Managing Windows XP After Extended Support Ends
On Apr. 8, 2014, Windows XP, Office 2003, and several other Microsoft enterprise software products still deployed by many organizations leave Extended support. This means that as of this date, Microsoft will no longer fix any problems found in these products, including security vulnerabilities. The riskiest of these products to continue to run without support is Windows XP. Therefore, customers who have not yet migrated away from Windows XP need to either have custom support contracts in place or take immediate steps to mitigate the risk of running these products past the end of Extended support.
Migration Away from Windows XP Recommended
The easiest way to remediate the risk posed by Windows XP is to migrate away from the OS, but for many, that will not be an option for some time. Migration away from Windows XP should re-emphasize to organizations that software, even if perpetually licensed, is not perpetually supported. All software has an expiration date.
Customers should clearly understand that Microsoft will no longer be providing security updates for newly discovered vulnerabilities in Windows XP. This includes all versions of Internet Explorer (IE) running on XP, which Microsoft considers to be an integral part of the Windows OS, including IE6, IE7, and IE8. Windows XP and available versions of IE continued to receive security hotfixes over the last year of Extended support, indicating that there are likely vulnerabilities yet to be discovered. Therefore, organizations choosing to continue to use Windows XP in production should assume there will be future exploits of the OS and its integrated browser, which could leave systems running Windows XP at significantly higher risk for exploitation than systems running current versions of Windows and IE.
Windows XP Embedded, like Windows Server 2003, has a longer time frame before Extended support concludes, since this version of the OS is typically embedded in devices and supported in conjunction with the manufacturer or OEM that embedded the OS in the device. Such companies would not use Windows as an embeddable OS without the longer support time-frame. (For a timeline of major products with Extended support ending during 2014 and 2015, see the chart "Products Leaving Extended Support in 2014 and 2015".)
Customers who have not completed their migration away from Windows XP should have a custom support contract with Microsoft in place to receive OS security updates, although a custom support agreement likely provides no guarantee that all vulnerabilities will be addressed.
Organizations should examine the roles of remaining Windows XP systems in their infrastructure and, if possible, consider how best to retire them in favor of a version of Windows that is eligible for Microsoft support at a level appropriate to the risk. Some currently supported versions of Windows are close to the end of Mainstream support, so organizations need to ensure they don't merely exchange one version of Windows at the end of Extended support for another already in Extended support or nearing the end of Mainstream support and thus find themselves in the same position in a few years.
Many organizations have Windows XP systems in place that are running applications that are difficult to move to more recent versions of Windows, due to software compatibility or business compliance requirements, the lack of a suitable replacement, or budgetary limitations. For example, an organization may not have a suitable migration path for the following applications running on Windows XP:
- Dental/medical practice management software
- ATM or point-of-service software
- Manufacturing system software
- Custom line-of-business software.
Depending on the size of their budget and the ISV that sold the application, organizations may have some degree of success pressuring the ISV to update its software to support a newer version of Windows or to assist them in migrating to a secure platform.
If an organization has software that requires Windows XP in order to run and cannot find, or will not pay for, a suitable replacement application, it may need to run Windows XP well past the date when Extended support ends.
Continuing with XP Requires Mitigating Risks
Since some organizations (and consumers) will inevitably need to run Windows XP past its expiration date, some measures should be taken to help reduce risks until it can be safely retired and the applications properly migrated.
Tightening the Software Perimeter
Any Windows XP system in production use should have at least Windows XP SP3 applied. Significant security enhancements were included in both SP2 and SP3, and not having them applied risks leaving a large opportunity for exploitation.
Microsoft has stated that signature updates for Microsoft Security Essentials running on Windows XP and downloads of the Microsoft Malicious Software Removal Tool for Windows XP will be discontinued on July 14, 2015. The installer for Security Essentials is not expected to be available for download after Windows XP leaves Extended support, so organizations with a continuing need to run Security Essentials on Windows XP should ensure they archive a copy of the installer. If they plan to use Windows XP systems after July 14, 2015, they should deploy third-party security software that continues to be supported for use with Windows XP.
Windows XP predates Address Space Layout Randomization (ASLR) and the other exploit mitigations introduced with Windows Vista and later; it gained Data Execution Prevention (DEP) with SP2, but not the later refinements. Organizations may therefore want to consider testing and deploying Microsoft's Enhanced Mitigation Experience Toolkit (EMET) 4.0, which hardens configured applications against some classes of exploit (its ASLR-based mitigations are not available on Windows XP, since the OS lacks the underlying support). However, EMET takes time to test and deploy, its application mitigations apply only to the programs it is configured for, and it does not provide the comprehensive attack surface reduction included in more modern versions of Windows.
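The following script is an added example, not code from the original report or from Microsoft. It audits the remaining Windows XP hosts from a management workstation for the SP3 baseline and an EMET install, then shows the EMET_Conf commands to run on the XP host itself. It assumes WMI and the Remote Registry service are reachable on each target, that the account running it is a local administrator there, that EMET 4.0 is installed in its default folder, and that the host names and the line-of-business application path are hypothetical.

```powershell
# Added example, not code from the original report. Audits the remaining
# Windows XP hosts for SP3 and an EMET install, then applies EMET on the host.
# Assumptions: WMI and Remote Registry reachable, local admin rights on each
# target, EMET 4.0 in its default folder; host names and app path are hypothetical.

$computers = @('XP-DENTAL01', 'XP-LINE01')   # hypothetical host names

$report = foreach ($c in $computers) {
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $c -ErrorAction Stop
    } catch {
        Write-Warning "$c : WMI unreachable ($($_.Exception.Message))"
        continue
    }

    # XP reports kernel version 5.1; XP x64 reports 5.2 with ProductType 1
    # (workstation), which distinguishes it from Windows Server 2003.
    $isXp = ($os.Version -like '5.1.*') -or (($os.Version -like '5.2.*') -and ($os.ProductType -eq 1))
    if (-not $isXp) {
        Write-Warning "$c : not Windows XP (version $($os.Version)), skipping"
        continue
    }

    # EMET 4.x keeps its local configuration under HKLM\SOFTWARE\Microsoft\EMET;
    # confirm the key name against a reference install before relying on it.
    $emetPresent = $false
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $c)
        $key  = $hklm.OpenSubKey('SOFTWARE\Microsoft\EMET')
        if ($key -ne $null) { $emetPresent = $true; $key.Close() }
        $hklm.Close()
    } catch {
        Write-Warning "$c : remote registry unavailable ($($_.Exception.Message))"
    }

    New-Object PSObject -Property @{
        Computer    = $c
        Version     = $os.Version
        ServicePack = [int]$os.ServicePackMajorVersion
        SP3Applied  = ([int]$os.ServicePackMajorVersion -ge 3)
        EMETPresent = $emetPresent
    }
}
$report | Format-Table Computer, Version, ServicePack, SP3Applied, EMETPresent -AutoSize

# On each XP host, once EMET 4.0 is installed, start from Microsoft's shipped
# "Recommended Software" profile (IE, Office, Java, Adobe Reader and other common
# targets), then add the line-of-business application that is keeping XP in
# service. Paths are the EMET 4.0 defaults; the application path is hypothetical.
$emetDir = 'C:\Program Files\EMET 4.0'
& "$emetDir\EMET_Conf.exe" --import "$emetDir\Deployment\Protection Profiles\Recommended Software.xml"
& "$emetDir\EMET_Conf.exe" --set 'C:\Program Files\PracticeMgmt\pm.exe'   # hypothetical LOB application
& "$emetDir\EMET_Conf.exe" --list
```

Run the audit before and after the EMET rollout so the report doubles as evidence for the custom support or risk-acceptance paperwork. When adding the line-of-business application, test it with the full mitigation set first: Export Address Filtering in particular can break older software, and EMET lets an individual mitigation be switched off for one application rather than abandoning EMET on that host.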
IE8, the last version of IE supported for use on Windows XP, also leaves Extended support at the same time, so organizations should also deploy third-party Web browsers, such as Google Chrome, Mozilla Firefox, or the Opera Web browser, which are all supported (for varying time frames) past Apr. 8, 2014. Some internal Web applications may still require IE6 to IE8, so third-party solutions such as those offered by Browsium, an ISV specializing in Web and Java application compatibility software, can help specify which Web sites or applications should specifically open IE and direct all others to specified third-party Web browsers.
Identify Software That Can Be Jettisoned
Early in its life, attackers predominantly targeted vulnerabilities in Windows XP itself. As the OS became more resistant to attack, vulnerabilities in other ubiquitous software packages (such as Adobe Acrobat Reader) became the persistent entry point for exploiting Windows: a malformed document or Web page exploits the add-on, and the resulting shellcode (a small payload that typically downloads and runs the attacker's larger toolkit) does the rest. After Apr. 8, these packages remain the likely entry point, and the OS beneath them will no longer receive fixes for the vulnerabilities such payloads go on to use.
The following should all be considered for removal from Windows XP systems if they are no longer needed for applications on the system:
- Java Runtime Environments (JREs), which run client-side Java code on the system; a PC may have multiple versions installed at different patch levels that were typically installed by third-party applications
- Adobe Acrobat Reader, which displays PDF documents
- Adobe Flash Player/Adobe AIR, which runs Adobe Flash content in the Web browser or on the desktop, respectively
- Any ActiveX controls no longer needed for IE.
All of the above items have a history of significant vulnerabilities and usually process content fetched from the Web to perform their roles. As a result, removing them reduces the attack surface available for exploitation on Windows XP systems.
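The following script is an added example, not code from the original report. It inventories the add-ons listed above on a Windows XP host, optionally removes the MSI-based ones, and applies a kill bit to ActiveX controls that are no longer needed. It runs locally under PowerShell 2.0 as an administrator; the CLSID in the final commented call is a hypothetical placeholder, and the product-name patterns are assumptions about how these packages appear in Add/Remove Programs.

```powershell
# Added example, not code from the original report. Inventories Java, Adobe
# Reader, Flash Player and AIR on an XP host, optionally removes the MSI-based
# ones, and kill-bits ActiveX controls by CLSID. Runs locally as administrator
# under PowerShell 2.0; the CLSID at the end is a hypothetical placeholder.
param([switch]$Remove)

# Product names as they typically appear in Add/Remove Programs (assumed patterns).
$patterns = 'Java\(TM\)|Java \d|Java SE|J2SE|Adobe Reader|Adobe Acrobat|Adobe Flash Player|Adobe AIR'

# Installed software is registered under the Uninstall key; XP here is 32-bit,
# so there is no Wow6432Node to check.
$uninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
$found = @()
foreach ($k in Get-ChildItem $uninstallKey) {
    $p = Get-ItemProperty $k.PSPath
    if (-not $p.DisplayName -or $p.DisplayName -notmatch $patterns) { continue }
    $code = $null
    if ($k.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$') { $code = $k.PSChildName }  # MSI product code
    $found += New-Object PSObject -Property @{
        Name = $p.DisplayName; Version = $p.DisplayVersion
        ProductCode = $code; Uninstall = $p.UninstallString
    }
}
$found | Format-Table Name, Version, ProductCode -AutoSize

if ($Remove) {
    foreach ($f in $found) {
        if ($f.ProductCode) {
            # Silent MSI removal with a verbose log per product; installers that
            # refuse to leave quietly show up in the log rather than in a dialog.
            $log = Join-Path $env:TEMP ('uninstall-{0}.log' -f $f.ProductCode)
            Start-Process -FilePath msiexec.exe -Wait `
                -ArgumentList ('/x {0} /qn /norestart /l*v "{1}"' -f $f.ProductCode, $log)
        } else {
            # Flash Player, for one, is not an MSI package: run its own uninstaller.
            Write-Warning ("No MSI product code for '{0}'; uninstall string: {1}" -f $f.Name, $f.Uninstall)
        }
    }
}

# ActiveX controls that IE downloaded are recorded by CLSID under the Code Store
# Database; listing them shows what has accumulated and where it came from.
$dist = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'
foreach ($u in (Get-ChildItem $dist -ErrorAction SilentlyContinue)) {
    $info = Get-ItemProperty (Join-Path $u.PSPath 'DownloadInformation') -ErrorAction SilentlyContinue
    Write-Output ('{0}  {1}' -f $u.PSChildName, $info.CODEBASE)
}

# Setting the kill bit (Compatibility Flags = 0x400) for a CLSID stops IE from
# instantiating that control even if its files stay on disk; this is the same
# mechanism Microsoft's own security bulletins use to retire unsafe controls.
function Set-ActiveXKillBit {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    $path = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value 0x400 -Type DWord
}
# Set-ActiveXKillBit '{00000000-0000-0000-0000-000000000000}'   # hypothetical CLSID from the list above
```

Run it first without -Remove and reconcile the list against the applications the system exists to run; a practice-management or manufacturing package may silently depend on a particular JRE. The kill bit is preferable to deleting control files by hand because it is reversible and survives a reinstall of the control by a Web page.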
Constrain the Network and Local Perimeter
In addition to software, organizations should consider how to constrain access to the Windows XP system itself, depending on whether users are logging on locally, over Remote Desktop, or with file shares. The following recommendations should help to limit the security risks of continuing to use Windows XP systems:
Personal systems. In addition to devices owned internally by the organization, some organizations may also want to audit or limit personally owned Windows XP systems used by employees to access the internal network, as the systems may present a security risk.
File shares. All network file shares available from the client that are no longer needed should be removed, and only network ports that are absolutely required to be open should remain open. All others should be blocked using a third-party firewall that is supported after Windows XP leaves Extended support (Windows Firewall will no longer receive updates).
Passwords and limited access. All users logging on to Windows XP systems should have strong password requirements enforced, have limited access to risky applications such as e-mail clients and Web browsers, and be educated on the risks of using this system.
Policy controls. Windows Group Policy or third-party software should be used to lock down access to unnecessary applications, and physical access controls might be warranted on some systems to limit the use of USB or optical storage media, which can offer an opportunity to exploit the system.
Isolation. To further isolate the system from risks, it may be worthwhile to consider limiting the systems that Windows XP can reach, either through limited access to Domain Name Servers (using either a specific hosts file or a restricted DNS server), limiting the applications that can access the Internet from Windows XP, or disconnecting the system from the Internet if at all possible. In addition, using a virtual local area network (VLAN) or third-party networking software to limit which systems can communicate with Windows XP systems could also help reduce the risk of leaving Windows XP systems on the network that cannot be retired or removed. For example, Unisys Stealth software enables configuration of which systems can see one another, without requiring configuration of a VLAN.
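The following script is an added example, not code from the original report. It applies the share, port and name-resolution measures described above to a single Windows XP host: it drops file shares that are not needed, lists listening TCP ports that the host firewall should block, and confines name resolution to a hosts-file allowlist. It runs locally under PowerShell 2.0 as an administrator. The approved port, host names and addresses are hypothetical; the Server service name, Win32_Share, Win32_NetworkAdapterConfiguration and netstat are stock XP features.

```powershell
# Added example, not code from the original report. Tightens one XP host's
# exposure: removes non-administrative shares, reports unapproved listening
# ports, and restricts name resolution to a hosts-file allowlist. Runs locally
# as administrator under PowerShell 2.0; port, names and addresses are hypothetical.

# 1. File shares. Built-in administrative shares (drive$, ADMIN$, IPC$) are kept;
#    everything else is treated as a leftover and removed. If no shares are needed
#    at all, disabling the Server service closes SMB serving entirely:
#    Set-Service LanmanServer -StartupType Disabled; Stop-Service LanmanServer
$keep = @('ADMIN$', 'IPC$')
Get-WmiObject -Class Win32_Share | ForEach-Object {
    if (($keep -contains $_.Name) -or ($_.Name -match '^[A-Za-z]\$$')) { return }
    Write-Output ('Removing share {0} ({1})' -f $_.Name, $_.Path)
    $_.Delete() | Out-Null
}

# 2. Listening ports. Anything listening that is not on the approved list is
#    reported with its owning process so it can be stopped or blocked at the
#    third-party host firewall.
$approvedPorts = @(3389)   # hypothetical: Remote Desktop for the support desk only
netstat -ano | ForEach-Object {
    if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
        $port   = [int]$matches[1]
        $procId = [int]$matches[2]
        if ($approvedPorts -notcontains $port) {
            $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
            $name = 'unknown'
            if ($proc) { $name = $proc.Name }
            Write-Warning ('TCP {0} is listening (PID {1}, {2}); stop the service or block the port' -f $port, $procId, $name)
        }
    }
}

# 3. Name resolution. With no DNS servers configured, only names in the hosts
#    file resolve, so the browser, updaters and malware alike can reach only the
#    listed hosts. A static IP configuration is assumed: on a DHCP lease the
#    adapter reverts to the DHCP-supplied DNS servers, and a domain-joined host
#    needs DNS for the domain, so use a restricted resolver there instead.
$allowed = @{
    'pm-server.corp.example'   = '10.20.30.40'   # hypothetical practice-management server
    'patch-relay.corp.example' = '10.20.30.41'   # hypothetical update staging host
}
$hostsFile = Join-Path $env:SystemRoot 'system32\drivers\etc\hosts'
Copy-Item $hostsFile "$hostsFile.bak" -Force
$entries = @('127.0.0.1 localhost')
foreach ($h in $allowed.GetEnumerator()) { $entries += ('{0} {1}' -f $h.Value, $h.Key) }
Set-Content -Path $hostsFile -Value $entries -Encoding ASCII
Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    $_.SetDNSServerSearchOrder($null) | Out-Null   # clear the static DNS server list
}
```

Keep the hosts file and the approved-port list under change control together with the firewall rules on the VLAN or segmentation product that fronts these systems; the host-side list is the fallback, not the primary control, since anything that gains administrator rights on the XP system can rewrite it.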
Virtualized access. Some organizations might consider moving Windows XP into a virtual desktop infrastructure (VDI), particularly if they are looking to isolate the Windows XP system on the network and limit the users and methods for connecting to it. Doing so does not make the eventual application migration any easier than migrating directly to a newer client OS version, but it could reduce risk by running the system in a more isolated environment until it can be migrated.
Windows XP Mode is a free download for computers running Windows 7 Professional, Enterprise, or Ultimate editions that allows the computer to run an included copy of Windows XP in a virtual machine. However, Windows XP Mode does not address the risk of continuing to run Windows XP, since it cannot isolate Windows XP virtual machines at the network layer or limit the software available to the OS, so it should not be considered a safe way to mitigate the risks of continuing to run Windows XP. Windows XP Mode also exits Extended support on Apr. 8, 2014, and Windows 8 does not include the Windows XP Mode feature or any mechanism to license Windows XP for use as a virtual machine running on Windows 8.
Organizations that plan to use VDI for ongoing access to Windows XP should understand how to license both the VDI and the devices that access it, as licensing a VDI for compliance can be complex.
Availability and Resources
The Windows lifecycle fact sheet is available from windows.microsoft.com/en-US/windows/products/lifecycle.
Microsoft Support Lifecycle Policy FAQ is available from support.microsoft.com/gp/lifepolicy.
Details on the Windows XP Embedded support lifecycle are available from blogs.msdn.com/b/windows-embedded/archive/2011/02/17/support-lifecycle-transitions-for-windows-xp-embedded.aspx.
Information about the Enhanced Mitigation Experience Toolkit (EMET) is available from blogs.technet.com/b/security/archive/2013/06/17/now-available-enhanced-mitigation-experience-toolkit-emet-version-4-0.aspx.
For information about products out of Extended support no longer receiving updates, see "Security Fixes Not Assured" on page 8 of the Oct. 2009 Update.
For information about Custom Support Agreements, see "Legacy Software Support Continues" on page 37 of the Nov. 2006 Update.