In the first part of this post, I looked at the background to the end of support for Windows XP in April 2014. In this (somewhat delayed, apologies) second part I will consider what those in the University will need to do if they are still using Windows XP, although hopefully much of the content will be equally useful for those elsewhere who are still maintaining XP systems. I will assume that readers are not in a position to consider putting off the problem through Microsoft’s Custom Support programme.
Microsoft are not continuing full support after April
Since I wrote the first post there has been a slight relaxation in policy by Microsoft: support for Microsoft anti-malware products on Windows XP has been extended until July 2015. It is important to note that this is not the same as Microsoft extending full security support for Windows XP, despite what has been reported in some news articles (at the time of writing this states “Microsoft has decided to continue providing security updates for the ageing Windows XP operating system until 2015”).
Microsoft are simply adding a limited amount of protection and probably little that will not be offered anyway through third-party antivirus products which continue to support Windows XP after April. Note that Microsoft’s own blog post states “Our research shows that the effectiveness of antimalware solutions on out-of-support operating systems is limited.”
Our advice is that this changes nothing: continue pressing ahead with your upgrade and/or mitigation plans, as described in the remainder of this post.
What should people in the University do?
At the time of writing, Windows XP remains in widespread use around the University, although hopefully IT staff should have been aware of the end-of-support date for a year or more and upgrade plans are well under way. It is inevitable, however, that there will be parts of the University where it simply will not be possible to complete the process of migration away from XP in time. Moreover there will be other areas where XP simply must remain in use, as no other realistic option exists. So what should staff in this position be doing? As mentioned in part 1, “nothing” is not an option!
Risk assessment and prioritisation of upgrades
The most important thing to do in this situation is to determine where the greatest risks lie and to prioritise accordingly. For the purposes of this article I shall consider only the risks posed by the systems currently running Windows XP, although these must be assessed in the wider context of the overall risks in each department and college. Concentrating all efforts on upgrading XP systems and neglecting everything else is almost certainly not the path of wisdom; your “business as usual” activities are just that.
What is most likely to be attacked?
The vast majority of incidents handled by OxCERT can be attributed to one of three main causes: vulnerabilities in the user, vulnerabilities in public-facing services, and vulnerabilities in desktop systems and applications. To the disappointment of IT staff everywhere, replacing Windows XP will do little or nothing for the vulnerabilities in users: they will continue to make the same mistakes as before, for instance responding to phishing emails, or executing malicious email attachments. While local services have been targeted in the past (e.g. Blaster, Conficker), Windows XP is not normally considered an appropriate platform for public-facing services, so it is the third category that merits attention.
The major attack vectors against a desktop system are those which are likely to handle untrusted data from the outside world. For the vast majority of users, such data will mostly come through their web browser or their email client. Malicious content may trigger vulnerabilities in the core operating system, in the web browser or email client, in libraries and components used to handle particular types of content (for instance image display), in additional Microsoft software (e.g. Silverlight, Office) or in third-party software (such as Java and Flash). It is worth remembering that Internet Explorer 8 is the latest version of Internet Explorer to be supported by XP, limiting the amount that can be done to keep an up-to-date Microsoft web browser on an XP-based machine.
Not all of the installed software will lose support next April. Given the size of the remaining XP userbase, many third parties will likely continue to support their own software on the platform for some time yet, including some Microsoft applications. Note that extended support for Office 2003 will end at the same time as that for Windows XP, so you’ll just have to get used to that ribbon, sorry. Importantly, most anti-virus vendors won’t cut support immediately: for University users, Sophos have committed to supporting XP until at least September 2015. Antivirus won’t come close to protecting against all attacks (it never did) but is nevertheless well worth having.
Clearly you will need to prioritise upgrades for some desktop users over others. Determining which users should be upgraded first will depend on local circumstances. You may go for senior and high-profile staff first on account of the confidential data they are handling. Then again, they may be those complaining loudest if something doesn’t work, so you may choose to start with users who are more accepting of the inevitable teething problems.
Specialist systems
What about the more difficult cases? Inevitably there will be some cases which are particularly problematic, if not impossible to upgrade. Firstly, Windows XP installations are also embedded into many devices, for example vending machines and scanners. Such systems may run a full XP installation, or they may run Windows Embedded. It is important to distinguish the two, not least because of the different support lifecycles. XP Embedded is supported until the end of 2016; indeed NT Embedded 4.0 remains supported until the end of August 2014. How, and indeed if, updates are delivered and applied is up to the manufacturer of the device, as are other security measures. Updates which are critical for desktop systems may well be irrelevant in the context of a particular embedded system.
If a device is not using Windows Embedded, however, the April deadline applies. If networked, such devices are vulnerable to attack, and indeed we have seen vending machines on unfirewalled public IP addresses which have been infected with malware. These systems won’t be the only cases which are particularly problematic, if not impossible to upgrade. We are aware of scientific and medical equipment costing six or seven figure sums which are controlled from XP desktops. Upgrading them is frequently not an option; indeed in some cases the original vendor is no longer trading.
Avoid unnecessary risks
With such systems we advise considering their essential usage. What software needs to run on the XP system? What, if any, network connectivity is required? For some systems it may be appropriate to disconnect from the network entirely. Beware, though, that this may simply shift the risks. If switching from file transfer over the network to file transfer via removable media, bear in mind that removable media may harbour infections. A system that is permanently offline will not be running up-to-date antivirus, barring very frequent manual updates. Infections on removable media can be partially mitigated by disabling Autorun and Autoplay (some additional information is available for IT staff within the university).
If a system does need to retain network connectivity then consider placing it on a strictly-firewalled network segment. Consider applying a “default-deny” policy in both directions. For instance the only access required may be to a staging area on a local fileserver, in which case the only additional traffic expected might be with the local DNS resolvers and authentication systems.
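As an added illustration of the “default-deny in both directions” segment described above (this is example code written for this post, not anything from OxCERT or the University), the shell script below generates an iptables-restore ruleset for a router or firewall that fronts an isolated XP segment. The segment address, fileserver, resolvers and authentication server are constructed documentation-range values; the choice of SMB (tcp/445) for the staging share and Kerberos (88) plus LDAP (389) for authentication assumes an Active Directory style setup, which the post does not specify.

```shell
#!/bin/sh
# Added example, not part of the original post: build a default-deny
# forwarding ruleset for a firewall in front of an XP segment.
# All addresses below are constructed (RFC 5737 documentation ranges).
XP_NET="192.0.2.0/24"                         # constructed: XP segment
FILESERVER="198.51.100.10"                    # constructed: staging fileserver
DNS_RESOLVERS="198.51.100.53 198.51.100.54"   # constructed: local resolvers
AUTH_SERVER="198.51.100.20"                   # constructed: assumed AD DC

# Print an iptables-restore style filter table.  The FORWARD chain defaults
# to DROP, so traffic in either direction passes only if a rule below opens it.
xp_segment_rules() {
    net="$1"; fs="$2"; dns="$3"; auth="$4"
    echo "*filter"
    echo ":FORWARD DROP [0:0]"
    echo ":XP_OUT - [0:0]"
    echo ":XP_IN - [0:0]"
    # Return traffic for flows that were accepted when they started.
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Traffic leaving the segment goes to XP_OUT, traffic entering it to XP_IN.
    echo "-A FORWARD -s $net -j XP_OUT"
    echo "-A FORWARD -d $net -j XP_IN"
    # Outbound: SMB to the staging fileserver only.
    echo "-A XP_OUT -d $fs -p tcp --dport 445 -j ACCEPT"
    # Outbound: DNS to the local resolvers (UDP and TCP).
    for r in $dns; do
        echo "-A XP_OUT -d $r -p udp --dport 53 -j ACCEPT"
        echo "-A XP_OUT -d $r -p tcp --dport 53 -j ACCEPT"
    done
    # Outbound: Kerberos and LDAP to the authentication server (assumption: AD).
    for p in 88 389; do
        echo "-A XP_OUT -d $auth -p tcp --dport $p -j ACCEPT"
    done
    echo "-A XP_OUT -d $auth -p udp --dport 88 -j ACCEPT"
    # Anything else the XP hosts try is logged (rate-limited) and dropped;
    # those log lines are the first sign that a host is misbehaving.
    echo "-A XP_OUT -m limit --limit 5/min -j LOG --log-prefix \"XP-SEG-OUT-DENY: \""
    echo "-A XP_OUT -j DROP"
    # Inbound: nothing outside may initiate a connection into the segment.
    echo "-A XP_IN -m limit --limit 5/min -j LOG --log-prefix \"XP-SEG-IN-DENY: \""
    echo "-A XP_IN -j DROP"
    echo "COMMIT"
}

# The number of ACCEPT rules is the size of the allow list; a reviewer can
# check it against the agreed list of required flows.
count_accepts() {
    xp_segment_rules "$@" | grep -c -- '-j ACCEPT'
}

xp_segment_rules "$XP_NET" "$FILESERVER" "$DNS_RESOLVERS" "$AUTH_SERVER"
```

Feed the output to iptables-restore on the segment firewall (not on the XP hosts). Note that with this ruleset the XP machines cannot reach an antivirus update server or any other service unless it is added explicitly, so the allow list has to be drawn up from the usage cases you identified rather than discovered by trial and error after deployment.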
Don’t forget the human risks – your precautions are futile if your users simply work around them because they see it as necessary in order to get their work done, for instance by reinstalling the software you removed, or by plugging a network cable back in. Be sure that possible usage cases have been considered as early as possible, and ensure that users understand why actions are needed. You’re not doing it to be awkward but to minimise the risks to their equipment and data, while trying to minimise the inconvenience to them in their work.
It takes all the running you can do, to keep in the same place
When you’ve finally dealt with that last Windows XP system (and the last Office 2003 installation), congratulations. Sadly, you’re unlikely to get much of a rest, as you’ll soon need to start worrying about the next one. End of support for Windows Server 2003 is in July 2015, Windows Vista in 2017.
Sometimes no explicit resourcing is required because you move to newer versions as part of natural system replacement cycles, but this will not always be the case, especially when dealing with software support lifetimes shorter than that of the hardware. It pays to ensure that your superiors are aware well in advance of when major upgrades need to be carried out, so that with luck the necessary resources can be made available in good time. Plan early, plan well, and stay safe.