Securing End-of-Life Windows Platforms
We witnessed it with Windows XP and 2003 in 2014, and as the merry-go-round continues, Windows 7 and 2008 will reach EOL in January 2020.
When support ends, cyber adversaries will target these platforms. As with Windows XP, there is buzz in the security media that attackers are already storing their zero-day attacks and getting malware ready. Attackers will target Windows 7, betting that organizations have unpatched vulnerabilities they can take advantage of.
What does end of life mean?
In three simple statements it means:
- No technical support
- No software updates
- No security updates
To avoid security risks, Microsoft recommends customers upgrade to Windows 10 and Server 2016.
“I need to keep Windows 7 / Server 2008. What can I do?”
If you are using Windows 7 Professional or Enterprise or a Server 2008 platform, you can purchase extended support from Microsoft through January 2023. This will get you security updates, but at a cost of between $25 and $50 per device in year 1, doubling each year until 2023.
There is no substitute for patching
The reality is there is no substitute for patching operating systems. It’s listed in the Australian Cyber Security Centre (ACSC) top 4 cyber threat mitigation strategies for a reason. No cyber security professional would recommend going without extended support and those key security patches. However, for some organizations it’s just not financially viable.
Alternatives or additions to extended support
Because an out-of-support platform carries significant risk and draws the focus of attackers, many will look to bolster the security around these devices.
Delivering a defense-in-depth set of controls to these devices allows an organization to increase their security posture and reduce the risk they pose to the wider enterprise.
Ivanti is in a unique position to assist our customers with this, delivering the remaining three of the ACSC top 4 controls from the ‘Security Controls’ platform.
Ivanti® Application Control provides a simple-to-deploy, low-management-overhead approach to application whitelisting, enabling organizations to ensure that only IT-approved software and content is ever allowed to run, thus thwarting file-based attacks and many attacks that are fileless in origin.
This is achieved using Trusted Ownership, a unique approach to application whitelisting employed only by Ivanti. The basic premise is that the Microsoft NTFS owner of a file is checked at run time. If the file was placed on the disk by a trusted user, the file can execute; otherwise it’s blocked by default. This means any software delivered as part of the SOE/Gold build or delivered by SCCM / Ivanti Endpoint Manager can run by default, with no lists to manage.
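The owner check described above can be previewed on an endpoint with a short audit script. This is an added example, not Ivanti's code or configuration: the set of trusted owner SIDs, the extension list, the function name Get-OwnerVerdict and the scanned path are all assumptions chosen for illustration, and it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example (not product code): report which executable content an
# owner-based allow rule would block, judging each file by its NTFS owner.

# ASSUMPTION: illustrative trusted owners; the product's real defaults are not listed on this page.
$TrustedOwnerSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)
# ASSUMPTION: extensions treated as executable content for this audit.
$ExecutableExtensions = '.exe', '.dll', '.msi', '.ps1', '.bat', '.cmd', '.vbs', '.js'

function Get-OwnerVerdict {
    param(
        [Parameter(Mandatory = $true)] [string]   $Path,
        [string[]] $TrustedSids = $TrustedOwnerSids
    )
    Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and
                       $ExecutableExtensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $owner = $null; $sid = $null
            try {
                $acl   = Get-Acl -LiteralPath $_.FullName -ErrorAction Stop
                $owner = $acl.Owner
                # Compare SIDs, not names, so the check works on any OS language.
                $sid   = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
                $verdict = if ($TrustedSids -contains $sid) { 'Allow' } else { 'Block' }
            } catch {
                # Owner unreadable or unresolvable: fail closed, as a default-deny rule would.
                $verdict = 'Block'
            }
            New-Object PSObject -Property @{
                Verdict  = $verdict
                Owner    = $owner
                OwnerSid = $sid
                Path     = $_.FullName
            }
        }
}

# Hypothetical target: a user-writable location where user-owned files tend to collect.
Get-OwnerVerdict -Path 'C:\Users\Public' |
    Where-Object { $_.Verdict -eq 'Block' } |
    Sort-Object Owner, Path |
    Format-Table Verdict, Owner, Path -AutoSize
```

The result is only meaningful where users run as standard users: an account with administrative rights can create files owned by a trusted principal or reassign ownership.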
This approach provides such a low cost of ownership that customers with fewer than 2,500 managed endpoints tell us they can manage it with a quarter of an FTE. (References available upon request.)
Third-party application patching
All endpoints have third-party applications installed, some as middleware, some as applications in their own right. These applications contain most of the vulnerabilities identified in software. Reports show that’s up to 86%.
Ivanti’s patching is market leading and mature, and it features the largest catalog of more than 100 vendors whose patches you can simply click and deploy from our agentless patch platform. Deploy patches regardless of whether machines are in the network or outside. Automate the deployment and reporting of critical patches within the ACSC-specified guidelines of 48 hours.
Removing administrator privileges
There are many reasons why users have administrator privileges. For many organizations, end-of-support platforms have likely been whittled down to only those machines that are stuck there. Ensuring that users only have the minimum privileges they need on these devices—and no more—is key.
Using Application Control, IT can elevate individual applications, control panel applets, or services as required. Because the logged-on session keeps running as a standard user, only the lowest level of privileges is available to an exploit in the event the machine is compromised.
How Ivanti helped a customer succeed
Over the years, Ivanti has assisted many customers who find themselves in the difficult position of needing to manage out-of-support platforms. For example, one customer in the ANZ region was a large government department with a highly sensitive application that ran on Windows XP only.
There was no way to migrate the application off XP prior to the end of support, and the customer wasn’t able to invest in the extended support. Using Ivanti Application Control, they were able to roll out whitelisting to the devices in days, on their own, and secure the devices, with confidence that users couldn’t run any software other than the solitary line-of-business application left on the platform.
After this project, the customer saw so much value and simplicity in the solution that they rolled it out to the supported production fleet to improve their security and ACSC compliance.