Windows XP end of support – Mitigating the security concerns

Only a few more days now, and Windows XP will officially be end of life.  April 8, 2014 will be the last day that Windows XP or Office 2003 receive any bug fixes of any sort.  Of greatest concern, this means they will both stop receiving fixes for security vulnerabilities.  If a vulnerability is found any time after April 8, then attackers will enjoy its use for the foreseeable future.

“But I have to keep Windows XP”

I’ve heard all sorts of reasons why people will be running Windows XP past April 8, but if I get rid of the foolish reasons, it boils down to the following list:

  • Windows 7 migration won’t be finished in time
  • Legacy software isn’t compatible with Windows 7 and due to cost/timing can’t be upgraded yet
  • Legacy software works on Windows 7 but isn’t supported
  • SCADA or other control systems
  • Cost of migrating off XP is currently unaffordable

Dispelling a few of these reasons

This article is supposed to be about mitigating XP security issues while you have it, so I won’t spend a lot of time harping on about this, but if you are keeping XP for support reasons, I hate to be the one to point out that the platform the legacy application is sitting on isn’t supported, so I don’t understand the support argument.  If it’s a control system or its business critical and it can’t be made to work on Windows 7 or newer, then I understand you may need a bit more time to finance and solution a transition plan.

If you are purely trying to keep XP going as long as possible to save money, then let me be the first to promise you that keeping XP alive once life support is pulled on April 8 it is going to cost a whole tonne more money than migrating, even if it does mean a large purchase of hardware and software licenses.

Mitigation techniques – From best to worst

1. CLEAR WINNER: Terminal Services 2003 / Citrix XenApp

  • This is by far the most elegant solution. If an application runs on Windows XP, then it will also run on Server 2003. Since Server 2003 has support until April 2015, this gives you one more year to finish your migration or plan your application upgrade.  This is also a good solution to keep in place. As you move forward to Server 2012 terminal services you’ll have a very robust solution to support remote workers, BYOD and much more.

2. Air gap (Unplug either the PC or the network it is on)

  • If you truly unplug the PC, that will certainly stop network borne attacks, but don’t forget things like CD and USB drives or other removable media. These are still an attack vector.

3. Network isolation

  • If you can’t literally and completely disconnect the XP network from the rest of the organization/Internet then you can attempt to restrict all traffic flow with the exception of some very limited traffic that you know is required. In other words, default to DENY ALL and only allow some specifics. There is certainly a fair bit of opportunity here for attack, but with good isolation, you should be able to prevent most attacks and contain any that do happen.

4. Quasi-Isolation

  • There isn’t a good technical term for this, but I’ve heard all sorts of plans for blocking web traffic or SMB traffic, etc.  I’m calling this category “quasi-isolation” because there’s so many available attack vectors and it’s only a half-hearted attempt to block users from actively soliciting malware (which users have a tendency to do). If you are going to attempt a combination of workstation configuration, router ACL’s and firewall rules – I’m calling it the quasi-isolation strategy. I wish you much luck, and remind you of non-web traffic, email attachments and removable media.

5. Depend on End-Point Protection (HIPS/AV)

  • Because antivirus products never fail and no machine with end point protection ever gets infected, this is a great strategy.  Sorry, that was a lot of sarcasm if you couldn’t tell.  At the very best of times, AV will catch 90 per cent.  That’s assuming a full patched machine. Vulnerabilities could be found in any part of the underlying OS, so even if the AV can catch everything, it may not be able to prevent compromise. If you have to run XP past April 8, I certainly encourage you to get very aggressive in locking down host based defences such as host firewall, host intrusion prevention and antivirus.  Layer this approach with as much network isolation as you can and hope for the best.

6. Prayer

  • It may not be a technical solution, but it certainly can’t hurt.

7. Virtualization

  • Let me be very clear.  Operating system virtualization is NOT a security strategy. VDI is not a security strategy. Running Windows XP in a virtual machine does not improve its security posture in any way. The OS is the same virtualized or physically installed. The same vulnerabilities will exist. The same security considerations exist. You could argue that VDI means at least you know where all the XP machines are. Agreed. But let me tell you, I’m not keen to have them all inside my datacenter beside my most critical infrastructure assets. Also worthy of mention here, is that Microsoft will support MED-V but not XP if that’s part of your strategy.

Time to Move

Depending on your specific situation and functionality requirements, you can use some, all, or a blend of the above seven mitigation techniques to continue with Windows XP past its support date. It remains to be seen exactly what flaws will be uncovered and what attack vectors are required to exploit them.  Only time will tell.  In the interim, the best strategy is to accelerate your migration to a newer operating system. If that isn’t possible right away – layer on as much defence as you can and hope for the best.

Brian Bourne
Brian Bourne
Brian Bourne started his career back in 1992 working on large, complex infrastructure for one of the big Canadian banks. Today he provides leadership to 3 separate companies, a professional services firm, CMS Consulting Inc., a managed services firm, Infrastructure Guardian Inc., and what has become the largest security event in Canada, the Security Education Conference in Toronto (SecTor), operated by Black Arts Illuminated Inc. Brian is also the co-founder and sits on the current executive of TASK, a Toronto based security user group with over 3100 members. When he’s not working or triathlon training, he’s spending time with his amazingly supportive wife and kids or wrenching in the garage.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Latest Blogs

ITB in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.