Windows XP support end: 10 steps to cut security risks

Microsoft may have ended support for Windows XP, but those left clinging to the aged operating system still have some ways of managing the risks.
Written by Toby Wolpe, Contributor

With the demise of Microsoft support for Windows XP, those sticking with the 12-year-old OS undeniably face risks. The question is whether the risks are tolerable and manageable.

In most cases, Windows XP can still be used while firms try to complete migrations with the risk cut to an acceptable level, according to analyst firm Gartner — and without having to pay for costly Microsoft Custom Support.

"While doing nothing is an option, we do not believe that most organisations — or their auditors — will find this level of risk acceptable," vice president and Gartner fellow Neil MacDonald said in a report, Best practices for secure use of XP after support ends.

Between 20 percent and 25 percent of enterprise systems are still running XP, and one-third of organisations continue to use it on more than 10 percent of their machines, Gartner estimates.

For those still using the venerable OS after the end of routine Microsoft updates and security patches, MacDonald has come up with 10 best practices to minimise the risks.

Step 1: Restrict connectivity

Because the network is a prime route for attacks on vulnerable systems, minimising connectivity with other systems makes it easier to protect XP machines. Consequently, disconnecting XP devices entirely from the network is the best option.

But if access to specific applications is what's delaying a migration away from XP, MacDonald suggests a kiosk model, with users going to a centrally located departmental machine.

If you can't disconnect XP systems completely, the next step would be to block internet connections and limit communications to specific internal systems through a network- or host-based firewall.

Even with restricted internal access, isolate XP devices from other endpoint systems using virtual LANs or firewalls.

Step 2: Restrict apps

Lock down XP machines so they can't execute arbitrary code. This measure can be achieved through dedicated software, a host-based intrusion-prevention system, or Microsoft's Group Policy object (GPO)-based software restriction policies.

MacDonald says with the end of XP support, it's essential to allow only known-good apps to run.

Memory also needs to be protected by activating XP's Data Execution Prevention (DEP), with additional protection coming from Microsoft's Enhanced Mitigation Experience Toolkit, or EMET.

Step 3: Remove admin rights

Removing administrative rights is a mandatory measure for all users remaining on XP machines, because 90 percent of malware runs in the context of the logged-in user.

Step 4: Bar browsing and email

Since most attacks come via email and the web, it makes sense to eliminate these vectors on XP devices. An up-to-date server-based system can instead provide these capabilities — for example, a remote desktop service or hosted virtual desktop server.

Step 5: Update software

XP may be out of support but other software running on the machines may not be and should be kept updated to minimise weaknesses.

Antivirus, firewalls, software distribution clients, and browsers should all be kept up to date, along with Java, Adobe, Office and other common infrastructure apps.

Step 6: Disable ports and drives

By disabling USB ports and CD and DVD drives, you are removing another route for the introduction of arbitrary executable code.

It's also possible to employ third-party tools to configure ports for write access only.
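As an added example (not code from the article or from Gartner's report), the following cmd script applies the locally configurable parts of steps 1, 2, 3 and 6 to an XP SP3 host; the application-server address 10.0.0.5, the user CORP\alice and the GUIDs naming the software restriction rules are assumed placeholders.

```batch
@echo off
rem Added example; not code from the article or from Gartner's report.
rem Locks down a Windows XP SP3 host along the lines of steps 1, 2, 3 and 6.
rem Run from an administrative cmd prompt. Assumed values: 10.0.0.5 is the one
rem internal application server the host may talk to, CORP\alice is the user
rem losing local admin rights, and the GUIDs naming the SRP rules are arbitrary.

rem --- Step 1: restrict connectivity. The XP firewall filters inbound traffic
rem only, so blocking internet-bound traffic still needs the network firewall
rem or VLAN isolation the article describes.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL
netsh firewall set service type=ALL mode=DISABLE profile=ALL
netsh firewall set icmpsetting type=ALL mode=DISABLE profile=ALL
netsh firewall add portopening protocol=TCP port=445 name="SMB-appserver" mode=ENABLE scope=CUSTOM addresses=10.0.0.5 profile=ALL
netsh firewall set logging filelocation=%windir%\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE

rem --- Step 2: restrict apps. Software Restriction Policy with a default level
rem of Disallowed (0); only the %WINDIR% and %PROGRAMFILES% trees may run
rem (level 262144 = Unrestricted). Applies at next logon; test before rollout.
set SAFER=HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
reg add %SAFER% /v DefaultLevel /t REG_DWORD /d 0 /f
reg add %SAFER% /v TransparentEnabled /t REG_DWORD /d 1 /f
reg add %SAFER% /v PolicyScope /t REG_DWORD /d 0 /f
reg add %SAFER% /v ExecutableTypes /t REG_MULTI_SZ /d "ADE\0ADP\0BAS\0BAT\0CHM\0CMD\0COM\0CPL\0CRT\0EXE\0HLP\0HTA\0INF\0INS\0ISP\0LNK\0MDB\0MDE\0MSC\0MSI\0MSP\0MST\0OCX\0PCD\0PIF\0REG\0SCR\0SHS\0URL\0VB\0WSC" /f
set WINRULE=%SAFER%\262144\Paths\{7f1c0000-0000-0000-0000-000000000001}
set PFRULE=%SAFER%\262144\Paths\{7f1c0000-0000-0000-0000-000000000002}
reg add "%WINRULE%" /v ItemData /t REG_EXPAND_SZ /d "%%WINDIR%%" /f
reg add "%WINRULE%" /v SaferFlags /t REG_DWORD /d 0 /f
reg add "%PFRULE%" /v ItemData /t REG_EXPAND_SZ /d "%%PROGRAMFILES%%" /f
reg add "%PFRULE%" /v SaferFlags /t REG_DWORD /d 0 /f
rem Data Execution Prevention for every process except explicit opt-outs
rem (AlwaysOn is stricter). This rewrites the load options of boot entry 1,
rem so check "bootcfg /query" first. EMET is a separate install on top of this.
bootcfg /raw "/fastdetect /noexecute=OptOut" /id 1

rem --- Step 3: remove local admin rights from the interactive user.
net localgroup Administrators CORP\alice /delete

rem --- Step 6: disable USB storage and optical drives (Start=4 = disabled).
reg add HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR /v Start /t REG_DWORD /d 4 /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\Cdrom /v Start /t REG_DWORD /d 4 /f
rem Alternative to a full USB block: keep removable storage mounted read-only.
reg add HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies /v WriteProtect /t REG_DWORD /d 1 /f
echo Lockdown applied; reboot to load the new driver and boot settings.
```

The firewall log at %windir%\pfirewall.log then records dropped inbound packets, which gives the monitoring in step 8 something concrete to review.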

Step 7: Shield XP

A network- or host-based intrusion-prevention system can help protect XP machines. It's worth confirming with your network or host-based IPS supplier that it will continue to research XP vulnerabilities and attacks, and to provide filters and rules to block them.

Step 8: Monitor XP, Microsoft and threats

As well as monitoring XP systems for signs of compromise, organisations still running the OS should keep a close eye on Microsoft.

Although the company won't disclose new vulnerabilities against XP to those who haven't paid for Custom Support, it may release information about critical vulnerabilities to, say, Windows Server 2003, which could affect XP.

It's also worth checking community chat boards and threat intelligence feeds, as independent sources of information.

Step 9: Plan for an XP breach

Those still running XP systems need to have a plan for isolating the machines in question in the event of an attack, as well as ways to restore them to a known-good state.

It's also important to understand the cause of the problem to prevent a recurrence, and to have a backup plan to move users to supported systems rapidly in a catastrophe.

Step 10: Study costs

A cost-benefit analysis could show whether the cost of the measures involved in staying with XP temporarily might actually end up outstripping that of a more rapid migration.
