TECHNICAL BRIEF Protecting & Migrating Legacy Windows OSes
Protecting and Migrating Legacy Windows® OSes
Your guide to mitigating the risks of Windows XP® and Windows Server® 2003 after end of support.
End of Support is Not the End of Business
Businesses need to be prepared for the end of support of operating systems (OSes), especially if the OS is used enterprise-wide or runs business critical applications, such as Microsoft® Windows XP® and Windows Server® 2003.
As you know, Microsoft ended support for Windows XP on 8 April 2014, and will similarly pull the plug on Windows Server 2003 on 14 July 2015. Microsoft has cautioned that, without any security patches, “PCs running Windows XP after April 8, 2014 should not be considered to be protected”.[1]
However, many organisations stick with their legacy Windows systems, even after support ends. Changing an OS across the entire organisation opens up the risk of downtime for mission critical applications. Migrating to a new OS is also manpower-intensive, and could easily lead to time and cost overruns.
Not surprisingly, companies see very little incentive to replace an unsupported but still functional OS—until there is an overwhelmingly urgent need to do so. In addition, their business may be dependent on old, proprietary applications that cannot run on newer platforms. Yet it is crucial for organisations to weigh the risks of running an out-of-support OS against the costs and effort of migrating to a new one.
Challenges of Legacy Systems
1) Security threats
History shows that new vulnerabilities in an out-of-support OS will continue to be discovered, and that new malware will be written to exploit them. Without OS security patches, businesses are exposed to a significantly higher risk of security breaches of their unpatched systems. The range and number of exploits likely to succeed can be expected to grow, through the cumulative effect of “doing nothing” across many separate vulnerabilities. The threat from unknown (zero-day) vulnerabilities intensifies this issue.
2) Regulatory compliance
An unpatched OS environment can put organisations in violation of industry compliance regulations, perhaps resulting in hefty fines or penalties.
[1] Microsoft, “Enterprise Customers: Support for Windows XP has ended”, retrieved from http://www.microsoft.com/en-us/windows/enterprise/end-of-support.aspx
3) Reputation damage and remediation cost associated with data breach
An unprotected OS means the organisation is more susceptible to data breaches and loss of critical, confidential data, which could lead to reputational damage. On top of that, businesses will incur increased labour and other costs to remediate the environment once an attack occurs.
What Options Are There?
The first option is to do nothing. However, this inevitably exposes your organisation to the attacks and risks caused by legacy systems.
The second option is to purchase “custom support” from the software vendor to obtain ongoing security patches for the end-of-support OS, and to deploy those patches when they become available. This option does provide protection from the vulnerabilities that are actually patched, but it has the following downsides:
• Leaves zero-day vulnerabilities unaddressed, opening systems to attack while a patch is unavailable and during other windows of exposure
• Offers inadequate protection against security vulnerabilities with a moderate or low severity rating, as patches during the custom support period are usually produced for known critical vulnerabilities only
• Incurs higher cost, due to the price of “custom support” and the frequent testing and deployment of patches
• Fails to be a long-term solution, as “custom support” programmes are specifically designed to help customers bridge the support gap while they migrate to new OSes
The third option is to protect and harden your legacy systems. In this option the customer deploys HIPS/HIDS-based security agents on the endpoints to harden the operating system and applications, mitigate vulnerabilities and stop known and unknown threats.
This option is most suitable when a replacement is not feasible for cost or control reasons, when patching or migrating is avoided to minimise downtime, or when applications are not compatible with newer OSes.
Benefits of this approach:
• Improves the security posture of your servers by protecting them against known and unknown (zero-day) malware
• Eliminates emergency patching, and minimises downtime and IT expenses related to patching, through proactive protection that does not require continuous updates
• Reduces security incidents and remediation costs with continuous protection, even if the server is unable to get the latest patches in a timely fashion
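To make the hardening approach concrete, here is an added example written for this brief (it is not taken from the brief or from any Symantec product): a small default-deny policy engine of the kind a host intrusion prevention agent applies. The policy lists which executables a point-of-sale host may run and where each may write, and denies every other process start or file write, which is why such a policy keeps working without continuous signature updates. The policy entries, paths and event records are constructed sample data, not a real product's rule format.

```python
"""Default-deny host protection policy for a legacy endpoint.

Added example written for this brief, not taken from it or from any
Symantec product. It models the allow-list style of hardening a HIPS agent
applies to a host that can no longer be patched: the policy says what the
host may do, and everything else is denied, so unfamiliar malware is
blocked without a signature for it. All paths and events are constructed.
"""
from fnmatch import fnmatch

# Allow-list: lower-cased executable path -> directory patterns it may write to.
# (Windows paths are case-insensitive, so everything is compared lower-cased.)
POLICY = {
    r"c:\windows\system32\svchost.exe": [r"c:\windows\temp\*"],
    r"c:\pos\register.exe": [r"c:\pos\data\*", r"c:\pos\logs\*"],
}

# Locations no allow-listed process may write to, whatever its own rule says.
PROTECTED = [r"c:\windows\system32\*", r"c:\pos\register.exe"]


def _matches(path, patterns):
    """True if the path matches any glob pattern (case-insensitive)."""
    path = path.lower()
    return any(fnmatch(path, pat) for pat in patterns)


def evaluate(event):
    """Return (decision, reason) for one endpoint event; decision is 'allow' or 'deny'."""
    image = event["image"].lower()
    kind = event["type"]
    if kind == "process_start":
        if image in POLICY:
            return "allow", "image is on the allow-list"
        return "deny", "image is not on the allow-list"
    if kind == "file_write":
        if image not in POLICY:
            return "deny", "writer is not an allow-listed process"
        target = event["target"]
        if _matches(target, PROTECTED):
            return "deny", "target is a protected location"
        if _matches(target, POLICY[image]):
            return "allow", "target is within the image's allowed directories"
        return "deny", "target is outside the image's allowed directories"
    # Anything the policy does not understand is denied, not waved through.
    return "deny", "unrecognised event type"


# Constructed sample events, in the order an agent might see them.
SAMPLE_EVENTS = [
    {"type": "process_start", "image": r"C:\POS\register.exe"},
    {"type": "process_start", "image": r"C:\Users\Public\update.exe"},
    {"type": "file_write", "image": r"C:\POS\register.exe",
     "target": r"C:\POS\logs\sales.log"},
    {"type": "file_write", "image": r"C:\POS\register.exe",
     "target": r"C:\Windows\System32\drivers\x.sys"},
    {"type": "file_write", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\POS\data\cards.db"},
]


def decisions(events):
    """Evaluate a batch of events and return just the decisions."""
    return [evaluate(e)[0] for e in events]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        decision, reason = evaluate(e)
        print(f"{decision:5} {e['type']:13} {e['image']}: {reason}")
```

The design point is that the second and fifth sample events are denied without the engine knowing anything about the binary or the file involved: an unlisted executable cannot start, and a listed one cannot write outside its declared directories. That is the property the brief means by protection that "does not require continuous updates"; the cost is that every legitimate change to the host (a new application, a new log location) must be reflected in the policy first.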
Option 3 clearly provides the best choice, with better and more consistent host security, lower overall costs and more control over when legacy systems are replaced.
The following Symantec solutions can help you secure legacy systems effectively, minimise business disruption and maintain regulatory compliance:
Security Solution | Platform | OS
Symantec™ Data Center Security: Server Advanced 6.0 | Server | Any
Symantec™ Endpoint Protection | Laptop / Desktop | Windows, Mac, Linux
Symantec™ Endpoint Protection | Point of Sale Device | Windows
Symantec™ Critical System Protection Client Edition | Point of Sale Device | Non-Windows
Symantec™ Critical System Protection Client Edition | ATM / Healthcare / Automotive / Industrial Control Systems | Any
For more information, please read:
• White paper: Using Symantec Critical System Protection for Patch Mitigation and Securing Legacy Out-of-Support Platforms
• Product overview: Data Center Security: Server Advanced 6.0 Overview Guide
• Solution brief: Protecting PoS Environments Against Multi-Stage Attacks
• Technical brief: Best Practices for Running Symantec Endpoint Protection 12.1 on Point-of-Sale Devices
The fourth option is to migrate from legacy systems. This option is most suitable for taking advantage of the benefits of a new OS and its associated applications, or for minimising the operational and management costs of IT systems by standardising their hardware and software.
Benefits of this approach:
• Enhances security posture by eliminating the risks and vulnerabilities associated with end-of-life systems
• Enables better IT investments by freeing up resources from the maintenance of legacy systems to focus on IT initiatives such as mobility deployments and cloud computing
• Improves business competitiveness by leveraging the productivity benefits of new OSes, applications, mobile devices, cloud deployments and more
Even though a migration can eventually lead to significant productivity, security and control benefits, it can still be an intimidating task. In the past, migrations involved manually collecting inventory and configuration data, throwing together solutions from disparate tools, writing and testing scripts to handle endless contingencies and dependencies, plus a thousand other routines that exhausted time, energy, money, motivation and executive patience.
With any migration, the challenge is to execute it in an efficient, cost-effective and sustainable manner while protecting end-user productivity. Symantec can meet that challenge with migration and deployment solutions that streamline processes to cut the expense, delay and disruption of migration, keeping it under control.
Symantec has migrated more than 300 million desktops and notebooks to Windows 2000®, XP, Windows Vista®, Windows 7® and Windows 8®.
Symantec™ Client Management Suite 7.5 powered by Altiris™ technology not only automates and simplifies migration efforts, but also helps manage IT resources long after migration is complete. Client Management Suite 7.5 consists of the following components:
Component Name | Description
Deployment Solution | Mass deploys disk images of a reference system, migrates user data and system configurations to new systems and configures each system based on standardised criteria
Configuration Management Database (CMDB) | Acts as a data warehouse to provide greater insight into existing IT assets, where they are, how they are connected and how any changes would impact those relationships
Inventory Solution | Gathers inventory data about computers, users, operating systems, network devices and installed software applications in existing environments
Patch Management Solution | Assesses, prioritises and deploys updates for common operating systems and applications to ensure that managed computers are protected on an ongoing basis
Software Management Solutions | Distributes software and ensures that the correct software gets installed, remains installed and runs without interference from other software; allows users to directly download and install approved software or request other software via a self-service portal
Endpoint Protection Integration Component | Inventories client systems for common endpoint protection products, migrates and rolls out Endpoint Protection agents, troubleshoots agent problems and reports on status and outbreaks
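As an added illustration of the inventory and patch-status view the Inventory Solution and Patch Management Solution rows describe (example code written for this brief, not a Symantec tool or its export format), the script below reads a constructed inventory export and classifies each host against the two end-of-support dates stated at the start of the brief, flagging hosts that are already unsupported and hosts whose support ends within a warning window. The hostnames, roles and dates in SAMPLE_INVENTORY are constructed sample data, and any OS absent from the END_OF_SUPPORT table is treated as supported, which a real deployment would replace with a complete lifecycle table.

```python
"""Triage a host inventory against operating-system end-of-support dates.

Added example written for this brief, not a Symantec tool or its export
format. The two end-of-support dates are the ones the brief states; the
inventory rows are constructed sample data. Any OS missing from
END_OF_SUPPORT is treated as supported, so a real deployment needs the
full lifecycle table.
"""
import csv
import io
from datetime import date, timedelta

# End-of-support dates as stated in the brief.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
}

# Constructed inventory export (hostnames, roles and dates are made up).
SAMPLE_INVENTORY = """hostname,os,role,last_seen
pos-01,Windows XP,point-of-sale,2015-02-27
fileserv-02,Windows Server 2003,file-server,2015-02-28
hr-desk-07,Windows 7,desktop,2015-02-28
lab-old-03,Windows XP,lab,2014-11-30
"""


def classify(os_name, as_of, warn_days=180):
    """Return 'unsupported', 'ending-soon' or 'supported' for an OS as of a date."""
    eos = END_OF_SUPPORT.get(os_name)
    if eos is None:
        return "supported"          # no lifecycle entry: assumed still supported
    if as_of >= eos:
        return "unsupported"
    if as_of + timedelta(days=warn_days) >= eos:
        return "ending-soon"
    return "supported"


def triage(inventory_csv, as_of, warn_days=180):
    """Map hostname -> (status, days already out of support)."""
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row["os"], as_of, warn_days)
        eos = END_OF_SUPPORT.get(row["os"])
        days_out = (as_of - eos).days if status == "unsupported" else 0
        report[row["hostname"]] = (status, days_out)
    return report


def summary(report):
    """Count hosts per status, for the management view."""
    counts = {"unsupported": 0, "ending-soon": 0, "supported": 0}
    for status, _ in report.values():
        counts[status] += 1
    return counts


if __name__ == "__main__":
    as_of = date(2015, 3, 1)
    report = triage(SAMPLE_INVENTORY, as_of)
    for host, (status, days_out) in sorted(report.items()):
        print(f"{host:12} {status:12} {days_out:4d} days out of support")
    print(summary(report))
```

Run with a reference date of 1 March 2015, the two Windows XP hosts show as unsupported for 327 days, the Windows Server 2003 file server falls inside the 180-day warning window, and the Windows 7 desktop is unaffected. The "days out of support" figure is the number that turns the brief's "doing nothing" risk into something a compliance reviewer can put a date on.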