An enterprise guide to Windows XP security after end of updates for XP
A comprehensive collection of articles, videos and more, hand-picked by our editors
As time runs out on security support for Microsoft's Windows XP operating system, it is believed that a sizable number of companies are still struggling to start the Windows XP migration process or to complete the transition to a more modern platform. Security pros at organizations that have wrapped up large-scale XP migrations say it's best to focus on application compatibility and, more broadly speaking, not lose focus on the big IT picture.
The hardest bit is the 'application estate' and making sure your key applications are naturally compatible.
CIO, Wood Group
Microsoft will end support for its 12-year-old Windows XP operating system April 8. Even though it was several years ago when the Redmond, Wash.-based software giant first notified enterprises and consumers running XP of its decision to end support, XP remains popular despite its numerous recent security issues and the looming threat of widespread attacks once Microsoft's security patches stop coming.
Recent statistics from research firm Net Applications have shown that XP still runs on more than a quarter of PCs worldwide. Redwood City, Calif.-based vulnerability management vendor Qualys Inc. pegged consumer usage around 25% based on data from its BrowserCheck service; it also showed enterprise XP usage as under 20% as of March based on scans from its QualysGuard product, though Qualys expects that number to drop to approximately 10% by XP's looming end-of-life date.
Still, those percentages worry Qualys chief technology officier Wolfgang Kandek, who has warned enterprises that attackers will analyze future Patch Tuesday releases to determine what flaws Microsoft fixes in Windows 7 and 8, and then look for those very same vulnerabilities in XP.
"Windows XP will continue to be impacted by the majority of vulnerabilities found in the Windows ecosystem, but you will not be able to address the issues anymore," Kandek wrote in a recent blog post. "So you need a strategy for the XP machines remaining in your infrastructure."
For some organizations, the XP end-of-life date doesn't seem to be on their radar screens. Derrick Wood, group CIO for U.K.-based energy services firm Wood Group, said he came across one of his company's suppliers with the last month that had yet to move its approximately 9,000 PCs away from XP. Wood said the supplier only recently decided to migrate because its audit committee warned it of the serious risks associated running XP after its end of life.
"They concluded that they now needed to get off Windows XP onto either 7 or 8, but they were only doing it now," Wood said. "Therefore, the only way they could do it was to engage with a third-party, and it was going to cost them a hell of a lot."
Andrew Hertenstein, lead architect for data center and cloud management at Microsoft-centric IT advisory firm En Pointe Technologies in Gardena, Calif., said he has recently seen organizations trying to deal with the "low-hanging fruit" by cramming in as many fairly simple XP migrations as possible before April 8. For example, machines in call center environments are relatively easy to move from one platform to another, he noted, so an enterprise can transition those systems with little headache.
Application compatibility key to Windows XP migration
Those easier migrations are becoming fewer each day, though, Hertenstein said, with many companies lingering on XP because of mission-critical applications that only function on the aged OS. For example, a financial institution that relies on a Windows-XP-based application to perform sensitive transactions and trades can't simply move from XP to Windows 7 over a weekend.
Hertenstein said application compatibility is indeed the No. 1 stumbling block for En Pointe's clients when moving from XP. He said a smooth transition demands a great deal of up-front planning, which poses an especially vexing challenge for organizations still in the early stages of their XP migrations as April 8 approaches.
Hertenstein advised large organizations to use the Microsoft Application Compatibility Toolkit or a similar tool to determine which XP-based apps will function properly on a newer Windows OS. Once tested, applications can be categorized as being OK to migrate, needing some patching prior to migration, or being absolutely incompatible. Organizations can use that data to decide whether to retire an application, re-architect it or utilize an alternative option such as virtualization to keep it operational.
"It's all about planning," Hertenstein said. "You have to be very strategic when doing these types of migrations."
Before even beginning the migration process, Hertenstein said that large enterprises should have an understanding of where they want to be from an IT perspective six to 18 months down the road. For example, Windows 7 is the still the most popular option for companies moving from XP, but for organizations like hospitals that lack extensive, fixed-desktop environments, Hertenstein said the better option may be to deploy the more mobile-centric Windows 8, along with tablet devices. He said that now may also be the time to consider whether certain users could be moved to virtualized desktops.
Even just the basics of migrating applications over to Windows 7 or 8 requires some built-in lag time, according to Hertenstein, who emphasized that a large-scale Windows XP migration can't be rushed if the organization wants to be successful.
CIO Derrick Wood said the Wood Group is at the tail end of its move away from Windows XP and Vista, a process that began in mid-2011. Out of the approximately 20,000 machines that operate on its network, as of mid-March the Wood Group had only 200 PCs still running XP, with plans to either migrate those as well or to take precautionary measures to secure those systems, including removing them from the corporate network.
