Windows 7 and Server 2008 (R2): The End of Times

January 15, 2020 is going to be an important day in the tech industry. Not because of some new product or the coming singularity, but because of the end of life for Windows 7 and all Server 2008 and 2008 R2 derivatives.

Windows 7 and its derivatives will have received just over a decade of support by end of life, and they were essential for ending the era of Windows XP. Windows 10 has left security professionals and power users, both of whom lead the way in OS adoption, scratching their heads as the OS gets more and more locked down. Most of the upgrades also stopped once the open upgrade period ended, after the fiasco that period turned out to be for some users.

What’s the Rub?

Just over 30% of Windows machines are running Windows 7. The number has been moving, but ultimately there will be some holdouts down the line. People will primarily hold out either out of convenience or out of apathy.

Some environments in the corporate world will hold out due to the cost of licensing, the cost of software, the cost of hardware, or a mix of all of these factors. There will be those who don’t upgrade due to workflows which don’t really have a modern upgrade path. Each of these devices is effectively a bomb on the network waiting to take out the entire site.

These machines also don’t hit their compliance checkboxes anymore. The only thing I want to do with HIPAA and friends is remain compliant and off their radars.

Solving the Problem

If you’re in charge of IT or have these machines around, plan to upgrade or get rid of these machines where possible. If a client uses Windows, purchasing new workstations or upgrading older ones is usually a pretty easy sell to clients at the end of life for any given Windows version. Most of these machines have some serious miles on them by this point. It’s an excuse for a new computer for clients running older computers, and a clean start for newer ones.

Servers can be a bit harder to sell, but they are far more impactful from a security standpoint. Upgrade the servers, change them out, or swap OSes in order to avoid these issues entirely. There are other options, but they’re less than ideal.

If You Can’t Upgrade

I get it, I’ve been there too. You have a client who refuses to upgrade because the software is tied to the OS and it’s too much to upgrade (cost or effort for migrating), or maybe they just don’t want to and it’s either upgrade or keep the business. There are plenty of reasons to hold off upgrading if you haven’t factored it into the business plan, and even some good reasons if you have.

You can mitigate these issues either by coming as close as possible to air gapping the environment, or by virtualizing the older OS if you still need it. Ideally you combine both techniques.

Partial Air Gapping

A machine which can’t be seen or accessed can’t be hacked. Air gapping is the practice of separating a machine or network entirely from the internet via an “air gap”. In controlled environments, you have networked machines for certain work (reference, IM, email, etc.) and an air gapped machine on an intranet for confidential work. Data is never to cross this air gap. If you find something on one which you need on the other, you either go through an approval process or have to move it by hand (retyping it from paper or a screen).

For most production environments, this isn’t an acceptable way to access machines, but the general principle stands. Limit the access to machines which cannot be upgraded. The fewer ways it can reach the network at large or the internet, the fewer ways it can be reached and breached.

For machines which require a domain, consider creating a separate domain specifically for accessing older OS machines. Keeping that domain’s credentials separate from your main one and controlling access means that the machine is only useful for the data it contains and whatever it can communicate with. Don’t be afraid to go further and VLAN these machines off behind a separate jump box, or further still, to limit their impact on the site.
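As an added example (not from the original post), this is how the partial air gap above can be enforced on the legacy host itself with the built-in firewall: default-deny in both directions, then explicit allows only for the jump box and the legacy domain controller. The addresses are constructed placeholders; netsh is used because the *-NetFirewallRule cmdlets do not exist on Windows 7 / Server 2008 R2.

```powershell
# Run in an elevated PowerShell (2.0 ships with Windows 7 / 2008 R2) on the legacy host.
# Assumed addresses (constructed for this example): adjust to the legacy VLAN.
$JumpBox  = "10.0.50.10"   # hardened jump host admins RDP through
$LegacyDC = "10.0.50.5"    # domain controller of the separate legacy domain

# Turn the firewall on for every profile and make the default policy block both
# directions; anything not explicitly allowed below stays blocked.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# Inbound: only RDP, and only from the jump box.
netsh advfirewall firewall add rule name="Legacy-In-RDP-JumpBox" dir=in action=allow `
    protocol=TCP localport=3389 "remoteip=$JumpBox"

# Outbound: only the legacy DC (authentication, DNS, Group Policy, time sync).
netsh advfirewall firewall add rule name="Legacy-Out-LegacyDC" dir=out action=allow `
    "remoteip=$LegacyDC"

# Record what is now in force alongside the change ticket.
netsh advfirewall firewall show rule name=all | findstr /C:"Rule Name" /C:"RemoteIP"
netsh advfirewall export "$env:USERPROFILE\legacy-host-firewall.wfw"
```

Each additional legacy dependency (a file share, an application server) gets its own explicit allow rule the same way; the internet at large never does.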

Virtualization

Virtualization can be a life saver at the end of a given Windows support cycle. For workstations, the VM should be off unless it’s needed which limits when it is available. By doing a P2V migration of a given setup, you also put it behind a (hopefully) newer OS’s firewall and security to a degree.

Most business users running a VM have little issue with hitting “pause” between uses of a legacy software VM once they have been shown how, even if they won’t ever shut down or reboot their own computers. Some businesses are even okay with servers being run like this too, as long as they have someone who can be shown how to launch it. The less available the OS is, the harder it is to access. An offline computer is a secure computer.

Virtualization also takes ailing hardware out of the equation. Older equipment which is reaching the end of its sane lifespan can be repurposed or disposed of by being virtualized. Unsupported firmware, resource limitations, and ailing hardware are all sources of a mix of both security issues as well as stability issues.

Implementing a Plan

There are still a few months to go until the cutoff as of writing. The sooner you move the better. If you are managing a company’s IT, you want to start preparing for the move yesterday. The next best time is now. The move is much easier when done gradually and in a controlled fashion before the mad scramble at the end.

A given environment will be composed of a mix of machines which need upgrades, don’t need upgrades, and which cannot be moved. Using a mix of upgrade policies, P2V virtualization, and air-gapping will still leave a few machines behind which really don’t have much of a use. These can typically be repurposed or sold off.
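Sorting an environment into those three groups starts with knowing which hosts are still on an end-of-life OS. This added example (not from the original post) pulls that list from Active Directory and splits it into machines still in use and stale accounts that can simply be decommissioned; it assumes the ActiveDirectory RSAT module and read access to computer objects.

```powershell
# Run from a domain-joined admin workstation with RSAT installed.
Import-Module ActiveDirectory

# The operatingSystem attribute reads e.g. "Windows 7 Professional" or
# "Windows Server 2008 R2 Standard", so a name match catches all the EOL variants.
$Filter = 'OperatingSystem -like "Windows 7*" -or OperatingSystem -like "Windows Server 2008*"'

$EolHosts = Get-ADComputer -Filter $Filter `
        -Properties OperatingSystem, OperatingSystemVersion, OperatingSystemServicePack, LastLogonDate |
    Select-Object Name, Enabled, OperatingSystem, OperatingSystemVersion,
                  OperatingSystemServicePack, LastLogonDate |
    Sort-Object LastLogonDate -Descending

# Assumed policy for this example: no logon in 90 days means the account is stale.
# A missing LastLogonDate (never logged on) counts as stale too.
$Cutoff = (Get-Date).AddDays(-90)
$Active = $EolHosts | Where-Object { $_.Enabled -and ($_.LastLogonDate -gt $Cutoff) }
$Stale  = $EolHosts | Where-Object { -not $_.Enabled -or -not ($_.LastLogonDate -gt $Cutoff) }

"Active end-of-life hosts (upgrade, P2V or air gap): $(@($Active).Count)"
$Active | Format-Table -AutoSize
"Stale or disabled end-of-life hosts (review, then decommission): $(@($Stale).Count)"
$Stale  | Format-Table -AutoSize

# Keep the full list with the migration plan and re-run it as machines are moved.
$EolHosts | Export-Csv -Path .\eol-hosts.csv -NoTypeInformation
```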

Repurposing Machines

Even though the ship may have sailed on using Windows on a machine, that doesn’t mean it is destined for the trash heap. A Linux distribution or one of the BSDs can be used as the primary OS on these machines. Ubuntu, or even better Lubuntu, works great on older hardware. A computer may not be a buy-it-for-life purchase, but that doesn’t mean it’s necessarily stuck with a lifespan fixed by the OS it shipped with.

An old laptop can become a backup laptop or a convenient workstation with a new OS. An old desktop or PC can become a home media server or even a fully functional file server with just a little work. There is a bit of a learning curve, but it can be a great way to get new skills or to declutter your workflow.

Going Forward

Windows 7 and Server 2008 are going to be entirely without support soon, but that doesn’t mean you have to lose security. By migrating these machines to a newer OS, working around the limitations, or even just switching to a FOSS OS, you can keep them secure. Windows 7 may be at its end, but that doesn’t mean your computer is.

Image by Omar González from Pixabay