8th April – Open Season On XP Users? Defence Is Your Only Option Now

Ray Bryant, CEO of vulnerability testing solutions vendor Idappcom, shares his Top Ten Tips to help avoid XP Armageddon.

Despite over 24 months advanced notice from Microsoft and countless industry watchers issuing dire warnings over the past two years there is strong evidence to suggest that significant numbers of XP users will not have completed the migration to supported versions of the Windows OS by the time the last update is released on 8^th April, i.e. in less than 1 months’ time. Some estimates suggest that at around 29% of desktops are still running XP, some suggest even higher.

There are lots of sound reasons, technical and cost related, why many businesses and government departments have delayed moving their core applications onto a safe(r) platform but the stark fact is that by not doing so they have put their organisations at risk, some argue irresponsibly, and it has now gone beyond the tipping-point into damage limitation territory with implications that run deep into the organisation including the ability to meet their regulatory compliance responsibilities.

For businesses that rely on card payment transactions and store card-holder data, non-compliance with the PCI DSS requirements can result in serious financial penalties if the card date environment (CDE) is breached. The PCI themselves has highlighted the XP EOL problem and has issued reminders to merchants that systems within the CDE must have the latest security patches installed.

For UK public sector bodies, failure to meet the latest PSN standards means they will be disconnected from the Government’s Intranet and that delivery of fundamental public services could be affected, including processing DWP payments. PSN is being managed and rigorously enforced by the Cabinet Office with software patch management a core requirement so IT managers working in the public sector cannot afford to ignore the looming deadline.

Most analysts and security professionals are predicting that the 8^th April will mark the start of an open-season on XP users with hackers unpicking the next supported Windows update to reverse-engineer the vulnerabilities it is designed to mitigate. The result could be a blood-bath to rival an August 12^th Grouse shoot unless urgent action is taken.

So the question for IT managers who have not completed, or maybe not even have started, the migration process is what steps, if any, can be taken to protect themselves during the transition period? Fortunately it is not a totally hopeless situation and there are some practical measures that can be put in place to ensure that yours is not one of the organisations that will be caught in the hacker’s cross-hairs.

Here are my top-ten tips to help minimise the immediate risks.

1) Test, Test and Test again

Anyone involved in network and data security will not need reminding of the importance of having a robust security shield, including intrusion detection/prevention and firewall systems, as their first line of defence. They will also know that these are not “fit and forget” solutions and need to be regularly monitored, tested and the rules constantly updated to mitigate against the latest threat vectors otherwise you may as well switch them off. Indeed many of the compliance standards include mandated penetration testing as a core requirement.

Usually testing once a quarter is regarded as being enough but with the threat risk for XP users set to Code Red it is advisable to make this part of a scheduled monthly or even weekly routine at least during the critical transition phase. Clearly this has implications for over-stretched IT resources and realistically for most organisations such a policy can only really be implemented using one of the automated penetration testing tools that are now more widely available.

There have been some significant advances in the functionality of such tools in recent years and it is now possible to test multiple IPS and Firewalls in a live network environment against the most up to date vulnerability signatures using traffic record and replay techniques, and provide the latest rules on a virtually real-time basis. These low-cost systems can be quickly retro-fitted into most network environments so this would be a relatively easy first step towards getting ahead of the hackers, not just those targeting XP systems but the whole network security.

2) Spring Clean

Whether you are a just a home user, an SME or large enterprise there are a number of routine maintenance jobs you can and should do that will help to reduce the risk of a successful hack attack, while you are deciding if and when to upgrade, these are just a few suggestions

– If at all possible, do a clean install of Win XP and any application that is really needed
– Run every update available to all software installed
– Buy a really good router, with good HARDWARE firewall.
– Make sure any existing router/firewall has latest firmware.
– Use a browser other than IE.
– Create a user (if you don’t already) that has no admin rights. Sign on as that user for day to day use and only as the admin when you need admin rights to do upgrades etc.
– Keep checking and running MS updates until they stop.

Many of these tasks should be, but rarely are, part of the normal routine for any IT team and whilst this can stretch the resources for organisations particularly those with large, complex networks the result will not only help protect legacy XP systems but will raise the level of security across the whole infrastructure.

In addition, for the medium size business sector where the risks of an attack are higher it is also advisable to go a few steps further, including

– Audit all desktop software to see how applications are being used
– Rationalise applications based on business usage
– Identify applications that can be migrated to Windows 7 without modification
– For those that cannot be modified, consider virtualisation or use Browsium for IE6 applications

3) Develop network segregation techniques to keep XP machines isolated.

The most significant vector for attacks after the XP end of life will still be through the Internet — specifically, users clicking dangerous links or attachments and surfing to nefarious websites.

