Windows XP Retirement: 10 Essential Security Tips

Upgrade Or Rip And Replace Your Windows XP Systems

On April 8, 2014, Windows XP SP3 and Office 2003 will be retired by Microsoft, and the software giant is urging businesses to migrate to a more modern version of its operating system.

The good news is that most firms have already migrated endpoint systems. A survey of IT professionals conducted by Austin, Texas-based Spiceworks in December found that 76 percent of IT professionals run Windows XP on some devices. Most firms, however, have successfully migrated to Windows 7, with 96 percent of those surveyed indicating that endpoint systems run the newer operating system. Another 42 percent said they manage PCs running Windows 8 or 8.1.

The bad news is that it could take more than two years for some firms to migrate off Windows XP. If your company still has critical systems running Windows XP, here's what you need to know from a security perspective.

Check Embedded Systems

Solution providers that work with embedded systems, such as ATMs and point-of-sale terminals, should be checking in with longtime clients and upgrading systems. Gilson Marcos, a master technician at BostonPOS, a firm that specializes in point-of-sale software, said his company has long been upgrading merchants based on their service level agreements. The potential exists for smaller merchants to unknowingly continue using outdated and poorly maintained equipment, Marcos said. The good news is that most banks and payment processors monitor their customer base to address problems, he said.

Microsoft Security Essentials

Microsoft said it would continue to support Microsoft Security Essentials (MSE), its antivirus software on Windows XP systems, through July 14, 2015. Enterprise users will get updates for System Center Endpoint Protection, Forefront Client Security and Endpoint Protection, and Windows Intune running on XP, Microsoft said.

The retiring operating system also will be supported by a variety of other freely available antivirus programs. Avast, Avira, AVG, Bitdefender and Comodo indicate that they will continue to push updates to their suites on Windows XP systems. The programs will help defend against attacks targeting the browser, its components and other applications, but it's unlikely that antivirus will detect attacks that target vulnerabilities in the operating system itself.

Malicious Software Removal Tool

Microsoft will continue to support the Malicious Software Removal Tool as part of its extension of MSE through 2015. The antimalware utility checks Windows XP systems for infections and can help administrators remove malware.

Microsoft is constantly adding detection and removal capabilities for Trojans, including back doors and other nefarious programs that can be tricky to manually remove. The tool also supports the detection of older, Windows-based worms that are still frequently seen in broad attacks.

Key Security Features Lacking In Windows XP

Windows XP supports Data Execution Prevention (DEP), a feature that attempts to stop exploits from executing code in memory, but attackers increasingly bypass DEP when it is the only mitigation in place.

The Enhanced Mitigation Experience Toolkit still will be supported past the April end-of-life. It can turn on additional security features that aren't supported natively in Microsoft applications running on Windows XP. Microsoft introduced other security features beginning with Windows Vista and carried them forward to Windows 7 and Windows 8 systems. Address Space Layout Randomization (ASLR) makes it difficult to carry out memory-based attacks. Structured Exception Handler Overwrite Protection (SEHOP) also makes it more difficult for an attacker to execute code using common techniques.

Enhanced Mitigation Experience Toolkit

For organizations that can't shed Windows XP because of a business-critical application, a tool is available to make attacking Windows XP significantly more difficult for an external hacker. The Enhanced Mitigation Experience Toolkit can be enabled to help prevent exploits of memory corruption vulnerabilities from executing on the system. The tool may be too complicated to deploy and maintain on dozens of PCs, but on fewer systems it would be manageable, say solution providers.

Windows XP Activation Still Possible

For holders of Windows XP licenses who haven't yet registered the license with the vendor, Microsoft will continue to maintain its activation server for Windows XP after the April 8 retirement date. The company also will keep previous patches and security updates available to newly activated Windows XP systems.

The automatic license validation feature can be helpful to valid license holders who want to wipe and reimage their machines with a fresh install. While the activation servers remain active, all phone and technical assistance will end.

No New Patches

Once it ends support on April 8, Microsoft theoretically will not be issuing any patches for the operating system, leaving the potential for open vulnerabilities. The only time an exception might be made is if a quickly spreading attack had the potential to cause serious problems, say security experts.

Officially, don't count on any new security updates. New security updates, nonsecurity hotfixes, free or paid assisted support options, and online technical content updates will all come to an end, said Tim Rains, director of product management in Microsoft's Trustworthy Computing group. "Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP essentially will have a 'zero day' vulnerability forever," Rains said.

Custom Support Available But Costly

Solution providers told CRN that custom third-party support would be available to enterprises that need it, but it will be costly, they said. Most firms will find it easier to upgrade custom applications to run on newer systems, said John Oetinger, of Missoula, Mont.-based solution provider Corporate Technology Group. In a recent interview, Oetinger told CRN that less than 40 percent of his clients are still running Windows XP. Most companies are long into the upgrade process, he said.

Microsoft also provides some of its largest customers with a custom support policy for retired operating systems. Critical patches for Windows XP would be produced for custom support holders.

Isolating Windows XP From Internet Still Risky

Microsoft recently sent a memo to partners urging them to tell clients that segmenting Windows XP systems off from the Internet would not fully mitigate the risk of attacks. The platform can be targeted by an attacker in a multistage intrusion: if the isolated PC is still connected to systems internally, it can be used as a stepping stone to pivot to more sensitive areas of a corporate network, say security experts.
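The article's dates (XP retirement on April 8, 2014; MSE and System Center Endpoint Protection updates on XP through July 14, 2015) and its warning that an Internet-isolated XP host remains a pivot point can be turned into a simple inventory triage. The script below is an added example, not code from CRN, Microsoft or any vendor named here; the inventory format, the host records and the scoring weights are constructed assumptions for illustration.

```python
"""Triage a host inventory for remaining Windows XP exposure.

Dates come from the article; everything else (CSV layout, sample hosts,
scoring weights) is assumed for this example.
"""
from dataclasses import dataclass
from datetime import date

XP_RETIREMENT = date(2014, 4, 8)       # end of OS security patches
XP_AV_SUPPORT_END = date(2015, 7, 14)  # end of MSE / SCEP updates on XP
PAYMENT_ROLES = {"point-of-sale", "atm", "kiosk"}  # assumed role labels

# Constructed sample inventory: hostname,os,role,internet_reachable,internal_links
SAMPLE_INVENTORY = """\
pos-01,Windows XP SP3,point-of-sale,no,yes
atm-07,Windows XP Embedded,atm,no,yes
ws-112,Windows 7 SP1,workstation,yes,yes
lab-xp,Windows XP SP3,lab,no,no
srv-app,Windows Server 2008 R2,application,yes,yes
kiosk-3,Windows XP SP2,kiosk,yes,yes
"""


@dataclass
class Host:
    name: str
    os: str
    role: str
    internet_reachable: bool
    internal_links: bool


def parse_inventory(text):
    """Parse the assumed five-column CSV layout; blank and '#' lines are skipped."""
    hosts = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(parts)}")
        name, os_name, role, inet, links = parts
        hosts.append(Host(name, os_name, role,
                          inet.lower() == "yes", links.lower() == "yes"))
    return hosts


def is_xp(host):
    return host.os.lower().startswith("windows xp")


def triage(hosts, today):
    """Return a list of (score, hostname, findings) for XP hosts, highest score first."""
    results = []
    for h in hosts:
        if not is_xp(h):
            continue
        score, notes = 0, []
        if today >= XP_RETIREMENT:
            notes.append("no further OS security patches (retired 2014-04-08)")
            score += 2
        if today >= XP_AV_SUPPORT_END:
            notes.append("MSE/SCEP signature updates ended 2015-07-14")
            score += 1
        if h.internet_reachable:
            notes.append("reachable from the Internet: highest exposure")
            score += 3
        elif h.internal_links:
            # The article's point: isolation from the Internet alone is not enough.
            notes.append("not Internet-facing, but usable as a pivot over internal links")
            score += 1
        if h.role in PAYMENT_ROLES:
            notes.append("payment/embedded role: confirm vendor upgrade path under the SLA")
            score += 1
        results.append((score, h.name, notes))
    results.sort(key=lambda r: (-r[0], r[1]))  # urgency first, then name
    return results


def run_example(today_iso="2014-06-01"):
    """Convenience wrapper: triage the constructed inventory as of an ISO date."""
    return triage(parse_inventory(SAMPLE_INVENTORY), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for score, name, notes in run_example():
        print(f"[{score}] {name}")
        for n in notes:
            print(f"      - {n}")
```

Run as-is, the report ranks the Internet-reachable kiosk first, the two payment terminals next (isolated from the Internet but still linked internally), and the fully isolated lab box last; re-running with a date after July 2015 raises every XP host's score by one because signature updates have also ended.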

Use Windows XP In Virtual Environment

Windows XP can run in a virtual environment on a Windows 7 PC, enabling the client to get the added benefit of using a more modern operating system. This may be an option for some firms that have custom software that won't run properly on Windows 7 or above.

IT administrators also can add whitelisting software to prevent unapproved code from executing on Windows XP systems, say some experts. Modern whitelisting sold by Bit9 and other vendors provides active monitoring of applications and systems, and can support physical or virtual workstations and servers. End users will be affected when only mission-critical applications are authorized on XP systems, but the environment will be locked down to the point where executing unapproved code becomes much more difficult.