With less than a month left before support for Windows XP ends, there are many that are in the midst of migrations, some just getting clued-in to the revelation, those that still don't know what end of life actually means or that it exists, and apparently, even more who are running pirated copies of the old OS who can't upgrade without purchasing new equipment with a newer OS supplied. Whatever the case, there's specific things that can be done during the month of March to ensure computers running Windows XP aren't taken over immediately by malware after the April 8, 2014 deadline.
Here's a list of the top 7 actions you should plan to take over the next few weeks.
1. Windows Updates
Make sure to deploy each and every patch that Microsoft provides for March 2014, and also every single one that the company releases during Windows XP's very last Patch Tuesday ever on April 8, 2014. If you make sure that Windows XP is as up-to-date as possible it could give you enough time to finish those migrations without the worry of being hacked shortly after the cutoff date.
2. Isolate Computers
If you will be maintaining Windows XP computers after the deadline, consider isolating them to their own network or subnet. If security issues do arise, you can just cut the lone network off from the rest of the company and from the Internet, ensuring that any security problems can be quarantined instantly.
3. Remove Application Access
Not only does Windows XP still run an extremely outdated and unsecure version of Internet Explorer, but the other applications that run on the old OS could be just as unsecure. Remove all unneeded apps and disable Internet Explorer. Replace Internet Explorer with Google Chrome, which is promised to continue supporting Windows XP until April 2015.
4. Remove Admin Rights
Giving admin rights to standard users is a no-no, but has also been a long political battle within many companies. The majority of exploits for Windows XP will come from malware that assumes the rights of the logged-on user. If the user has administrator rights to the computer, so does the malware. Using GPO, scripts, or some other method with which you are most comfortable, spend the next few weeks getting support from management to eliminate this security hole before the April deadline.
5. Educate End-Users
We all know that end-users will click on anything. For some reason, the simple action of the mouse cursor turning from an arrow to a hand over clickable text causes most end-users to go insane. And, they are also none too wise in determining what a valid sender and attachment is in email, no matter how many times their PC has to be rebuilt from scratch because of it. Spend some time this month educating (or reeducating, as the case may be) to stop clicking on questionable things. And, emphasize that remembering this all-important lesson has now become even more critical since they are running an unsupported operating system.
6. Invest in Security Information
As an IT person, if you feel even the slightest level of being uncomfortable with today's security, seek out some online classes to brush up. Locate some writers you trust and subscribe to their blogs or articles through newsletters or RSS feeds, and keep tabs on the latest security news. April 8, 2014 may be the deadline for Windows XP, but that doesn’t mean all communication about Windows XP will stop. In fact, it may become even more newsworthy should a Windows XP-targeted malware outbreak happen (which is highly likely).
7. Invest in Security Apps
As time moves on, so will third party app vendors that support Windows XP. You'll notice a steady decline in available applications and that includes security applications. In January, Microsoft stated that they'll continue to provide antimalware signature updates for their Security Essentials product until July 14, 2015. However, just recently, they also made notice that the latest version of Security Essentials (version 4.5) will come with a permanent warning about using an unsupported operating system. And, after April 8, 2014, Microsoft will stop providing downloads for Security Essentials. So, make sure to grab the latest Security Essentials release and store it somewhere on your company network, in the event you need to install it again.
Also, identify any other security applications that might be useful for the languishing Windows XP computers in your company. Here's a couple suggestions:
Secunia PSI: It's been reported that 86% of computer vulnerabilities are actually a result of the applications that run on the operating system, not the operating system itself. Secunia PSI is a free security solution that identifies vulnerabilities in third party applications like Adobe, Firefox, iTunes, and others, and then makes the updates available to install.
Malwarebytes: Malwarebytes is an antimalware solution that can be run in real-time and also perform scans to detect and eliminate known threats. I've used Malwarebytes for a long time to much success. The product has done wonders where others have failed. Malwarebytes is offered in free, Pro, and mobile versions.
Process Explorer: Part of the popular Sysinternals IT Pro utilities, created by Mark Russinovich and owned by Microsoft, Process Explorer recently added VirusTotal integration. Using Process Explorer with VirusTotal allows you to view running Windows processes and then have them attributed to known viruses, worms, Trojans, and all manner of malware.
While these represent some actions you can take to help minimize exposure to your organization, the ultimate goal is to move completely away from Windows XP. I know many of you are working on that and should have the situation under completely control by summer. For everyone else, keep working through this prescribed actions over and again. You'll get there eventually. And, when you do, you'll sleep much better at night - I promise.