Guidance for Securing Critical, Non-Upgradable Window XP Installations

Background

On April 8, 2014, Microsoft will officially end support for Windows XP. After that date, Microsoft will not release any security, reliability, or compatibility updates or patches for Windows XP, nor will they provide support to solve issues with this twelve-year-old operating system. As of February 2014, approximately 30% of all Windows computers worldwide continued to run Windows XP. Because no further security patches will be developed, these computers will be substantially more vulnerable to security risks and prone to malicious attacks. With such a massive installed base and no future security patches, effective Windows XP exploits will almost certainly come quickly. Since the risk of vulnerability is so high, Windows XP should not remain in use at Penn after the discontinuation of support on April 8th, 2014. It is vitally important that Windows XP users not leave themselves in such a tenuous position to help protect both the University’s data and the members of its community.

Options for Non-Upgradeable Windows XP Systems

There is a limited number of circumstances in which Windows XP systems cannot be upgraded, such as research equipment that requires Windows XP to operate. These critical, non-upgradable systems should be secured using one or more of the following methods:

1. Disconnect, and do not reconnect, the computer from the network
Windows XP systems disconnected from the network will not be vulnerable to network-based exploits.  However, the following precautions should still be taken to protect these systems from non-network based threats:

• • Ensure that all available Window XP patches are applied before disconnecting from network (Note: this may require multiple runs of Windows Update/Microsoft Update)
  • Disable auto-run. This prevents malware from being automatically run from USB keys, etc.
  • Install the current version of SEP and configure it to automatically scan removable media (Note: SEP virus definitions will need to be manually updated)
  • Remove administrative rights from day-to-day user accounts (Note: if possible. Some programs may require an administrator account to run)
  • Use the Group Policy tool to implement software restriction policies that only allow executables to be run from the Program Files directory, so malware cannot be installed from non-admin user accounts
  • Implement automated daily backup to facilitate system restores to a clean state should the machine be compromised
  • LSPs may also wish to protect core operating system and configuration files through solutions such as Faronic’s Deep Freeze.

2. Secure the computer on the network if and when network connectivity is required.
In addition to the precautions listed above, further preventative measures should be implemented in situations where network connectivity is required:

• Systems should be protected by a vLAN and/or firewall. A vLAN should be considered in situations where a two or more systems must to be networked together but there is no need for either system to connect to other systems on the network at-large. If there is a need for computers outside of the vLAN to communicate with the computers inside the vLAN, a firewall can be used to manage incoming and outgoing access. Through the use of vLANs you can improve security by segmenting traffic between trusted servers (e.g., file servers and domain controllers), public servers (e.g., web servers), and workstations. The firewall acts as a gateway to vLANs, examining incoming and outgoing traffic to see if it meets a certain criteria defined by the firewall policy. Criteria commonly used to allow or block traffic include: IP addresses/ranges, application ports, protocols.
• Use local Windows IPSEC policies to enforce relevant network isolation. Successful implementation of IPSEC policies can significantly minimize the risk of unauthorized access to computers. The granularity of IPSEC filters makes it a good method of controlling access in lieu of or in addition to built in firewalls. For more information, please see ISC Information Security's IPSEC for Windows: Packet Filtering.
• ISC Information Security's SafeDNS service should be used to protect networked Windows XP systems from being infected by computers known to host malware. SafeDNS prevents access to about 50,000 hosts that are known to be hosting malicious software; the list of hosts is updated daily.
• The Group Policy tool in Windows XP should used to implement software restriction policies to prevent unnecessary and likely-targeted software (e.g. Internet Explorer, all web browsers, etc) from running.  
• When possible, networked Windows XP systems should be managed by Active Directory and Group Policy which can be used to implement software restrictions and other precautions to minimize risk.

With the above precautions, systems that cannot be upgraded past Windows XP can be reasonably secured to a point, but be aware that these are last-resort measures that should not take the place of upgrading on machines that can be upgraded. The compromise vectors in XP will only increase in number after April 8th and will do so very quickly, so options should be monitored for replacing or upgrading currently non-upgradable systems and implemented as soon as feasible if they become available.

Resources

• For vLAN ordering information or to request a consultation, please contact ISC Client Care.
• Firewall consulting and maintenance sevice is also available through ISC Client Care.
• Microsoft: Description of Software Restriction Policies in Windows XP
• Symantec: Microsoft End of Support for Windows XP and what it means for SEP
• Symantec: Manually Download SEP Virus Definitions
• ISC Security: IPSEC for Windows - Packet Filtering
• ISC Security: SafeDNS service