How to carry on safely with Windows XP Ten best practices to manage the risks associated with Windows XP now that Microsoft has ended support On April 8, Microsoft officially ended support for Windows XP, meaning no more bug fixes or patches. But according to Gartner, one third of enterprises still run more than 10% of their systems on the venerable operating system. Security researchers have warned that this comes with massive risk now that support has ended, and recommend upgrading to a newer operating system. However, Neil MacDonald, vice president and Gartner Fellow, recently wrote that it is possible to use XP while achieving manageable and tolerable risk levels. Any system, supported or not, carries risk. For the majority of use cases, XP can continue to be used with the risk managed to a tolerable level, without requiring the enterprise to pay Microsoft for expensive custom support while migrations are completed, he said. While doing nothing is an option, we do not believe that most organisations (or their auditors) will find this level of risk acceptable. What follows is a set of best practices for the continued use of Windows XP. 1. Restrict network connectivity to the minimum possible: Protecting XP systems is easier when other systems cant communicate to them over the network, the primary vector for attacks. 2. Implement an application control solution and memory protection: This can be accomplished using a dedicated solution, a host-based intrusion prevention system (IPS), or Microsofts Group Policy object (GPO)-based software restriction policies to establish a lockdown posture for XP to prevent the execution of arbitrary code. 3. Remove administrative rights: This should be mandatory for all remaining users on Windows XP. 4. Address the most common attack vectors — web browsing and e-mail: Remove web browsing and e-mail software from XP systems, and provide these capabilities from a server-based system that is up to date. 5. Keep the rest of the software stack updated where possible, including Office: Vendors of other software solutions and versions running on these XP systems may continue support. This further minimises the vulnerable surface area that can be attacked. 6. Use a network or host-based IPS to shield XP Systems from attack: Confirm that your IPS vendor will continue to research vulnerabilities and attacks on XP and provide filters and rules to block these attacks where possible. 7. Monitor Microsoft: Microsoft will not publicly disclose if new vulnerabilities against XP are discovered (unless you have paid for custom support). However, pay particular attention to critical vulnerabilities that affect Windows Server 2003 as these will likely impact XP. 8. Monitor community chat boards and threat intelligence feeds: Third-party threat intelligence feeds are an independent source of information. Communities of interest are expected to emerge specifically for sharing information related to XP. 9. Have a predefined process ready if an XP breach occurs: Have a plan to isolate XP workstations in the event of an attack that gains a foothold by quarantining these systems from a network perspective until mitigating steps are understood. 10. Perform a cost/benefit analysis: The cost and resources to implement the steps above might be better spent in accelerating the migration of the remaining XP systems, or it might be simpler to pay Microsoft for custom support. Source - Gartner
Posted on: Fri, 25 Apr 2014 19:09:18 +0000
Trending Topics
Recently Viewed Topics
© 2015