Wednesday, January 15, 2014

Supporting the Unsupported
So the day is coming closer and closer when Microsoft will finally hit the delete button on support for Windows XP and Office 2003.  This means no more updates of any kind.  They are also ending support for Microsoft Security Essentials on XP.  That is Microsoft's free consumer Anti-Virus product.  So what does this mean?

For the home user, there is a pretty simple solution.  If you are still using a computer that is running Windows XP, then it is probably about time to get a new computer.  XP was released to computer manufacturers on August 24, 2001.  Microsoft continued supplying it to system builders through 2009.  So chances are you own a computer that could be anywhere from 4 to 12 years old.  High time to upgrade, wouldn't you say?  Since I am the only IT guy in my family, I get all the questions about why a computer is slow or why something isn't working.  If the system is 5 years old or older, I will recommend they just get a new system.  Certain things can probably be easily replaced, but it will only be a matter of time before the next thing goes.  Eventually the motherboard is next.  Once that goes, you are pretty much getting a new system.  So if you are a home user and still have XP, you may want to update your budget for a new computer in the coming months.  While you are at it, you may also want to make sure you have been backing up your data and that it can easily be restored to a new system.  Unfortunately, transitioning off XP to Windows 8 will be a bit of a shock, but it can be done.  I will cover that in another post soon.

For a business, it is a different story.  Many larger enterprises have been working on transitioning off XP for the last couple of years.  If you haven't been planning this transition, then you will need to consider some things when April hits.  You will need to determine how many systems are still going to be living on your network at that time and the risks associated with that.  No more security updates means that there is a very good possibility that we will see a huge increase in the number of 0-days released for XP and Office 2003.  So if you still have a need for these products on your network, you may want to consider isolating them from your critical systems.  You will also need to make sure your security vendors will continue to support them until you can have them decommissioned.  If you can't isolate the physical systems, consider migrating them to virtual systems that run in a more isolated fashion.  For example, if you have specific users such as engineers who need legacy software support, consider getting them newer Windows 7/8 systems.  Install a virtualization platform and do a physical-to-virtual (P2V) migration of that legacy XP system.  Change the networking to NAT or Host Only, and test to ensure that their software still functions.  Chances are that if you haven't moved off XP, then you probably don't have some of the more advanced security infrastructure in place, such as Network Access Control (NAC).  A NAC system can assist in identifying and isolating unsupported systems.  The cost to implement some of these more advanced security measures may far exceed that of migrating off Windows XP.  So there is that to keep in mind.  The longer a company waits to do this, the higher that cost will be.
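
One way to get that count of XP systems still living on the network, as an added example that is not part of the original post.  It assumes the machines are domain-joined and that the ActiveDirectory PowerShell module is available; the 45-day stale threshold and the output file name are assumptions chosen for illustration.

```powershell
# Added example: inventory Windows XP computer accounts in Active Directory
# so they can be prioritised for migration or isolation.
Import-Module ActiveDirectory

# Assumption: no logon in 45 days means the account is probably stale.
# lastLogonTimestamp replicates with up to ~14 days of lag, so keep the
# threshold well above that.
$StaleAfterDays = 45
$cutoff = (Get-Date).AddDays(-$StaleAfterDays)

$xp = Get-ADComputer -Filter 'OperatingSystem -like "Windows XP*"' `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate, IPv4Address

$report = foreach ($c in $xp) {
    [pscustomobject]@{
        Name        = $c.Name
        ServicePack = $c.OperatingSystemServicePack
        IPv4Address = $c.IPv4Address
        LastLogon   = $c.LastLogonDate
        # Accounts that have never logged on have no LastLogonDate: treat as stale.
        Status      = if ($c.LastLogonDate -and $c.LastLogonDate -ge $cutoff) { 'Active' } else { 'Stale' }
        # Parent container: drop the leading "CN=<name>," from the DN.
        Container   = ($c.DistinguishedName -split ',', 2)[1]
    }
}

# Machines still checking in are the ones to migrate or isolate first.
$report | Where-Object { $_.Status -eq 'Active' } |
    Sort-Object Container, Name |
    Format-Table Name, ServicePack, IPv4Address, LastLogon -AutoSize

# Count per container to see which departments hold the legacy systems.
$report | Where-Object { $_.Status -eq 'Active' } |
    Group-Object Container |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Hypothetical output file name; keep it as the baseline to track progress.
$report | Export-Csv -Path .\xp-inventory.csv -NoTypeInformation
```

Active Directory only knows about domain-joined machines, so standalone or embedded XP devices will not appear in this list and have to be found another way, such as through NAC or network discovery.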

This is not a new announcement; Microsoft has been trying to end support for XP over the last 5 years.  It was the big enterprise customers that forced them to keep it alive.  Their main reason was that much of their legacy software was not supported on Windows 7 and/or the cost to migrate was too high.  As we like to say in consulting, "Pay me now or pay more later."  We make recommendations not to fill our pockets, but to ensure that your environment operates at an optimal level to support your business.  If for some reason you did not take our advice at the time it was given, then there is a good chance you will need us to perform an emergency rush implementation of that earlier recommendation.  The increase in cost usually comes from premium rates being used, increased shipping costs for rush hardware, as well as possible additional product support from the vendors.

So you have 82 days left to either finish your Windows 7/8 migrations and test all your software, or use that time to try to isolate those systems until they can be replaced at a later date.  Either way you have some work ahead of you, so I suggest you get started.

UPDATE: On Wednesday (1/15/13) Microsoft announced they will extend support for their Anti-Virus products until July 2015.  Keep in mind that this does not mean that XP is safe; it will plug just one hole in an already Swiss-cheesed dam.  It is not a difficult thing to bypass anti-virus products on vulnerable systems.  If you are not able to migrate off XP this year, then you may want to consider a couple of additional options, such as implementing an application whitelisting solution such as Bit9's Security Platform and/or deploying Microsoft's Enhanced Mitigation Experience Toolkit (EMET).  Another revelation that was mentioned over the last couple of days is the fact that many ATMs are known to use Windows XP Embedded.  Now the banking regulations require that these devices are not on the internet, but that doesn't make them automatically safe.  There have been a number of stories where thieves were able to get physical access to the system in order to load malware or a secondary operating system via USB.  Again, this required physical access to the ATM.  Other critical hardware that relies on XP Embedded includes a number of medical devices and SCADA systems.