Is your organization still using Windows 7? Microsoft support is coming to a close in a few short months. If you think end-of-support for legacy systems doesn’t impact your organization, think again.
Microsoft ends all support for Windows 7 on January 14, 2020. After that date there are no more Windows 7 patches, bug fixes, or security updates for older systems, which may include your e-commerce server, your point-of-sale (POS) system, or a financial database holding Personally Identifiable Information (PII).
How pervasive is the Windows 7 user base? According to Dublin-based StatCounter GlobalStats, Windows 7 Service Pack 1 (SP1) still held 33.6% of the Windows desktop market worldwide as of May 2019. Without security updates, Windows 7 will only become more vulnerable. The 2017 WannaCry outbreak is the cautionary example: it spread through the SMBv1 flaw fixed in MS17-010 two months earlier, and the hosts it hit were overwhelmingly Windows 7 machines that had not applied the patch, alongside out-of-support Windows XP systems for which Microsoft had to issue an emergency fix. Adversaries can be expected to step up attacks on Windows 7 users after January 2020, since organizations that lag on patching signal lower security maturity and make attractive targets.
Migrating off the Windows 7 operating system (OS) takes time and money, and with only months remaining until January 2020 you need a plan. These Windows lifecycle deadlines hit small and medium-sized businesses (SMBs) especially hard, since they have smaller IT teams that may lack the skills to handle the change. While it might be tempting to look for workarounds, this is the end of the line for Windows 7. Non-compliance penalties under HIPAA (Health Insurance Portability and Accountability Act) or PCI DSS (Payment Card Industry Data Security Standard) are likely to far outweigh the cost of migrating and staying compliant.
Performance and security are two areas that have evolved considerably over the last three or four years, and your organization may have some unique considerations to assess in order to optimize your limited resources. Recent technical advancements mean that you can improve security and protection all while reducing complexity and cost. Here are some crucial questions that you may be asking as you move ahead, or even wrap up your Windows 7 migration.
1. What is the timing of Windows 7 end-of-support?
Microsoft will discontinue all Windows 7 support on January 14, 2020. Microsoft publishes the Windows product lifecycle years in advance, so this should not come as a surprise; in practice, though, day-to-day IT priorities and security firefighting have often overtaken migration planning. Allocating resources for migration may be a particular challenge for city and state governments and for educational institutions. Windows 7 is not the only product facing end-of-support. Here are some Microsoft support deadlines to note:
- Windows 7 Service Pack 1: January 14, 2020
- Windows Server 2008 R2 SP1: January 14, 2020
- SQL Server 2008 SP4: July 9, 2019
- (product not named in the original table): October 13, 2020
The time to mobilize is now. Develop a migration plan that encompasses any IT timelines that your vertical industry or organization may follow. For example, allow extra time to freeze ordering and shipping system development 60 days before the retail holiday season or year-end break for educational institutions.
2. What are some implications associated with legacy software and hardware?
Some of the organizational impacts of older systems and hardware include:
- Increased cybersecurity risk
- Decreased productivity for both end users and IT teams
- Higher operating costs
- Reduced compliance and audit effectiveness
Obsolete platforms accumulate unpatched vulnerabilities that adversaries can exploit with malware to reach your data, or to pivot to other businesses in your supply chain and operating network. If a data breach is traced to unpatched legacy software or hardware, sizable compliance fines and negative publicity may follow, because the breach will be judged preventable.
3. What are my options for migrating off Windows 7?
Organizations have four possible paths when migrating off legacy operating systems and devices:
- Do nothing or continue delaying – This is not a recommended approach as it could have many negative and costly impacts.
- Purchase Microsoft Extended Security Updates (ESU) – Microsoft customers with a volume license agreement may have the option of purchasing extended support for Windows 7. Microsoft publicized ESU pricing in February 2019 with Year 1 costs in the $50 range per device, doubling in Year 2. While there do not appear to be minimum quantities required, this is still an extra cost that just delays the inevitable migration.
- Use Endpoint Detection and Response (EDR) to protect legacy systems – Advanced endpoint solutions such as managed EventTracker EDR can put critical but obsolete systems into a lockdown mode that limits which processes can run and what they can touch. PCI DSS allows documented compensating controls where a requirement cannot be met directly, and an EDR lockdown can be documented as one for audit purposes, but the control is only accepted once your assessor agrees it meets the intent and rigor of the original requirement.
- Finish migration to Windows 10 – This is our recommendation as well as Microsoft’s to organizations with Windows 7 devices. Start or complete any pending migrations including any potential hardware upgrades, or move to a virtual desktop infrastructure. Third-party assistance may also prove helpful.
Here’s what Microsoft has to say to businesses running Windows 7.
4. Could Windows 7 end-of-support impact my compliance posture?
In a nutshell: yes. Running Windows 7 after January 14, 2020 could violate security and privacy safeguards such as PCI DSS and HIPAA for organizations of all sizes. Requirement 6.2 of PCI DSS requires that all in-scope system components, POS devices included, have applicable vendor-supplied security patches installed, with critical patches applied within a month of release; for Windows 7 there will be no vendor patches to install after the end-of-support date. HIPAA's Security Rule similarly requires ongoing risk analysis and risk management for systems that handle PHI (Protected Health Information), and a device running an OS that can no longer be patched is very hard to defend in that analysis once the January date has passed.
If migration is not an option or there are unforeseen delays, compensating controls may be used to address compliance and audit requirements. These compliance-related compensating controls involve identifying, examining, and mitigating risks along with documenting and maintaining security levels over time. Notify your PCI QSA (Qualified Security Assessor) of any compensating controls or document them in your organization’s self-assessment reports.
The optimal approach is to successfully migrate to Windows 10 with plenty of time built in for contingencies. Always consult a PCI DSS or HIPAA expert for compliance recommendations about your specific entity and protected data.
5. How can I protect my Windows 7 infrastructure in the short term?
Here are some practical tips for robust security controls to help you think like a hacker when it comes to protecting your Windows 7 infrastructure as you prepare for migration:
- Update your risk assessment or Incident Response (IR) plan as a precaution
- Inventory and document your operating systems, applications, and hardware (look for even older Windows Vista and XP that have passed their end-of-support dates while you’re at it)
- Monitor internal users and external actions for suspicious behavior – especially during seasonal busy times that attackers can exploit
- Limit privileged access and implement network segmentation that can reduce the “blast radius” of any incidents or breaches
- Review your account lockout policy to limit anomalous logins and brute force attacks
- Ensure that backups are conducted regularly to protect data and applications
- Deploy 24/7 monitoring such as Security Information and Event Management (SIEM) for comprehensive visibility of your infrastructure
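As an added example (not code from the original article or from EventTracker), the PowerShell below turns the inventory and account-lockout tips above into something you can run against Active Directory: it lists enabled computer objects by operating system, flags any that are past or approaching end-of-support, writes the inventory to a CSV for the risk assessment, and checks the domain lockout policy. It assumes the RSAT ActiveDirectory module is installed and that the session runs as an account that can read computer objects. The Windows 7 and Server 2008 dates come from the article; the Windows Vista and XP dates are Microsoft's published lifecycle dates for those products; the output file name legacy-os-inventory.csv is an arbitrary choice.

```powershell
# Added example, not code from the original article or from EventTracker.
# Inventory Active Directory computer objects by OS, flag hosts that are past or
# approaching Microsoft end-of-support, and check the domain account lockout policy.
# Assumptions: RSAT ActiveDirectory module installed; the running account can read
# computer objects; dates below are Microsoft's published lifecycle dates.

Import-Module ActiveDirectory

# OS name prefix -> end-of-support date. The prefixes match the OperatingSystem
# attribute AD stores, e.g. "Windows 7 Professional", "Windows Server 2008 R2 Standard".
$EndOfSupport = @{
    'Windows 7'           = [datetime]'2020-01-14'
    'Windows Server 2008' = [datetime]'2020-01-14'   # matches 2008 and 2008 R2
    'Windows Vista'       = [datetime]'2017-04-11'
    'Windows XP'          = [datetime]'2014-04-08'
}
$Today = Get-Date

# Enabled computer objects with OS details. LastLogonDate separates live hosts
# from stale objects nobody cleaned up; both matter when you show this to an auditor.
$Computers = Get-ADComputer -Filter 'Enabled -eq $true' `
    -Properties OperatingSystem, OperatingSystemServicePack, OperatingSystemVersion, LastLogonDate

$Report = foreach ($c in $Computers) {
    $os  = [string]$c.OperatingSystem
    $key = $EndOfSupport.Keys | Where-Object { $os -like "$_*" } | Select-Object -First 1

    if (-not $key) {
        $eos    = $null
        $status = 'Supported'
    } else {
        $eos = $EndOfSupport[$key]
        if ($eos -le $Today) {
            $status = 'OUT OF SUPPORT'
        } else {
            $status = 'Support ends in {0} days' -f [int]($eos - $Today).TotalDays
        }
    }

    [pscustomobject]@{
        Name         = $c.Name
        OS           = $os
        ServicePack  = $c.OperatingSystemServicePack
        Version      = $c.OperatingSystemVersion
        LastLogon    = $c.LastLogonDate
        EndOfSupport = $eos
        Status       = $status
    }
}

# Legacy hosts first, most recently active at the top: this is the migration
# (or compensating-control) work list.
$Report | Where-Object { $_.Status -ne 'Supported' } |
    Sort-Object EndOfSupport, @{ Expression = 'LastLogon'; Descending = $true } |
    Format-Table Name, OS, ServicePack, LastLogon, EndOfSupport, Status -AutoSize

# Keep the full inventory for the risk assessment and for the QSA or auditor.
$Report | Export-Csv -Path .\legacy-os-inventory.csv -NoTypeInformation

# Account lockout policy. A LockoutThreshold of 0 means lockout is disabled, so
# password guessing against any of these hosts is never throttled.
$Policy = Get-ADDefaultDomainPasswordPolicy
$Policy | Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow
if ($Policy.LockoutThreshold -eq 0) {
    Write-Warning 'Account lockout is disabled: brute-force logins will not be throttled.'
}
```

Hosts that are not domain-joined, and embedded or POS devices managed outside AD, will not appear in this list, so cross-check it against DHCP leases or a network scan before calling the inventory complete. Fine-grained password policies applied to specific groups can override the default domain policy shown here; Get-ADFineGrainedPasswordPolicy -Filter * lists them.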
Note that Microsoft customers with Windows 7 support contracts will continue to receive any updates, patches, and bug fixes that Microsoft provides through January 14, 2020.
6. What are some migration steps as I move to Windows 10?
There are three primary steps to consider in your migration to Windows 10.
- The first step involves planning for the technical aspects as well as people and process-related issues. Create a migration plan and get buy-in from your management team. Remember to communicate migration timing to users along with any downtime they can expect.
- Once planning is complete, the second step is implementing your migration plan. Remember to assess whether you need new workstations along with an upgraded operating system. You will need a new golden image for these workstations and while it’s not “one size fits all,” minimizing the number of workstation images can reduce future support costs.
- Once the migration is complete, an important, but often-overlooked step is testing. You will want to verify the applications in the new infrastructure and operating system environment, as well as reassess your security posture.
Don’t wait until the last minute when new workstations may be in short supply along with vacationing IT staff and users who may hinder migration. Engage outside help to leverage experts who have done this consistently to avoid surprises if your organization doesn’t have a lot of migration experience.
7. What technology solutions are available to support my endpoints?
Endpoint technology has advanced significantly since Windows 7 was introduced in 2009. EDR is one of the newer layers in endpoint defense, blocking known malware as well as unknown (zero-day) attacks to protect organizations from costly data breaches. Anomaly detection on the endpoint is a crucial step toward preventing, detecting, responding to, and anticipating threats. EDR also supports threat hunting by pinpointing attacks in progress and isolating affected endpoints or servers, while minimizing the false positives that waste your valuable time. EventTracker EDR is a 24/7 managed service that closes the security gaps created by legacy systems with a defense-in-depth strategy, bolstering endpoint security to contain threats early and reduce dwell time across all stages of the threat chain.
A move to Windows 10 provides numerous benefits such as increased performance, usability, and operating efficiencies. Hardware today is optimized for Windows 10, and legacy OS users face security risks, rising operating costs, lost productivity, and an inability to capitalize on hardware and software improvements. While migrating requires time and money, the benefits outweigh the disadvantages that could include compliance fines, data breaches, and damaged brand reputation.
As you eliminate Windows 7, keep security top of mind as you assess the strategic choices available to you today. EDR can be another compensating control to place legacy equipment like Microsoft Windows 7 in lockdown mode. Advanced cybersecurity threats have increased in severity and volume, and your security solutions must likewise protect your sensitive data and customer trust. Security risks increase as the looming end-of-support date of January 14, 2020 approaches.
Are you facing a Windows 7 migration? Watch our webcast on Windows 7 Migration: A Cybersecurity Reboot to learn more about your options for protecting your employees and customers, sensitive data, and infrastructure.