VOGONS


Security!


First post, by MattRocks

Rank: Member

Hi all,

In another thread I was surprised to see someone express interest in retro malware!

Before going further, I want to stress that all unpatched/retro machines should be network isolated. This is because a remote attacker can use known exploits to get a foothold, elevate local permissions on the unpatched box, and they are then a local attacker performing sideways attacks. In that way any unpatched machine adds vulnerabilities to your patched machines, including your WiFi router!

That said, there is a principle of security through obscurity - remote attackers prowling for unpatched Win10 boxes aren't expecting Windows NT 3.51.

So if you are interested in retro malware, are you interested in connecting your retro boxes to the Internet and seeing if they still get hacked? Might be useful to know if old threats are live, and if mitigations can be applied?

Don't play with fire. Please keep your banking PC and everything your banking PC connects to - out of danger.

Reply 1 of 20, by wierd_w

Rank: Oldbie

Using a dual homed network topology with vulnerable vintage machines having to traverse a gatekeeper gateway before reaching the internet router's primary gateway, and employing a good port blocking firewall at that secondary gateway, and even better still, enforcing statefulness from connections to require origination from the isolated segment to be reachable from outside, will effectively shut out most attacks that would even indicate that the system was even there to begin with.

(Bleh! Biggest sentence ever!)

There are ways to safely do this.

'Same segment as modern stuff!' .... is not it.
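Added example (not from the thread, and not anyone's posted code): a small Python model of the stateful gatekeeper gateway wierd_w describes, so the rules in that one long sentence can be read as code. It tracks flows, only admits packets into the isolated segment when they are replies to a connection the isolated segment opened, blocks all but a short list of outbound ports, and also refuses new flows from the isolated segment toward the primary LAN (the sideways attack the first post worries about). The network ranges, the allowed port list and the sample packets are all made up for the demo; a real firewall also ages flows out of its table.

```python
import ipaddress
from collections import namedtuple

# Added example, not code from the thread: a minimal model of the stateful
# "gatekeeper" gateway wierd_w describes, sitting between the isolated retro
# segment and everything else. Network ranges and the allowed outbound port
# list are hypothetical; a real firewall also ages flows out of its table.

Packet = namedtuple("Packet", "src sport dst dport")   # one TCP packet, addresses as strings


class GatekeeperGateway:
    def __init__(self, isolated_net, primary_net, allowed_out_ports):
        self.isolated = ipaddress.ip_network(isolated_net)   # where the retro boxes live
        self.primary = ipaddress.ip_network(primary_net)     # where the patched machines live
        self.allowed_out = set(allowed_out_ports)            # port blocking for new outbound flows
        self.flows = set()                                   # connection-tracking table

    def filter(self, pkt):
        """Return ('ACCEPT', reason) or ('DROP', reason) for one packet."""
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)

        # 1. Replies to a flow the isolated segment opened are always allowed:
        #    this is the "must originate from the isolated segment" rule.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ACCEPT", "reply to tracked flow"

        # 2. New flows from the isolated segment: never toward the primary LAN
        #    (the sideways attack the first post worries about), and only on
        #    the allowed outbound ports.
        if src in self.isolated:
            if dst in self.primary:
                return "DROP", "isolated -> primary LAN blocked"
            if pkt.dport not in self.allowed_out:
                return "DROP", f"outbound port {pkt.dport} blocked"
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT", "new outbound flow tracked"

        # 3. Anything else heading for the isolated segment is unsolicited, so
        #    from outside the retro boxes do not appear to exist at all.
        return "DROP", "unsolicited inbound"


def run_demo():
    """Constructed traffic: 10.99.0.5 is an NT4 box on the isolated segment,
    192.168.1.20 a patched desktop on the primary LAN, 198.51.100.9 an
    Internet host (TEST-NET-2). Returns the verdict for each packet in order."""
    gw = GatekeeperGateway("10.99.0.0/24", "192.168.1.0/24", {80, 443})
    packets = [
        Packet("10.99.0.5", 1025, "198.51.100.9", 80),    # NT4 box browses out
        Packet("198.51.100.9", 80, "10.99.0.5", 1025),    # the web server replies
        Packet("198.51.100.9", 4444, "10.99.0.5", 139),   # unsolicited NetBIOS probe from outside
        Packet("10.99.0.5", 1026, "192.168.1.20", 445),   # NT4 box tries SMB to the patched desktop
        Packet("10.99.0.5", 1027, "198.51.100.9", 445),   # NT4 box tries SMB out to the Internet
    ]
    return [gw.filter(p) for p in packets]


if __name__ == "__main__":
    for verdict, reason in run_demo():
        print(f"{verdict:6} {reason}")
```

Note that rule 3 also drops traffic from the primary LAN into the isolated segment unless a retro box asked for it first, which is exactly the "must originate from the isolated segment" property: from either side, the vintage machines never answer a knock they did not initiate.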

Reply 2 of 20, by badmojo

Rank: l33t
MattRocks wrote on 2025-12-09, 20:42:

Don't play with fire. Please keep your banking PC and everything your banking PC connects to - out of danger.

Thanks dad

Life? Don't talk to me about life.

Reply 4 of 20, by chinny22

Rank: l33t++

I've the following OSes on my home network: WFW3.11, Win95/98, NT3.51, NT4, 2k, XP, 7.
No AV software, no updates, just the ISP-supplied router's default rules protecting me, which also acts as the DHCP server.

Only once in the last 10 years have I gotten a virus, and that was because I was actively trying to download software using my Win7 computer. So 100% I was asking for trouble.
None of the others have had any problems, but they are retro gaming PCs. I'm not surfing the web with them and they are only turned on for a few hours a day at the most.

If you're trying to use it as a daily driver I'd be a bit more careful with Win2k and up, as they still share a lot of code with modern OSes.
That said, here is a video of someone exposing an old Exchange server to the web; spoiler: nothing happens. He gives good opinions on why towards the end of the video.
https://youtu.be/lrkqgTfxJcM?si=CnGd_lYRLGoiW9-d

Reply 5 of 20, by StriderTR

Rank: Oldbie

My idea of "network isolated" is... not connected to any network. I have no desire to take any of my old machines online, or even connect to my LAN. I happily transfer files manually (USB or SD).

Of course, I also have no interest in playing with old malware. So, it's a moot point. 😜

Though, on my modern hardware, all of my "sensitive" info is fully isolated, as in air-gapped. Physical backups in more than one trusted location. Best form of security, when it really matters, will always be physical security for me. The only chance anyone ever has to get access to it would be to physically come steal it. 🤣

DOS, Win9x, General "Retro" Enthusiast. Professional Tinkerer. Technology Hobbyist. Expert at Nothing! Build, Create, Repair, Repeat!
This Old Man's Builds, Projects, and Other Retro Goodness: https://theclassicgeek.blogspot.com/

Reply 6 of 20, by MattRocks

Rank: Member
chinny22 wrote on 2025-12-10, 01:24:

… just the ISP-supplied router's default rules protecting me, which also acts as the DHCP server.

Thanks for the video - I’ll watch it later.

On the point above, routers have vulnerabilities (just like other computers) and those vulnerabilities need patching (just like other computers). You are outsourcing your security to your ISP.

Not saying that is bad. There are pros and cons to every choice 😀

Reply 7 of 20, by MattRocks

Rank: Member
StriderTR wrote on 2025-12-10, 08:29:

My idea of "network isolated" is... not connected to any network. I have no desire to take any of my old machines online, or even connect to my LAN. I happily transfer files manually (USB or SD).

Of course, I also have no interest in playing with old malware. So, it's a moot point. 😜

Though, on my modern hardware, all of my "sensitive" info is fully isolated, as in air-gapped. Physical backups in more than one trusted location. Best form of security, when it really matters, will always be physical security for me. The only chance anyone ever has to get access to it would be to physically come steal it. 🤣

There are different types of network isolated: VLANs, air-gapped, and others.

I have a plan to put old OS online with isolation, possibly via a patched proxy on a null modem or serial - I haven’t done it yet. Just thinking.

Reply 8 of 20, by bakemono

Rank: Oldbie

I've had a Win2000 system connected directly to my ISP (several different ISPs over the years, including cable, 3G, 4G, and now 500mbit fiber) for 22 years. Zero problems. I only reinstalled the OS once, in 2009, because the original 4GB HDD died.

GBAJAM 2024 submission on itch: https://90soft90.itch.io/wreckage

Reply 9 of 20, by wierd_w

Rank: Oldbie

There are semi-reasonable reasons to have 'net facing' capabilities, at least on a short term basis.

Like using 'windows update restored'.

Reply 10 of 20, by MattRocks

Rank: Member
chinny22 wrote on 2025-12-10, 01:24:

That said, here is a video of someone exposing an old Exchange server to the web; spoiler: nothing happens. He gives good opinions on why towards the end of the video.
https://youtu.be/lrkqgTfxJcM?si=CnGd_lYRLGoiW9-d

That was interesting mostly because he only monitored Port 25.

Say an attacker sweeps the net and gets a response from his Port 25 - what do they do next?

Stick to Port 25? No. They should scan the other ports, and all the sensitive things he wasn't monitoring:

80 / 443 (OWA, IIS)
135 / 139 / 445 (RPC / SMB)
389 / 3268 (LDAP / GC)
110 / 143 (POP / IMAP)
High RPC ports

Why? They want to fingerprint the OS and software stack to identify vulnerabilities - because, unlike the "reviewer," the attacker won't want to stay blind!

And, would the attacker make a noise by hammering Port 25? No. Their probing would be quiet.

The observation is exactly what should be expected. The conclusion? Hmm..
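Added example (not from the thread, and not anyone's posted code): the detection side of this point in Python. If you only count hits on port 25 you see the noisy mailers and nothing else; what you actually want to catch is one source quietly touching several of the sensitive ports listed above, even if it spreads those touches over a whole day. The log line format, the addresses (TEST-NET ranges) and the timestamps are all constructed for the demo and are not from any real router or from the video.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example, not from the thread: detection logic over constructed gateway
# log lines. A watcher that counts only port-25 hits sees a noisy mailer and
# nothing else; this one flags any single source that quietly touches several
# of the sensitive ports listed above, however slowly. The line format and the
# addresses (TEST-NET ranges) are constructed, not taken from any real device.

SENSITIVE_PORTS = {80, 443, 135, 139, 445, 389, 3268, 110, 143}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")


def parse(line):
    """Return (timestamp, source address, destination port) or None for junk lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], int(m["dpt"])


def find_quiet_probers(lines, min_ports=3):
    """Map source -> {'ports', 'hits', 'span_hours'} for every source that has
    touched at least `min_ports` distinct sensitive ports, over any time span."""
    by_src = defaultdict(lambda: {"ports": set(), "first": None, "last": None, "hits": 0})
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, src, dpt = parsed
        rec = by_src[src]
        rec["hits"] += 1
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
        if dpt in SENSITIVE_PORTS:
            rec["ports"].add(dpt)
    flagged = {}
    for src, rec in by_src.items():
        if len(rec["ports"]) >= min_ports:
            span = (rec["last"] - rec["first"]).total_seconds() / 3600
            flagged[src] = {"ports": sorted(rec["ports"]), "hits": rec["hits"],
                            "span_hours": round(span, 1)}
    return flagged


# Constructed sample: 30 noisy port-25 hits from one source in half a minute,
# four sensitive-port touches from another spread over nearly a day, and a
# single stray 443 hit from a third.
NOISY_MAILER = [
    f"2025-12-10T01:00:{i:02d} ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 "
    f"PROTO=TCP SPT={51000 + i} DPT=25" for i in range(30)]
QUIET_PROBER = [
    "2025-12-10T03:12:40 DROP IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=40211 DPT=445",
    "2025-12-10T09:47:02 DROP IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=40388 DPT=139",
    "2025-12-10T18:05:31 DROP IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=40570 DPT=389",
    "2025-12-11T02:30:00 DROP IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=40802 DPT=443",
]
STRAY = ["2025-12-10T12:00:00 DROP IN=eth0 SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP SPT=33333 DPT=443"]
SAMPLE_LOG = NOISY_MAILER + QUIET_PROBER + STRAY

if __name__ == "__main__":
    for src, info in find_quiet_probers(SAMPLE_LOG).items():
        print(f"{src}: ports {info['ports']} in {info['hits']} hits over {info['span_hours']} h")
```

The noisy mailer never shows up in the result, however many times it hammers port 25, because 25 is not in the sensitive set; the source that touches 445, 139, 389 and 443 over 23 hours with four packets in total is the one that gets reported. The high RPC port range from the list above is left out here because it would need a per-box definition of which dynamic ports are in use.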

Reply 11 of 20, by mtest001

Rank: Member
MattRocks wrote on 2025-12-09, 20:42:

Don't play with fire. Please keep your banking PC and everything your banking PC connects to - out of danger.

I used to do my online banking from a dedicated web browser running in a separate VM on my laptop.

/me love my P200MMX@225 Mhz + Voodoo Banshee + SB32 PnP + Sound Canvas SC-55ST = unlimited joy !

Reply 12 of 20, by MattRocks

Rank: Member
mtest001 wrote on 2025-12-17, 14:44:
MattRocks wrote on 2025-12-09, 20:42:

Don't play with fire. Please keep your banking PC and everything your banking PC connects to - out of danger.

I used to do my online banking from a dedicated web browser running in a separate VM on my laptop.

That provides some isolation, and that is conceptually interesting.

Some huge Windows evolutionary differences:

  • The chasm between Win9x and NT is that Win9x doesn't have that internal isolation. NT's security design isolates userland and kernel execution.
  • The chasm between NT5 and NT4 is that only an NT5+ kernel can execute HTTPS/TLS1.2 - NT4 kernel can't by obsolescence (and NT4 userland can't by design).

For this reason, NT3/4 are effectively deactivated by the modern Internet. That means any malware written for NT5+ hits NT4 and dies there - that is actually useful. It makes me wonder, could an old PC incapable of running NT5+ do something uniquely useful?

[LAN TCP/IP] <-> [NT4] <-> [HTTP] <-> [patched cloud gateway] <-> [HTTPS/TLS1.3] << Attack

Wargaming:

  • Attack one: Bespoke targeted hacking to humiliate you: First point of contact is the patched cloud gateway and that resists - the threat should end there.
  • Attack two: Really bad zero-day exploit globally humiliates Win11 and FreeBSD and Linux: First point of contact is the patched cloud gateway and that is toast, so the threat continues and lands on the NT4 box that doesn't support any modern ciphers - the automated attack can't continue and can't phone home; it just dies.

If we assume the rest of the LAN is hardened with zero trust principles, monitoring, and kill switch - then unpatched NT4 could be more secure than unpatched NT5? Perhaps, in narrow use cases, even more secure than patched Win11?

The reason Attack two is a bit crazy is that when it happens (and it will) then NT4 would be fine in its isolation, but it wouldn't be able to trust any other data source. That makes it a lot like me - obsolete, isolated, and untrusting 😁

Reply 13 of 20, by bakemono

Rank: Oldbie

TLS can be implemented at the application level. OpenSSL was ported to Win95. The same build most likely works in NT4 although I have not tried it. Of course plenty of malware predated TLS as well so I don't see a real connection between these two things.

GBAJAM 2024 submission on itch: https://90soft90.itch.io/wreckage

Reply 14 of 20, by MattRocks

Rank: Member
bakemono wrote on 2025-12-18, 14:11:

TLS can be implemented at the application level. OpenSSL was ported to Win95. The same build most likely works in NT4 although I have not tried it. Of course plenty of malware predated TLS as well so I don't see a real connection between these two things.

I'll try to explain in another way.

You have more browser choices on Win95 than you have on NT4 because Win95 abdicates all responsibility for what apps do. In contrast, NT enforces user/kernel segregation that basically means NT says "FO" to userland cryptography.

That "FO" forced web browser developers to rely on the crypto that is enabled by the NT kernel, which in the case of NT4 isn't very much - and that is why no TLS1.2 browsers were released for NT4.

On NT4, malware developers hit the same brick wall that web browser developers hit. There is malware for NT4, but it's primitive and can't do the kinds of things that later malware does. Installing current day malware on NT4 is like dropping live fish in the desert.

If you can find a decent browser for NT4 I'll print off this thread and eat my words.

Reply 15 of 20, by mtest001

Rank: Member

Ok but the legitimate traffic will also not survive passing through the NT4 box, no?

/me love my P200MMX@225 Mhz + Voodoo Banshee + SB32 PnP + Sound Canvas SC-55ST = unlimited joy !

Reply 16 of 20, by MattRocks

Rank: Member
mtest001 wrote on 2025-12-18, 20:36:

Ok but the legitimate traffic will also not survive passing through the NT4 box, no?

Good challenge, but NT4 can do blind TCP forwarding without decrypting/encrypting anything.

In that case NT4 cannot read the content, but it can measure the quantity and direction. It becomes an autonomous inline security centre capable of cutting suspicious feeds. That's genuinely interesting from a cyber security perspective.
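Added example (not from the thread, and not anyone's posted code): what that "blind forwarder that only measures quantity and direction" looks like as a Python program. It relays TCP bytes between a client and a remote without ever looking inside them, keeps a per-connection count of bytes in each direction, and cuts the connection when a LAN host pushes out more than a cap or when the out:in ratio looks like nothing but exfiltration. The thresholds are made-up illustration values, and the echo server is a stand-in for the remote service so the whole thing runs on loopback; nothing here depends on NT4 or on any particular OS.

```python
import socket
import threading

# Added example, not code from the thread: a blind TCP forwarder of the kind
# MattRocks describes. It never decrypts anything; it only meters bytes per
# direction and cuts a connection when the shape of the flow looks wrong.
# All thresholds are hypothetical illustration values.

class FlowMeter:
    """Per-connection byte accounting; the relay sees only quantity and direction."""
    def __init__(self, max_out=10 * 1024 * 1024, max_ratio=20.0, min_bytes=64 * 1024):
        self.max_out = max_out       # cap on bytes a LAN host may push out per connection
        self.max_ratio = max_ratio   # out:in ratio beyond which the flow looks like exfiltration
        self.min_bytes = min_bytes   # do not judge the ratio until the flow is this big
        self.out_bytes = 0           # LAN client -> remote
        self.in_bytes = 0            # remote -> LAN client

    def record(self, direction, n):
        if direction == "out":
            self.out_bytes += n
        else:
            self.in_bytes += n

    def verdict(self):
        """Return a reason string if the connection should be cut, else None."""
        if self.out_bytes > self.max_out:
            return "outbound volume cap exceeded"
        if (self.out_bytes + self.in_bytes >= self.min_bytes
                and self.out_bytes > self.max_ratio * max(self.in_bytes, 1)):
            return "outbound/inbound ratio suggests exfiltration"
        return None


def pump(src, dst, meter, direction, lock):
    """Copy bytes src -> dst, metering each chunk; tear down both ends on a cut."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            with lock:
                meter.record(direction, len(chunk))
                reason = meter.verdict()
            if reason:
                print(f"cutting connection: {reason}")
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)   # wakes the partner thread blocked in recv()
            except OSError:
                pass
            s.close()


def start_forwarder(target, listen=("127.0.0.1", 0), meters=None, **meter_kwargs):
    """Relay every connection accepted on `listen` to `target`; returns the bound port.
    Each connection's FlowMeter is appended to `meters` (if given) for inspection."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen)
    srv.listen()

    def accept_loop():
        while True:
            client, _ = srv.accept()
            remote = socket.create_connection(target)
            meter, lock = FlowMeter(**meter_kwargs), threading.Lock()
            if meters is not None:
                meters.append(meter)
            for s, d, way in ((client, remote, "out"), (remote, client, "in")):
                threading.Thread(target=pump, args=(s, d, meter, way, lock), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def start_echo_server():
    """Constructed stand-in for the remote service: echoes whatever it receives."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def echo(conn):
        with conn:
            try:
                chunk = conn.recv(4096)
                while chunk:
                    conn.sendall(chunk)
                    chunk = conn.recv(4096)
            except OSError:
                pass

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=echo, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def demo_roundtrip(payload, **meter_kwargs):
    """LAN client -> forwarder -> echo 'remote' and back; returns (echoed bytes, meter)."""
    meters = []
    fwd_port = start_forwarder(("127.0.0.1", start_echo_server()), meters=meters, **meter_kwargs)
    data = b""
    with socket.create_connection(("127.0.0.1", fwd_port), timeout=5) as c:
        try:
            c.sendall(payload)
            while len(data) < len(payload):
                chunk = c.recv(4096)
                if not chunk:
                    break
                data += chunk
        except OSError:   # the forwarder cut us off mid-stream
            pass
    return data, meters[0]
```

Run it with `demo_roundtrip(b"hello")` and the bytes come back through the relay with 5 counted in each direction; run it with a few kilobytes and `max_out=100` and the forwarder drops the connection before the echo can complete. The point of the design is that the relay's decision inputs are only byte counts and direction, so a box that cannot speak any modern cipher can still sit inline and pull the plug on a feed whose shape is wrong.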

Reply 17 of 20, by mtest001

Rank: Member

"security through obsolescence" for sure is a new concept 😀

/me love my P200MMX@225 Mhz + Voodoo Banshee + SB32 PnP + Sound Canvas SC-55ST = unlimited joy !

Reply 18 of 20, by MattRocks

Rank: Member
mtest001 wrote on 2025-12-18, 21:36:

"security through obsolescence" for sure is a new concept 😀

Do Cray mainframes get hit by ransomware? 😉

Reply 19 of 20, by loblolly986

Rank: Newbie

I have no idea where on earth this belief originated that NT somehow requires browsers/applications to use the OS's cryptography support and not their own, but see below:

https://github.com/rn10950/RetroZilla/releases

http://o.rthost.win/gpc/files1.rt/K-Meleon1.5 … 4en-US.tls13.7z (among others from https://rtfreesoft.blogspot.com/2024/06/weekl … s-20240601.html, see bottom of post)

The main problem with web browsing on NT 4.0, 9x, etc., is that the mainstream browsers dropped support quite a number of years ago, and most websites have [d]evolved to rely heavily on new HTML5/CSS/JavaScript features that those old rendering engines don't support. Even with the backported support for modern HTTPS encryption in these forks of old versions, you still are quite limited in what you can do on the modern web. I don't see why a cross-platform modern browser like Firefox or Chromium couldn't theoretically be ported to NT 4.0, but it would be a herculean task because of the extent the existing Windows-specific code relies on APIs available in newer versions, not to mention the build system's reliance on legacy-unfriendly compilers like modern M$VC or mingw-w64, and there just aren't enough people who have both sufficient programming skills/knowledge and interest in doing such things. Those who do tend to target the more popular likes of XP, Vista, 7, or 2000 in their backporting efforts.