As a security professional I get the “should we upgrade from a non-supported Operating System (O/S) or not?” question a lot. To be more specific, the questions are:
- Should we upgrade from Windows XP to Windows 7 / 8.1, or not?
- Do we really need to upgrade from Windows Server 2003 to Windows Server 2012 R2?
Yes, I know Windows XP and Windows Server 2003 “were” great and productive, and many of you are very eXPerienced in using and managing them. And yes, I also know that “it still works like new” and that it mostly does what you need, for needs from an older era.
And after all, an unsupported O/S does not mean your XPs and 2003s will stop working, but it does mean there will be no more patches for the vulnerabilities found in them.
If you follow the cybersecurity news, you are already aware that many attackers already target outdated O/S's. They know that Microsoft no longer supports Windows XP and will not support Windows Server 2003 after July 2015 (extended support ends on 14 July 2015). In other words, cybercriminals know that Microsoft will not release any patches or security updates for your Windows 2003 servers anymore. They will wait and attack you at a time when you have been left alone.
New threats targeting these O/S's will become a highly critical security risk and a compliance nightmare. Is it just Microsoft that will not support the outdated O/S? What about Microsoft partners, hardware vendors and others? As most Microsoft partners work to a scheduled product lifecycle, most probably they will also leave you alone in the wild. You might not even get a driver for your newly purchased printer, as most vendors stop making drivers for unsupported O/S's.
Windows XP and Windows Server 2003 were awesome O/S's: the longest-supported in Microsoft's history and, for years, by far the most used. But based on the Microsoft Security Intelligence Report (SIR), Microsoft's security researchers clearly show that Windows 7, Windows 8 and now Windows 10 have much stronger built-in protection and far lower infection rates.
So what are the mitigation strategies? The Australian Signals Directorate's “Top 4” (http://www.asd.gov.au/publications/csocprotect/top_4_mitigations.htm) are application whitelisting, patching applications, patching operating system vulnerabilities and restricting administrative privileges. Below I fold the two patching items into one and add defense in depth as the fourth strategy, so the list I use is:
- Application Whitelisting
- Patching systems
- Restricting administrative privileges
- Creating Defense in Depth strategy
1- Application Whitelisting
For application whitelisting you can start with Microsoft AppLocker (http://technet.microsoft.com/en-us/windows/applocker.aspx), which lets you specify exactly what is allowed to run on your desktops, including applications, scripts and installers. To use AppLocker you need at least Windows 7 Enterprise or Ultimate (or Windows Server 2008 R2); Windows XP and Server 2003 only have the older Software Restriction Policies…
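As an added example (my own script, not part of the original post or of Microsoft's documentation), this is how I would bootstrap an AppLocker baseline on a reference Windows 7 Enterprise or Server 2008 R2 machine: inventory what is already installed in the trusted locations, generate publisher rules with hash rules as a fallback for unsigned files, switch every rule collection to AuditOnly so nothing is blocked before the logs have been reviewed, and test what the policy would do to a file in a user-writable folder. The output path and the test file path are assumptions; replace them with your own.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on
# Windows 7 Enterprise/Ultimate or Server 2008 R2 (AppLocker is not available on
# XP/2003). $policyPath and the test file path are assumptions.
Import-Module AppLocker

$policyPath = 'C:\Temp\applocker-baseline.xml'
New-Item -ItemType Directory -Force -Path (Split-Path $policyPath) | Out-Null

# 1. Inventory executables, scripts and installers in the locations you trust.
#    DLL rules are left out on purpose: they multiply the rule count and need
#    separate testing before the Dll collection is enabled.
$files  = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe,Script,WindowsInstaller
$files += Get-AppLockerFileInformation -Directory 'C:\Windows'       -Recurse -FileType Exe,Script,WindowsInstaller

# 2. Publisher rules survive patching; hash rules cover unsigned binaries.
#    -Optimize merges rules that share a publisher, -Xml returns the policy as XML.
[xml]$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher,Hash -User Everyone -Optimize -Xml

# 3. New-AppLockerPolicy leaves EnforcementMode as NotConfigured. Start in AuditOnly:
#    blocked-would-be events appear under Applications and Services Logs >
#    Microsoft > Windows > AppLocker without stopping anyone's work.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($policyPath)

# 4. AppLocker evaluates nothing unless the Application Identity service runs.
Set-Service  -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 5. Apply to the local policy (add -Ldap "LDAP://..." to target a GPO instead) and
#    check the decision for a file that exists in a user-writable location.
Set-AppLockerPolicy -XmlPolicy $policyPath
Test-AppLockerPolicy -XmlPolicy $policyPath -Path 'C:\Users\Public\Downloads\unknown-tool.exe' -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
```

Leave the policy in AuditOnly for a few weeks, review the AppLocker event log for legitimate software that would have been blocked, add rules for it, and only then change the collections to `Enabled`. Rules generated from `C:\Windows` and `C:\Program Files` are only as safe as the write permissions on those folders, so check that ordinary users cannot drop files into any path a rule allows.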
2- Patching Systems
To be able to patch a system, it has to be supported by the vendor. In the case of Windows XP, and very soon Windows Server 2003, this is not going to be possible; so again the only real mitigation is to upgrade your O/S.
If you are really not sure how to manage your patch environment, I would suggest Windows Server Update Services (WSUS) for Microsoft updates and/or Secunia Personal Software Inspector (PSI) for Microsoft and third-party patches on individual machines. If you are an enterprise user, Microsoft System Center (Configuration Manager) or Secunia CSI is the way to go; these can check the patch status of all your desktops and applications. To get a healthy status in WSUS or in Secunia PSI/CSI you need all your O/S's and applications patched, and the only way to do that is to be on a supported version of Windows.
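Before any of those tools can help, you need to know which hosts are already past their end of support and what they are missing right now. The script below is an added example (mine, not from the original post or from any Microsoft or Secunia tool): it maps the kernel version reported by WMI to a small end-of-support table and then asks the Windows Update Agent which software updates are not installed. The table, the date values and the `IsHidden=0` filter are my assumptions; verify the dates against Microsoft's lifecycle pages before acting on them.

```powershell
# Added example, not from the original post. PowerShell 2.0 or later, run elevated.
# The WUA search honours the WSUS server configured on the host, so the result is
# "missing according to your own approval list", not "missing according to Microsoft".

# Assumed end-of-(extended)-support table keyed by major.minor kernel version.
$endOfSupport = @{
    '5.1' = @{ Name = 'Windows XP';                End = [datetime]'2014-04-08' }
    '5.2' = @{ Name = 'Windows Server 2003';       End = [datetime]'2015-07-14' }
    '6.1' = @{ Name = 'Windows 7 / Server 2008 R2'; End = [datetime]'2020-01-14' }
}

function Get-SupportStatus {
    $os    = Get-WmiObject -Class Win32_OperatingSystem
    $major = $os.Version -replace '^(\d+\.\d+).*$', '$1'    # 5.1.2600 -> 5.1
    $entry = $endOfSupport[$major]
    if ($entry -eq $null) {
        $status = 'unknown (version not in table)'
    } elseif ((Get-Date) -gt $entry.End) {
        $status = "UNSUPPORTED since $($entry.End.ToString('yyyy-MM-dd'))"
    } else {
        $status = "supported until $($entry.End.ToString('yyyy-MM-dd'))"
    }
    New-Object PSObject -Property @{
        Caption = $os.Caption
        Version = $os.Version
        Status  = $status
    }
}

function Get-MissingUpdates {
    # Windows Update Agent COM API, available on XP SP3 / 2003 and later.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($update in $result.Updates) {
        New-Object PSObject -Property @{
            Severity = $update.MsrcSeverity      # Critical / Important / ... or empty
            KB       = (@($update.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
            Title    = $update.Title
        }
    }
}

Get-SupportStatus | Format-List Caption, Version, Status
Get-MissingUpdates | Sort-Object Severity | Format-Table Severity, KB, Title -AutoSize
```

On an XP or 2003 host the first function tells you plainly that the box is unsupported, and the second will keep reporting zero missing updates after the cut-off date because none are being published any more; an empty list there is not a clean bill of health. Run it from a scheduled task on every host (or through `Invoke-Command` where remoting exists) and feed the output into your inventory.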
3- Restricting administrative privileges
Good news: with this mitigation strategy you might look safe even under Windows XP. But don't get happy too soon. Windows XP does not support the latest Microsoft Internet Explorer (IE), which means attackers can use known flaws in an unsupported IE to gain access to your systems without needing admin rights at all. If you are on a supported O/S you have the peace of mind that Microsoft will fix the flaw as soon as possible. If you are still using Windows XP / Server 2003, again you are left alone…
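Restricting administrative privileges starts with knowing who has them. The script below is an added example (mine, not from the original post): it reads the local Administrators group on a list of hosts through the ADSI WinNT provider, which works against Windows XP and Server 2003 targets as well as modern ones because only RPC access and admin rights on the target are needed, and flags every member that is not on an allow-list. The host names and the allow-list are assumptions.

```powershell
# Added example, not from the original post. Run from a domain-joined admin
# workstation with rights on the targets. $hosts and $allowed are assumptions.
$hosts   = @('WS-001', 'WS-002', 'FILESRV-2003')
$allowed = @('Administrator', 'Domain Admins')   # members you expect to find

function Get-LocalAdmins {
    param([string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        # Members come back as raw COM objects; read properties via reflection.
        $name = $_.GetType().InvokeMember('Name',    'GetProperty', $null, $_, $null)
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        # Local principals carry the host name in their ADsPath, e.g.
        # WinNT://CONTOSO/WS-001/Administrator; domain ones do not.
        $isLocal = $path -match "/$([regex]::Escape($ComputerName))/"
        New-Object PSObject -Property @{
            Computer = $ComputerName
            Member   = $name
            Source   = if ($isLocal) { 'local' } else { 'domain' }
            ADsPath  = $path
            Expected = ($allowed -contains $name)
        }
    }
}

$report = foreach ($h in $hosts) {
    try   { Get-LocalAdmins -ComputerName $h }
    catch { Write-Warning "$h : $($_.Exception.Message)" }
}

# Anything not on the allow-list is a candidate for removal or for an explicit exception.
$report | Where-Object { -not $_.Expected } |
    Format-Table Computer, Member, Source, ADsPath -AutoSize
```

Unexpected entries are usually day-to-day user accounts that were added "temporarily" or nested domain groups nobody remembers. Removing one is a single call on the same group object (`$group.Remove($member.ADsPath)`), but do it through Restricted Groups or Group Policy Preferences once you have cleaned up, otherwise the members drift back. Remember the caveat above: even a non-admin user on an XP box with an unpatched IE8 is still an open door.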
4- Creating Defense in Depth strategy
Defense in depth is a military strategy that aims to delay the advance of the opponent by maintaining multiple, layered lines of defense rather than just one strong defensive line.
In terms of network security, defense in depth is the security strategy wherein network defenses are layered so that a breach in one layer only leads the attacker to the next layer of defensive countermeasures. Layering network defenses helps to prevent direct attacks against critical systems and data, increases the likelihood of the attacker being detected, and gives the defender more time to realign defenses to where they are really needed in the event of an actual, ongoing attack.
This strategy has layers such as Data, Application, Host, Internal Network, Perimeter, Physical, and Policies, Procedures and Awareness. I am sure you can see what I see: the “Host” and “Application” layers require you to be up to date.
Neither your antivirus nor a third-party firewall can give you the security patches that Microsoft releases regularly. By not upgrading to a modern O/S you not only miss out on the latest protection mechanisms such as AppLocker and Secure Boot, and free tools such as Microsoft's Attack Surface Analyzer; you also fail to follow government standards for stopping the bad guys, such as the Top 4 mitigations.
Yes, your outdated O/S will still help you produce data, but it can't help you store, manage and share that data securely.
My Cybersecurity Book – Attack and Defense Strategies: