About five years ago everyone who worked in IT was talking and thinking about how to deal with the impending end-of-life for the massively popular Windows XP operating system. At that time, I was part of countless meetings, email chains, and phone calls that discussed what the best method was for keeping XP on networks past the official end of support from Microsoft. At the time, most of us in IT had not dealt with anything like that: a heavily used and well-liked operating system being officially deprecated by its manufacturer. This lack of experience led many (if not all) organizations at that time to make decisions that have since proven to be poorly thought out.
When Microsoft initially announced the deprecation of Windows XP (among other operating systems), they also offered organizations the option to purchase “extended support” for the operating system which included patches for issues past the official end-of-life. This led many to choose to pay for extended support, rather than getting rid of or upgrade all the old systems, with plans to get those XP or Server 2003 systems out of their networks in the next six months to a year.
Best Laid Plans…
As we all know and see daily, even the best-laid plans are changed frequently. A large portion of those systems that were deprecated more than five years ago are still online despite plans to replace them. We need to take a look at our collective mistakes from the past and consider making more sound decisions, as another OS is being deprecated soon.
We are fast approaching the second of these major end-of-life events on other incredibly popular operating systems from Microsoft. Windows 7 and Server 2008 are among a few Microsoft products for which support and patching ends on January 14, 2020. As it stands there is a little over six months before these devices are no longer supported, which gives everyone some time to get rid of them and hopefully not fold under the pressure to keep them for “just a little while” past the official end of support.
Learning from Our Past Mistakes
As we saw already with Windows XP, not planning to get rid of the latest OSes to be deprecated is a good way to keep vulnerable systems on your network for years. The news of the impending change has sparked many phone calls and emails from customers and colleagues alike asking me to justify or validate their plans to keep Windows 7 and 2k8 online past end-of-support. I have been presented with many plans that include paying Microsoft for extended support while these systems are scheduled to be taken offline in 2020.
While we cannot stop you from doing this, history has shown that extending the support for an old operating system is like kicking the can down the road a bit. However, in this case, the “can” becomes more entrenched and difficult to pick up as time goes by. This is just one of many reasons to not keep old operating systems on your network. To see the reality of this, take a look at how many XP or Server 2003 systems are still on your network. When were those slated to be replaced? How many of these systems process or store sensitive data?
The worries don’t stop with having old operating systems protecting sensitive data. Older operating systems don’t have modern security controls. Patches and updates are the manufacturers’ attempts to make modern security work on old systems. These patches often leave the systems slower and only slightly less vulnerable than if they had been left unpatched. The only real way to secure an old OS is to remove it completely from the network.
Old Systems New Hacks
Finally, this end-of-life business is a boon for the attackers and criminals of the world. There is a high likelihood that attackers and malicious nation-states across the globe have been stockpiling zero-day vulnerabilities and exploit code waiting for official support to end before they start using it. Therefore, we expect to see a surge of successful attacks against Windows 7 and Server 2008 based systems at the beginning of 2020.
So, before you accept the fate of keeping old systems on your network, make sure you have considered all of the options and the impact keeping these systems could have on your business. Before you accept that any of these soon-to-be outdated systems must remain in your network beyond 2019, make sure everyone fully understands the risk and business impact of these choices. It is pretty safe to say that if there is any way to get these systems offline prior to January 14, 2020, then you will be a step ahead of your peers and the attackers.