By Rene Kolga
Microsoft’s End of Extended Support date for Windows 7 and Windows Server 2008/R2 was January 14, and that seems to be creating a global panic. But don’t let the alarmist news headlines or Microsoft’s apparent attempt to discourage you from participating in its own Extended Security Updates (ESU) program scare you into spending money when you don’t have to.
Yes, the fact that Microsoft will no longer issue new product updates and security patches creates serious security issues for companies using Windows Server 2008 and for the millions of PCs worldwide running Windows 7. Microsoft’s FAQ document warns that failure to upgrade to its newer products “may cause security and compliance issues, and expose customers’ applications and business to serious security risks.”
That sounds bad. And if you scroll through your news reader feed, you get the impression armageddon is upon us:
- “Your PC is in danger if you use Windows 7” (CNN)
- “Government Intelligence Agency Warns Not To Use Windows 7 For Banking Or Email” (Forbes)
- “Windows 7 End of Life: everything you need to know about the death of Windows 7” (TechRadar)
- “Dealers warned over threat to customer data as Windows 7 support is withdrawn” (CarDealer)
Warnings, Danger and Death – oh my! What should you do now? How much money do you need to spend to avoid disaster?
You may be trying to come up with budget dollars to upgrade, or to opt into Microsoft’s optional ESU program, even though Microsoft doesn’t exactly make a strong case for it:
“The Extended Security Update (ESU) program is a last resort option for customers who need to run certain legacy Microsoft products past the end of support. It includes Critical and/or Important security updates for a maximum of three years after the product’s End of Extended Support date.”
And the cost is not insignificant: 75% (annually) of the Enterprise Agreement or Server & Cloud Enrollment license prices of the latest version of Windows Server. Coverage will be available in three consecutive 12-month increments, but you must pay up-front for the first year (even if you sign up for the service in the middle of the year). If you decide to wait a year, you’ll still have to pay for 2020 and 2021.
Take a breath. Put your credit card away.
Take advantage of the loophole
Microsoft is pushing its customers to migrate on-premises IT systems and workflows to its Azure cloud computing platform. If you send your Windows Server 2008 (and SQL Server 2008) workloads into Azure, you will receive ongoing ESU updates for free.
A similar option is available for Windows 7 customers who are not prepared to upgrade to Windows 10. Leveraging the Azure-based Windows Virtual Desktop will ensure they continue to receive support, including free ESU.
Of course, it is in your organization’s best interest to run the latest and greatest operating systems. The 2017 WannaCry ransomware attack was a devastating reminder of the need to stay current with all vendor-issued security patches. Microsoft had issued a patch (MS17-010) weeks before WannaCry struck that would have prevented it from spreading and causing so much damage.
Just tell me what to do!
If you still need to keep Windows 7 and/or Server 2008 on-prem, you can protect your environments even without ESU. But understand that this will require more than updating your antivirus product.
Here are a number of options you should consider in addition to an AV:
- Implement compensating controls:
  - Network isolation – If you have to keep those systems around, put them on a separate network and limit their exposure to the Internet and your LAN as much as possible. Also consider blocking USB ports.
  - Application isolation/micro-virtualization – These techniques come under different names, including secure containerization and browser isolation. The idea is to isolate at least the most targeted applications, such as the web browser and email client, in a kind of sandbox. Even if the application is compromised, the infection won’t be able to move laterally to other components of the system and beyond.
  - OS hardening/lockdown – Uninstalling, or at least disabling, non-essential applications and services has always been a best practice for servers. However, when running an unsupported version of the operating system, this ability to harden and further lock down the OS is essential. You can use DISA STIGs or CIS benchmarks as your North Star.
- Balance the negative with the positive:
  - Application Control/whitelisting – Advanced adversaries employ highly evasive techniques that avoid reusing the known malicious attributes antivirus and traditional endpoint detection and response (EDR) tools rely upon. Whitelisting tools focus on ensuring the “good” (rather than chasing the “bad”) and do not rely on signatures or prior knowledge of an attack to stop it.
  - OS Behavior Whitelisting – The next generation of whitelisting tools leverages a pre-built, finite list of legitimate operating system behaviors instead of a list of applications. This allows detection of fileless malware and zero-day exploits that target typically whitelisted applications.
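To make the compensating controls above concrete, here is an added PowerShell script (it is not from the original post and not Nyotron’s code) that audits, and with `-Apply` enforces, a small baseline on a Windows 7 / Server 2008 R2 host that has to stay on-prem: it disables the SMBv1 server (the protocol WannaCry spread over), turns the host firewall to block-inbound on every profile, disables the USB mass-storage driver, disables a short list of unneeded services, and drafts an AppLocker allow-list of what is currently installed for review. It assumes an elevated PowerShell 2.0 prompt (the version that ships with those systems); the registry locations are Microsoft’s documented ones, while the service list, the scan folder and the output path are constructed starting points to tailor against the STIG or CIS benchmark for the host’s role.

```powershell
<#
  Added example, not from the original post: audit-and-apply baseline for an
  unsupported Windows 7 / Server 2008 R2 host that must remain on-prem.
  Run from an elevated PowerShell 2.0 prompt. Without -Apply it only reports drift.
  Assumptions: registry paths are Microsoft's documented ones; the service list and
  the AppLocker scan path are constructed starting points, not a full benchmark.
#>
param([switch]$Apply)

# Compare a registry DWORD to the desired value and optionally set it.
function Set-RegDword($Path, $Name, $Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $current = $null
    if ($item) { $current = $item.$Name }
    if ($current -eq $Value) { Write-Host "OK     $Path\$Name = $Value"; return }
    if ($Apply) {
        Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
        Write-Host "FIXED  $Path\$Name -> $Value"
    } else {
        Write-Host "DRIFT  $Path\$Name = $current (want $Value)"
    }
}

# 1. Network exposure: turn off the SMBv1 server (the protocol WannaCry abused) and
#    make the host firewall block unsolicited inbound traffic on every profile.
Set-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'SMB1' 0
if ($Apply) {
    netsh advfirewall set allprofiles state on | Out-Null
    netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null
    Write-Host 'FIXED  Windows Firewall on, inbound blocked by default'
} else {
    netsh advfirewall show allprofiles state
}

# 2. Removable media: keep the USB mass-storage driver from loading (Start = 4 = disabled).
Set-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start' 4

# 3. Lockdown: disable services this host does not need (constructed list; extend it
#    from the DISA STIG or CIS benchmark that matches the host's role).
$unneeded = @('RemoteRegistry', 'TlntSvr', 'Fax')
foreach ($svc in $unneeded) {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if (-not $s) { continue }   # service not installed on this edition
    $mode = (Get-WmiObject Win32_Service -Filter "Name='$svc'").StartMode
    if ($mode -eq 'Disabled') { Write-Host "OK     service $svc disabled"; continue }
    if ($Apply) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service -Name $svc -StartupType Disabled
        Write-Host "FIXED  service $svc stopped and disabled"
    } else {
        Write-Host "DRIFT  service $svc start mode is $mode"
    }
}

# 4. Application control: draft an AppLocker allow-list from the executables currently
#    installed (publisher rule where signed, hash rule otherwise) and write it out for
#    review. The policy is NOT applied here; after review, load it with
#    Set-AppLockerPolicy -XmlPolicy <file> with the Application Identity service
#    (AppIDSvc) running. AppLocker exists on Windows 7 Enterprise/Ultimate and
#    Server 2008 R2; other editions can use Software Restriction Policies instead.
Import-Module AppLocker
$policyFile = Join-Path $env:TEMP 'applocker-baseline.xml'   # constructed output path
Get-ChildItem 'C:\Program Files' -Recurse -Include *.exe -ErrorAction SilentlyContinue |
    Get-AppLockerFileInformation |
    New-AppLockerPolicy -RuleType Publisher,Hash -User Everyone -Optimize -Xml |
    Out-File $policyFile
Write-Host "INFO   AppLocker draft policy written to $policyFile"
```

Run it once without `-Apply` to see the drift report, confirm the firewall and service changes will not break the workload the host exists to run, then run it with `-Apply`. The SMBv1 change takes effect after a reboot, and disabling the SMBv1 client side as well needs the separate `mrxsmb10` driver and `LanmanWorkstation` dependency change that Microsoft documents for these versions, which this script leaves alone. Keep the generated AppLocker XML under review before enforcing it: an allow-list built from a host that is already compromised will whitelist the compromise.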
Don’t let all the media’s hand-wringing compel you into making a hasty decision. Evaluate your options. At Nyotron we are happy to provide you with details around our OS Behavior Whitelisting approach and how it can help secure your Windows 7, Server 2008 and other systems. Schedule a chat with us here.