Does your organization have a significant number of endpoints still running Windows XP? Don’t worry, you’re not alone: Forrester's Forrsights Hardware Survey, Q3 2013 shows that the average organization still has 20% of their employee endpoints running XP. Considering that most organizations spend 18 to 32 months when migrating to newer versions of Windows, many organizations will likely find themselves scrambling to batten down the hatches before Microsoft’s April 8, 2014 end-of-life deadline.
 
After this date, Microsoft will stop releasing security patches for the 13-year-old operating system, a terrifying situation for organizations still relying on XP. What can you do as an organization if you still have a substantial XP presence within your environment? You can:
 
  • Migrate to Windows 7 or 8 posthaste. Microsoft has come a long way in preventing certain classes of attacks, such as bootkit and rootkit attacks. In fact, Microsoft has told us that Windows XP is 21 times more likely to get infected with malware than Windows 8.1. To help our clients understand the pros and cons of Windows 8.1 security, I recently published a guide on this very topic.
  • Buy some extra time. For those that can afford it, Microsoft will offer “custom support” in the form of XP security patches past the April 8 deadline. I’ve spoken with a number of organizations that determined that it would be cheaper to pay this premium than to migrate away from XP. Of course, this is just prolonging the inevitable; custom support will not be available forever.
  • Isolate tricky XP-dependent applications through virtualization. Applications that must run on Microsoft XP can be virtualized and hosted internally with all of the traditional safeguards. Also, for those servers running XP that cannot be easily upgraded to Microsoft’s Server 2008/2012, Server 2003 can be used in its place as a temporary solution and will likely cause fewer application dependency problems.
  • Do nothing. Is your data really that valuable to hackers? HIPAA and PCI regulations only matter if you get caught. Might be time to also think about updating your résumé.
After Microsoft puts XP to rest, expect many of the AV vendors to slowly stop putting effort into protecting these systems. Most third-party application vendors will likely stop releasing security patches for their software as well, leading to a perfect storm for hackers. Technologies that do not rely on blacklists, such as whitelisting, privilege management, and process isolation/sandboxing, will continue to offer a level of protection, but as more and more vulnerabilities are left unpatched on the OS, these solutions will not be tenable over the long term.
 
My question to all of you is: What are your plans for migrating away from XP? Are you planning on getting rid of all traces of XP before the April deadline, or are you deciding to invest in additional technologies, software, or services to weather the storm and buy some time?
 
Chris Sherman
@ChrisShermanFR