Mate of mine has an expensive PC set up it mostly runs stuff for running some kind of vinyl cutter. He wants to make sure it never gets any malware on it so does not connect it to the internet.

He also has a Mac. He uses this for all internet activity.

He want's to know if he networks the PC and Mac would there be any way for the PC to get infected?

He would like to pass some files (mostly images and maybe trusted files) from one computer to the other.

So two questions really.

1) If he networks the two machines how at risk will his PC be?

2) Any advice on making sure his PC never gets infected. He says he has used AV in the past but to no avail. Thus the drastic "no internet on this machine" policy.

To be safest his Mac would need to have two network ports so the PC wouldn't be connected to the router, but ultimately if it's attached to anything I could get infected...

But ridiculously unlikely.

To be safest he shouldn't network it - especially if it's a mission-critical machine. As soon as it's networked it isn't safe by definition. The real question is "Is my desire to network the machine more important than the need for the machine to work?"

Personally I'd get another cheaper PC to quarantine the files on before they ever went near the production machine. Put them on the quarantine machine and leave them for 24 hours. Once nothing bad happens, transfer them by freshly DOD-formatted memory stick to the critical machine.

Failing that, he could dual-boot his machine such that he has two copies of the set-up; in case one gets infected he can still run on the other. One set-up would have the network connected; the failsafe wouldn't use the network nor any of the same files.

However, if the machine really is that important, it shouldn't ever be networked nor come into contact with foreign devices (e.g. CDs, floppies, memory sticks, MP3 players, etc.). This was how I ran Audio-Visual computers for a conference centre - we went from around 20 infections per month to 3 per year.

I can't imagine it's any more mission critical than any of the modern print production systems that are connected to the Internet. As long as he doesn't use it to browse the net, he'll be fine.

I guess that there are layers of security.

Obviously if you never connect it to the net in any way, nor introduce new files and data then the machine is 100% safe.

If you run a PC with no security and browse the net with not thought for security then your are pretty certain to pick up a nasty at some point..


In between we have a spectrum.


What I THINK he wants to do is

Run the PC purely for his business to cut his product.

Run the Mac for Admin, and for a home computer.

He would like files to be sent to the Mac (via Email etc) then pass them to the PC via either WiFi or cables. At the moment he would do the same via "sneaker net"

If his kids use the Mac but have no permissions to access the PC is his PC safe? (from what his kids might do)

Also would some kind of AV on the Mac be of any value do you think? (I don't think he wants to use AV on the PC because of the constant need to upgrade it which would require direct internet connection.)

I don't have much to add to the facts rustybucket presented, but I'll tell you what I would do if it was me.

On the PC, put it on the network with a static IP address, no default gateway, no File and Print Sharing enabled - just the minimum TCP settings of address and mask.

Then, install a nice FTP server (such as FileZilla) on it with a single user allowed to upload to a single folder. This is easily accessed by any computer (PC, Mac, Linux or most others) on the network, and the security is easy to control. Simply never tick the "remember password" box on any of the computers so the kids or whoever can never get in by mistake.

Enable Windows Firewall to ensure everything is blocked except for the FTP server. This shouldn't be nescessary, but it's an extra level of reassurance.

Windows File Explorer (My Computer on XP) has simple drag-and-drop support for FTP. From the Mac, I'm sure it's easy enough too.

I think that's a good compromise. The PC is on the network, but not on the Internet and only accessible through one specific method with one specific user name and password.

I'm sure you've already talked to him about the importance of backups? If you don't have your data on three different media, you've already lost it. Nothing is sure in life except death and tax. Hard disks are no exception; they will always die.

^

That seems like a fantastic and full answer JJ. I am printing it out and sending it to him.

Thanks

CC

Don't forget, you will need to install AV software on either the PC or the Mac, if the files are coming in from outside!

Just because the Mac won't be infected by a Windows virus, doesn't mean that it can't act as Typhoid Mary, passing on the infected files from outside onto the Windows PC. I'd install Microsoft Security Essentials, it is relatively light and free, then check the incoming files, before opening them.

Since installing MS Essentials, I've never had a virus problem. In fairness I've only ever had one virus on any of my PCs and that was over 10 years ago.

Personally, I would install an AV application on the mac and use a USB drive to transfer the data to the PC, but I am wondering how important it is to connect the PC to the internet occasionally, to download Windows updates, etc?