Security after the Windows 7 end of life

An operating system written more than a decade ago is not modern software, and that’s how old Windows 7 is. The end for Windows 7 is nigh.

As is always the case with Microsoft end-of-life deadlines, the end will come on a Patch Tuesday: Jan. 14, 2020. On that day, Microsoft will issue the final security patches and updates to mainstream users of Win7 and all enterprises that are not on any of its enterprise tiers. This amounts to 27 percent of global usage. Given that the total user base of Windows PCs is estimated to be between 1.3 billion and 1.5 billion worldwide, an estimated 350 million to 400 million PCs may be affected.

Enterprise users can still pay top dollar for an Extended Security Update (ESU) program until 2023, but this will become increasingly expensive year by year (more on that below). In this article, we’ll guide you through what it takes to stay secure if you’re running a Windows 7 environment both short term (a few weeks or months) and—heaven forbid, and only if you have no alternative—beyond that.

No. 1: Make sure you really need to stay on Windows 7

If you’re still on Windows 7 because of some difficulty migrating, there still may be help for you: Microsoft offers a little-known service called FastTrack, giving companies dedicated migration support. If you’re eligible, the Desktop App Assure (DAA) team will help you fix compatibility issues with your own line-of-business apps, third-party apps, or even Office macros.

According to Microsoft, only a few hundred out of the 400,000 apps it checked were actually incompatible with Windows 10, so chances are that call to Microsoft’s DAA program could fix your upgrade woes. Of course, if a piece of hardware is preventing you from making the jump to Windows 10, this service won’t be of much use.

No. 2: Hop on Windows 7 Extended Security Update as soon as possible

Can’t upgrade yet? If you have the budget to spare, sign up for the Windows 7 ESU program immediately. As part of the Pro, E3, E5, and Windows Virtual Desktop (WVD) enterprise tiers, you’ll be supplied with security updates until 2023. Depending on your tier, you’re looking at a minimum of $25 for the first year per device going all the way up to $200 for the third year. The notable exception is WVD, for which fixes are free for three years (more on that below).

Tier Year 1 Year 2 Year 3
Windows Pro $50 $100 $200
Windows E3 $25 $50 $100
Windows E5 Free $50 $100
Windows Virtual Desktop Free Free Free

This will keep you covered and should give you plenty of time to fix any line-of-business application or hardware compatibility issues you have. While costly, it’s also the most hassle-free solution, as you can just keep on keeping on … for a while!

 

No. 3: Convert your Windows 7 PCs to virtual machines and move to the cloud

Microsoft Azure is another way out of the upcoming Windows 7 doom, but it’s probably the most laborious. Using the Azure Virtual Desktop (VD) service, you can move your physical (or virtual) Windows 7 machines to the cloud and let your staff connect remotely to the virtual instances while you’re transitioning to Windows 10. If the Azure VD pricing is within your budget, it’s worth considering. You’ll be getting all Windows 7 security updates for free for three years on top and your VMs will stay secured in the cloud while your physical PCs can be migrated to Windows 10. If you’re lucky and only one of your client applications is incompatible, you don’t even need to migrate your entire workforce to a virtual machine cluster in the cloud—only a few instances for your workers to run. As with solution No. 1, if the problem is hardware, such as a program that requires a dongle, a VM running in the cloud is no solution. At any rate, you’d need to convert your local desktops to VMs (Hyper-V) and run through some hoops to get them uploaded to the cloud:

  • Direct upload of VHDs: Once your clients are packaged and converted into virtual hard disks, you can manually upload them to Azure. Depending on your size, your admins need to think about automating the process, and you need to take bandwidth into consideration (just think of what uploading a few dozen 100 GB VHDs will do to your corporate network connection).
  • Microsoft Migration Accelerator: If your infrastructure is running on Windows 7 Hyper-Vs already, MMA can help you seamlessly move to the cloud with minimum downtime.

No. 4: The long-term plan: Here’s what to expect when you can’t upgrade

Can’t upgrade in the near future? Then it’s time to face facts: Staying on Windows 7 for more than a few months will give you quite a few woes—and potentially a company disaster.

