The end of life (EOL) clock for Microsoft Windows 2008 and 2008 R2 Server and Windows 7 (all versions) has wound down, marking a significant milestone for the support of operating systems. However, now a new clock is ticking, counting the time until a dangerous, new exploitable vulnerabilities arise that will not be patched by MSFT. Barring any custom-extended support contracts signed on a case-by-case basis with Microsoft, none of these EOL operating systems will receive further security updates, features, or technical support after January 14, 2020.
Unfortunately, there are plenty of commercial and home applications that will not work on newer Windows server and workstation editions. This is not only true for the software, but also for hardware compatibility (typically in the form of drivers) that are not even installable on newer assets. In these instances where an upgrade path is not available, the only recourse for organizations is to plan for a complete replacement and, in the interim, implement a protection and mitigation strategy to support their current investment. However, the act of even supporting security solutions on EOL operating systems presents multiple problems from a regulatory compliance perspective.
Assessing Your End-of-Life Windows System Risk
Windows end-of-life is a considerable problem for any enterprise that still supports EOL operating systems and does not have a migration plan that can be implemented in early 2020. This is especially true for environments that have these resources forward-facing on the Internet or on laptops. The next major vulnerability discovered that is potentially remotely exploitable will leave these devices susceptible to a wormable exploit with no remediation strategy. If history has shown us anything regarding EOL operating systems used in production, WannaCry and NotPetya types of attacks will occur when the next critical exploitable vulnerability is discovered for these EOL platforms, and organizations will have very few mitigation strategies to work with.
In a nutshell, here are the major security risks for the end-of-life Windows systems:
- Lack of security updates for newly discovered vulnerabilities
- Lack of vendor support for security solutions that operate on EOL platforms
- Incompatibility with the latest security hardening guidelines due to lack of features / settings in older platforms
- Regulatory compliance violations
- Inability to support the latest security standards for authentication, certificates, etc. as these systems continue to age
How to Mitigate Risks for End-of-Life Systems
If an organization is unable to upgrade from Windows 7 and/or Windows Server 2008 / R2, or their upgrade path is delayed, they should follow these guidelines:
- Apply segmentation to separate all EOL devices from the rest of the network
- Enforce access control lists (ACLs) based on assets and ports to only trusted devices
- Remove administrative rights where possible and enforce strict privileged access management (PAM) to monitor all direct administrator or other authorized user activity
- Identity security vendors for AV, endpoint protection, log monitoring, etc. that can support an EOL platform for the duration your organization plans to support the resource
- If possible, limit all communications to the Internet and monitor for all out-of-band communications
- If the resource is mission-critical, consider licensing support with Microsoft. This is generally very expensive and may help justify the replacement cost of the legacy resource
Additionally, data center managers should consider the following EOL risks and mitigations:
- Discover all end-of-life platforms that are active physical and virtual machines and, most importantly, any dormant virtual machines, snapshots, templates, or powered off VMs that may be powered on or reverted that could introduce an unacceptable risk. An additional concern is to determine if any of the EOL platforms are used for QA. Ensure they are identified and there is a plan for decommissioning.
- Determine whether the data center can support network segmentation for EOL platforms used for legacy applications.
- Ensure Standard Operating Procedures (SOP) documentation is up-to-date to decommission EOL platforms and provisioning of new systems
Finally, aside from concentrating solely on trying to mitigate the risks from remaining on a legacy system, consider what is to be gained by migrating to the more modern Windows 10 , and Windows Server 2019 platforms and the opportunities this provides for your organization going forward.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four books: Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.