Even though it is more than 12 years old, Windows XP remains the second most popular installed version of Windows after Windows 7, running on 31% of all PCs, according to NetMarketShare.com. Many organizations never bothered to upgrade from XP to Vista due to the latter's poor reception. This led to a number of customized enterprise applications becoming even more entrenched in the XP environment. As more time and resources were invested in XP, the case for upgrading became far less compelling.
However, despite its popularity, Microsoft is ending support for Windows XP on April 8, 2014. There will be no more Windows XP security patches, no more automatic updates and no new support information. Research suggests that Windows XP is 21 times more likely to be infected by malware than Windows 8 and, although machines running XP after April will start and run as usual, the chances of infection could jump by two-thirds (based on malware infection rates in the two years after Windows XP Service Pack 2 went out of support).
XP security: The risk is too great
Running XP endpoints in the enterprise is quickly becoming an unacceptable risk, and most large companies (90%, according to research firm Gartner Inc.) are either in the process of migrating to Windows 7 or Windows 8 or have already done so. However, many small to medium-sized businesses have not even started preparing for Windows XP's end of life, despite Microsoft's calculation that it takes at least a year for companies to fully migrate away from XP. While some firms have held on to the belief that Microsoft would not end support when so many are still using it, others are suffering from planning paralysis or have shied away from the task altogether.
The reality is that doing nothing is no longer an option; support from Microsoft will not be extended. Simply put, XP lacks the modern attack-prevention and mitigation capabilities built into newer versions of Windows. Worse, XP shares a great deal of code with the versions of Windows that will still be patched. Attackers routinely diff a new security update against the previous binary to locate the fixed flaw, and when the same code exists in XP, that diff hands them a vulnerability that will never be patched there and a roadmap for a working exploit. This has already happened with Oracle's Java updates, where attackers built working exploits for outdated versions from the fixes shipped to supported ones.
Another major risk of not migrating from XP to a newer version is increased system downtime. Many software and hardware vendors will no longer support their products if they're running on Windows XP, and new security tools, drivers and browser versions will increasingly refuse to install on it. The chances of attacks succeeding will be higher, and with no vendor patch to apply, the options for preventing a repeat of the same attack are limited to workarounds. For the most part, administrators will be on their own when it comes to solving problems. Though Microsoft will sell extended custom support for XP, it will be incredibly expensive and is intended only to buy time for a migration already under way.
Windows XP migration planning
Organizations must start looking at improving protection for XP-based applications and devices while finalizing plans to move away from XP. The first step is an accurate inventory: run an Nmap OS detection scan (nmap -O) across the network to find every device that is still running Windows XP. Two caveats apply. Nmap's TCP/IP fingerprinting needs at least one open and one closed port on the target to work well, and the XP fingerprint is close enough to Windows Server 2003 that matches are often reported as "XP SP2 or SP3, or Server 2003." Confirm fingerprint-only hits with something authoritative such as the SMB banner (Nmap's smb-os-discovery script), the domain controller's computer objects or the patch management console, because the hosts you are most likely to miss are the unmanaged ones. Once detected, security on these machines can be improved in the interim by deploying Microsoft's Enhanced Mitigation Experience Toolkit (EMET) 4.0, which allows administrators to apply a variety of exploit mitigations -- Data Execution Prevention, Structured Exception Handling Overwrite Protection, Address Space Layout Randomization and EMET's anti-return-oriented-programming checks -- to applications and processes that don't opt in to them natively. Be clear about what this buys you: EMET does not fix the underlying vulnerabilities, it only makes the common exploitation techniques harder and noisier, and not every mitigation is available on XP, since several (ASLR in particular) depend on loader and kernel support that XP lacks. Test EMET against each legacy application before rolling it out, as opting an old application into DEP or the ROP checks can break it.
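As an added worked example (not code from the original article or from Nmap), the following Python script processes the XML output of such a scan and separates confirmed XP hosts from fingerprint-only guesses. It assumes the scan was run with OS detection plus the SMB OS-discovery script, for instance nmap -O -sV -p 135,139,445 --script smb-os-discovery -oX xp-scan.xml 10.0.0.0/24; the embedded sample XML is constructed to mimic that output, with fictitious addresses and hostnames.

```python
#!/usr/bin/env python3
"""Find hosts still running Windows XP in Nmap XML (-oX) output.

Added example, not part of the original article. Assumes a scan such as:
  nmap -O -sV -p 135,139,445 --script smb-os-discovery -oX xp-scan.xml 10.0.0.0/24
SAMPLE_NMAP_XML below is constructed to mimic that output (fictitious hosts).
"""
import re
import sys
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -sV -p 135,139,445 --script smb-os-discovery -oX xp-scan.xml 10.0.0.0/24">
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<hostnames><hostname name="lab-xp01" type="PTR"/></hostnames>
<hostscript><script id="smb-os-discovery" output="&#xa;  OS: Windows XP (Windows 2000 LAN Manager)&#xa;  OS CPE: cpe:/o:microsoft:windows_xp::-&#xa;  Computer name: LAB-XP01"/></hostscript>
<os><osmatch name="Microsoft Windows XP SP2 or SP3" accuracy="96"/></os>
</host>
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.9" addrtype="ipv4"/>
<hostnames><hostname name="lab-w7" type="PTR"/></hostnames>
<hostscript><script id="smb-os-discovery" output="&#xa;  OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)&#xa;  Computer name: LAB-W7"/></hostscript>
<os><osmatch name="Microsoft Windows 7 or Windows Server 2008 R2" accuracy="100"/></os>
</host>
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.23" addrtype="ipv4"/>
<hostnames/>
<os><osmatch name="Microsoft Windows XP SP2 or SP3, or Windows Server 2003" accuracy="90"/>
<osmatch name="Microsoft Windows 2000 SP4" accuracy="88"/></os>
</host>
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.40" addrtype="ipv4"/>
<hostnames><hostname name="printer-3" type="PTR"/></hostnames>
<os><osmatch name="HP LaserJet printer" accuracy="95"/></os>
</host>
</nmaprun>
"""


def smb_reported_os(host):
    """Return the 'OS:' line from smb-os-discovery, or None if the script produced nothing."""
    for script in host.iter("script"):
        if script.get("id") != "smb-os-discovery":
            continue
        for line in script.get("output", "").splitlines():
            line = line.strip()
            if line.startswith("OS:"):
                return line[3:].strip()
    return None


def best_osmatch(host):
    """Return (name, accuracy) of the highest-accuracy TCP/IP fingerprint match, or (None, 0)."""
    best = (None, 0)
    for match in host.iter("osmatch"):
        accuracy = int(match.get("accuracy", "0"))
        if accuracy > best[1]:
            best = (match.get("name"), accuracy)
    return best


def classify_host(host, min_accuracy=85):
    """Return a finding for one <host>, or None if it is not an XP candidate.

    The SMB banner is authoritative (the host states its own version), so a
    non-XP banner clears the host even if the fingerprint looked like XP. A
    fingerprint-only hit is reported as 'xp-possible' because the XP
    fingerprint overlaps with Windows Server 2003 and needs manual confirmation.
    """
    addr_el = host.find("address[@addrtype='ipv4']")
    addr = addr_el.get("addr") if addr_el is not None else "?"
    smb = smb_reported_os(host)
    if smb is not None:
        if re.search(r"Windows XP|Windows 5\.1\b", smb):
            return {"addr": addr, "status": "xp", "evidence": "smb: " + smb}
        return None
    name, accuracy = best_osmatch(host)
    if name and accuracy >= min_accuracy and "Windows XP" in name:
        return {"addr": addr, "status": "xp-possible",
                "evidence": f"fingerprint ({accuracy}%): {name}"}
    return None


def find_xp_hosts(xml_text, min_accuracy=85):
    """Parse Nmap XML and return the XP findings in scan order."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        finding = classify_host(host, min_accuracy)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    # Pass a real xp-scan.xml as the first argument; otherwise use the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_XML
    for f in find_xp_hosts(text):
        print(f"{f['addr']:<16} {f['status']:<12} {f['evidence']}")
```

On the sample data the script reports 10.0.0.5 as confirmed XP from the SMB banner and 10.0.0.23 as a fingerprint-only candidate to verify by hand; the Windows 7 host and the printer are not reported. Raising min_accuracy trades missed hosts for fewer false candidates, which is the wrong trade for an inventory whose purpose is to find the forgotten machines.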
One short-term solution for those needing to support mission-critical applications past April 2014 is running XP in a virtual environment; Microsoft offers Windows XP Mode, a licensed copy of XP that runs as a virtual machine (VM) under Windows 7 Professional and above. Be realistic about what this achieves. The XP guest is still unsupported and still unpatched, and the host's defenses do not reach inside it; the gain is that the host is a patched, supported system, the guest can be snapshotted and rolled back after an infection, and its network access can be restricted to the one legacy application it exists to run. Another option is to use Citrix in a similar VM scenario, but unless administrators are already familiar with supporting a Citrix environment, it could become an expensive distraction.
Until XP machines can be upgraded or cycled out, I highly suggest locking down and isolating them whenever possible to reduce the chances of infection: segment them onto their own network, allow only the traffic the legacy application needs, remove local administrator rights, and keep them off the Internet and away from email. An application control or privilege management product will help prevent new or unwanted programs or code from executing, while virtual patching (intrusion prevention signatures for known XP-affecting flaws applied at the network or host) and, where the XP machine hosts a web application, a Web application firewall will provide additional layers of defense.
It is important to note that these are only temporary solutions. All legacy applications should be rewritten and migrated sooner rather than later, because running mission-critical applications on an increasingly vulnerable and unstable operating system is asking for trouble. While rewriting applications and upgrading licenses and hardware may be costly, a data breach could set your enterprise back even more. Also know that running unsupported software often violates regulations and standards; PCI DSS, for example, requires that applicable security patches be installed, which an operating system that no longer receives patches cannot satisfy.
Microsoft has been extremely blunt about the dangers users will face once Windows XP end of life arrives and support ends. If an enterprise continues to use XP, it will be a prime target for cybercriminals who always favor widely installed systems with known yet unpatched vulnerabilities. Enterprises that cannot migrate immediately must prioritize quickly and make a decision on which temporary mitigation strategy best suits their needs until an upgrade is completed.
My advice? Begin working your migration strategy now if you haven't already. Don't be forced to react in a panic once the reality of unsupported software has already disrupted enterprise operations.
About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 20 years of experience in the IT industry. He has a passion for making IT security best practices easier to understand and achievable. His website, http://www.hairyitdog.com, offers free security posters to raise employee awareness of the importance of safeguarding company and client data and of following good practices. He co-authored the book IIS Security and has written many technical articles for leading IT publications. Mike has also been a Microsoft Certified Database Manager and registered consultant with the CESG Listed Advisor Scheme.