There will be situations where continuing to run Windows XP on the endpoint is actually the necessary solution. I’ve supported organizations running all sorts of old operating systems, from DOS to Windows 95 to Windows 2000. Why would they do that? The computers were attached to a piece of equipment—an expensive piece of equipment—that had software that wasn’t supported on a newer operating system.
It’s kind of hard to argue the financial logic of replacing a piece of equipment that costs as much as a house or a nice car. Unless that equipment is broken (and unfixable) or it no longer meets the needs of the organization, you’re probably stuck with it and the computer attached to it, unless the vendor can provide software that works with Windows 7 or higher.
Regardless of the reason, there will be many XP machines out there simply because they need to run a legacy app. The biggest concern will be securing them from post-April 8th threats.
Run it in a virtual machine
If you have absolutely no choice, can you run this application inside of a virtual machine (VM)? Windows 8+ Pro and Enterprise include Client Hyper-V at no extra cost. If you’re still running Windows 7, VMware Workstation or Oracle VirtualBox could possibly fit the bill, depending on your needs (especially if you need to attach to a hardware port). If you can avoid running XP on physical hardware, you have many more options for isolating the OS.
Restrict network access
Computers still running Windows XP after the end-of-life date need to have their network access severely restricted. In a perfect world, you could unplug them completely and disable the NIC in the BIOS, but that probably won’t be an option for most people.
These computers should not be allowed to access networks outside your corporate LAN, and they definitely should not be allowed to access the Internet. You may even want to consider segmenting these boxes on a separate VLAN that is firewalled off [at the network level, and not at the client level] from other client systems running supported operating systems. At the very least, lock down the local firewall to restrict all but essential incoming traffic; if you’re running a third-party firewall, restrict the outgoing traffic too.
Don’t forget, the Group Policy settings for Windows XP are in Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall. You should also set the “Windows Firewall: Allow local port exceptions” option to “Disabled in Domain & Standard Profile” to prevent end users from modifying the local firewall rules on their XP systems.
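As an added example (not code from the original article), the following PowerShell script audits whether those Group Policy settings actually landed on each XP box, by reading the policy values the GPO writes under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall over Remote Registry. It assumes the Remote Registry service is running on the XP hosts, that you have admin rights on them, and the host names are constructed placeholders.

```powershell
# Added example: verify the XP firewall policy values set through Group Policy.
# Host names below are constructed placeholders, not from the original article.
$xpHosts = @('XP-LAB-01', 'XP-CNC-02')

# Policy root written by Computer Configuration > Administrative Templates >
# Network > Network Connections > Windows Firewall
$policyRoot = 'SOFTWARE\Policies\Microsoft\WindowsFirewall'

# Value name (relative to each profile key) => expected DWORD
$expected = @{
    'EnableFirewall'                          = 1  # "Protect all network connections" = Enabled
    'GloballyOpenPorts\AllowUserPrefMerge'    = 0  # "Allow local port exceptions" = Disabled
    'AuthorizedApplications\AllowUserPrefMerge' = 0  # companion "Allow local program exceptions" = Disabled
}

function Test-XPFirewallPolicy {
    param([string]$ComputerName)
    $findings = @()
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    } catch {
        return New-Object PSObject -Property @{
            Host = $ComputerName; Compliant = $false
            Findings = @("cannot open remote registry: $($_.Exception.Message)") }
    }
    # Both profiles must be locked down: the box may roam off the domain network.
    foreach ($profile in 'DomainProfile', 'StandardProfile') {
        foreach ($entry in $expected.GetEnumerator()) {
            $subPath   = Split-Path $entry.Key -Parent   # '' or the sub-key name
            $valueName = Split-Path $entry.Key -Leaf
            $keyPath   = "$policyRoot\$profile"
            if ($subPath) { $keyPath += "\$subPath" }
            $key    = $hklm.OpenSubKey($keyPath)           # $null if the policy key is absent
            $actual = if ($key) { $key.GetValue($valueName, $null) } else { $null }
            # A missing value means "Not Configured", which is also a finding.
            if ($actual -ne $entry.Value) {
                $findings += "$profile\$($entry.Key) is '$actual', expected $($entry.Value)"
            }
        }
    }
    $hklm.Close()
    New-Object PSObject -Property @{
        Host = $ComputerName; Compliant = ($findings.Count -eq 0); Findings = $findings }
}

$xpHosts | ForEach-Object { Test-XPFirewallPolicy $_ } | Format-List Host, Compliant, Findings
```

Run it from a management workstation rather than on the XP boxes themselves; a host that reports findings after a gpupdate most likely sits in an OU the firewall GPO is not linked to.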
Run supported antivirus software
This one is probably a no-brainer, but have you actually checked with your antivirus vendor to see when its support for XP is ending? Many antivirus vendors are going to continue supporting Windows XP after the Microsoft support deadline. (As of the writing of this article, Symantec is still supporting an earlier version of its Endpoint Protection on Windows 2000!)
Depending on the support that your current AV vendor is offering, you may even need to consider purchasing a separate product just for your XP boxes. Microsoft received a lot of attention for announcing extended support for AV/antimalware definitions for Windows XP, but many other antivirus vendors already have planned support that extends much longer than Microsoft’s planned support.
Allowing a box to update AV/antimalware definitions is probably the one potential exception to my recommendation to not allow XP boxes to access the Internet. However, if you have the ability to run a local repository (usually through some form of management server) for those definitions, I would do it.
Antivirus support for Windows XP by vendor

| Vendor | Product | XP support ends | Source |
|---|---|---|---|
| F-Secure | Client Security | June 25, 2016 | Support for Windows XP End-of-Life dates |
| Kaspersky | Endpoint Security | Unclear* | Product support for Windows workstations |
| McAfee/Intel Security | VirusScan | December 31, 2015 | Support for Windows XP |
| Microsoft | System Center Endpoint Protection | July 14, 2015 | Support for Windows XP |
| Sophos | Endpoint Security and Control | Not before September 30, 2015 | |
| Symantec | Endpoint Protection | July 5, 2018 | Windows XP announcement |
| Trend Micro | OfficeScan | June 2016 | Support for Windows XP |
*Kaspersky has stated that support for Windows XP in its consumer products will continue after April 8. Its Product Lifecycle support page only lists the Enterprise product, Endpoint Security 10, as “supported” without an EoL.
In the next part of our Windows XP series, I will explain how you can further improve security on your Windows XP machines by leveraging Software Restriction Policies.