• Defeating Internet access to Win7

    #2086591

    Environment is LAN with network printer and two computers dual-booting Win7 and Linux Mint.  We have retained Win7 for additional storage and because a couple of needed programs have no Mint version.

    We have uninstalled Firefox from the Win7 volumes, but, of course, the Windows OS includes Internet Explorer as a path to the Internet.  With Win7 abandoned by MS, we want to be sure that there is no longer online access via Win7 to thwart potential invaders.  AFAIK, this can’t be done selectively at the router.

    Is it possible to remove this vulnerability by editing the Registry?  If so, I would appreciate some guidance to enable this non-tech to make this change.

     

    • #2086634
      1 user thanked author for this post.
    • #2086743

      Other than access to a Win 7 (storage) by its Mint step-brother: does there need to be any access to a Win 7 from the other computer; or does either Win 7 (program/application) need print capability directly?

      1 user thanked author for this post.
      • #2086755

        The only Win7 access truly needed, to just one of the machines on the network, relates to Canon camera software, unavailable in Linux.  I’m advised that the Wine cross-OS tactic is better avoided.

        The two computers almost never need to share data, as all of the user files are on the PC and we use the laptop basically as a second Internet access portal.  That machine has no user files not duplicated on the desktop.  As for printing, Mint provides full access to the Win7 files, so no need to access the printer via Win7.

        • #2086768

          Where I was going with this is to note that disabling a network adapter kills ALL networking, including any intranet (local/in house) traffic, not just the internet traffic.

          Something I am uncertain of – experts’ responses invited. When an adapter is Disabled/Enabled, does that propagate a change to the hardware (the adapter card), or only within the adapter code within the OS? Hence, would a Disable issued from Win 7 actually turn off the card, so that Mint-traffic also is halted?

          • #2087031

            Something I am uncertain of – experts’ responses invited. When an adapter is Disabled/Enabled, does that propagate a change to the hardware (the adapter card), or only within the adapter code within the OS?

            It would only be disabled in Windows if you used Device Manager to disable it.  If you booted to Mint, or even another instance of Windows on the same PC, if there was one, it would still work.

             

            Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
            XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
            Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

        • #2087030

          The only Win7 access truly needed, to just one of the machines on the network, relates to Canon camera software, unavailable in Linux. I’m advised that the Wine cross-OS tactic is better avoided.

          Why is it best avoided?  In a general sense, WINE’s a great tool, and has made great leaps in compatibility in a relatively short time.  I use it pretty often, and it works really well for a lot of things.

          Now, if you’ve done some research (which I haven’t) regarding the software in question, it could be that this won’t work with WINE.  I don’t know how well it works with specific hardware items like a camera (presumably connected via USB).

          Personally, this is the kind of thing I use a VM for (I use VirtualBox).  I have software to program my mouse and keyboard (both gaming devices that have onboard memory profiles) that I run from Windows 7 in a VM.  I haven’t even tried to run these in WINE, as my gut just tells me that this may not work, and a VM is so easy that I haven’t really had a reason to try.

          WINE is good when I want something to run at native speed, particularly with regard to graphics, as if it were running on Windows on the same machine, but a VM is more compatible, and it’s easier to get things working.

          In a VM, it’s actually Windows, so you just install the program like you usually would, whereas WINE can be a little more fiddly (though far better now than it was in the past).  Programs like Lutris make WINE a lot simpler to get set up, and if there happens to be a script on the Lutris site for the thing you are trying to install, it’s really easy, but the site is gaming oriented, so things like camera applications are less likely to have scripts.  You’d have to set it up manually, which isn’t hard, but you have to know what the Lutris options mean and what to do with them.

          If you use WINE or a VM, you can run your camera application in the VM without having to reboot or stop what you’re doing in Linux.  When I used both OSes, I really hated having to shut down and boot into the other one, then do it again when I wanted to go back to where I was.

           

          Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
          XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
          Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

          1 user thanked author for this post.
        • #2087115

          The only Win7 access truly needed, to just one of the machines on the network, relates to Canon camera software, unavailable in Linux.

          Exactly what do you mean by “The only Win7 access truly needed…”?

          Do you mean that there’s software on the Win7 machine for the Canon camera, such as a photo editing suite, that isn’t available for Linux?

          If it is indeed a photo editing suite, you might be better off just finding a suite that’s written for Linux, and I’m sure you could get quite a few recommendations along those lines here on AskWoody.

          If you need unfettered access between the Win7 machine and another machine on the network, it might be possible to set that up within your router, but you might have to disable DHCP and set up a static IP address within the router for the Win7 machine and whatever other machine the Win7 machine needs to connect to. There are folks here who could help you with that, provided your router will cooperate as well. Some routers made nowadays won’t let you into their configurations deeply enough to set things up as I have described here.

          As has been pointed out above, you could disable the network interface, but that also disables ALL connectivity to and from that machine.

    • #2086781

      Slowpoke47: “Is it possible to remove this vulnerability by editing the Registry?”

      Taking the overall initial comment as context, I am of the impression that the question is about disabling IE11 in the PC itself, not from the router.

      If I am right about this, my answer would be: You might be able to disable IE11, but that will take away other capabilities of the operating system that might be still needed, because IE11 has a number of bits and pieces of software that are shared by other applications and by the OS itself. So someone here that knows more about this than I do could, perhaps, explain what, if anything can be done about IE11 that will not have unwanted side effects.

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

      1 user thanked author for this post.
    • #2086875

      Maybe I’m missing something here, but if you have a wireless connection, just set it so that Win 7 does not automatically connect to it. That way you’re not disabling any network adapter and if you need internet access just connect through your wireless connection.

      Control Panel —> Network and Internet —> Network and Sharing Center. To the right of the resulting screen find ‘Connections’ and click on ‘Wireless Network Connection’. Click ‘Wireless Properties’ in the resulting screen. You’ll see a new screen where you can uncheck the box ‘Connect automatically when this network is in range’.

      1 user thanked author for this post.
      • #2086928

        I am just guessing here, mind you, that the question was about disabling only IE11, somehow, not turning off the WiFi connection to the router. There might be an interest in being able to use another, more trusted browser without IE11 skulking around, waiting for a chance to do whatever it might be that worries Slowpoke47.

        It might be a good idea, perhaps, to have, at this point, Slowpoke47 clarifying, in person, which of these various answers fits best his question, assuming anyone does.

        Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

        MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
        Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
        macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

        1 user thanked author for this post.
      • #2087109

        The network consists of one desktop, one laptop, and a network-connected all-in-one printer.  Both computers currently dual boot Win7 and Mint.  The desktop, of course, is hard wired.  The laptop is used either via wi-fi or a wired connection.  Does your suggestion have any effect on the wired connections?

        • #2087116

          No, his suggestion would only affect the wireless connection within the laptop, as you say the desktop is hardwired, which implies it has no wireless dongle or connection on it.

    • #2087108

      It might be a good idea, perhaps, to have, at this point, Slowpoke47 clarifying, in person, which of these various answers fits best his question, assuming anyone does.

      Well, I have demonstrated my (mediocre) level of understanding here on multiple occasions.  My interest in disabling IE is for the sake of safety and privacy.

      Back when this PC ran only Win7, I used Chrome for browsing before switching to Firefox some years ago to avoid Google’s telemetry.  However, I recall instances when selecting a link, e.g. in a downloaded doc, caused the OS to try to connect via IE, resulting in an unending cascade of IE pop-ups by default that could be aborted only by clicking on a red x “close all windows.”  The connection wasn’t established.  I learned to copy-and-paste Internet links into my chosen browser.

      Unknown just what this reaction by IE says about its functionality.  Seems like, if it were 100%, those links would have just opened.  On the other hand, regular update notices continued to appear from MS and Macrium.  And on the third hand (unusual anatomy!), once I uninstalled Firefox in Win7 a couple of days ago, MS suddenly showed the system as up to date, no updates needed, although there were previously several offered, same for Macrium.

      Bottom line is that I would like to take whatever precautions I can, given my non-tech abilities, to secure the digital premises from intruders, just as we lock the doors to the house when not home.  Perhaps I should have worded my question along those lines.

    • #2087113

      If you were still keeping the Windows 7 install internet connected, blocking IE could help in some way.  Do you have any need for internet or intranet on the Windows 7 install?  An easy way to break the internet and intranet connection – if your internet connection is wireless, open the connections list and disconnect, and to prevent a mis-click, also tell it to forget the password.

      If you use a wired internet connection, the most effective way to block all connection is to go to device manager, find the wired network connection device under network adapters, and set it to disabled.

      Neither of these will block internet when you boot Linux.

      If you want internet to be blocked, but to keep some local area network access, setting a fake DNS server in internet properties could work.

      If you don’t want to block internet, then you would be in the group of people using unpatched Windows 7 for internet access.  Many of the people in that group are using what I would call advanced, and layered ways to try to block viruses.  All of the methods that on a patched system would have been considered overkill and paranoid can be useful in this case.  Sandboxie, firewall software – see the post https://www.askwoody.com/forums/topic/keep-running-windows-7-safely-for-years-to-come/

      1 user thanked author for this post.
    • #2087202

      Do you mean that there’s software on the Win7 machine for the Canon camera, such as a photo editing suite, that isn’t available for Linux?

      The Windows app downloads the photos from the camera.  Alternatively, I could get a card reader, but this is easier, without removing the card, etc.

    • #2087209

      If you were still keeping the Windows 7 install internet connected, blocking IE could help in some way. Do you have any need for internet or intranet on the Windows 7 install?

      No need for internet access via Win7, just on Mint.  If intranet equates to our LAN- I’d guess that during our Win7-only years, the computers “spoke” to each other only 2 or 3 times.  At this point, anything like that would be via Mint.

      So if I go into both Win7 Device Managers and disable the wired and wi-fi connections, is that effective protection against infiltration via IE?

    • #2087223

      I believe if you disable in Device Manager both wired and wireless, you are almost 100% safe.  Your main remaining risk would be from files you run from a drive you plug in, or if you share files from your Linux partition, and one of those, or a file already on your computer, has a virus that was not noticed before.  Even if you got a virus, it could not send anything anywhere, unless it was clever enough to enable your network adapters.

      1 user thanked author for this post.
      • #2087265

        If that’s the case, and web access via Mint remains unaffected, that looks like the best strategy, and one that I can easily follow.  As far as the chances of unintentionally importing a virus, we are careful about where we go online and what we download.  That said, I think it’s false security to say you have a zero chance of being infected.

    • #2087296

      Do you have any need for internet or intranet on the Windows 7 install


      @Slowpoke47

      I did not see a clear answer to this. What MUST your W7 machines connect to and HOW?
      🤔

      🍻

      Just because you don't know where you are going doesn't mean any road will get you there.
    • #2087320

      Do you have any need for internet or intranet on the Windows 7 install



      @Slowpoke47

      I did not see a clear answer to this. What MUST your W7 machines connect to and HOW?
      🤔

      Was above post https://www.askwoody.com/forums/topic/defeating-internet-access-to-win7/#post-2087209 not the answer to your question?

      We have a hardwired ISP connection and router.  The LAN is wired/wi-fi and includes one wired desktop, a wired printer/scanner/fax with its own IP address, and a laptop which can connect via wi-fi or cable.  Both computers dual-boot Mint and Win7 and the Win7 OS’s no longer have web browsers other than IE, which is integral to Win7.

      Canon camera software for downloading photos, currently installed in both machines, does not have a Mint version, so unless I buy and deploy a card reader, I need the Win7 OS to be able to use the camera.  Once downloaded, the photos can be edited in Mint.

      Also, the Win7 file system is, at this point, helpful as additional storage.

      None of the foregoing entails web access.

      Since IE at best was mediocre, and MS has thrown Win7 under the bus for home users by ending support, I’m concerned about potential vulnerability of the LAN to invasion via IE.  My intent is to prevent IE from connecting to the web.

      • #2087326

        Canon camera software for downloading photos, currently installed in both machines, does not have a Mint version, so unless I buy and deploy a card reader, I need the Win7 OS to be able to use the camera. Once downloaded, the photos can be edited in Mint.

        Unless the camera uses a proprietary protocol for accessing the camera (which would be surprising), it should not be necessary to use the Canon software.  Have you tried connecting it while Mint is loaded?

        Edit: I have a Canon digital camera, and I just connected it to my desktop PC using a USB cable.  Normally I remove the SD card and plug it into one of my card readers (all three of my main PCs have one), so I had not yet tried it this way with Linux.

        Neon immediately recognized the camera and presented the options of browsing the images with the file browser or importing them into Gwenview (the default picture viewer in KDE).  I would expect Mint to do something similar!

         

        Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
        XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
        Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

        • This reply was modified 5 years, 3 months ago by Ascaris.
        1 user thanked author for this post.
    • #2087323

      Most cameras should be accessible with the right utility in Linux, maybe needing to set on the camera mass storage or mtp mode.  If you take pictures in jpg I think it is likely you can copy them with Linux.  If they are in raw, I’m not sure if your Canon software converts them.  You could try asking about this, mentioning your camera model and if they are raw on a Linux support forum.

      1 user thanked author for this post.
    • #2087325

      Yes it did, missed it. Disabling sounds good, I would first (just for kicks) set the network adapter to have a private static IP to a network you are not on. i.e. you are using 192.168.0.xxx for your local use 192.168.3.xxx for the W7 machine and then disable.

      🍻

      Just because you don't know where you are going doesn't mean any road will get you there.
      • #2087329

        I have a question about disabling the WiFi, assuming one has Win 7 in dual-boot with Linux, as Slowpoke47 and I both do:

        Disabling WiFi in Windows 7 is probably a good idea after EOS, because it ends once and for all the possibility of any nasty problems that browsing from the no longer patched OS might bring, as long as one can still use WiFi from Linux.

        So, question: Disabling WiFi in Win 7 would it, or would it not also disable WiFi in Linux?

        Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

        MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
        Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
        macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

        • #2087332

          If done via the windows network settings I can see no reason why Linux would have a problem, having said that it would of course be possible to make a wifi adapter that has s/w to disable the H/W itself. UEFI/Bios is now addressable from the O/S and if it is an onboard wifi (as is now common) that could be a thing. So now having spent a couple of minutes NOT really answering your question I will await other responses. 😏

          🍻

          Just because you don't know where you are going doesn't mean any road will get you there.
        • #2087334

          Answered at 2087031 .

        • #2087341

          So, question: Disabling WiFi in Win 7 would it, or would it not also disable WiFi in Linux?

          Disabling wifi in Windows should not have any effect on the wifi state in Linux.  In most PCs, there are two levels of “off” for wireless networking (using Windows as an example here).  You can tell the wireless card to turn off the wireless function, in which case the networking will be disabled, and no data will be able to pass through, but the card is still recognized by the PC.  This is the mode the card is in if you select “airplane mode,” which is now a bit of a misnomer, given that a lot of flights now have inflight wifi.

          You can also disable the card in the Device Manager, in which case you would have to enable the card again before using it.  That’s what I would do if I wanted to disable wifi on a Windows 7 installation… it’s more definitive than simply turning off the wifi.

          In either of these two cases, turning the wifi off in Windows would not change anything in Linux.

          On some laptops, there’s a third level of disabling wifi.  There may be an actual hardware switch (not necessarily a physical one that you can see; it could be internal) that turns off the card.  I don’t have any experience with this kind of setup, so I can’t say for sure how it typically works.  All of my laptops have been the more common variety, the soft-off kind, where pressing the wifi button (if there is one) does not physically switch off the wifi, but instead sends a signal to the OS that it should turn off the wireless function (like the first example in the paragraph above).

          I would expect even the hardware switched wifi laptops to return to a default state (perhaps defined in the UEFI/BIOS setup) at each boot, in which case Linux would not even be aware that anything had changed in Linux.

          I can envision some edge cases where things operate differently (in the PC world, there are endless different hardware configurations out there, and right when you say “it’s always like x,” you end up finding an example where it isn’t), but these would be comparatively rare, if they do in fact exist.

           

          Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
          XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
          Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

          1 user thanked author for this post.
    • #2087335

      Unless the camera uses a proprietary protocol for accessing the camera (which would be surprising), it should not be necessary to use the Canon software. Have you tried connecting it while Mint is loaded?

      Never occurred to me.  What a great idea- I’ll try it!

    • #2087556

      Unless the camera uses a proprietary protocol for accessing the camera (which would be surprising), it should not be necessary to use the Canon software. Have you tried connecting it while Mint is loaded?

      Pleasantly surprised to find that Mint not only saw the camera instantly, but the functionality of the app is greatly superior to the proprietary Canon software.

      Also- just went into Device Mgr> Network Adapters on both machines looking to isolate Windows from the web.  In both cases, found menus of 25 or more entries, went down the lists and disabled any that were enabled.  Each machine then displayed a red x over the network icon in the tray.  Perusing Control Panel in each case seems to indicate that the Win7 OS is now isolated, which was the goal.  No more pop-ups from MS or Macrium offering updates.  As far as I can tell, Mint OS’s are unaffected.

      Looks like I asked for help in the right place.  My thanks to all who offered suggestions!

    • #2103516

      It’s been a week or so since my visits to Win7 Device Mgr in both machines.  AFAIK, web access was halted.  Before that, MS was nagging me to install updates, and after disabling the connections, Update showed the “computer is up to date” message.

      Yesterday, on booting Win7, the familiar popup “new updates are available” appeared.  I assume this means I missed something and need to go back for another look.

    • #2107244

      Disabling both wired and wireless in device manager should not have been 25 settings, it should have been one for each.  See https://www.windowscentral.com/how-enable-or-disable-wi-fi-and-ethernet-network-adapters-windows-10#manage_network_adapter_devicemanager

      Check if you are now online.  From a command prompt ping any IP address that on another computer responds to pings.  Like ping 64.30.228.118 .  If any packets are received, that means you are online.

      1 user thanked author for this post.
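
The check suggested in the post above, extended into a read-only report (an added example, not part of the original posts): it lists the physical adapters Windows still has enabled, any default gateway still configured, and whether a ping probe gets an answer. The function name `Get-IsolationReport` is made up for this example; the probe address is the one quoted in the post, and the syntax is kept to PowerShell 2.0, which ships with Windows 7.

```powershell
# Added example: read-only isolation check for a Windows 7 install.
# Get-IsolationReport is a hypothetical name; nothing here changes any setting.
function Get-IsolationReport {
    param(
        # Probe address taken from the forum post; any host that answers pings will do.
        [string]$ProbeAddress = '64.30.228.118'
    )

    # Physical adapters that are NOT disabled in Device Manager.
    # ConfigManagerErrorCode 22 means "device is disabled".
    # PhysicalAdapter filters out most virtual/tunnel entries, so this is
    # normally at most one wired and one wireless device.
    $enabledNics = @(Get-WmiObject Win32_NetworkAdapter |
        Where-Object { $_.PhysicalAdapter -and $_.ConfigManagerErrorCode -ne 22 })

    # Adapters that currently have an IP configuration bound to them.
    $ipConfigs = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True')

    # A default gateway is what gives the machine a route off the LAN.
    $gateways = @($ipConfigs |
        ForEach-Object { $_.DefaultIPGateway } |
        Where-Object { $_ })

    $addresses = @($ipConfigs |
        ForEach-Object { $_.IPAddress } |
        Where-Object { $_ })

    # -Quiet returns $true/$false instead of throwing when nothing answers.
    $pingOk = [bool](Test-Connection -ComputerName $ProbeAddress -Count 2 -Quiet)

    if ($pingOk) {
        $verdict = 'ONLINE: the probe address answered'
    } elseif ($gateways.Count -gt 0) {
        $verdict = 'Gateway still configured, but the probe did not answer'
    } elseif ($enabledNics.Count -gt 0) {
        $verdict = 'Adapter enabled without a gateway: LAN-only at most'
    } else {
        $verdict = 'No enabled physical adapter: isolated'
    }

    New-Object PSObject -Property @{
        Verdict                 = $verdict
        EnabledPhysicalAdapters = ($enabledNics | ForEach-Object { $_.Name }) -join '; '
        IPAddresses             = $addresses -join '; '
        DefaultGateways         = $gateways -join '; '
        ProbeAddress            = $ProbeAddress
        ProbeAnswered           = $pingOk
    } | Select-Object Verdict, EnabledPhysicalAdapters, IPAddresses,
                      DefaultGateways, ProbeAddress, ProbeAnswered
}

Get-IsolationReport | Format-List
```

Paste it into a PowerShell window on the Win7 install rather than saving it as a .ps1 file, since the default execution policy on Windows 7 blocks script files.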
      • #2109995

        Thanks for the insight.  At the moment, we are down to just one computer.  When the other one gets out of surgery, I’ll try it.

        What I did in both Win7 systems was to go into Device Mgr and disable anything in the list that was enabled, as I couldn’t tell from the syntax what each entry was.  Of course, this also blocked the network printer from the Win7 OS’s, but we don’t really need that anyway.

    • #2137887

      Have you considered assigning a unique, static IP address to each Win7 system and then blocking those addresses from internet access (in, out or both) using the router?  You have to be certain to use static addresses outside of the range of addresses used by the DHCP server in the router.  Intra-LAN traffic should not be affected.

      If you find that the Win7 systems need access to an internet service, such as DNS, that can explicitly be permitted in the router.

      • #2138021

        That works well but requires router access and not all supplied routers allow you to change those settings. Plus it’s 2 changes rather than just the PC. Less is better, if possible.

        cheers, Paul

    • #2138120

      When you give the NICs a static ip address and leave the gateway and DNS blank you’ll be almost there. Just without gateway Windows considers the network public and you may want to turn Network Discovery and File and Printer Sharing on for this type.
