Government staff still running Windows XP at home should be denied access to corporate networks, according to the data security arm of UK surveillance agency GCHQ.
In newly issued guidance designed to cut risks for government organisations after Microsoft ends support on 8 April for the 12-year-old operating system, the CESG lists the removal of remote access from Windows XP devices among its recommended short-term measures.
Discussing short-term measures, the guidelines' authors say some remote access solutions include end-user device posture checks on incoming connections.
"It may be possible for those posture checks to enforce that no Windows XP devices can be used to remotely access corporate systems," they write.
"This will reduce the risk of the enterprise network being exposed to a compromised unpatched device. This control would only help protect the enterprise network from attack as it does not protect any data stored or cached on a Windows XP device."
The CESG goes on to say that where organisations expose some internal services to unmanaged end-user devices under BYOD arrangements, this control could also help ensure that users do not remotely access organisational information from devices known to be vulnerable.
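The posture check described above, worked through as an added example rather than anything from the CESG guidance or a VPN vendor's product: a remote-access gateway passes each incoming connection's posture report to a policy function that refuses Windows XP (and any device that cannot report a supported OS at all), while letting supported managed devices onto the enterprise network and supported unmanaged BYOD devices onto only the services exposed to them. The `Posture` fields, the `device_id` values, the User-Agent fallback for agentless BYOD devices and the sample reports are all this example's own assumptions.

```python
"""Remote-access posture check that denies Windows XP devices.

Added example; not CESG text or any gateway's real policy language. It assumes
the gateway supplies a per-connection posture report with the fields below
(an assumption of this example), and falls back to the browser User-Agent for
BYOD devices that run no posture agent.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Windows NT kernel versions whose product is out of support on 8 April 2014:
# 5.0 = Windows 2000 (support ended 2010), 5.1 = Windows XP.
# XP x64 Edition reports 5.2, which it shares with the still-supported
# Server 2003, so that case is matched on the product name instead.
DENIED_NT_VERSIONS = {(5, 0), (5, 1)}

_UA_NT = re.compile(r"Windows NT (\d+)\.(\d+)")


@dataclass(frozen=True)
class Posture:
    device_id: str                  # assumed gateway field names
    os_name: Optional[str]          # e.g. "Windows XP", "Windows 7"
    os_version: Optional[str]       # NT version string, e.g. "5.1.2600"
    managed: bool                   # True: enterprise build; False: BYOD
    user_agent: str = ""            # used only if no version was reported


@dataclass(frozen=True)
class Decision:
    allow: bool
    scope: str      # "enterprise", "byod-services" or "none"
    reason: str


def parse_nt_version(version: Optional[str], user_agent: str = "") -> Optional[Tuple[int, int]]:
    """Return (major, minor) from an NT version string, else from the
    User-Agent's 'Windows NT x.y' token, else None."""
    if version:
        m = re.match(r"(\d+)\.(\d+)", version)
        if m:
            return int(m.group(1)), int(m.group(2))
    m = _UA_NT.search(user_agent)
    if m:
        return int(m.group(1)), int(m.group(2))
    return None


def check_posture(p: Posture) -> Decision:
    """Fail closed: a device that cannot show a supported OS gets nothing."""
    nt = parse_nt_version(p.os_version, p.user_agent)
    if nt is None:
        return Decision(False, "none", f"{p.device_id}: OS version not reported")
    if nt in DENIED_NT_VERSIONS or (p.os_name and "Windows XP" in p.os_name):
        label = p.os_name or "Windows NT %d.%d" % nt
        return Decision(False, "none", f"{p.device_id}: unsupported OS {label}")
    if p.managed:
        return Decision(True, "enterprise", f"{p.device_id}: managed, supported OS")
    # BYOD: supported OS, but only the services deliberately exposed to it
    return Decision(True, "byod-services", f"{p.device_id}: unmanaged, supported OS")


# Constructed sample posture reports for this example.
SAMPLE_POSTURES: List[Posture] = [
    Posture("lap-001", "Windows 7", "6.1.7601", managed=True),
    Posture("lap-002", "Windows XP", "5.1.2600", managed=True),
    Posture("byod-01", None, None, managed=False,
            user_agent="Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0"),
    Posture("byod-02", None, None, managed=False,
            user_agent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0"),
    Posture("kiosk-9", "Windows XP Professional x64 Edition", "5.2.3790", managed=True),
    Posture("unk-3", None, None, managed=False),
]


def evaluate_all(postures: List[Posture] = SAMPLE_POSTURES) -> Dict[str, Decision]:
    """Run the check over every report; keyed by device id."""
    return {p.device_id: check_posture(p) for p in postures}


if __name__ == "__main__":
    for dev, d in evaluate_all().items():
        print(f"{dev:8} allow={str(d.allow):5} scope={d.scope:14} {d.reason}")
```

Two design points follow the guidance's own caveats. The check fails closed, so a device that reports no OS is treated like an XP device rather than waved through; and the `scope` value only governs what the network lets the device reach. As the CESG notes, nothing here protects data already stored or cached on the XP machine itself.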
Figures suggest Windows XP still accounts for between a quarter and a third of desktops worldwide, even though it was first released to manufacturers in August 2001 and went on sale on 25 October that year.
When extended support for Windows XP ends in eight weeks, Microsoft will issue no further software updates or security patches for the operating system.
As well as suggesting the removal of remote access from Windows XP devices, the CESG guidelines propose stopping remote workers from using any machines still running Windows XP to reach the network.
Divided into four main areas, the CESG guidance covers migrating away from obsolete software, short-term mitigations, mitigations to reduce the scope of a compromise, and mitigations to reduce its impact.
Measures include preventing access to untrusted services from XP machines or, where that's not possible, a reduction in the use of untrusted services in general. Also listed are preventing the use of removable media with XP devices, and converting Windows XP devices to thin clients.
Among the steps to reduce the impact of compromised XP machines, the guidelines suggest categorising the devices as unmanaged, to mark them out as less trusted on the network, along with the introduction of better monitoring and network zoning to cut the scope for malware to spread inside an organisation.
Although the guidance focuses on Windows XP, the authors say the principles apply to any software approaching the end of its support period.