It won’t have escaped your attention that Windows XP has reached its sell-by date as far as Microsoft is concerned. In fact, my colleague Aryeh Goretsky included links to a whole load of ESET’s XP-related resources in his blog article Goodbye Windows XP!
But what if you’re not yet in a position to move on? Aryeh has already made several useful suggestions in his article 5 Tips for protecting Windows XP machines after April 8, 2014.
In general, of course, best practice is to upgrade from XP if at all possible as soon as possible – or even switch to a completely different operating system, though for people who have only used Windows, that’s liable to be a major disruption and a steep learning curve – but I can understand that there are systems around for which it may not really be feasible. For example, there are machines that possibly can’t be upgraded to a specification on which a later operating system will run realistically (kiosk machines, netbooks, cash machines).
There is also hardware such as laboratory equipment that may be handicapped by proprietary software that may only run on older operating system versions, with no upgrade available (or so expensive that it’s economically more viable to pay for custom support while it’s available). I would guess that custom support is probably more economically feasible for those governments (like the UK and the Netherlands) and very large enterprises with large quantities of legacy machines than for small enterprises. And in any case, custom support is supposed to be a short term measure, requiring the customer to implement a migration plan and declare a project completion date.
Much of the reportage about the end of XP support has focused on the need to upgrade the operating system and, if necessary, the hardware, rather than considering what happens if migrating isn’t currently an option. However, Gavin Clarke’s article for The Register on Windows XP is finally DEAD, right? Er, not quite. Here's what to do if you're stuck with it and Gartner’s best practice guide for the secure use of XP are exceptions.
Both articles make some good points.
- Editing the Registry so that Office and media components don’t execute programs by default
- Control access to removable media and devices like smart phones that can be used for storage and transfer of files (including malware).
- Implement application control and memory protection, using (for instance) a host-based or network intrusion prevention system. Not a guarantee of complete protection, but then nothing is. Certainly a useful layer of protection, and I always advocate multi-layering.
- Keep applications updated and patched. Limit what applications (and types of applications) that are permitted.
- Remove Web browsing and email software from XP systems and provide those services from a patched and updated server. (Wow, that’s old school. Reminds me of the days when my work email and web experience meant logging into a VMS or Unix server. But a thin client model, while potentially slower, may offer a certain amount of potential mitigation. It should, however, on no account be relied upon absolutely.)
- Monitor Windows updates and community resources that might provide a guide to issues that might also apply to XP. Of course, what action you’re able to take in such a case might be very limited. Even in a corporate context, I suspect that people and sites still saddled with XP machines are less likely to be expending resources on this kind of environmental scanning.
A point being missed by many outside the AV industry, however, is that there are plenty of attacks that don’t rely on system exploits, and the other countermeasures discussed by Gartner won’t necessarily protect against them. Nor, of course, will anti-virus, but up-to-date AV/security software still offers a useful layer of defence. And while Microsoft is removing availability of Microsoft Essentials for XP and won’t support existing installations after July 2015, most AV vendors will continue to support it. ESET, for example, will support it till April 2017 and possibly later. However, it’s not safe to assume that antivirus is a substitute for all the regular patches and updates that Microsoft provides for supported operating systems.
One of Gartner’s suggestions is that network connectivity should be cut back as far as possible, to mitigate network-borne attacks. This sounds a bit like Marcus Ranum’s Ultimately Secure DEEP PACKET INSPECTION AND APPLICATION SECURITY SYSTEM: a pair of cable cutters. Ranum’s point could be summarized as saying that connectivity is risk: however, the way that most systems are used nowadays really requires network connectivity. It’s true, of course, that the network is the primary attack vector, and you can get around the need for the network by using USB devices or optical media, the 21st century version of sneakernet (walking from one PC to another with a floppy disk). But looking at the added inconvenience, it could be more efficient economically to upgrade, even if means a hardware upgrade. There are less drastic solutions, of course: you could give XP machines internet access via the enterprise perimeter and the protection that offers (or should), while keeping them isolated from other machines on the network. That doesn’t guarantee they won’t be successfully attacked, but it does lower the risk to other machines.
Another suggestion is to remove administrative rights, which Gartner suggests should be mandatory for all remaining users on XP. All remaining users? You really need one privileged account for fixing problems and changing configurations, installing or updating software and so on. But then, no-one should be using a fully-privileged account for routine computing work, which I guess was meant to be the point.
Another Gartner suggestion is to have a plan to quarantine XP systems in the event of an attack. You certainly need to be able to get systems off the network, and time spent on planning is rarely wasted, though the recommendation invites the question, how will you recognize a successful attack, or at any rate recognize it any more promptly than before? And shouldn’t you already have a means of isolating any or all systems in the event of a breach? A critical XP exploitation is just one attack scenario, and not necessarily the likeliest. It’s likely that XP-specific attack research will decline as XP’s market share declines, especially in terms of attacks that target the large enterprises that can’t afford to support XP indefinitely.
Also, this is all easier to say than do if you’re considering systems that can’t be disconnected or shut down without disruption and even damage, as may happen in some SCADA environments. Of course, SCADA systems that follow best practice by isolating critical machines from the network wherever possible are already less susceptible to attack.
David Harley
ESET Senior Research Fellow