Let’s start with the smaller headaches first. Hardware and software vendors will pull the plug on Windows 7 support slowly over time. To get a sense of what you can expect in the future, it’s best to look at the past. For instance, NVIDIA stopped developing Windows XP drivers in 2016, two years after XP’s official end of life. Intel HD Graphics chips, on the other hand, received their final driver version (build 5437) even before Windows XP support ended in February 2013. To put things in perspective, the current driver (November 2019) is on build 7372. In other words, Intel has compiled thousands of builds between then and now with hundreds of bugs and security issues fixed (and new ones created). Once the same fate happens upon Windows 7, you’ll be stranded on buggy and potentially vulnerable drivers forever.

Knowing that vulnerabilities still exist and that there will be no patches, malicious actors will pay special attention to writing exploits for your system configuration. And it’s worse than that: The bug vendors’ fix in supported versions will be a guide to likely vulnerabilities in your system that will remain unpatched.

On the application side, it’s also hit or miss: While some applications will continue to support Windows 7 far beyond its end-of-life date, others are likely to drop support as soon as possible to save money on QA-ing and building their products on Windows 7.

A simple example is the popular remote management tool TeamViewer, which still “kind of” works under Windows XP but, according to many users on their official forums, frequently crashes or won’t even run. Older versions that still fully support Windows XP won’t even work anymore and require a forced upgrade to stay up and running.

Just expect programs installed on your clients—anything from file archivers to PDF readers—to stop working or to become an attack vector.

Browsers are probably the biggest long-term problems. Aside from having a strong enterprise-grade anti-malware solution, you better start looking for alternatives to the top non-Microsoft options: Google Chrome and Mozilla Firefox. Google, for instance, supported Windows XP for two more years until it pulled the plug and left all XP users open to new vulnerabilities. Once that happens, you’re not just dealing with an unpatched and vulnerable operating system but a browser as well.

However, there’s no guarantee that Google or Mozilla will help you out at all after Jan. 14, 2020. Mozilla’s statement of support for Windows 7 is vague and noncommittal enough that you can’t assume anything from it. Google has made no official statement, but in March 2019, in a blog discussing a security update, Clement Lecigne of Google’s Threat Analysis Group said, “As mitigation advice for this vulnerability, users should consider upgrading to Windows 10 if they are still running an older version of Windows.”

In fact, if there is no need for a browser on the system, it’s better that one not be available, at least not easily. This will make it much harder for users to get into trouble. It is probably worthwhile to keep a browser on the system because they are so often used in support and other legitimate functions. One option is to install it in a special local user account, only for use on that account.

No. 5: Lock down Windows 7 if you have no choice

To sum it up, your infrastructure’s security will start to decay on Jan. 14, 2020, leaving you, in some measure, defenseless. At that point, you should consider the following:

  1. Pull the plug. Disconnect all Windows 7 clients from the Internet. If your workforce is fine not using the web, that’s your ticket out of trouble.
  2. Close all nonessential ports on your firewall. Unless there is a legitimate business reason, block all executables and services from accessing the web or being accessed. Take note that many built-in Windows features and services access the web, mostly without your knowledge. These include web access to the Help & Support Center, online links in Event Viewer, Windows Photo Gallery online printing services, and more.
  3. Lock down user accounts. Make sure your user accounts don’t have administrative privileges. You need to have an administrator account on the system, but change the administrator account name and make sure the Guest account is disabled (it is, by default).
  4. Lock down your hardware. Disable all nonessential drivers (e.g., sound, Bluetooth, and webcams), and most important, disable USB ports. If you can’t do so physically, open Regedit and go to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbstor. Double-click on Start and enter 4. This will turn off all access to USB ports in Windows.
  5. Disable programs. To further reduce the attack surface, uninstall any programs that are not vital to your operation. The Windows Programs and Features applet in Control Panel also has an option on the left side to “Turn Windows features on and off.” Forgotten Windows features have been attack vectors in the past, so disable any you won’t need.
  6. Put your Windows 7 machine in “kiosk” mode. If feasible, use a product like SteadierStateReboot Restore RxMicrosoft Deployment Toolkit 2010, or Deep Freeze to let Windows 7 “forget” any changes made after a reboot.

Once you’re over the mountain, don’t expect another such huge migration project: Microsoft’s Windows 10 iterations are comparatively incremental and don’t pose such a technological difference anymore—at least for now.

Out-of-date products: Lessons for leaders

  • Pay attention to end-of-life statements by vendors to be prepared for them.
  • When new generations of software come out, test your important applications on them so you have time to address any problems.
  • Older software tends to be more vulnerable to attack, so focus security attention on it.

This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.

For more information contact United Imaging Technology Services today