As a security professional, I am often asked whether an unsupported operating system (O/S) should be upgraded or not. These are some of the more common questions:
- Should Windows XP be upgraded to Windows 7 / 8.1?
- Is it really necessary to upgrade from Windows Server 2003 to Windows Server 2012 R2 to get the best performance?
Yes, Windows XP and Windows Server 2003 were great and productive operating systems. Many of you know exactly how to use them and how to manage them. Yes, they still work as well as they did when new and do what you need, based on the requirements of an older era.
An unsupported O/S does NOT mean that your XP or 2003 machines will stop functioning, but it does mean that there will be no more patches for vulnerabilities in that O/S.
If you follow the cybersecurity news, you are probably aware that attackers target outdated O/S's. They know that Microsoft does not support Windows XP or Windows Server 2003 after July 2015, and that Microsoft won't release security updates or patches for your Windows 2003 servers. They will wait and attack you when you are not watching.
O/S's that are no longer updated against new threats pose a serious security risk and create compliance nightmares. Is it only Microsoft that will not support the old O/S? What about Microsoft partners, hardware vendors and others? Most Microsoft partners follow a scheduled product lifecycle, so they will likely drop support as well. You may not get a driver for your printer, as many vendors won't build drivers for an O/S that Microsoft no longer supports.
Windows XP was an amazing O/S, as was Windows Server 2003: the most popular and most widely used O/S in history. However, the Microsoft Security Intelligence Report (SIR), compiled by security experts, clearly shows that Windows 7, Windows 8 and now Windows 10 have much better protection rates.
What are the mitigation strategies? Based on the Australian Government's guidance, your top 4 mitigation strategies should be these (publications/csocprotect/top_4_mitigations.htm):
1- Application whitelisting
Microsoft AppLocker is a good starting point for application whitelisting (en-us/windows/applocker.aspx). It lets you specify exactly what is allowed to run on your desktops, including applications and installation programs. AppLocker requires a minimum of Windows 7 to be able…
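As an added example (not from the original post or from Microsoft's documentation), this is how an administrator could build an AppLocker allow-list from a reference machine and roll it out in audit mode before enforcing it. It assumes Windows 7 / Server 2008 R2 or later with the AppLocker PowerShell module, an elevated session, and the file paths shown are placeholders.

```powershell
# Added example: generate an AppLocker allow-list from installed software,
# dry-run it against a file, and apply it in audit mode before enforcing.
# Assumes Windows 7 / Server 2008 R2 or later; run as an administrator.
Import-Module AppLocker

$policyPath = 'C:\Temp\AppLockerPolicy.xml'                 # constructed output path
$referenceDirs = 'C:\Program Files', 'C:\Program Files (x86)' # reference install locations

# 1. Collect publisher, hash and path information for every binary, script
#    and installer found under the reference directories.
$fileInfo = $referenceDirs | ForEach-Object {
    Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe, Dll, Script, WindowsInstaller
}

# 2. Build allow rules: publisher rules for signed files, hash rules for
#    unsigned ones. -Optimize merges similar files into one rule.
New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'Baseline' -Optimize -IgnoreMissingFileInformation -Xml |
    Out-File -Encoding utf8 $policyPath

# 3. Switch every rule collection to AuditOnly so nothing is blocked yet;
#    AppLocker logs what *would* have been blocked as event ID 8003 in
#    Applications and Services Logs\Microsoft\Windows\AppLocker.
[xml]$policy = Get-Content $policyPath
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($policyPath)

# 4. Dry run: see how the policy would treat a file that is not in the baseline
#    (placeholder path) before the policy is applied anywhere.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path 'C:\Users\Public\unknown-tool.exe' -User Everyone

# 5. Merge the audit-mode policy into the local effective policy. The
#    Application Identity service must be running for rules to be evaluated.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
```

Review the 8003 audit events for a few weeks, add rules for legitimate software that shows up, and only then change EnforcementMode to Enabled.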
2- Patching applications and operating systems
Patching requires that your vendor still supports your system. That is no longer possible for Windows XP or Windows Server 2003, so you need to upgrade your O/S.
If you are unsure how to manage your patch environment, I recommend Windows Server Update Services (WSUS), which delivers Microsoft updates, and Secunia Personal Software Inspector (PSI), which lets you manage third-party as well as Microsoft patches. For enterprise users, Microsoft System Center and Secunia CSI are the best options. These let you check the patch status of all your desktops. To reach a healthy status in WSUS and Secunia PSI / CSI, every O/S and application must be patched, and that is only possible if you are on a current version of Windows.
3- Restricting administrative privileges
This mitigation strategy on its own will not make Windows XP secure. Do not forget that Windows XP does not support the latest Microsoft Internet Explorer, which means attackers can use known flaws in the unsupported IE to gain admin access to your systems. On a supported O/S you can rest assured that Microsoft will respond quickly to such an attack; you cannot say the same if you continue to use Windows XP / Server 2003.
4- Creating a defense in depth strategy
Defense in depth is a military strategy