Viewing 40 posts - 1 through 40 (of 44 total)
Windows 7 machines networking conundrum

    Shackleton
    Full Member

    In the labs at work we have two very expensive confocal microscopes that run on Win7 enterprise and have never been networked for a variety of reasons. To upgrade to Win10 requires about ~20k worth of hardware for each and isn’t a cost that we can recover from anywhere so is basically a non-starter for machines whose remaining lifespan is 2-4 years. We also have various other bits of perfectly functioning kit across the research site that are too expensive to replace en masse hooked up to machines that just can’t be upgraded to win10 for a myriad range of reasons.

    Part of my role is leading efforts on research integrity and open science. A major part of this will be introducing electronic lab notebooks (with an audit trail) and for this to be effective all data from the point of capture through processing, storage, deposition to publication needs to be accessible on the network. We don’t want people wandering about with USB drives full of data as they do at the moment.

    The current IT contact, locally known as “Dr. No”, just point blank states that this is impossible, but my experience with most of them is that “no” doesn’t mean that it is impossible rather that it will mean more work for them. My usual helpful IT contact at work is away on long term caring leave so can’t help me out with an honest assessment of the situation and suggestions for possible solutions/workarounds. I have some budget for staff time to help implement this but it would be really helpful in my discussions with IT if I could suggest X, Y or Z as part of a pragmatic solution.

    So, is there a method to have a Win7 machine that can log on to a network, save data to central servers but where it won’t endanger the network due to running win7, etc? They don’t need internet access, email, etc, essentially all they need to be able to do is transfer files captured using the specific software to the central file server.

    Kelliesheros
    Free Member

    I assume the issue is that windows 7 is EOL and therefore is not patched against existing and future exploits. In that case no. Something is either networked or not, and if the thing being networked is marked to be not suitable for networking (because it is EOL and unsupported) you are boned…

    Of course you could just plug an ethernet cable into it, but I would suggest that being a rather high risk strategy if the worst happens and your entire lab is locked out by ransomware.

    trail_rat
    Free Member

    I have same issue

    Been told that under no circumstances will it be hooked up to any form of network.

    I have software that hasn’t been ported to windows 10 in its current form and the new windows 10 version is missing key features.

    Working our way through our stock of old 7 laptopz at a rate because they were all auld shite before we started.

    Shackleton
    Full Member

    I assume the issue is that windows 7 is EOL and therefore is not patched against existing and future exploits.

    Pretty much as far as I know.

    Are there any “creative” solutions?

    jam-bo
    Full Member

    I’m no network engineer but I would have thought you should be able to restrict their internet access and only give them write permissions to a very specific location.

    But your challenge isn’t a technical one if your IT guy say no…

    Kelliesheros
    Free Member

    Are there any “creative” solutions?

    Yes. Put a business case in to spend the money and upgrade the equipment. If you are asking is there a hack. No.

    Attaching a computer to a network is not a one way process, at some level there is communication back and forth. An exploit is exactly that, a way of doing something via a means you shouldn’t be able to. Those ransomware attacks that spread a couple of years ago, they were designed to search out unsupported / unpatched versions of software on a network, even if the computer initially infected was patched.

    jam-bo
    Full Member

    NAS drive with a direct USB connection. Pretty sure my netgear readyNAS will let me connect as a USB drive but then serve the files on the network.

    scotroutes
    Full Member

    What data do you need to get from these machines onto the others?

    And is there any data that needs to go onto these machines from your networked ones?

    rjmccann101
    Full Member

    If you really have to do this then I’d go old school and connect the windows 7 machines using a serial port. Then go get a serial file transfer utility like Kermit that allows you to transfer files over the serial connection and also allows the transfers to be scripted.

    Make sure you set it all up so that the only thing the windows 7 machines can do is push data out the serial port.

    It might not be practical if your file sizes are large, serial comms aren’t quick.

    701arvn
    Free Member

    We have a client with networked Win 7 machines. The client’s threat profile is about as eye watering as it gets and they spend a great deal of money applying controls to mitigate the residual risk.

    So, I would first ask; what’s the risk? That’s not just a matter of having an unpatched OS (which can be mitigated to some extent by additional controls, like purchasing an ESU) but has to take into account how attractive a target you are and the likely sophistication of the threat actor.

    I wouldn’t say absolutely not; there are additional controls that can be applied to mitigate the risk.

    Shackleton
    Full Member

    The biggest are typically batches of about 100 12 Mb image files at a time but could be upwards of 50 Gb video at a time. Data traffic could be one way if necessary.

    We are a govt associated research institute doing biological research in a possibly contentious area.

    Cougar
    Full Member

    To upgrade to Win10 requires about ~20k worth of hardware

    I’d be questioning this out of the gate. Does it? Why? What specifically works with W7 that demonstrably (rather than claimed) doesn’t work with W10? I’ve seen this argument a hundred times and 97 of them turned out to be horseshit.

    If I had to implement your proposed scheme, I’d isolate and airgap it from anything else in the building.

    Shackleton
    Full Member

    Apparently it is the control hardware. Bespoke stuff so can’t shop around, it is a single vendor issue. And they have to be working at 100% so the facility managers aren’t keen to fiddle and risk losing functionality or accuracy.

    If I had to implement your proposed scheme, I’d isolate and airgap it from anything else in the building.

    I don’t know what this means……….

    leffeboy
    Full Member

    Can you dual home a Win 10 machine?  Stick an extra network card in, connect the Win7 machine to the Win 10 machine so it can only write to a specified file space and then connect the Win10 machine on the other network port to the network.  There is no direct connection to the Win7 machine from the network so there should be no direct exploits.  The Win10 machine is really only providing a shared file space via a sort of buffer.  Can be a super cheap Win10 machine as it isn’t doing any work really.

    Greybeard
    Free Member

    <brainstorm mode>
    This may not work for you and I’m not an IT expert, but I’ve seen something similar for different reasons. Keep the network that the Windows 7 machines need to be on as a stand alone, airgapped network. Provide basic Win 10 boxes that can handle email and internet for people who need them, and KVM switches so that they can use either system. Do not allow any USB connections to the Win 7. Any data on the Win 7 that needs to be exported is saved by the users to a dedicated area and then copied, by trusted admins, onto a clean, new DVD or similar, read onto the Win 10 and destroyed. Users are not allowed to copy anything off the Win 7 – sooner or later, somebody would use infected media.
    <\brainstorm mode>

    Cougar
    Full Member

    Apparently it is the control hardware.

    What is? That’s a non-answer. What, specifically, doesn’t work under W10 and why? That’s the question you need to ask.

    I don’t know what this means

    It means that within that environment, nothing that connects to it connects to anything else ever. If you’re using ‘notebooks’ to access it then those notebooks access nothing else other than this. No corporate network, certainly no Internet.

    they have to be working at 100%

    That’s an unreasonable expectation of any technology. You can plan for this using redundancy – eg, buy two of them – but any single point of failure is a time bomb. High availability of critical systems is often defined as “five nines” or 99.999% uptime, which allows for about five minutes’ outage a year. Only an ignoramus or a maniac would either promise or expect 100% uptime from a single system.

    so the facility managers aren’t keen to fiddle and risk losing functionality or accuracy.

    Then they need to decide which of several worst-case scenarios is least important.

    “If it ain’t broke, don’t fix it” was all well and good until WannaCry took out fully a third of the NHS.

    Cougar
    Full Member

    I mean,

    Your budget might be best spent on a consultant who comes with liability insurance.

    Shackleton
    Full Member

    @cougar By working at 100% I mean in terms of working, and being able to verify that it is working, within its specified technical limits (xyz accuracy, laser and optics control, etc.) rather than uptime. They break fairly frequently but this is covered by service contracts.

    Even though the manufacturers say it won’t work it may do but there is no way of knowing, and, if it goes wrong, whether we will have borked 500k of microscope with no future repairs covered as it would violate the service agreement in perpetuity. The frustrating thing is that one of them is only 4 years old but we hadn’t migrated to win10 then so just went for the 7 option with no thought to the future! I will ask for specifics yet again and see if I get an answer.

    Shackleton
    Full Member

    @leffeboy is that a bona-fide solution or will the network support bods have kittens if I even suggest it?

    Flaperon
    Full Member

    What is? That’s a non-answer. What, specifically, doesn’t work under W10 and why? That’s the question you need to ask.

    I’m guessing that if you crash the microscope and it’s running Windows 10, the manufacturer is going to run a mile.

    If the rest of the network is up to scratch security-wise, and you get IT to supply the USB drives, and you forbid people from plugging them into their home machines, I’d be sticking with that.

    jca
    Full Member

    My current and previous institutions both resolve this using vlans, which essentially separate network traffic running over the same physical infrastructure into separate groups, permitting hardware to be essentially isolated on the network. Instruments needing access to central storage/analysis compute are on a separate vlan which has no access to the rest of the campus network, other than the dedicated systems they need to connect to, or the external internet. The PCs attached to many instruments also frequently can’t run AV software since this can interrupt their normal operation (which can ruin a £20k sequencing run, for example), so these also aren’t allowed near the standard network either. Seems to work ok…

    leffeboy
    Full Member

    is that a bona-fide solution or will the network support bods have kittens if I even suggest it

    It’s an idea, it’s not completely crazy. The only exploits left would be ones that are transmitted through files so you need some sort of av software on the win10 machine. It’s not ideal but neither is your situation 🙂

    Cougar
    Full Member

    Ah, vendor bullshit.

    So ask why a piece of hardware just four years old is reliant on an eleven year old OS that has been superseded by a dozen subsequent major OS releases and went end of life six months ago. Four years back Windows 10 was already on its third release, W7 was obsolete when you bought the kit.

    Cougar
    Full Member

    leffeboy is that a bona-fide solution or will the network support bods have kittens

    I’m not a network bod and I’d shit bricks at the notion of sticking in something that could potentially turn into a bridge.

    Shackleton
    Full Member

    @jca thanks, I will suggest that.

    @cougar
    I agree that buying a win7 operated machine was a mistake but unfortunately I had nothing to do with the decision, I’m just having to deal with the fall out.

    @flaperon
    I may do that. Just get a cheap networked win10 box and USB drive bolted to the table with a long cable to go between the machines.

    swedishmatt
    Free Member

    You could always take a contractual angle to this, or threat of losing future business. Open a request for information (e.g. the start of the purchasing and bid cycle) for a couple of vendors. Include the current vendor who sold you the previous microscope. Ask for a win10 requirement. When they come back and say “20k” you say too expensive. Ask if they can upgrade the current one for say 5k to win10 with ongoing support patches blah blah.

    This might not fly and requires purchasing (assuming you have a separate person/department for it). Maybe you have done this already.

    There might be other ways to reduce the upgrade cost.

    Saccades
    Free Member

    Is this a legacy software migration thing?

    Legacy box from triangulate?

    Shackleton
    Full Member

    Is this a legacy software migration thing?

    Legacy box from triangulate?

    Not sure what this means, sorry…..

    xora
    Full Member

    Virtualise the Win7 install on a Win10 machine!

    stumpy01
    Full Member

    At my work we run an old CAD package and similarly old PLM system that isn’t compatible with Win10. Our desk workstations are all Win7.
    Our management have been telling us for at least 5 years that we will be upgrading to the latest and greatest, but it never happens; then there was mass panic when they all realised that Win7 was not going to be sorted anymore.

    My understanding is that we have paid Microsoft a lot of money to extend Win7 support. I don’t know how long this is for and guess it can’t go on indefinitely, but you might be able to get extended Win7 support if you can fling some money at Microsoft?

    rudedog
    Free Member

    I am an IT infrastructure engineer and this is achievable in a way that should satisfy your IT dept’s concerns about win 7 vulnerabilities.

    They would need to create a separate ‘storage’ network (VLAN) that sits between the windows 7 network and the main LAN (the area your IT are trying to protect). This storage network would host some kind of dedicated file storage device (file server,NAS etc).

    Both networks would have access to the storage network (with appropriate firewall rules) but no direct access to each other.

    Depending on your existing infrastructure, the cost for implementing this would vary but it would be nowhere near the 20k you’ve been quoted for migrating the software to win10.

    (Edit – This sounds a lot like what jca’s post described further up the thread)
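The three-zone design that jca and rudedog describe (instrument VLAN, storage VLAN with the file server, main LAN; each side reaches storage, neither side reaches the other) is easy to state and easy to get wrong in a rule table. The script below is an added example, not code from anyone in this thread: it models that policy as a first-match, default-deny rule set and checks a set of flows against the invariants the design is meant to guarantee. The address ranges, the choice of SMB on TCP/445 as the only permitted service, and the `evaluate`/`verify_invariants` helpers are all constructed for the illustration; the real rules would live on whatever firewall sits between the VLANs, and this only checks the logic of the policy, not any particular product’s configuration.

```python
"""Policy model for a three-zone instrument/storage/main-LAN segmentation.

Constructed example: the zones, addresses and rules below are assumptions
chosen to illustrate the design, not a real site's configuration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed address plan (constructed). Instruments and main LAN must not overlap.
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "instruments": ipaddress.ip_network("10.10.7.0/24"),   # Win7 microscope PCs
    "storage":     ipaddress.ip_network("10.10.50.0/24"),  # NAS / file server only
    "main_lan":    ipaddress.ip_network("10.0.0.0/16"),    # corporate desktops etc.
}

SMB_PORT = 445  # the one service the instruments need: write files to the server


@dataclass(frozen=True)
class Rule:
    src: str              # zone name or "any"
    dst: str              # zone name or "any"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"

    def matches(self, src_zone: str, dst_zone: str, proto: str, dport: int) -> bool:
        return (self.src in (src_zone, "any")
                and self.dst in (dst_zone, "any")
                and self.proto in (proto, "any")
                and self.dport in (dport, None))


# First-match rule set. Anything not matched falls through to the default deny.
# Return traffic is assumed to be handled by the firewall's connection tracking,
# so only the initiating direction is listed here.
POLICY: List[Rule] = [
    Rule("instruments", "storage",     "tcp", SMB_PORT, "allow"),  # push data out
    Rule("main_lan",    "storage",     "tcp", SMB_PORT, "allow"),  # analysts read it
    Rule("instruments", "main_lan",    "any", None,     "deny"),   # no bridge
    Rule("main_lan",    "instruments", "any", None,     "deny"),   # no remote access
    Rule("storage",     "any",         "any", None,     "deny"),   # server never initiates
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the plan is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Return 'allow' or 'deny' for a new connection, first-match semantics."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in POLICY:
        if rule.matches(src_zone, dst_zone, proto, dport):
            return rule.action
    return "deny"  # default deny


Flow = Tuple[str, str, str, int]


def verify_invariants(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Check the design's guarantees over a list of candidate flows.

    Invariants: an instrument may only ever reach the storage zone, and only on
    SMB; the storage server never opens connections anywhere. Any flow that the
    policy allows in breach of these is returned as a violation.
    """
    violations = []
    for flow in flows:
        src_ip, dst_ip, proto, dport = flow
        action = evaluate(*flow)
        if action != "allow":
            continue
        src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
        if src_zone == "instruments" and not (dst_zone == "storage" and dport == SMB_PORT):
            violations.append((flow, "instrument reached something other than SMB on storage"))
        if src_zone == "storage":
            violations.append((flow, "storage server initiated a connection"))
    return violations


if __name__ == "__main__":
    sample = [
        ("10.10.7.5", "10.10.50.10", "tcp", 445),   # microscope -> NAS, expected allow
        ("10.10.7.5", "10.0.1.20",   "tcp", 445),   # microscope -> desktop, expected deny
        ("10.10.7.5", "10.10.50.10", "tcp", 3389),  # RDP to NAS, expected deny
        ("10.0.1.20", "10.10.50.10", "tcp", 445),   # desktop -> NAS, expected allow
        ("10.10.50.10", "10.0.1.20", "tcp", 445),   # NAS -> desktop, expected deny
        ("10.10.7.5", "8.8.8.8",     "udp", 53),    # microscope -> internet, expected deny
    ]
    for f in sample:
        print(f, "->", evaluate(*f))
    print("violations:", verify_invariants(sample))
```

Running it prints each flow with its verdict and an empty violation list. The point of `verify_invariants` is the second half of rudedog’s post: it is not enough that the rules look right, you want something that fails loudly if someone later adds a convenience rule that turns the storage VLAN into the bridge between the two sides.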

    Shackleton
    Full Member

    Cheers all for the suggestions, will try and raise them on Monday.

    FuzzyWuzzy
    Full Member

    This entirely depends on the current infrastructure.

    1). Is there structured cabling in place to all devices that need to sit on the new network and can that structured cabling all patch into a new, dedicated switch?

    2). Are all the devices that need to connect up currently standalone or also have other network connections?

    3). This microscope – is Win7 embedded in it or does it run as a normal PC that the microscope connects to via USB or something? If embedded does the device have a network (RJ45) port, if not what does it have?

    4). Do you have approx. £300-500 budget for a NAS?

    5). Do you have someone willing to manually assign IP addresses to any device that connects to the new network?

    6). Are the machines connecting able to join a Workgroup (and is someone able to manage creating the accounts)?

    7). How valuable is the data (you need to think about backups)

    8). AV could be a bit of a nightmare, hooking up a load of expensive Windows-based devices to a network will mean they’re all as vulnerable as the weakest link (e.g. some numpty still just plugging in a USB stick from home that they don’t know has malware on it). Even if the data isn’t valuable I guess the devices being able to run is, how rebuildable are they (i.e. reinstall on Win7), does it need the vendor to do it?

    My current and previous institutions both resolve this using vlans, which essentially separate network traffic running over the same physical infrastructure into separate groups, permitting hardware to be essentially isolated on the network.

    Depends how much security you need, VLANs aren’t security boundaries (google VLAN hopping) but granted it would help prevent most malware spreading over a network (unless you have multi-homed machines on the network).

    Cougar
    Full Member

    5). Do you have someone willing to manually assign IP addresses to any device that connects to the new network?

    Why?

    codybrennan
    Free Member

    The best thing would be to take these to Win10, obviously, but as you’ve said- cost= £££, and there’s some vendor bull to wade through.

    The standalone ‘microscopes and storage’ network using VLANs isn’t a bad idea.

    Another solution is to use some kind of highish-end firewall at the edge of the microscope part of the network, acting as a perimeter; would involve separating it out onto its own LAN/VLAN but you sound like you wouldn’t be averse to this. This would act as the gateway to that part of the network.

    Checkpoint do a ‘Sandblast Network’ appliance that does this very thing. You basically get all the endpoint stuff that you need in a plug-in box. Disclaimer- I work for them, and we routinely suggest this solution to customers in your legacy position.

    P-Jay
    Free Member

    OP is not facing a unique problem. We’re supporting, or trying to support, Win7 and even XP PCs because the client is unwilling or unable to upgrade because the (relatively simple) software it runs to operate frighteningly expensive equipment won’t run on Win10 or 8/8.1.

    The manufacturers usually want an insane amount of money for compatible software, I know it’s not cheap developing software.

    The only way I know of doing what the OP needs to do securely is to go down the Win7 ESU route:

    https://docs.microsoft.com/en-us/troubleshoot/windows-client/windows-7-eos-faq/windows-7-extended-security-updates-faq

    It will let you kick the can down the road until 2022.

    joshvegas
    Free Member

    We are a govt associated research institute doing biological research in a possibly contentious area.

    you’ll never get dundonians to eat salad

    FuzzyWuzzy
    Full Member

    Why?

    Well to avoid having a DHCP server but I’d forgotten about APIPA which I guess is what you’re implying?

    codybrennan
    Free Member

    ‘avoid having a DHCP server’

    DHCP relay FTW.

    Cougar
    Full Member

    Well to avoid having a DHCP server but I’d forgotten about APIPA which I guess is what you’re implying?

    Nah, APIPA is even more shit, it serves one purpose in the world and that’s to tell you that your DHCP server is broken. (-:

    Rather, deploying a DHCP server (or forwarder as above) isn’t rocket science. Not that I’d seriously suggest it as an enterprise-grade solution, but you could plug in a £20 domestic ADSL router and you’d have DHCP. Life’s too short to be setting static IP addresses on client devices if the total number of devices on the segment exceeds two, screw that.
