In this part of our Windows XP end of life series, I’ll discuss how you can continue to protect your XP systems from network and malware threats after support ends on April 8, 2014.

There will be situations where continuing to run Windows XP on the endpoint is actually the necessary solution. I’ve supported organizations running all sorts of old operating systems, from DOS to Windows 95 to Windows 2000. Why would they do that? The computers were attached to a piece of equipment—an expensive piece of equipment—that had software that wasn’t supported on a newer operating system.

It’s kind of hard to argue the financial logic of replacing a piece of equipment that costs as much as a house or a nice car. Unless that equipment is broken (and unfixable) or it no longer meets the needs of the organization, you’re probably stuck with it and the computer attached to it, unless the vendor can provide software that works with Windows 7 or higher.

Regardless of the reason, there will be many XP machines out there simply because they need to run a legacy app. The biggest concern will be securing them from post-April 8th threats.

Run it in a virtual machine

If you have absolutely no choice, can you run this application inside of a virtual machine (VM)? Windows 8+ Pro and Enterprise include Client Hyper-V at no extra cost. If you’re still running Windows 7, VMware Workstation or Oracle VirtualBox could possibly fit the bill, depending on your needs (especially if you need to attach to a hardware port). If you can avoid running XP on physical hardware, you have many more options for isolating the OS.

Restrict network access

Computers still running Windows XP after the end of life date need to have their network access severely restricted. In a perfect world, you could unplug them completely and disable the NIC in the BIOS, but that probably won’t be an option for most people.

These computers should not be allowed to access networks outside your corporate LAN, and they definitely should not be allowed to access the Internet. You may even want to consider segmenting these boxes on a separate VLAN that is firewalled off (at the network level, and not at the client level) from other client systems running supported operating systems. At the very least, lock down the local firewall to restrict all but essential incoming traffic; if you’re running a third-party firewall, restrict the outgoing traffic too.

Don’t forget, the Group Policy settings for the Windows XP firewall are in Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall. You should also set the “Windows Firewall: Allow local port exceptions” option to “Disabled” in both the Domain Profile and the Standard Profile to prevent end users from modifying the local firewall rules on their XP systems.
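For a standalone XP box that Group Policy does not reach, the same lockdown can be scripted with the legacy netsh firewall context that ships with XP SP2 and SP3. This is an added example, not part of the original article; the port (TCP 5000) and the management host address (192.0.2.10) are placeholders for whatever your legacy application actually needs.

```batch
@echo off
rem Added example: lock down the built-in Windows Firewall on a standalone
rem Windows XP SP2/SP3 machine. Run from an administrator command prompt.
rem ASSUMPTIONS (placeholders, not from the article): the legacy app needs
rem inbound TCP 5000, and only from one management host at 192.0.2.10.
setlocal
set APP_PORT=5000
set MGMT_HOST=192.0.2.10

rem Turn the firewall on in both the Domain and Standard profiles.
rem Exceptions stay enabled so the single port opened below still works.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

rem Close the built-in service exceptions that XP offers by default.
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL
netsh firewall set service type=REMOTEADMIN mode=DISABLE profile=ALL
netsh firewall set service type=REMOTEDESKTOP mode=DISABLE profile=ALL
netsh firewall set service type=UPNP mode=DISABLE profile=ALL

rem Open only the port the legacy application needs, and only for the
rem management host (scope=CUSTOM limits the allowed source addresses).
netsh firewall add portopening protocol=TCP port=%APP_PORT% name="Legacy app (mgmt host only)" mode=ENABLE scope=CUSTOM addresses=%MGMT_HOST% profile=ALL

rem Log dropped packets and accepted connections for later review.
netsh firewall set logging filelocation="%SystemRoot%\pfirewall.log" maxfilesize=4096 droppedpackets=ENABLE connections=ENABLE

rem Review what is left. Program exceptions are not touched by this
rem script, so check the allowed-program list by hand.
netsh firewall show allowedprogram
netsh firewall show config
endlocal
```

The XP firewall filters inbound traffic only, so outbound restrictions still have to come from the network firewall or a third-party product. On machines where the Group Policy setting above disables local port exceptions, the port opening must be defined in the GPO instead, because locally added ones are ignored.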

Windows Firewall


Run a supported antivirus software

This one is probably a no-brainer, but have you actually checked with your antivirus vendor to see when its support for XP is ending? Many antivirus vendors are going to continue supporting Windows XP after the Microsoft support deadline. (As of the writing of this article, Symantec is still supporting an earlier version of its Endpoint Protection on Windows 2000!)

Depending on the support that your current AV vendor is offering, you may even need to consider purchasing a separate product just for your XP boxes. Microsoft received a lot of attention for announcing extended support for AV/antimalware definitions for Windows XP, but many other antivirus vendors already have planned support that extends much longer than Microsoft’s planned support.

Allowing a box to update AV/antimalware definitions is probably the one potential exception to my recommendation to not allow XP boxes to access the Internet. However, if you have the ability to run a local repository (usually through some form of management server) for those definitions, I would do it.

Antivirus support for Windows XP by vendor

| Vendor | Product | Support until | Reference |
|---|---|---|---|
| F-Secure | Client Security | June 25, 2016 | Support for Windows XP End-of-Life dates |
| Kaspersky | Endpoint Security | Unclear* | Product support for Windows workstations |
| McAfee/Intel Security | VirusScan | December 31, 2015 | Support for Windows XP |
| Microsoft | System Center Endpoint Protection | July 14, 2015 | Support for Windows XP |
| Sophos | Endpoint Security and Control | Not before September 30, 2015 | Retirement calendar |
| Symantec | Endpoint Protection | July 5, 2018 | Windows XP announcement; End-of-Life dates |
| Trend Micro | OfficeScan | June 2016 | Support for Windows XP |

*Kaspersky has stated that support for Windows XP in its consumer products will continue after April 8. Its Product Lifecycle support page only lists the Enterprise product, Endpoint Security 10, as “supported” without an EoL.

In the next part of our Windows XP series, I will explain how you can further improve security on your Windows XP machines by leveraging Software Restriction Policies.




© 4sysops 2006 - 2023

