8 Ways To Mitigate Windows XP Security Risks

Mitigating Windows XP Risks

Microsoft ended support for its 12-year-old Windows XP operating system last month. This is a potential problem for organisations because of the surprisingly high number of XP machines still in use. Gartner estimates that 20% of business endpoints still run XP and one-third of enterprises have more than 10% of their systems running XP. The use of XP in the healthcare and utilities sectors is even higher.

Without security updates from Microsoft, companies using XP will be largely unprotected from malware and cyber attacks the next time an XP vulnerability is discovered. Over the years, Microsoft has issued over 700 updates to XP with 60% of those rated “critical.” Microsoft’s own research has shown that Windows XP is five times more susceptible to malware and cyber attacks than Windows 8.

Given that track record, there’s a high probability that more vulnerabilities will be discovered and that could cause a big headache for companies still using XP. Moreover, there is concern that malware developers could reverse engineer future patches for newer versions of Windows and use them to target equivalent vulnerabilities in XP.

Given the risks involved with XP, what exactly is holding organisations back from migrating to newer operating systems? After all, after several extensions, Microsoft announced the end of support date for XP back in April 2012. Reasons vary from budgetary concerns to underestimated migration timelines to lack of internal expertise and manpower.

But by far, the issue of legacy applications seems to bubble to the top. Lots of organisations use applications that can only run on XP because they are incompatible with later versions of Windows. Others are unwilling to upgrade because drivers aren’t available for expensive equipment they use, such as medical devices.

Regardless of reason, the fact is that many organisations are still struggling to complete Windows XP migration projects. With XP use so widespread, there’s also a chance that migration projects miss several machines. Some companies aren’t even sure of which machines are running XP and which aren’t.

Hence, it is important to take security measures for XP systems that haven’t been upgraded yet. In the eight recommendations shown below, we provide specific best practices for securing your XP systems and describe how an automated network access and security control platform can help you reduce the risk of using XP in your environment.

1. Inventory Endpoints On Your Network

You can’t solve a problem unless you have the right information to base your decisions on. How many XP desktops and laptops are truly on your network? Even if an organisation has been actively upgrading XP systems there’s a chance that some machines were missed, especially transient endpoints that show up on the network infrequently. Very few organisations have a real-time inventory of connected devices.

Endpoint management systems such as SCCM can help identify some XP systems, but the possibility of missing or broken management agents means you have an incomplete picture. Additionally, agent-based management systems can’t provide visibility into guests or employees who may use a personal XP device (BYOD).

Agentless next-generation network access control (NAC) solutions can provide real-time visibility of endpoints connected to your network, including all XP systems, as well as information about where they are and who is logged in.
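The gap described in the two preceding paragraphs (endpoints that exist but that the management agent never reports) can be measured even before a NAC platform is in place. The following PowerShell script is an added example, not ForeScout code: run from an administrator's workstation with the RSAT ActiveDirectory module, it lists the XP computers Active Directory has seen recently and flags those absent from an endpoint-management export. The CSV path, its `Name` column and the 30-day window are assumptions; domain-joined machines only, so personal (BYOD) XP devices still need network-level discovery.

```powershell
# Added example (not ForeScout code): reconcile Active Directory's view of
# Windows XP computers against an endpoint-management (e.g. SCCM) export to
# find XP systems the management agent does not see.
# Assumptions: RSAT ActiveDirectory module on the admin host; the management
# export is a CSV with a 'Name' column (path and column name are placeholders).
Import-Module ActiveDirectory

function Get-XpComputersFromAd {
    param([int]$ActiveWithinDays = 30)
    $since = (Get-Date).AddDays(-$ActiveWithinDays)
    # LastLogonDate derives from lastLogonTimestamp, which replicates with a lag
    # of up to 14 days, so treat it as "seen roughly since", not an exact time.
    Get-ADComputer -Filter 'OperatingSystem -like "Windows XP*"' `
        -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate, IPv4Address |
        Where-Object { $_.LastLogonDate -ge $since } |
        Select-Object Name, OperatingSystem, OperatingSystemServicePack, LastLogonDate, IPv4Address
}

function Get-UnmanagedXpComputers {
    param(
        [Parameter(Mandatory = $true)][string]$ManagementExportCsv,
        [int]$ActiveWithinDays = 30
    )
    $adXp    = Get-XpComputersFromAd -ActiveWithinDays $ActiveWithinDays
    $managed = Import-Csv -Path $ManagementExportCsv | ForEach-Object { $_.Name.ToUpper() }
    # XP systems AD has seen recently but the management tool does not list:
    # these are the candidates for a missing or broken agent.
    $adXp | Where-Object { $managed -notcontains $_.Name.ToUpper() }
}

# Placeholder paths for the management export and the resulting gap report
$unmanaged = Get-UnmanagedXpComputers -ManagementExportCsv 'C:\reports\sccm-clients.csv'
"AD XP systems active in the last 30 days but missing from endpoint management: $(@($unmanaged).Count)"
$unmanaged | Sort-Object LastLogonDate -Descending | Format-Table -AutoSize
$unmanaged | Export-Csv -Path 'C:\reports\unmanaged-xp.csv' -NoTypeInformation
```

Machines that appear in the gap report are exactly the ones an agent-based inventory would have missed; machines that appear in neither list (workgroup or personal devices) are only visible on the wire, which is where the agentless approach in the paragraph above comes in.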

2. Evaluate Your Legacy Application Footprint

Some organisations can’t upgrade their XP systems because they have legacy applications that aren’t compatible with newer operating systems. However, most organisations don’t know how many of their XP systems are actually using these applications.

Without visibility into installed and running applications there is no way to classify which XP systems can and cannot be upgraded. This can hold back XP migration indefinitely and cause “XP bloat”. An automated network access and security control platform can inventory all applications and processes running on connected systems to help identify the subset of XP systems that are running essential legacy applications.

This enables all other XP systems that are not using these legacy applications to be scheduled for upgrade without any business impact.

3. Block Or Restrict Network Access

Once the limited number of business critical XP systems have been identified and classified, all other XP endpoints that connect to the network, including personal devices, can be blocked by next-generation NAC solutions. These can restrict the few business critical XP systems to separate VLANs, either quarantining them completely from the rest of the internal network or giving them controlled access to specific resources only.

4. Discontinue Use Of IE & Office 2003

Windows XP only supports up to Internet Explorer 8, so the security features of later IE versions are unavailable. Alternative browsers such as Firefox or Chrome, which continue to support XP, should be used instead.

Along with Windows XP, Office 2003 has also reached end of support. This increases the risk that exploits embedded in Office documents opened with Office 2003 will infect XP systems. An automated network access and security control platform can continuously monitor your remaining XP systems to identify those that are running Internet Explorer and/or Office 2003 and mitigate these risks.
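For an XP host that is not yet covered by such a platform, the same check can be scripted locally. The snippet below is an added example rather than anything from the original article: run with PowerShell 2.0 on the XP system itself, it reads the Internet Explorer version, tests for the Office 2003 install root (Office 2003 registers under the `11.0` key) and looks for an installed alternative browser. The browser name pattern and the `NeedsAttention` rule are assumptions.

```powershell
# Added example (not ForeScout code): report whether an XP host still relies on
# Internet Explorer alone and whether Office 2003 is installed.
# Run locally with PowerShell 2.0 on the XP system. Registry paths are the
# standard ones for IE and Office 11.0 (= Office 2003); the alternative-browser
# name pattern is an assumption.

function Get-XpBrowserAndOfficeStatus {
    # IE records its version string under this key on every XP build
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' `
        -Name Version -ErrorAction SilentlyContinue
    $ieVersion = if ($ie) { $ie.Version } else { 'unknown' }

    # Office 2003 is product version 11.0; its install root only exists when installed
    $office2003 = Test-Path 'HKLM:\SOFTWARE\Microsoft\Office\11.0\Common\InstallRoot'

    # Installed programs register a DisplayName under the Uninstall key
    $displayNames = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' |
        ForEach-Object { (Get-ItemProperty -Path $_.PSPath).DisplayName } |
        Where-Object { $_ }
    $altBrowsers = @($displayNames | Where-Object { $_ -match 'Firefox|Chrome' })  # assumed pattern
    $altBrowserText = if ($altBrowsers.Count -gt 0) { $altBrowsers -join ', ' } else { 'none' }

    New-Object PSObject -Property @{
        Computer            = $env:COMPUTERNAME
        IEVersion           = $ieVersion
        AlternativeBrowser  = $altBrowserText
        Office2003Installed = $office2003
        # Flag hosts that still depend on IE or still carry Office 2003
        NeedsAttention      = ($office2003 -or ($altBrowsers.Count -eq 0))
    }
}

Get-XpBrowserAndOfficeStatus | Format-List
```

Collecting this object from each remaining XP system (for example via a logon script that appends to a share) gives the same "IE and/or Office 2003 still present" list the paragraph above describes, and a clear work queue for replacing both.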

5. Keep Software Up To Date

Most endpoint protection vendors continue to support and actively research attacks on Windows XP. Additionally, programs such as Java, PDF readers and other commonly used applications continue to offer updated versions. Keeping all third-party software up to date lowers your exposure to exploits targeting vulnerabilities in these applications.

6. Lock Down Apps, Services & Ports

In most circumstances, XP systems that are running legacy applications don’t need the entire software stack enabled. Removing unused third-party software and disabling unnecessary services such as remote access, remote registry, simple file sharing, telnet etc. can help reduce the attack surface. Restricting the use of USB ports and CD/DVD drives helps prevent the introduction of arbitrary executable code on XP systems. Ensuring only specific ports that are needed by legacy applications are open to and from the XP systems further protects the XP environment.
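The four measures in the paragraph above (unneeded services, sharing and remote access, removable media, and inbound ports) can be applied as one repeatable script on each remaining legacy-application host. The following is an added example, not ForeScout code: it targets PowerShell 2.0 on Windows XP SP3, run as a local administrator. The service names and registry values are the standard XP ones; the legacy application's port (`1433`) and server subnet (`10.0.50.0/24`) are placeholders to replace with the real values for your application.

```powershell
# Added example (not ForeScout code): lock down an XP SP3 host that only runs
# a known legacy application. Run locally as Administrator with PowerShell 2.0.
# Service names and registry values are the standard XP ones; the legacy
# application's port and the server subnet below are placeholders.

$LegacyAppPort   = 1433            # placeholder: inbound port the legacy app needs
$LegacyServerNet = '10.0.50.0/24'  # placeholder: hosts allowed to reach that port

function Disable-UnneededServices {
    # Remote Registry, Telnet, Messenger, Terminal Services (Remote Desktop /
    # Remote Assistance), Routing and Remote Access, UPnP discovery and hosting
    $services = 'RemoteRegistry', 'TlntSvr', 'Messenger', 'TermService',
                'RemoteAccess', 'SSDPSRV', 'upnphost'
    foreach ($name in $services) {
        if (Get-Service -Name $name -ErrorAction SilentlyContinue) {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $name -StartupType Disabled
        }
    }
}

function Disable-SharingAndRemoteDesktop {
    # ForceGuest=0 turns off Simple File Sharing; fDenyTSConnections=1 refuses
    # Remote Desktop; fAllowToGetHelp=0 turns off Remote Assistance
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name ForceGuest -Value 0
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1
    Set-ItemProperty -Path $ts -Name fAllowToGetHelp -Value 0
}

function Disable-RemovableMedia {
    # Start=4 disables the USB mass-storage driver; NoDriveTypeAutoRun=0xFF
    # stops autorun on every drive type, including CD/DVD
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -Value 4
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $pol)) { New-Item -Path $pol -Force | Out-Null }
    Set-ItemProperty -Path $pol -Name NoDriveTypeAutoRun -Value 255 -Type DWord
}

function Set-InboundFirewallPolicy {
    # The XP firewall filters inbound traffic only; restricting what the host may
    # reach outbound belongs on the VLAN / switch ACL (recommendation 3).
    netsh firewall set opmode mode=ENABLE exceptions=ENABLE
    netsh firewall set service type=FILEANDPRINT  mode=DISABLE
    netsh firewall set service type=REMOTEDESKTOP mode=DISABLE
    netsh firewall set service type=UPNP          mode=DISABLE
    # Open only the legacy application's port, and only to its servers
    netsh firewall add portopening protocol=TCP "port=$LegacyAppPort" name=LegacyApp `
        mode=ENABLE scope=CUSTOM "addresses=$LegacyServerNet"
    # Log drops and connections so attempts against the host are visible
    netsh firewall set logging droppedpackets=ENABLE connections=ENABLE
}

Disable-UnneededServices
Disable-SharingAndRemoteDesktop
Disable-RemovableMedia
Set-InboundFirewallPolicy
Get-Service RemoteRegistry, TlntSvr, Messenger, TermService -ErrorAction SilentlyContinue |
    Format-Table Name, Status -AutoSize
```

Removing unused third-party software is still a manual step per application, and the firewall log that the last function enables (`pfirewall.log` under the Windows directory by default) is worth shipping off the host, since it is one of the few signals a locked-down XP system can still produce.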

7. Be Prepared With A Plan For Future XP Exploits

The continued use of Windows XP, even for a limited number of systems running legacy applications, entails elevated risk. If and when an exploit targeting an XP vulnerability is spreading in the wild you must be prepared to manage this risk. Having a predefined plan and process is key.

Next-generation NAC solutions can play a key role in isolating XP systems by quarantining them until other mitigating steps can be taken. Virtual firewalls, for example, can help block the exploit code from propagating to the XP systems while allowing the legacy applications access to specific resources on the internal network.

8. Create A Migration Strategy

While the risk associated with the continued use of Windows XP can be managed to an acceptable level, migrating from XP as quickly as possible is necessary to maintain a secure endpoint environment. As a stepping stone, XP can be run in a virtual environment.

While this does not remove the underlying vulnerabilities, by restricting each VM to a specific application, restricting network connectivity of these VMs, and resetting VM sessions back to a known-good state on each access, the ability for an attack to cause damage is limited. Over time, as support for third-party software and security applications diminishes, the only option will be to sunset or replace legacy applications that run on XP and upgrade to newer operating systems.

Jack Marsal

Jack Marsal, Director of Marketing at ForeScout, has 20 years of marketing experience in IT security and enterprise infrastructure. Prior to joining ForeScout in 2009, he was Director of Marketing for McAfee where he introduced a new marketing strategy to broaden the portfolio of security products, helping to generate over $300 million in annual revenue. Previously, Jack held senior marketing positions at Trend Micro, Lotus Development, and CenterBeam. Jack holds an MBA from Freeman School of Business and a Bachelor degree in Engineering from Tulane University.