We have a Windows server (we'll call it ServerA) that has a critical vulnerability. For the next few months, we cannot patch this system. I was thinking about this. The only two systems that need to access this system are ServerB and the vulnerability scanner.
I was thinking about using Windows Firewall to allow traffic from ServerB to ServerA over the specific TCP port it needs. This seems easy enough. My confusion is, how do I allow this for the vulnerability scanner? I think I would need to allow all ports, but then I'm allowing the scanner full access to the system. Not sure that makes sense.
The other thing I thought of was creating an ACL on the L3 switch that only allows traffic with those source addresses to ServerA, but network management doesn't seem to want to be bothered with that.
How would you all isolate this?
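As an added example (not part of the original post), here is a PowerShell sequence for Windows Defender Firewall on ServerA that implements the host-based option described above: default-deny inbound, one TCP port from ServerB, and all ports from the scanner but only from the scanner's address. The addresses, the application port, the management host and the rule group name are placeholders and assumptions; substitute the real values.

```powershell
# Added example, not code from the original post. Run in an elevated PowerShell on ServerA.
# All addresses and the port below are assumed placeholders for the poster's real values.

$ServerB   = '10.0.0.20'   # assumed address of ServerB
$Scanner   = '10.0.0.50'   # assumed address of the vulnerability scanner
$AppPort   = 8443          # assumed TCP port that ServerB needs on ServerA
$AdminHost = '10.0.0.10'   # assumed management host, so RDP/WinRM stays reachable and you are not locked out
$RuleGroup = 'ServerA isolation'

# 1. Make "block" the default for inbound traffic on every profile, and log what gets dropped
#    so you can see who is still trying to reach the host.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767

# 2. Disable the existing inbound allow rules. Built-in rules such as File and Printer Sharing
#    would otherwise punch through the default block for any source address. Core Networking
#    (ICMP, DHCP if used, IPv6 plumbing) is left alone so basic connectivity keeps working.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayGroup -ne 'Core Networking' } |
    Disable-NetFirewallRule

# 3. ServerB gets exactly one TCP port and nothing else.
New-NetFirewallRule -DisplayName 'Allow ServerB to app port' -Group $RuleGroup `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $AppPort `
    -RemoteAddress $ServerB -Profile Any

# 4. The scanner gets all ports and protocols, but the rule is scoped to its address.
#    "All ports" widens what the scanner can see, not what anyone else can.
New-NetFirewallRule -DisplayName 'Allow vulnerability scanner' -Group $RuleGroup `
    -Direction Inbound -Action Allow -Protocol Any `
    -RemoteAddress $Scanner -Profile Any

# 5. Keep remote administration reachable from one management host only (RDP 3389, WinRM 5985/5986).
New-NetFirewallRule -DisplayName 'Allow admin host management' -Group $RuleGroup `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389,5985,5986 `
    -RemoteAddress $AdminHost -Profile Any

# 6. Verify: list every enabled inbound allow rule with its remote-address and port scope.
#    Anything here that is not scoped to a specific RemoteAddress is a hole in the isolation.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Group         = $_.DisplayGroup
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
            LocalPort     = ($_ | Get-NetFirewallPortFilter).LocalPort -join ','
        }
    } | Format-Table -AutoSize
```

After applying this, confirm from a third host that the application port and RDP are unreachable, and watch `pfirewall.log` for drops from anything other than ServerB, the scanner and the management host. Because the scanner rule is keyed on source address, it only has the reach the post worries about if that one address is spoofed or the scanner host itself is compromised; the L3 switch ACL mentioned in the post would add a second, independent layer against exactly that case, so it is worth keeping on the table even if the firewall rules go in first.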