Windows XP support end: 10 steps to cut security risks

Summary: Microsoft may have ended support for Windows XP but those left clinging to the aged operating system still have some ways of managing the risks.


With the demise of Microsoft support for Windows XP, those sticking with the 12-year-old OS undeniably face risks. The question is whether the risks are tolerable and manageable.

In most cases, Windows XP can still be used while firms try to complete migrations with the risk cut to an acceptable level, according to analyst firm Gartner — and without having to pay for costly Microsoft Custom Support.

"While doing nothing is an option, we do not believe that most organisations — or their auditors — will find this level of risk acceptable," vice president and Gartner fellow Neil MacDonald said in a report, Best practices for secure use of XP after support ends.

Between 20 percent and 25 percent of enterprise systems are still running XP, and one-third of organisations continue to use it on more than 10 percent of their machines, Gartner estimates.

For those still using the venerable OS after the end of routine Microsoft updates and security patches, MacDonald has come up with 10 best practices to minimise the risks.

Step 1: Restrict connectivity

Because the network is a prime route for attacks on vulnerable systems, minimising connectivity with other systems makes it easier to protect XP machines. Consequently, disconnecting XP devices entirely from the network is the best option.

But if access to specific applications is what's delaying a migration away from XP, MacDonald suggests a kiosk model, with users going to a centrally located departmental machine.

If you can't disconnect XP systems completely, the next step would be to block internet connections and limit communications to specific internal systems through a network- or host-based firewall.

Even with restricted internal access, isolate XP devices from other endpoint systems using virtual LANs or firewalls.

Step 2: Restrict apps

Lock down XP machines so they can't execute arbitrary code. This measure can be achieved through dedicated software, a host-based intrusion-prevention system, or Microsoft's Group Policy object (GPO)-based software restriction policies.

MacDonald says with the end of XP support, it's essential to allow only known-good apps to run.

Memory also needs to be protected, by activating XP's Data Execution Protection, with additional protection coming from Microsoft's Enhanced Mitigation Experience Toolkit, or EMET.

Step 3: Remove admin rights

Removing administrative rights is a mandatory measure for all users remaining on XP machines, because 90 percent of malware runs in the context of the logged-in user.

Step 4: Bar browsing and email

Since most attacks come via email and the web, it makes sense to eliminate these vectors on XP devices. An up-to-date server-based system can instead provide these capabilities — for example, a remote desktop service or hosted virtual desktop server.

Step 5: Update software

XP may be out of support but other software running on the machines may not be and should be kept updated to minimise weaknesses.

It's important that antivirus, firewalls, software distribution clients, and browsers should be up to date, along with Java, Adobe, Office and other common infrastructure apps.

Step 6: Disable ports and drives

By disabling USB ports and CD and DVD drives, you are removing another route for the introduction of arbitrary executable code.

It's also possible to employ third-party tools to configure ports for write access only.
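Steps 1, 2, 3 and 6 all come down to settings that can be verified on the machine itself. The following read-only audit script is an added example, not part of the Gartner report or the article; it runs under PowerShell 2.0 on an XP SP3 host and reads the standard XP locations for the Windows Firewall profiles, the software restriction policy default level, the DEP switch in boot.ini, the local Administrators group and the USBSTOR/Cdrom driver start values. The "expected" values encoded as pass conditions (firewall on in both profiles, SRP default Disallowed, DEP OptOut or AlwaysOn, only the built-in Administrator account plus Domain Admins in the local Administrators group, removable-media drivers disabled) are this example's assumptions, not figures from the page.

```powershell
# Added example: audit the XP hardening controls from Steps 1, 2, 3 and 6.
# Read-only; run elevated on the XP SP3 machine under PowerShell 2.0.
# Pass/fail thresholds below are assumptions for illustration.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return $item.$Name
    } catch {
        return $null          # key or value absent
    }
}

function Add-Finding($Control, $Pass, $Detail) {
    $script:findings += New-Object PSObject -Property @{
        Control = $Control; Pass = $Pass; Detail = $Detail
    }
}

$script:findings = @()

# Step 1: host-based firewall enabled in both the domain and standard profiles
foreach ($profile in 'DomainProfile', 'StandardProfile') {
    $path = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$profile"
    $enabled = Get-RegValue $path 'EnableFirewall'
    Add-Finding "Firewall ($profile)" ($enabled -eq 1) "EnableFirewall=$enabled"
}

# Step 2a: software restriction policy default level. 0 = Disallowed (allow-list
# mode, only explicitly permitted paths/hashes run); 0x40000 = Unrestricted.
$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$level = Get-RegValue $srp 'DefaultLevel'
Add-Finding 'SRP default level' ($level -eq 0) "DefaultLevel=$level (0 = Disallowed)"

# Step 2b: DEP. XP controls it with /noexecute=<mode> in boot.ini.
$bootIni = "$env:SystemDrive\boot.ini"
$dep = 'not set'
if (Test-Path $bootIni) {
    foreach ($line in Get-Content $bootIni) {
        if ($line -match '/noexecute=(\w+)') { $dep = $matches[1]; break }
    }
}
Add-Finding 'DEP (boot.ini)' ($dep -match '^(OptOut|AlwaysOn)$') "noexecute=$dep"

# Step 3: who holds local admin rights. Anything beyond the built-in account and
# Domain Admins is flagged (assumed baseline; adjust for your environment).
$allowedAdmins = @('Administrator', 'Domain Admins')
$group = [ADSI]'WinNT://./Administrators,group'
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
$extra = @($members | Where-Object { $allowedAdmins -notcontains $_ })
Add-Finding 'Local Administrators' ($extra.Count -eq 0) ("Members: " + ($members -join ', '))

# Step 6: removable-media drivers. Start=4 means the driver is disabled.
foreach ($svc in 'USBSTOR', 'Cdrom') {
    $start = Get-RegValue "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" 'Start'
    Add-Finding "$svc driver disabled" ($start -eq 4) "Start=$start (4 = disabled)"
}

$script:findings | Select-Object Control, Pass, Detail | Format-Table -AutoSize
```

Running it before and after applying the GPO or local policy changes gives a quick before/after record for the auditors MacDonald mentions; because it only reads the registry and boot.ini, it is safe to run on production machines and can be collected centrally from each XP host.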

Step 7: Shield XP

A network- or host-based intrusion-prevention system can help protect XP machines. It's worth confirming with your network or host-based supplier that it will continue to research XP vulnerabilities and attacks, and provide filters and rules to block such attacks.

Step 8: Monitor XP, Microsoft and threats

As well as monitoring XP systems for signs of compromise, organisations still running the OS should keep a close eye on Microsoft.

Although the company won't disclose new vulnerabilities in XP to those who haven't paid for Custom Support, it may release information about critical vulnerabilities in, say, Windows Server 2003, which could also affect XP.

It's also worth checking community chat boards and threat intelligence feeds, as independent sources of information.
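Monitoring XP systems "for signs of compromise" needs something concrete to compare against. The script below is an added example (not from the article or the Gartner report) of one cheap, well-understood check: snapshot the autostart locations (the Run/RunOnce keys and every installed service's ImagePath), store a baseline, and on later runs report anything added, changed or removed. New persistence entries are a common footprint of a compromised host. The baseline path is an assumption; in practice the baseline file should be copied off the machine after the first run so that a later compromise cannot silently rewrite it.

```powershell
# Added example: baseline-and-diff of XP autostart locations (Step 8).
# First run writes a baseline; subsequent runs print differences.
# PowerShell 2.0 on XP SP3. Baseline location is an assumption.
param([string]$Baseline = "$env:SystemDrive\xp-autostart-baseline.xml")

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartSnapshot {
    $snap = @{}
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.psobject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # skip PSPath, PSParentPath, ...
            $snap["$key\$($p.Name)"] = [string]$p.Value
        }
    }
    # Every service's binary path: an unexpected new service or a changed
    # ImagePath is a classic persistence indicator.
    foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $img = (Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
        if ($img) { $snap["Service\$($svc.PSChildName)"] = [string]$img }
    }
    return $snap
}

function Compare-Snapshot($old, $new) {
    $changes = @()
    foreach ($k in $new.Keys) {
        if (-not $old.ContainsKey($k)) {
            $changes += "ADDED   $k = $($new[$k])"
        } elseif ($old[$k] -ne $new[$k]) {
            $changes += "CHANGED $k : '$($old[$k])' -> '$($new[$k])'"
        }
    }
    foreach ($k in $old.Keys) {
        if (-not $new.ContainsKey($k)) { $changes += "REMOVED $k" }
    }
    return $changes
}

$current = Get-AutostartSnapshot
if (-not (Test-Path $Baseline)) {
    $current | Export-Clixml -Path $Baseline
    Write-Host "Baseline written to $Baseline ($($current.Count) entries). Re-run to diff."
} else {
    $previous = Import-Clixml -Path $Baseline
    $diff = @(Compare-Snapshot $previous $current)
    if ($diff.Count -eq 0) {
        Write-Host 'No autostart changes since baseline.'
    } else {
        $diff | ForEach-Object { Write-Host $_ }
    }
}
```

Schedule it (Task Scheduler or a logon script) and ship the output to wherever the rest of the estate's logs go; a legitimate software update will show up as a change too, so the value lies in reconciling each difference against the change record rather than in the diff alone.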

Step 9: Plan for an XP breach

Those still running XP systems need to have a plan for isolating the machines in question in the event of an attack, as well as ways to restore them to a known-good state.

It's also important to understand the cause of the problem to prevent a recurrence, and to have a backup plan to move users to supported systems rapidly in a catastrophe.

Step 10: Study costs

A cost-benefit analysis could show whether the measures involved in staying with XP temporarily might actually end up outstripping a more rapid migration.

  • ZDNet's great advice

    Probably 90% of the people reading this have no idea what you are talking about.
    Not even a mention moving to Linux which is free.

    All this great advice coming from a nerd
    • Hello!! This article is written for *enterprises* still running Windows XP.

      Enterprise Windows sysadmins will have little trouble understanding the content of the article. The good ones will already have implemented this checklist.
      Rabid Howler Monkey
    • Linux is "free" only if you are already knowledgeable enough to ...

      ... and have the time to devote to ... performing your own Linux systems administration.

      Few but the largest businesses have those resources readily available.
      M Wagner
      • Linux is "free" only if you are already knowledgeable enough t

        One word sums up your post: Nonsense.
        • IDIOT

          One word sums up your comment and it's idiocy, people like you should be banned from posting any kinds of comments on these sites as you don't appreciate the time and effort it took for the editor to compile this researched doc. I am also quite perplexed as to why you had Linux as "free" in your heading as uhhh hem Linux is Free you monkey, however you do get paid versions like SLES / Zentyal / Untangle etc. BUT they would always offer a community edition available which works just as well.

          In summary we would see how much "nonsense" this doc has been if you have been hacked and your system has been infiltrated by bots.
  • Or Switch to a Free Linux OS

    Why waste that old Hardware, its bad for Planet Earth.
    Get the most worth out of your PC as long as it works well.

    How to break free from the cycle of Planned Obsolescence?!!??
    Stay safe with Linux.
    There is a very good chance Linux OS will run well with older hardware with lower specs
    Switch to the free, safe, secure & awesome OS:
    It's the world's most popular free OS. It has free upgrades & security updates. It has a free office suite, LibreOffice, that comes standard along with other great apps/programs.
    For those who like the Windows look, I would recommend: & for older computer with lower specs or
    Or try Linux Mint:
    Because the Linux option is free & now so easy (user friendly), one must give it a try. You have so much to gain.
    Lots of people give their time, effort & money to make these great products that they just give the world for free. So they may not have the huge ad budgets & would need users like us to spread the word. Although it's free, you are welcome to donate if you like the software.

    For those worried about Office 2003 support ending try LibreOffice or OpenOffice.
    Time to check out the free, safe, secure & feature-packed LibreOffice. It's truly multi-platform & takes just a few minutes & clicks to install.

    Try it now you have so much to gain:

    Thunderbird is excellent as well.

    I feel most people should find it great. All they need to do is try it out 1st in a LiveDVD or LiveUSB.
    • If that was true, why are you cutting and pasting the same post

      over and over?

      Could it be that you found many have tried your suggestions, and found them seriously lacking? I find myself agreeing with you on that.

      Do you get a sales commission?
    • Neither LibreOffice nor OpenOffice can replace MS Office

      You can always tell the posters who have never used certain features in MS Office or else they would never suggest that LibreOffice or OpenOffice could replace them.

      For example anyone who has ever used and depends on the Track Changes in MS Word, knows that the other offices don't even come close.
      • I don't think so...

        LibreOffice or OpenOffice (Apache) are good, and free, alternatives to MS Office for +90% of users!
  • How about step 1. Find a Windows 7 machine

    If you don't want to jump to Windows 8, get a machine that still has Windows 7 or, like the nerd (no offense man) mentioned above, get on Linux. You're basically telling people to just cripple Windows XP with no function to anything, just a stand-alone desktop with no internet or email. This may work in the corporate office but not in the consumer world.
  • Use Windows Steady State

    I simply do not understand why everyone who has an XP computer does not have Windows Steady State installed on it already.

    All you have to do to get rid of malware is to restart the computer and it is restored to the clean state it was in before.

    When Microsoft stopped supporting this tool when Vista came out, I cursed them and I curse them to this day for making obsolete one of the best tools ever, since now I am back to cleaning up malware off friends' and families' computers.
    • HorizonDataSys Reboot Restore Rx

      is a free (as well as supported via their forum) Microsoft Steady State replacement. Unlike Steady State, Reboot Restore Rx provides MBR protection.
      Rabid Howler Monkey
  • The best thing is

    The best thing is to recycle your Pentium 4 PC and get a modern Windows 7 or 8 computer.
    Pollo Pazzo
  • Step 11

    Wear a burkha.

    Seriously, if you did all the steps in this article, you'd not be able to use your PC.
  • This is a very well thought-out list of mitigation strategies

    Sadly, few of the Windows XP die-hards out there who haven't already implemented any of these are going to do so.
    M Wagner
  • Windows XP support end...

    Step 11: Put the computer in a box and bury it as deep as possible.
  • So now what? Advice for the REST of us.

    This may be good advice for small to mid-sized companies, but what about the single-family home user? How are they to "eliminate these vectors" when many are using XP on older systems with wireless routers for internet access to email, Amazon shopping, or even searching online job boards for a new career? It's tough enough to keep connections paid, much less buying all new devices for everyone just because investors want a greater ROI. I certainly agree that using a non-Microsoft product is a viable option, and advisable, but guess what? Hackers, thieves and foreign leaders read these articles as well and adjust their strategies even faster than the average Western user.