One effective, if blunt, method of mitigating the risk from attacks through this vector is to segment XP machines onto a different network that has access only to the file shares necessary for line-of-business applications, not the Internet.

You might need to do some network restructuring and ensure that Windows XP desktops and laptops can still access a very limited set of files to keep their applications functioning, but it is an effective way to guard against a big risk.

4) Unplug XP machines from the network if they are running legacy software that is used on embedded systems or controlling expensive hardware

If all that the XP device does is control a machine, don’t store data on it, don’t use it to browse the Web, and disconnect it from your domain if it was joined. There is no legitimate reason for most of these machines to have access to the Internet.

If Internet access is required, use a kiosk program or Deep Freeze to lock down the desktop as much as possible. Install dedicated firewalls and establish exactly what Internet access is required for the machinery to function, and blacklist everything else.

5) Application “Virtualization”

One of the options open to the IT department is to run XP in a sandboxed environment, such as by using Citrix or VMware.

Controlling user actions on XP machines is absolutely critical, but another factor is limiting the access to those machines as much as you can. Host XP virtual machines in a central server, where you can control which applications can be accessed and updated and where you have a “good” image from which you can restore a VM in the event it does get infected.

Even three- or four-year-old servers can host Windows XP VMs without too much trouble, so new servers are not required, especially if you simply need more time to migrate from Windows XP and if the OS is not a permanent member of your technology portfolio.

6) Be aware the big bad wolf; Licensing restrictions

Microsoft states it does not support the use of Microsoft Application Virtualisation (App-V) or similar third-party application virtualisation products to virtualise IE6 as an “application” enabling multiple versions of Internet Explorer on a single operating system.

In addition, the terms under which Windows and IE6 are licensed do not permit IE6 “application” virtualisation. Microsoft supports and licenses IE6 only for use as part of the Windows operating system, not as a standalone application. If users follow the wording, then Microsoft effectively forbids companies from using application virtualisation to run IE6 applications – even though these applications can run in a virtual environment.

To remain compliant with the Microsoft end user licence agreement (EULA), the only option open to businesses, which have a requirement to continue running IE6 applications is to virtualise the whole OS. But, on its TechNet site, Microsoft stipulates that users can only run Windows Server 2003 to virtualise IE6. “This means you cannot take advantage of the Terminal Services RemoteApp capabilities in the Windows Server 2008 R2 operating system. It also means that in July 2015, when Windows Server 2003 support ends, the IT department will need to rethink its XP strategy.

7) Microsoft Support

It may at first seem unfair but larger organisations, and consultancies, will still be able to get XP support after April 2014. However the charges are such that it does seem that Microsoft is not encouraging this route.

There will be a charge of $200 per PC per year and that fee goes up to $400 in the second year and doubles every year after. For companies forced to take this route, that support charge over time will grow large enough to appear as a discrete line on the balance sheet – and this is not a viable option, even in the short to medium term. Microsoft is making sure that for most organisations this support option is not, ultimately, viable

8) Browsium

Consider Browsium’s UniBrows compatibility product to keep IE6 applications running in Windows 7. Browsium allows you to move to Windows 7 without going to a far bigger project to go into virtualisation.

The software runs on the PC client and determines whether an application requires the IE6 browser engine. From a user perspective, the application runs in an IE8/9 tab, but renders using the 32-bit IE6 engine rather than IE8/9. UniBrows loads relevant IE6 ActiveX controls, such as specific versions of Adobe Flash or the Java Runtime Engine.

Browsium has been chosen by large organisations such as AVIS and the UK’s tax authority (HMCR) so you would be in good company.

9) Upgrade Anti-X software products

It may seem obvious but make sure that your anti-virus and anti-malware products are up to date and effective. For standard end-user desktops that do not have special requirements, you should be using a third-party anti-malware product. Most of these products have support beyond the Windows XP end of life.

Even Microsoft has relented, saying its free Security Essentials product will have virus-definition updates until July 2015, even after security patches cease being released. Verify these dates, install the latest releases of these products, and switch products if one provides lengthier or more comprehensive XP support than the one you are currently using does. This is not an area in which cost should be the primary driver — effectiveness is what counts here, or you might as well not bother at all.

10) AppSense Application Manager

For enterprises that cannot migrate before April 2014, it is too late now in any case, there is also AppSense Application Manager, which works with physical and virtualised versions of XP. It locks down the current supported XP environment and will not allow any further executables or applications to be run, without the system administrator first approving them. The idea is that a user environment is kept more or less as it was before the end of support, so further patches would not be necessary. This technology can work hand-in-hand with endpoint security systems, such as antivirus packages.