At the beginning of its multiyear migration process, Wood said his organization was running approximately 2,300 applications, including different versions of the same applications. The company had to review many of those applications individually to determine whether each one needed to be remediated or retired, with Wood noting that the company "didn't really understand what our application estate was" before the migration.
From the editors: More on Windows XP migrations
Continuing to run Windows XP past it end-of-life date will not only open organizations up to a variety of security risks, but also expose them to potential regulatory compliance issues. Resident SearchSecurity enterprise compliance expert Mike Chapple recently laid out why running Windows XP puts an organization at risk of being PCI noncompliant, and the PCI SSC itself hasn't entirely made it clear whether XP will pose an issue in this regard.
For those organizations that still need help pushing through a Windows XP migration, sister site SearchEnterpriseDesktop recently featured some tools and services that may make the process easier.
Now, he said the Wood Group is down to approximately 700 to 900 applications in its environment.
"The hardest bit is the 'application estate' and making sure your key applications are naturally compatible, and [ensuring that] you have gone through regular testing of those applications to move to the new platform," Wood said. "In many cases, it allowed us to retire these applications that may have been important at one point in time, may have had one or two users, but the migration forced us into making that decision."
Adelaide, Australia-based oil and gas exploration firm Santos Ltd. also completed a major multiyear Windows XP migration at the end of 2013, with the company transitioning approximately 8,200 machines from XP over to the Windows 7 platform.
Not all of those machines could be successfully migrated, according to Andrew Speer, IT security coordinator at Santos, who said that approximately 40 machines will continue to run XP after its end-of-life date. To ensure their security, Speer said those machines will have restricted Internet connectivity, and other steps will be taken to remove potential infection vectors, including the possible removal of programs like Outlook. Santos also utilizes a third-party antimalware vendor that has promised to continue supporting XP systems, Speer noted, while the company explores ways to retire its legacy machines.
Even for the majority of XP-based systems that the company did migrate, Speer said his firm experienced a number of application-compatibility issues. For example, Santos decided to make use of AppLocker, a security feature that was new to Windows 7, for application whitelisting, but encountered a number of unexpected hurdles in the form of specialist utility programs and minor productivity tools installed in nonstandard locations. The company eventually managed to roll out AppLocker to all Windows 7 machines, Speer noted.
More vexingly, Santos encountered a variety of poorly written applications that expected users to have administrator-level privileges on their machines, disregarding longstanding security best practices. The company had already decided to make a concerted effort to reduce the number of users with admin privileges, Speer said, which meant using third-party software from vendors such as AppSense to create virtual instances of XP to securely run its legacy applications.
"It was a challenge to convince people that they could still undertake their job without needing ongoing administrative privileges on their machine," Speer said. "My advice for others in the same position would be to start from a position of highest security and only make exceptions as needed, rather than trying to retrofit or activate enhanced security features after the rollout is complete."
Is extended support an option?
Though Microsoft has pushed hard for enterprises to migrate away from Windows XP by April 8, the company has left a costly option open for those organizations that simply can't migrate: Pay for extended support.
Custom support plans for enterprises running Windows XP tend to be negotiated on a per-machine basis, and according to a January 2013 report by Stamford, Conn.-based IT analysis firm Gartner Inc., Microsoft has made such plans quite pricey, with customers being quoted prices between $600,000 and $5 million for the first year alone, depending on the number of supported machines or even the number of patches required.
The Wood Group considered paying for Microsoft's extended support for the approximately 200 machines lingering on XP, but CIO Derrick Wood said the idea was quickly dismissed by executives due to the prohibitive cost. Microsoft provided two different models of support, according to Wood, with one designed for a minimum of 700 machines for 12 months, and the other operating on a per-seat basis. At minimum, Wood said the company was looking at $150,000 for the first year of support, and depending on the number of patches required, that figure could easily exceed $2 million per year.
Cost was not the only factor in the Wood Group's decision to avoid paying for extended XP support though, according to Wood, who said he can now base all IT projects off a solid platform in Windows 7 until 2020.
"My other hesitation in taking out that extended support was that it's almost a get-out-of-jail card," Wood said. "And we lose the impetus to completely get off XP."
Hertenstein acknowledged that Microsoft has put many organizations in a position where they have few options but to pay a premium for extended XP support, especially if such an arrangement extends beyond a year, but said that it may be the best option left for organizations that have waited until the "eleventh hour" to migrate simply because it provides them with more time for planning.
"I don't agree with companies that just say, 'I need to get off XP and onto Windows 7 now because of support.' You're going to create your own problem again when you need to move off Windows 7," Hertenstein said. "This is a good time to be as strategic as possible."