To those planning to keep running the Windows XP operating system even after Microsoft ends support next year, the advice is simple: Don't do it.
But despite the chorus of warnings, there are fallback measures for diehard XP users, who could still constitute as many as 40 percent of businesses. One in five of the organisations currently using the OS intend to stick with it after the 8 April 2014 end-of-life deadline for support, according to research from software consultancy Camwood.
Ovum principal analyst Roy Illsley said the critical thing for organisations who found themselves dependent on the OS on the wrong side of the deadline was to look at where XP was positioned in terms of access to the internet and the outside world.
"Because the one big thing you're not going to get is any more security updates for XP. You can hide it behind firewalls and everything else but if somebody spots an opportunity and a flaw in the XP operating system and writes something that gets into you — most of that will come in through the internet and emails," Illsley said.
"Antivirus will help but the real issue with an unsupported OS is once someone spots a flaw, that's a weakness you're not going to have fixed unless you pay Microsoft a shed-load of money, and nobody's going to do that.
"If you've got a particular application that's got to run on XP, then it's how to ring-fence that device so that if it gets infected, it's not going to spread out to any others. Because that's the critical one."
Isolate the XP operating system
That approach of isolating the operating system is being adopted by Graeme Hackland, CIO at Lotus F1, who is confining the remaining role of XP at the Formula One racing team to specific, offline tasks.
"We will still be running XP beyond the end-of-life date mostly in labs and we've narrowed the purpose of that machine down to, 'It runs a jig' or 'It runs one thing'," Hackland told a recent roundtable.
But the trouble is many of those organisations sticking with Windows XP are not planning to be so circumspect, according to Paul Veitch, director, application development at services firm Avanade UK.
"The problem that we see is that people are still going to run their business on [Windows XP]. It's not point problems; it's their entire business," Veitch said.
"Key for those organisations is that at the end of life you won't have support from Microsoft or if you choose to go into extended support then you'll be paying larger and larger fees," he said.
"Clearly, that helps create a business case [for migrating] but you're putting at risk your IT organisation, your desktop and your end users by not having a supported operating system from Microsoft."
Microsoft's withdrawal of support
Becausewas at the heart of the issue, Ovum's Roy Illsley said organisations must face up to the risks and focus on how this problem will be addressed.
"You've got to look at support for the operating system. Do I need support? Is it stable? Do I need constant calls to Microsoft — have I had that over the 10 years I've been running it? Probably not. But if you've got an old OS, how do you make sure it's safe, it's secure and still operating successfully," he said.
"It's recognising how much of a risk it poses and minimising that as much as possible. If it's an application that's on the network that everybody uses, then that is a really big risk if you're not going to move that off XP."
As well as assessing the risk posed by the operating system itself, organisations also need to examine the apps that are running on it.
"If you're running an application that's that old, have you got the code? Have you got the escrow for the code? How can you make sure that the app still works? The operating system may not be anything significant to you. Actually, that may be the least of your concerns because the application might be completely and utterly at risk and unsupportable."
According to Illsley, organisations deliberately or reluctantly running legacy XP after the end-of-support date should think about the issue in three distinct stages.
"It's a case of ring-fence it — make sure it's secure, it's in a play area, a sandbox of some sort — then evaluate the risk and formulate a plan to move off it," Illsley said.
"You've got to have a backup plan even if that's a case of running it in a cloud service. Give it to someone else to run isolated, so that it's away from you. If there's any infection, it's not going to come back onto you because all you're doing is you're logging on to a browser to access it."
Illsley said organisations might even be able to move Windows XP by putting it in a virtual container.
"AppZero do server app migration between Windows server OSes. They don't do it on the desktop but some technology like that might be a way of containerising and packaging up the app so that it can run in Windows 7 but as an XP virtual machine," he said.
"There are always ways around it. It depends on how much money you want to spend, how important it is to the organisation and what risk it poses. Those are the three things that you just have to juggle and balance up."