IT Administrator guide to Windows XP end of life risks and solutions

There is a lot of talk about the end of Windows XP support causing a major internet security disaster. For that reason, everybody is urged either to pay Microsoft millions for extended support or to move to a supported operating system, namely Windows 7 or Windows 8.

What are we talking about?

The end of life of XP means that Microsoft will no longer publish Windows XP updates to the general public. Corporations and governments that wish to continue receiving updates have to pay Microsoft for extended support.

Having no more security updates means that Windows XP is no longer considered a suitable OS for conducting business, and Microsoft would like you to pay either for an upgrade or for extended support.

The Windows XP update and activation services will still be available. It means you will still be able to install and patch systems up to the latest public update (April 2014).

What are the risks?

[Image: nuclear mushroom cloud. Caption: Windows XP end of life, according to most media.]

  • Hackers may have stockpiled exploits in anticipation of the end of life. They can be sure these exploits won't be patched and can be used freely.
  • Reverse-engineering of the XP patches. If hackers can get their hands on the paid security updates, they will be able to identify vulnerabilities.
  • Reverse-engineering of the Windows 7 and Windows 8 updates may give away vulnerabilities in Windows XP. Because some code is shared among these versions, reverse-engineering their security updates can reveal vulnerabilities in Windows XP.

The China syndrome

China is interesting because it's probably the place with the most computers at risk and where IT practices are mostly bad.

It is estimated that 55% of the computers in China still run Windows XP. Windows XP is popular mainly because it has been massively hacked, and bad practices dramatically increase the vulnerability of Windows XP in China:

  • Hacked versions don't come with Windows Update. It seems updates are seen as an annoyance most of the time and are disabled anyway.
  • It is quite common to surf the internet using PPPoE directly from the computer, without using a router. Even though Windows Firewall has been enabled by default since SP2, it is a great risk to expose a computer to the internet without the protection offered by NAT. These computers can be discovered by scans and exploited for what they have. And there is a long list to choose from, knowing that they are mostly unpatched.
  • Lack of understanding of the risks:
    • Disable the Firewall instead of actually configuring it
    • Disable the updates if they force you to restart
    • Download/install anything
    • Rely mostly on cracked software, which often contains malware

These computers are certainly already infected and actively exploited, so the end of new updates should not make any difference.

Is Windows XP broken now?

Windows XP is a very mature operating system given the years it's been around, and its low resource usage can make it attractive for recycling old hardware. The end of updates won't change the quality of the operating system; the only change is that there is more pressure on users and IT staff to ensure responsible usage by users. I bet that these systems will still be around for years, especially in embedded applications such as ATMs.


Remember that most of the breaches that happened last year were made possible by flaws in applications running on top of the operating system, not in the operating system itself. The top 3 were:

  1. Java web plugin
  2. Adobe Flash
  3. Adobe Acrobat Reader

How to safely use Windows XP?

The key is to follow the best practices, now with a little more pressure than before the end of life.

Educate your users about the dangers and the importance of responsible behavior, because if Windows XP is going to go BOOM it will certainly be a user pressing the detonator.

Most problems will happen when a user surfs to an infected website, which can be any site, even YouTube, or opens an infected email attachment, downloads a PDF, plugs in a personal USB key, etc. So your job will be to discipline users, just a little more than usual.

As an IT Administrator, do:

  • Use SP3 with the latest patches applied (April 2014)
  • Use a router (NAT), if you need internet access. Yes, it seems it’s not obvious to everyone
  • Do not disable Windows Firewall. Do I really need to explain why?
  • Make sure users are Standard (unprivileged) Users. 92% of Microsoft's 147 critical vulnerabilities in 2013 were mitigated by removing administrator rights
  • Use administrator rights only when needed
  • Make IE unavailable. It opens up too many possibilities for attack when surfing the net. Replace it with a modern browser with automatic updates. Chrome and Firefox will continue to support XP for some time.
  • Enable "Click to play". It is not a big burden and effectively protects against some plugin exploits, such as those targeting Adobe Flash and Oracle Java. For hardened security you can completely disable all plugins and also block JavaScript.
  • Disable Java browser plugin. It has been proven that the browser plugin is just not possible to make safe and it is rarely required. Note that there is nothing wrong with using trusted Java desktop apps.
  • Disable JavaScript in Adobe Acrobat Reader. Note that it can be a good idea to use an alternative reader such as Nitro Reader, also disabling support for JavaScript.
  • Educate your users about the dangers and the importance of responsible behavior, because if Windows XP is going to go BOOM it will certainly be a user pressing the detonator.
  • Keep Microsoft Office up to date. Microsoft Office 2003 has been retired, and it would not be wise, for example, to exchange Office files with customers using the Windows XP/Office 2003 duo
  • For devices like POS terminals, unplugging, disabling or gluing accessible USB ports can be a good idea

Note that most of these recommendations are also valid for Windows 7 and Windows 8. I just think it is worth going an extra step, as we don't know what lies ahead in the future of XP.
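An added example (not from the original post): a small Python checker for three items of the list above (SP3, Windows Firewall left enabled, standard-user accounts), run over command output collected from an XP machine. The sample output is constructed, an English-locale system is assumed, the function names and the daily_users parameter are hypothetical, and only the standard firewall profile is checked.

```python
import re

# Constructed sample output (English-locale XP host), as captured from:
#   reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CSDVersion
#   reg query "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall
#   net localgroup Administrators
SAMPLE_CSD = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    CSDVersion    REG_SZ    Service Pack 3
"""
SAMPLE_FW = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    EnableFirewall    REG_DWORD    0x0
"""
SAMPLE_ADMINS = r"""Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
OFFICE\alice
The command completed successfully.
"""

def reg_value(output, name):
    """Data of registry value `name` in `reg query` output, or None if absent."""
    m = re.search(r"^\s*%s\s+REG_\w+\s+(.*?)\s*$" % re.escape(name), output, re.M)
    return m.group(1) if m else None

def admin_members(output):
    """Account names listed below the dashed rule, domain prefix stripped."""
    parts = re.split(r"^-{5,}\s*$", output, flags=re.M)
    lines = parts[1].splitlines() if len(parts) > 1 else []
    return [l.strip().split("\\")[-1].lower() for l in lines
            if l.strip() and not l.startswith("The command")]

def audit(csd_out, fw_out, admins_out, daily_users):
    """Return findings against the SP3, firewall and standard-user items."""
    findings = []
    if reg_value(csd_out, "CSDVersion") != "Service Pack 3":
        findings.append("not on SP3")
    fw = reg_value(fw_out, "EnableFirewall")
    if fw is None or int(fw, 16) != 1:      # missing value is reported too
        findings.append("Windows Firewall disabled")
    members = admin_members(admins_out)
    findings += ["administrator rights: " + u for u in daily_users
                 if u.lower() in members]
    return findings
```

Calling `audit(SAMPLE_CSD, SAMPLE_FW, SAMPLE_ADMINS, ["alice", "bob"])` on the constructed sample reports the disabled firewall and the administrator rights held by alice.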

You should consider replacing Windows XP quickly when:

  • There is frequent web-surfing involved
  • Frequent software installation is required. That would be for developers most of the time
  • There is a need to use USB storage devices
  • Receiving files from external sources (Office files from clients)
  • Untrusted parties are accessing the computers

Unfortunately, this may match a lot of computers.

Virtual Machines

If you are stuck with XP for specific software that will not run on anything other than Windows XP, you can consider running it in a virtual machine, possibly with no network access. It will be perfectly safe to use!

Conclusion

It is quite unlikely that a terrible flaw in the OS itself will compromise all XP machines. However, it is more likely that there will be an increase in the search for flaws in software running on top of XP.

The XPocalypse may or may not happen, but either way it's a good occasion to review all the best practices!

 
