Windows 7 is Dead - How to Protect End-of-Life Software

Today, January 14, 2020, is the end-of-life (EOL) date for Microsoft Windows 7 (https://www.microsoft.com/en-us/microsoft-365/windows/end-of-windows-7-support). From this point forward, Microsoft no longer provides guaranteed support for Windows 7, including technical support, patching, and feature updates. You should discontinue using the EOL version and/or update to a supported version if possible. This applies to all EOL software, not just operating systems, but it is most important not to use unsupported operating systems. That’s just asking for trouble.

But what do you do if you can’t get rid of the EOL software? What if you must continue to use it? This is the reality for millions of users. Most instances of EOL software continuing to be used come down to ignorance or neglect. Millions of people have no idea that their software product has become EOL. The software is running on some system they use, but no one has told them it has become EOL, and they aren’t aware of it the way we are. Others might be aware that the software has become EOL but don’t care to do anything about it. They don’t understand the ramifications, or they are just willing to take the risk. Other times it’s running on a system that no one has touched in years. It’s not on anyone’s inventory.

But there are users who are quite aware of and worried about the issue, but can’t do anything about it for one reason or another. I’ve worked with many companies over the decades that had to knowingly support EOL software…sometimes for decades. If you’re one of those IT people who has to support old software, you’re not alone. But this doesn’t mean you do nothing. As soon as a critical security vulnerability comes out and no patch is coming, you have a serious problem. Heck, if I’m an attacker and I can reach your EOL software, I just wait for the bug announcement to come, reverse engineer the patch, and exploit your software. Bada bing, bada boom.

So, What Can You Do to Protect EOL Software?

Here is what you can do, in decreasing order of protection:

· Discontinue using it or replace it with a supported version
· Make it stand-alone, unplugged from any network
· Pay someone to provide custom critical support and patches
· Isolate it to just the required connections
· Harden it against attack
· Use enhanced prevention controls
· Use enhanced monitoring to detect attacks or compromises

I’ll briefly cover some of these recommendations below.

Pay for Custom Patch Support

A lot of people don’t know it, but you can often pay the vendor (e.g. Microsoft) or a partner to provide custom support and patches after a product goes EOL. EOL often just means that patches aren’t provided by default and aren’t free anymore. It can be very expensive, easily on the order of several hundred thousand to several million dollars a year. But if you want to make sure EOL software gets patched against any critical vulnerabilities and it is used in a high-risk way, this may be your best option. The vendor may not provide support, but many times there is another company that will. They either have the source code and the original vendor’s permission to support and patch it, or they can modify the system it runs on in a way that stops malicious breaches.

Isolate, Isolate, Isolate

The next best thing is to isolate the software, and the hardware it runs on, from malicious attack. At the very least this means not letting anything malicious from the Internet reach it. At best, you want to severely limit who and what can connect to the EOL asset, down to the bare essential connections. Isolate using the best, fastest means available: routers, firewalls, VLANs, etc. Limit not only which hosts can connect, but what ports are allowed and what actions can be performed. Hackers can’t hack what they can’t touch.

Prevention and Early Warning

You want to significantly increase the protective defensive controls on the involved asset by applying a hardened security configuration, installing good endpoint protection (if it is available for the EOL software), and enabling strict auditing. Use as many technical controls as you have in your environment to prevent malicious attacks. And you want early warning of any possible attacks or successful exploits.
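The two ideas above, an explicit list of the only connections the EOL host is allowed to accept and early warning when something else touches it, can be checked against the host’s own firewall log. The following is an added example, not code from the original article; it assumes the Windows Firewall log format (pfirewall.log), a constructed allow-list and constructed log lines, and a made-up EOL host address of 10.0.10.5.

```python
import ipaddress
from collections import Counter

# Constructed allow-list (an assumption for this example): the only inbound
# connections the EOL host should ever accept, as (remote network, dest port).
REQUIRED = [
    ("10.0.50.0/24", 3389),   # jump-host subnet -> RDP
    ("10.0.50.10/32", 445),   # backup server -> SMB
]
REQUIRED_NETS = [(ipaddress.ip_network(n), p) for n, p in REQUIRED]

# Constructed sample lines in Windows Firewall (pfirewall.log) format.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2020-01-14 09:01:12 ALLOW TCP 10.0.50.10 10.0.10.5 49211 445 0 - 0 0 0 - - - RECEIVE
2020-01-14 09:02:40 ALLOW TCP 10.0.50.23 10.0.10.5 50112 3389 0 - 0 0 0 - - - RECEIVE
2020-01-14 09:03:05 DROP TCP 192.168.7.9 10.0.10.5 41000 445 52 S 3090 0 8192 - - - RECEIVE
2020-01-14 09:03:06 DROP TCP 192.168.7.9 10.0.10.5 41001 139 52 S 3091 0 8192 - - - RECEIVE
2020-01-14 09:03:07 DROP TCP 192.168.7.9 10.0.10.5 41002 3389 52 S 3092 0 8192 - - - RECEIVE
2020-01-14 09:10:30 ALLOW TCP 10.0.20.7 10.0.10.5 52000 445 0 - 0 0 0 - - - RECEIVE
2020-01-14 09:11:00 ALLOW UDP 10.0.10.5 10.0.10.1 53123 53 0 - 0 0 0 - - - SEND
"""

def is_required(src_ip, dst_port):
    """True if this source/port pair is on the required-connections list."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net and dst_port == port for net, port in REQUIRED_NETS)

def review_firewall_log(text, drop_threshold=3):
    """Return (gaps, probers): inbound ALLOWs that are not on the required
    list (the isolation policy is looser than intended), and sources whose
    inbound DROP count reaches drop_threshold (someone is probing the host)."""
    gaps, drops = [], Counter()
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue                      # skip header/comment lines
        f = line.split()
        action, proto, src, dport, path = f[2], f[3], f[4], int(f[7]), f[-1]
        if path != "RECEIVE":
            continue                      # only inbound traffic to the EOL host matters here
        if action == "ALLOW" and not is_required(src, dport):
            gaps.append((src, proto, dport))
        elif action == "DROP":
            drops[src] += 1
    probers = {s: n for s, n in drops.items() if n >= drop_threshold}
    return gaps, probers
```

Feeding the real log into review_firewall_log on a schedule gives the early warning the section asks for: a non-empty gaps list means a firewall rule is wider than the required-connections list, and any entry in probers is a source sweeping ports on the EOL host.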

In the long run, you need to replace EOL software (and hardware). It usually isn’t worth the risk. But in the cases where it is worth the risk, or where discontinuing isn’t an option, there are things you can do to significantly lower the risk. The only thing you shouldn’t do is ignore it and do nothing.

More articles by Roger Grimes