Here we are. The day after the big XP apocalypse and we’re all still here. The Heartbleed SSL vulnerability has grabbed all the headlines the last couple of days for good reason. However just because you got some cash at the ATM this morning does not mean the XP threat has gone away or was somehow all hype. It has been widely reported quite recently that up to 95% of all ATMs were using Windows XP. That’s enough to make one wonder how these devices are continuing on using the now retired operating system. That’s because ATM and other systems are using Windows XP Embedded, a different product that has a different support arrangement. Depending on which version of Windows XP Embedded that is being used, that support goes out as far as April 9, 2019. Those are special cases that unfortunately don’t apply to everyone else. These systems are extremely locked down, patched and monitored for any issues.
That’s not the only surprising case, Eric Chiu, president & co-founder of HyTrust (www.hytrust.com), the cloud control company said:
“One issue that hasn’t been talked about is the fact that virtualization and cloud, which are transforming the data center, essentially make it so that operating systems can live forever. These technologies that run 70% of the data center remove the hardware dependence of the operating system so that older operating systems like XP will be able to run in data centers for the next 20 years. This has tremendous cost benefits for companies, especially given that they’ve invested lots of money into running applications on specific operating systems. Unfortunately, this creates a security nightmare and a hacker’s delight at the same time.”
Despite seven years of notification that XP would be retired, perhaps you did not have a choice. Your applications are tied to IE7 or XP itself, the budget was never there, your workforce is spread all over the world making upgrading systems a monumental task, the list goes on but here you are. You’re wondering how do we live in this post-XP world? Well, there’s been a lot of warnings, but not a ton of advice.
Living with XP – Tips to plan on
You can customize your plan of action based on some of the following tips.
Upgrade - We’ll start with the obvious. Go out there right now and get a bunch of Windows 7 or 8 systems. That’s not a real possibility in many environments and you are here reading this so let’s look at some other possibilities.
Switch OS – Try some kind of Linux OS update. If you’re daring and you really want to save on up-front upgrade costs you can try this route. Be warned that many may not find this to be a scalable enterprise answer. It requires a high degree of support training, application testing a knowledgeable base of users and perhaps some compromise around management. It could work in small offices of engineers rather well. Mac OS – forget it. If you weren’t willing to update to a low-cost $1200 dollar business machine you wouldn’t be considering a $3000 hobby system and the whole new world a completely different OS introduces.
Isolate the XP system - If you have a few XP systems you cannot let go of, isolate them on the network by any way possible. Have them run on their own VLAN, unplug them if necessary and when possible and minimize connectivity to the absolute minimum by reviewing local and network firewalls.
Consider a kiosk – If there’s one application or interface that is tied to XP that is holding you back indefinitely, consider putting up a shared machine that everyone can use. Minimize the amount of systems and live the benefits of one headache versus thirty.
Minimize Apps, secure the system – Clean those XP systems up. Remove everything except those applications you absolutely must have them for. Use your domain GPOs to lock down the system. Nothing else gets installed, nothing else is allowed to run. Activate DEP, the Data Execution Protection feature in Windows XP. Disable CD, DVD drives and USB ports wherever possible. These are vectors where threats can seep in.
Admin rights – Most environments allowed everyone to be administrators on their own system. That can no longer stand, it’s crunch time. Validate that only the expected administrative accounts are configured on each system and remove administrative rights for each user. Also remove unnecessary or unknown users.
Keep your entire environment up to date – Now’s a good time to address your entire practice. Computer ecosystems can harbor weaknesses that can affect these vulnerable XP systems on the network. Some of the usual suspects to keep on top of are Java, Office and Adobe products. You know the adage about the weakest link in the chain, well you know what that is, so keep all of your network, servers, antivirus, browsers and file systems up to date.
Edge protection – Given this perilous XP situation, Intrusion Protection and other security vendors have stated their ongoing protection for XP. This is valuable protection that can protect from vulnerabilities and exploits before they hit your network or get very far. Check with your firewall and network vendor to determine how their support will continue, it may be a matter of some updates and configuration.
Local protection – On the XP systems themselves, malware security will be essential. Malwarebytes, the world’s most respected – and downloaded – anti-malware company has promised to support XP users for life. Check with your antivirus and other endpoint protection suites for continued updates and operability.
Vendors have put out a good variety of advice and it is recommended to research and consider it all. Malwarebytes posted several tips including the following on their blog:
DO NOT USE INTERNET EXPLORER
UPGRADE YOUR MICROSOFT OFFICE 2003
Windows XP is not the only software being abandoned. Microsoft Office 2003 is also affected. There are many exploit-rigged DOC and XLS files that can use Microsoft Office 2003 to infect Windows XP computers.
Neohapsis adds the following tips in lieu of timely vendor patches:
Back up your computer. There are many online backup services available for less than $5 a month. If something goes wrong, you want to make sure that your data is safe. Good online backup services provide a “set it and forget it” peace of mind. This is probably the single most important thing you can do, and should be a priority even for folks using a supported operating system. Backblaze, CrashPlan, and SpiderOak are all reasonable choices for home users.
Watch and plan – Keep abreast of XP news, breaches and threats by watching the wire, Microsoft community and those communities of your vendors/partners. Planning is always advised, have a contingency plan. That could be thorough backup, wipe and restore procedures. It could also incorporate a shutdown and replacement system procedure. Be prepared for the inevitable as you should prepare for any outage or threat.
Migrate – Back to #1 – Plan your way out of this. The risks, costs and management of retaining a 12+ year operating system will only rise with the passage of time.