Looking for Endpoint Protection solution for legacy Windows Server 2008 R2

At work we have Win2008 R2 boxes that CANNOT BE UPGRADED to a higher version due to legacy software that customers still use and is a stupidly high security risk.

We’re doing the usual steps such as isolating the machines from the network as much as possible, but we also want to lock down the machines further with a centralized solution working in a similar way to AppLocker on Windows. We yanked them out of the domain as well, which is why an external solution is needed.

We trialed ThreatLocker for this specific use case, but it’s been an absolute disaster and we’re desperate for an alternative that works without blowing up the OS.

Anyone here got any recommendations? Looked around and didn’t find anything decent or any information on whether they work on 2008 R2 (BeyondTrust for example).

If your hardware can handle it, consider putting these 2 instances in a VM each on a Linux platform, like Proxmox or TrueNAS Scale. Restrict access to known IP addresses for each of these VMs (so your customers can access them, but other access is denied). If you haven’t already, investigate SELinux (security enhanced Linux, policy-based rule sets for access to resources on Linux machines, championed by Red Hat and others). I think Active Directory is the M$ sort-of-equivalent, but as a non-M$ user I can’t be sure 😛

To really solve the problem, inform the customers they need to change their workflow as you’ll be phasing out Win2008 R2 support in the not too distant future. Cite security risks and lack of official support by M$ as the main causes, work with them to find alternative solutions tailored to their circumstances, but remain firm on ending support on that set date. It’s not worth risking your company for liabilities when customers stick to ancient work-practices in their ICT 🙄

2 Likes

It’s already virtualised and we got everything nailed down around the virtualisation side.

Issue is just hardening the inside of the OS.

Unfortunately we gave the customer an almost two-year retirement notice a year ago, so we still gotta support it for the next year before finally killing off those boxes.

1 Like