How to safely connect a Windows machine that CAN’T have anti-virus (due to real time demands) to the internet via a Windows machine that is protected?


QUESTION :

I have a Windows-based machine that cannot have anti-virus installed due to the performance impact that would have on the machine’s role as the controller in a live radio studio mixing console. This setup is a commercially available system, not one I am building myself.

I believe the question has value beyond the application in broadcast radio, for other domains that need deterministic real-time performance – or as close to that as possible.

I have found that anti-virus software can use a significant amount of CPU cycles/processing power, particularly when updating virus definitions and then installing them. In fact, I’ve observed machines lock up/freeze for several seconds while the definitions are updated following their download.

The expected slow-down/freezing during anti-virus updates is unacceptable in a radio studio environment, as it would result in unresponsiveness of the console, resulting in “dead air” – silence on air and a bewildered presenter. Anti-virus updates occur as soon as they are made available and it’s preferable to install them as soon as possible, but this is unpredictable.

The machine needs to be connected to the internet so that:

  • Remoting: it can be controlled remotely using VNC for station management or some presenters working from home
  • Streaming: it can stream the broadcast to an off-site internet radio streaming server for internet-based listeners
  • FTP: it can accept files, e.g. pre-recorded radio shows, reports, music for automated playout or use in a live show. Also for logging presenter output, for download by station management for review
  • Local Networking with other on-site studio machines and office machines that are connected to the internet

Presenters will not use a web-browser or email on this machine, they use another machine. So the need for internet is for essential management reasons.

So I propose to connect it to the internet, without anti-virus installed and with Windows Updates scheduled manually at off-peak times, via another machine that filters traffic and scans it for viruses. How could this be done?

ANSWER :

I would use a hardware firewall to protect the machine from both Internet access and intranet access. A hardware firewall will give you reliability and speed.

I would start with the machine having all traffic blocked and then only allow those IP addresses, ports, protocols and directions that are needed for it to work. For example, if there will be no web surfing, then I wouldn’t add a rule to open port 80 out. If you have a remote administrator, I would allow the ports for VNC in from their IP address. The same for FTP. This way, if you aren’t talking from the right IP address, you are blocked. Also, if someone tries to go out on the machine and check their email, they are blocked.

I would also set these rules up for the rest of the intranet. I would only create rules to allow communication to those computers/ports/protocols needed. This way, if a machine on the intranet gets compromised, it will have a harder time spreading to the unprotected machine.

Basically, this machine would be in a DMZ configuration.

I would also run Spybot Search & Destroy and SpywareBlaster and immunize the machine. There is no real-time cost to this because it isn’t a scan, but just a configuration setting. All this does is basically blacklist ActiveX controls and bad sites in the Hosts file. This can prevent a machine from being infected by preventing some bad things from being executed. Of course, you would have to allow, via the hardware firewall, the ability for the machine to update. You can do this manually or whitelist those sites.

The firewall you choose should be able to alert you of problems. I would flag some rules to see if anyone is attempting to do anything they shouldn’t (i.e. checking email, surfing the web, someone attempting access to the FTP port (especially if left on the default port)). I use a Zywall, which has all the above features, but there are many companies. One thing you should consider is that hardware firewalls have specifications on throughput. You want to get a firewall that can process the information fast enough.

The remote users could also VPN in to some firewalls; that way you don’t have to publicly expose things like VNC or FTP.

Also, some VNC software will allow you to use certificates to authenticate. This could help because it allows better security: there is no username/password to guess, and the end user could run the software and it would just work (less for the end user to remember). If not, I recommend using KeePass and having it generate a high-entropy password that would be difficult for machines to break.

I hope these tips help.

(Also, because this is a business critical machine, I would image the system so if something did happen, you could get back to a known good state.)

A computer that’s isolated enough from the network can’t be infected.

As long as you don’t share its hard disks, you uninstall any Microsoft or third-party software that listens on TCP/UDP ports (such as IIS), and there’s only one safe working application, then there’s no way that it can be infected.

Conclusion: Antivirus is not required.

However, I see Windows Updates as being a far greater danger to such a vital machine, as there’s always the chance that it will break your Windows installation. I would set Windows Updates to “check but let me choose when”, and make sure to take a backup of the system before. It would help in this case for the system disk to contain only system and applications, with data being stored on another disk/partition. This way, you can take an image backup of the system disk before applying the Windows Updates once a month and be sure, in case of problems, of being able to restore a working system.

I wouldn’t bother. Antivirus doesn’t help too much so long as you’re not opening dodgy email attachments or downloading a lot of executable files. For example, Steve Gibson of Security Now doesn’t run any antivirus.

Having a router between the computer and the internet is far more important.

If you want to be safe, I would recommend you take a look at Microsoft Security Essentials. It is a very fast and small anti-virus program and it works very well.

I used to use no antivirus and was safe for many years, but the fact is, MSE and some others (if you do a bit of research) take up next to no hard drive space, under 50MB of memory, and very few CPU cycles; if you want to be safe, there really isn’t a reason not to use it.

Quite frankly, I would say that in this day and age any machine that would slow down due to (any) anti-virus program should not be relied upon for a serious production environment anyway.

After this, you may want to look at simply using the Windows Firewall and blocking everything other than the required ports.

Lastly, for your radio program, you may want to go to Task Manager and increase the priority so it gets a higher share of CPU time.
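The first answer (start from "everything blocked", then allow only the IP addresses, ports and directions the console needs, and flag attempts to do anything else) and the last answer (do the same with the built-in Windows Firewall) both describe the same default-deny policy without showing it. The following is an added example, not code from any of the answers above, of that policy expressed with the Windows NetSecurity cmdlets (Windows 8/Server 2012 and later). Every IP address, port range, path and rule name in it is a placeholder assumption (RFC 5737 documentation ranges) that you would replace with your own values; try it on a cloned machine before touching the live console.

```powershell
# Added example (not from the answers above): default-deny Windows Firewall
# policy for the console PC. All addresses/ports below are assumed placeholders.
#Requires -RunAsAdministrator

# --- Assumed placeholders: replace with your own values ---
$AdminHosts   = @('203.0.113.10', '203.0.113.11')   # station management / VNC clients
$StreamServer = '198.51.100.20'                     # off-site streaming server
$StreamPort   = 8000                                # its listener port
$LanPeers     = @('192.0.2.15', '192.0.2.16')       # only the studio boxes the console must talk to
$Resolver     = '192.0.2.1'                         # internal DNS resolver
$FtpPassive   = '50000-50100'                       # passive data range configured on the FTP server
$LogFile      = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
$Tag          = 'Console-'                          # prefix so our rules can be listed as a set

# 1. Block everything in both directions on every profile, and log what is
#    dropped so policy violations (web surfing, mail, probes of the FTP port)
#    are visible afterwards.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogAllowed False `
    -LogFileName $LogFile -LogMaxSizeKilobytes 32767

# 2. Disable every rule Windows ships with, so only the rules below apply.
#    (This also disables the DHCP client rules: the console should have a
#    static address, or re-enable the "Core Networking" DHCP rules.)
Get-NetFirewallRule | Disable-NetFirewallRule

# 3. Inbound VNC only from the admin hosts (5900/tcp is the VNC default).
New-NetFirewallRule -DisplayName "${Tag}VNC from admins" -Direction Inbound `
    -Action Allow -Protocol TCP -LocalPort 5900 -RemoteAddress $AdminHosts

# 4. Inbound FTP control port plus the passive data range, same sources.
New-NetFirewallRule -DisplayName "${Tag}FTP from admins" -Direction Inbound `
    -Action Allow -Protocol TCP -LocalPort 21,$FtpPassive -RemoteAddress $AdminHosts

# 5. Studio LAN peers by host, not the whole subnet and not the office machines.
New-NetFirewallRule -DisplayName "${Tag}LAN peers in" -Direction Inbound `
    -Action Allow -RemoteAddress $LanPeers
New-NetFirewallRule -DisplayName "${Tag}LAN peers out" -Direction Outbound `
    -Action Allow -RemoteAddress $LanPeers

# 6. Outbound: the stream to the streaming server only, and DNS to the resolver.
New-NetFirewallRule -DisplayName "${Tag}Stream out" -Direction Outbound `
    -Action Allow -Protocol TCP -RemoteAddress $StreamServer -RemotePort $StreamPort
New-NetFirewallRule -DisplayName "${Tag}DNS" -Direction Outbound `
    -Action Allow -Protocol UDP -RemotePort 53 -RemoteAddress $Resolver

# 7. Outbound for Windows Update, limited to the update service inside
#    svchost.exe and created DISABLED: enable it for the manual off-peak
#    update window, then disable it again.
New-NetFirewallRule -DisplayName "${Tag}Windows Update (manual)" -Direction Outbound `
    -Action Allow -Protocol TCP -RemotePort 80,443 `
    -Program "$env:SystemRoot\System32\svchost.exe" -Service wuauserv -Enabled False

# Verification: show the policy now in force.
Get-NetFirewallRule -DisplayName "$Tag*" |
    Select-Object DisplayName, Direction, Action, Enabled | Format-Table -AutoSize

# Review: top dropped source -> destination port pairs from the log. The
# pfirewall.log fields are space-separated:
#   date time action protocol src-ip dst-ip src-port dst-port ...
if (Test-Path $LogFile) {
    Get-Content $LogFile |
        Where-Object { $_ -match '^\d{4}-\d{2}-\d{2} \S+ DROP ' } |
        ForEach-Object { $f = $_ -split ' '; "$($f[4]) -> port $($f[7])" } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object Count, Name -First 10
}
```

Run it once from an elevated PowerShell; the last pipeline is the part worth scheduling, since a steady stream of DROP entries from one address against port 21 or 5900 is exactly the "someone attempting access to the FTP port" condition the first answer says the firewall should alert on. The policy is host-based, so it does not replace the hardware firewall in front of the machine; it is the same default-deny rule set applied a second time on the console itself, which still holds if a neighbouring studio machine is compromised.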
