Windows XP at home? Don't access corporate networks, says GCHQ

Summary: Among the measures proposed by the data security branch of GCHQ to cut risks after Windows XP support ends is a block on government workers with the OS remotely accessing the network.


Government staff still running Windows XP at home should be denied access to corporate networks, according to the data security arm of UK surveillance agency GCHQ.

In newly-issued guidance designed to cut risks for government organisations after Microsoft ends support on 8 April for the 12-year-old operating system, the CESG lists the removal of remote access from Windows XP devices.

Discussing short-term measures, the guidelines' authors say some remote access solutions include end-user device posture checks on incoming connections.

"It may be possible for those posture checks to enforce that no Windows XP devices can be used to remotely access corporate systems," they write.

"This will reduce the risk of the enterprise network being exposed to a compromised unpatched device. This control would only help protect the enterprise network from attack as it does not protect any data stored or cached on a Windows XP device."

The CESG goes on to say that where organisations expose some internal services to unmanaged end-user devices under BYOD arrangements, this control could also help ensure that users do not remotely access organisational information from devices known to be vulnerable.
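The posture check described above, as an added example rather than anything from the CESG guidance or the article: a gateway-side policy function that denies remote access to devices reporting a Windows XP version and classifies them as unmanaged. The report layout, the field names and the sample reports are constructed assumptions.

```python
"""Constructed example of an end-user device posture check: refuse remote
access to Windows XP devices and treat them as unmanaged, while letting
supported, non-domain BYOD devices reach only unmanaged-tier services.
The report format and field names are assumptions, not a real product's."""
from dataclasses import dataclass
import re

# Windows NT version numbers reported by the OS. Windows XP reports 5.1;
# XP Professional x64 reports 5.2 (a number it shares with Server 2003).
XP_VERSIONS = {(5, 1), (5, 2)}

@dataclass
class Decision:
    allow: bool      # may the device connect remotely at all?
    trust: str       # "managed" or "unmanaged"
    reason: str

def parse_nt_version(os_string: str):
    """Extract (major, minor) from a posture string such as 'Windows NT 5.1'."""
    m = re.search(r"Windows NT (\d+)\.(\d+)", os_string)
    return (int(m.group(1)), int(m.group(2))) if m else None

def evaluate_posture(report: dict) -> Decision:
    ver = parse_nt_version(report.get("os", ""))
    if ver is None:
        # An unparseable or absent OS string must not pass by default.
        return Decision(False, "unmanaged", "could not determine OS version")
    if ver in XP_VERSIONS:
        # Remove remote access from XP devices and treat them as unmanaged,
        # regardless of whether the device is domain-joined.
        return Decision(False, "unmanaged", "Windows XP is out of support")
    if not report.get("domain_joined", False):
        # BYOD device on a supported OS: unmanaged-tier services only.
        return Decision(True, "unmanaged", "supported OS, not enterprise-managed")
    return Decision(True, "managed", "supported OS on an enterprise-managed device")

# Constructed posture reports, as a remote-access gateway might receive them.
SAMPLE_REPORTS = [
    {"device": "home-pc-1", "os": "Windows NT 5.1", "domain_joined": False},
    {"device": "laptop-22", "os": "Windows NT 6.1", "domain_joined": True},
    {"device": "tablet-7",  "os": "Windows NT 6.1", "domain_joined": False},
    {"device": "kiosk-3",   "os": "unknown",        "domain_joined": False},
]

if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        d = evaluate_posture(r)
        print(f"{r['device']:10} allow={d.allow!s:5} trust={d.trust:9} {d.reason}")
```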

Figures suggest Windows XP still accounts for between a quarter and a third of desktops worldwide, even though it was first released to manufacturers in August 2001 and went on sale on 25 October that year.

When extended support for Windows XP ends in eight weeks, Microsoft will issue no further software updates or security patches for the operating system.

As well as suggesting the removal of network access from Windows XP devices, the CESG guidelines propose stopping remote workers from using any machines still running Windows XP on the network.

Divided into four main areas, the CESG guidance covers migrating away from obsolete software, short-term mitigations, and mitigations to reduce the scope and impact of compromised systems.

Measures include preventing access to untrusted services from XP machines or, where that's not possible, a reduction in the use of untrusted services in general. Also listed are preventing the use of removable media with XP devices, and converting Windows XP devices to thin clients.

Among the steps to reduce the impact of compromised XP machines, the guidelines suggest categorising the devices as unmanaged, to mark them out as less trusted on the network, along with the introduction of better monitoring and network zoning to cut the scope for malware to spread inside an organisation.

Although the guidance focuses on Windows XP, the authors say the principles apply to any software approaching the end of its support period.

  • XP support ending.

    And all of a sudden every XP system is going to be dangerous.
    More likely that the NEW untried systems replacing it will be the danger.
    • Eventually an unpatched XP machine

      will become a bigger risk than a machine running a supported OS. If your machine can't be upgraded to a newer version of Windows then it shouldn't be on the internet, or you should install a version of Linux that still supports the hardware.
      Sam Wagner
  • That's stupid

    It doesn't say much about GCHQ's technical wherewithal.
    • I agree

      No organisation should be relying on a remote computer being fully patched and secure unless it has full control and ownership. It should be controlling access and assuming that all remote devices are potentially insecure.
      However, that is not what CESG was advocating. It was explaining many of the mechanisms that might make systems more vulnerable and how the risks might be mitigated. One of which is "3.6 Mitigation: Remove remote access from Windows XP devices", another "4.2 Mitigation: Treat Windows XP devices as unmanaged". I think that it is disingenuous to quote out of context to grab headlines. Read the CESG article in its entirety to get your own interpretation.
  • XP systems and unsupported software

    An excellent article, with a heads-up for organisations and companies allowing people remote access to their networks.