Why a new decade should be the end of the line for old operating systems
Slightly more than five years ago, one of the most popular operating systems in history was retired, and this major end-of-life event still has a major impact on IT and information security.
There were countless discussions on the best way to keep XP on networks past the official EOL from Microsoft. However, there were far too few discussions about actively removing XP.
Most of IT had not previously dealt with anything like this: a manufacturer officially deprecating a popular operating system. This lack of experience led many (if not all) organizations to make decisions that have since had a lasting, negative effect.
One of the biggest mistakes was made because of a false sense of security provided by “extended support.” This concept left most organizations feeling confident keeping the OS online well past its expiration date.
When Microsoft initially announced the deprecation of Windows XP (among other operating systems), they also offered organizations the option to purchase “extended support” for the operating system, which included patches for issues past the official end-of-life. While this extended support seemed like a good idea on the surface, it led to the extensive number of XP systems we still see on networks today.
As we all know and see daily, no plan survives contact with real life (or the enemy). Many systems that were deprecated more than five years ago are still online today despite “best laid” plans to replace them.
Organizations need to take a look at their collective mistakes from the past and consider making more sound decisions, as another OS has recently been deprecated.
As of January 14, some other popular operating systems from Microsoft, such as Windows 7 and Server 2008, are among a few products that no longer provide support and patching.
As previously seen with Windows XP, keeping operating systems that are deprecated is not a good idea regardless of the reasoning behind it—nor is keeping vulnerable systems on a network for any period of time, let alone years.
When the EOL of XP was announced, it sparked countless phone calls and emails from customers and colleagues alike asking for justification for their plans to keep Windows 7 and 2008 online past end-of-support. I was presented with many plans that included paying Microsoft for extended support while these systems were scheduled to be taken offline within a year.
History has shown that extending the support for an old operating system is just “kicking the can” down the road a bit. Unfortunately in this case, as time goes by, the “can” becomes more entrenched and difficult to pick up. This is just one of many reasons to get old operating systems off your network.
To see the reality of this, take a look at how many XP or Server 2003 systems are still on your network. When were those slated to be replaced? How many of these systems process or store sensitive data?
Concerns don’t stop with having old operating systems protecting sensitive data. Older operating systems don’t have modern security controls. Patches and updates are the manufacturers’ attempts to make modern security work on old systems, and those attempts often leave the systems slower and only slightly less vulnerable than if they had been left unpatched. The only real way to secure an old OS is to remove it completely from the network.
Malicious attackers and criminals around the world know this end-of-life is a boon for them. It is likely that attackers and malicious nation-states have been stockpiling zero-day vulnerabilities and exploiting code, waiting for official support to end before they start using it. Expect to see a major surge in successful attacks against Windows 7- and Server 2008-based systems beginning immediately and lasting until all those old deprecated systems have finally been taken offline.
Rather than simply accepting the risky fate of keeping old systems on your network, ensure you’ve considered all of the options and don’t forget the critical importance of business impact analysis, as this will make the risk clear. Before you accept the notion of having any of these soon-to-be outdated systems in your network, make sure everyone fully understands the risk and business impact of these choices.
It is safe to say that if there is any way to get these systems offline immediately, then you will be a step ahead of your peers—and attackers.