Is Windows XP still around in your Network a year after Support Ended?

Published: 2015-06-27
Last Updated: 2015-06-27 21:36:05 UTC
by Guy Bruneau (Version: 1)
9 comment(s)

This week Computerworld [1] published a story about the US Navy still paying Microsoft millions to support Windows XP when support ended April 8, 2014 [2] and soon Windows server 2003 will follow suit next month July 14, 2015.

Unless you are paying Microsoft to continue using legacy systems like WinXP, it is obvious that you would need to pay support to get patches and continue protecting you network against vulnerabilities that are no longer publically release to defend against potential compromised. This brings the cycle of modernizing custom applications used to support critical system that have been written on older platform and should have been part of a program to modernize, test and upgrade in time, to save million in support which I think in the end should save money. As an example, the Navy is paying a "[...] contract that could be worth up to $30.8 million and extend into 2017."[1]

Are you still supporting WinXP because of legacy applications and is there a plan to migrate them over Win7/Win8? If not, how are you protecting these clients against exploitation?

[1] http://www.computerworld.com/article/2939435/government-it/us-navy-paid-millions-to-stay-on-windows-xp.html
[2] https://www.microsoft.com/en-in/windows/enterprise/end-of-support.aspx

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

9 comment(s)

Comments

[quote]This week Computerworld [1] published a story about the US Navy still paying Microsoft millions to support Windows XP when support ended April 8, 2014[/quote]

For fact I know many Government contractors, Government installations, Medical and Financial that are running XP, a few of them have the glaring does not pass the WGA warning and we know fail HIPPA regulations. Anthem and breach.. POS breaches.. et all.

Sadly, talking to them is a waste of time, in today's world >90% are clueless with regards to updating OS and could care less, they turn it on and it works. Equate it to the car oil change metaphor. Change it? I have to change it; didn’t it come from with oil?

Software companies selling automated waste management systems with no upgrade clause, people get stuck with old technology but the sale was done and still works. Shall we talk about SCADA and Controls, Grids ect?

Now with Windows 10 coming out will just put another layer of crap on the cake.

From my side of the fence the problem will continue to grow. Few companies are going to upgrade, after all, their new shiny smart phone or pad works, right? Crank out another pretty app! :/ With all the good talent out there that could go back to work, OUTSOURCING is the buzz term, cost goes up, infrastructure costs go up so why do it. Shovel ready, how about RJ45 ready?

Exaggerating? I think not. How old is COBOL? Who just got compromised losing a lot of golden eggs and the Goose that laid them? <mad> Humm?

There, you said Navy, I gave you Medical, other Gov, Controls, SMB’s the list goes on. Unless there is a “kill switch” it will be last PC standing syndrome.
Yes, currently working at a small business with XP. When I arrived, I rated the state of affairs as "terrifying." If you set out to create the most disaster-prone network possible, you would find these guys tough to beat. The only bullet they dodged was that credit-card transactions weren't processed by the computers.

For the moment, I'm using application whitelisting, namely Software Restriction Policy combined with non-Admin user accounts (writeup at mechbgon dot com / srp for those interested). While I'm not a fan of Google Chrome, I set it as the default browser with Click-to-play enabled (if you'll be using Software Restriction Policy, use the .MSI "enterprise" Chrome installer so it doesn't install into the user's profile, which SRP would clash with). I cranked all Internet Explorer security zones to HIGH in case it gets invoked, uninstalled software they didn't need and updated the rest.

Unfortunately I only have the freedom to do this at my branch. The master point-of-sale server is at another location and we dangle by a thread not only in security, but other ways such as using an old desktop PC as the server. I'm glad it's ultimately not my responsibility, but I know they'll still come crying to me when it fails.
IE on XP supports 3DES and RC4 ciphers, but not AES. (There is a hotfix that adds AES support to Windows Server 2003)
When XP EOL in April last year; we disabled 3DES cipher support on all our public facing web servers
We had already disabled RC4 much earlier; so only AES is supported.

IE on XP are unable to connect to our https sites.
That encourages users to either migrate away to a newer OS or use a supported browser such as Chrome or Firefox on XP.

Windows Server 2003 EOL next month. I wonder how many public web servers are still on 2003.
There is no real penalty for running XP in the PCI world. PCI-DSS only prohibits running EOL software if it is Internet-facing (required to be ASV scanned) or if you have not applied all vendor patches.

There also are no real-world regulatory or contractual penalties. One very large card processor fines their customers $25 a month if they have not proved PCI compliance. They call it a "PCI non-compliance fee" rather than a fine. It's a money-maker for them, not a liability.

This is how it works in the real world: First, you need to get compromised. Second, someone outside your organization has to notice AND not go public. The feds are the most likely to notice and they never go public. Third, if you get it cleaned up and no one noticed, it never happened. Fourth, even if you are required to report it, generally the word "material" or "likely" appears in the law and you can always figure out a way to make a judgment call that it was neither likely or material. And if you do get exposed as having been breached, just shrug your shoulders and say "We apologize. We take the security of your data very seriously."

In the olden days this behavior was called "negligence." The phrase used today is "Risk Management".
I checked Mechbgon/srp site...My question is: Can this be done thru an AD GPO or only as a local policy on the system?
Application control via whitelisting.
Logging with continuous monitoring.
Microsoft doesnt list Windows XP (nor Windows XP Embedded nor Windows Embedded POSReady 2009, which is Windows XP SP3 and receives updates till April 2019) in their security bulletins.
They but list the security patches distributed via Windows Update for Windows Embedded POSReady 2009, so the fixed vulnerabilities can be determined this way.

Be aware that there are NO fixes for MS15-050 alias KB3055642, MS15-011 alias KB3000483, MS15-005 alias KB3022777 and MS09-048 alias KB967723 for Windows XP or Windows 2003!
SRPs can be set via AD GPO, as well as written to the registry via *.INF/*.REG
See http://home.arcor.de/skanthak/SAFER.html for the latter, and note all the caveats.
My employer is a Fortune 500 company, and we have chosen to use Bit9's Parity product, which is essentially a highly automated and active application white-list system along with network segregation as possible. We're using it on Windows XP and 2003 currently and expect to use it for any other legacy platforms (think Mac OS X) that we haven't gotten rid of by EOS.

Not too pricey, I believe XP licenses are under $50 per and 2003 are less than $150, your purchase price may vary.

Diary Archives