don't have to bother with
updating anti-virus and firewall programs on it, nor patching Windows
itself.

No drive on this system is shared. And I have not configured the
gateway in the network settings, nor specified DNS servers. I cannot
reach the Internet from it. My question is "Can malware from the
Internet reach it?" Is there anything more I can do to isolate it from
the Internet? As it is, the router does NAT so there is already some
sort of firewalling taking place.

TIA,

G. Amik

Frankly, this is the "crunchy on the outside, soft and chewy on the inside"
approach to network management and it won't help you at all. If a computer
INSIDE the network is infected or brings in a virus or worm it will find
your Windows 98 system whether or not that system has an Internet
connection. Any security you get from "properly configuring" your Windows
98 system is false security.

--
Richard G. Harper [MVP Shell/User] (E-Mail Removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm


<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
> Hello,
>
> We have a small-office TCP/IP network consisting of mainly Win2K
> systems. On the network is a network printer and a DSL router that
> provides Internet access to all the Win2K systems.
>
> We also have a Win98 system that we use to run some older programs.
> Even though this system does not need to connect to the Internet, nor
> share resources with the other systems, it does need to print to the
> network printer. So it is connected to the office network.
>
> I would like to know how I can ensure that this system is not
> "connected" to the Internet, so that I don't have to bother with
> updating anti-virus and firewall programs on it, nor patching Windows
> itself.
>
> No drive on this system is shared. And I have not configured the
> gateway in the network settings, nor specified DNS servers. I cannot
> reach the Internet from it. My question is "Can malware from the
> Internet reach it?" Is there anything more I can do to isolate it from
> the Internet? As it is, the router does NAT so there is already some
> sort of firewalling taking place.
>
> TIA,
>
> G. Amik
>

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
> Hello,
>
> We have a small-office TCP/IP network consisting of mainly Win2K
> systems. On the network is a network printer and a DSL router that
> provides Internet access to all the Win2K systems.
>
> We also have a Win98 system that we use to run some older programs.
> Even though this system does not need to connect to the Internet, nor
> share resources with the other systems, it does need to print to the
> network printer. So it is connected to the office network.
>
> I would like to know how I can ensure that this system is not
> "connected" to the Internet, so that I don't have to bother with
> updating anti-virus and firewall programs on it, nor patching Windows
> itself.


<snip>

since win98 is not even close to secure...
I'd install a firewall and allow access to the printer and nothing else.
Once configured, there would not be a need for updating the firewall

On 21 May 2006 03:34:56 -0700, (E-Mail Removed) wrote:

>No drive on this system is shared.

The fact of the matter is, if you don't have file and printer sharing
installed (or installed but not bound to the Internet connection
tcp/ip stack), then you're substantially safer than later windows
versions which have significantly more background services running.

In this case, closing your open (listening) ports is easy since there
are none open. Hence a firewall will be a complete waste of time apart
from the miniscule added benefit of outgoing warnings. Also if the
win98 box doesn't know that the default gateway is your router then
even in the remote case of it getting some phone home malware
installed it won't be able to get out.

Therefore forget about the firewall, you will only be slowing down the
machine operation unnecessarily.

You will still be advised to keep av definitions up to date, though.
This is a different matter entirely. The machine may well get infected
by a virus regardless of its proximity to the Internet.


Jim.

James Egan wrote:

> You will still be advised to keep av definitions up to date, though.
> This is a different matter entirely. The machine may well get infected
> by a virus regardless of its proximity to the Internet.

and

Richard G Harper wrote:

>If a computer
>INSIDE the network is infected or brings in a virus or worm it will find
>your Windows 98 system whether or not that system has an Internet
>connection. Any security you get from "properly configuring" your Windows
>98 system is false security.

Would a virus on another system on the network be able to find this
system even if this system has no drives shared, nor is part of the
network workgroup, i.e., it does not even show up in Network
Neighborhood of the other machines?

Installing anti-virus software would be easy. Keeping it up to date
would be tedious since the system has no connection to the Internet,
nor to any of the other local machines. For this reason alone, I would
have to include it in the network workgroup -- so that it can update av
files from a network computer. Would the benefits of doing this
outweigh the disadvantages?

Thanks for your input.

G. Amik

On 22 May 2006 04:04:24 -0700, (E-Mail Removed) wrote:

>Would a virus on another system on the network be able to find this
>system even if this system has no drives shared, nor is part of the
>network workgroup, i.e., it does not even show up in Network
>Neighborhood of the other machines?

I wasn't particularly referring to network borne viruses. If anything
is ever installed or files copied to or from the machine by (say) a
floppy drive or flash (backup) drive or whatever, then there is some
chance albeit small that it may get a virus.

If you *never* install anything new and only ever use it for existing
programs and printing then maybe you can do away with av.

>
>Installing anti-virus software would be easy. Keeping it up to date
>would be tedious since the system has no connection to the Internet,
>nor to any of the other local machines. For this reason alone, I would
>have to include it in the network workgroup -- so that it can update av
>files from a network computer. Would the benefits of doing this
>outweigh the disadvantages?

This is what I would do though. You're not really increasing the risk
much by putting it on the LAN since there is nothing for the other
machines on the LAN to connect to.

If "on access" av scanning slows the machine down too much, you can
probably get away with just scheduling an "on demand" scan every now
and then and not bothering with on access.



Jim.