How much would it cost to rewrite the client tools as an intermediate solution and in the long term to replace the something that can withstand the load?
That's a valid point, but the scale makes it far from trivial. We are talking about the energy sector here, it's high-stakes and high-load. The current backend isn't just a simple SQL instance; a standard MySQL/Postgres setup would likely choke under the sheer volume of real-time sensor data coming in every few seconds.
Rewriting the client isn't just a matter of "money", it's about finding specialized engineers who understand these specific industrial protocols and high-throughput architectures. In our field, "intermediate solutions" can take years to certify and deploy. That’s why we’re forced to maintain this legacy IE/ActiveX stack in a secure way while we evaluate long-term infrastructure overhauls.
If it isn't about money, you can find people who can do the work because they have direct relevant experience with similar projects.
And that's what your company needs. Because your questions suggest that your team has a very very long way to go relative to understanding the technology to a bet-the-business level.
You are absolutely right. From a strategic and business standpoint, hiring a specialized engineering firm to overhaul this is the only correct long-term move. I entirely agree.
However, I'm the systems administrator tasked with keeping the lights on and securing the endpoints today. I don't control the hiring budget, the strategic roadmap, or the checkbook. My immediate goal is practical risk mitigation: stripping local admin rights from standard users to secure our network, while keeping this legacy ship afloat until management approves that multi-year overhaul. Hence my current trench warfare with Procmon and shims.
You could try wine, failing that it might be possible to run the software in reactos. Would be cool to have reactos actually running in the energy sector. Especially if there's a big reactor going on.
Like others said ITT, a VM to remote in would be the best bet. Local admin can escalate to domain admin. One process as local admin is practically the same as plain local admin. And not just because MSIE is vulnerable.
A networked KVM solution could also work. There's various vendors for that and basically you just shelve a few spare boxes and have them run just the one thing you need. Make sure to have a firewall between the boxes and the rest of the network to isolate only required subnets from everything else.
Rewriting the client isn't just a matter of "money", it's about finding specialized engineers who understand these specific industrial protocols and high-throughput architectures. In our field, "intermediate solutions" can take years to certify and deploy. That’s why we’re forced to maintain this legacy IE/ActiveX stack in a secure way while we evaluate long-term infrastructure overhauls.