The gold release of Windows 7 is still a few months off, not counting the extra six-to-12 months necessary for any upgrades and standardization. But it's still not too early to be thinking about how you're going to manage your existing Windows XP base and begin focusing on Windows 7 without creating unnecessary security gaps.
It often happens that legacy operating systems (Windows NT, Windows 2000 Server, etc.) do not get the attention they deserve during upgrades and migrations. Inevitably, security suffers. When these holes are found in legacy Windows systems, the response is almost always that the box will soon be taken offline. Unfortunately, soon doesn't cut it when it comes to someone maliciously exploiting the unplugged holes in these undermanaged systems. Even if you and your business are moving forward, your Windows XP systems are still going to be targets for attack -- especially once Microsoft stops supporting it in 2014.
Regardless of the systems' age or how they're being used, employees, contractors, external attackers and malware will continue to be threats to your Windows XP systems. Likewise, the same old Windows vulnerabilities will still be around. If these weaknesses are exploited, it could create serious problems for your business.
So what can you do? For starters, you can't depend on Microsoft to keep XP secure indefinitely. Locking everything down in XP, to the point where no one can get any work done, is not an option either. The key to keeping your Windows XP systems secure is to create a structured set of Windows security standards and security testing practices while you've got the time. The three areas you'll need to focus on are visibility, control and knowing your systems' current status. This means putting reasonable processes in place around these critical, required areas of security:
- Patch management
- Malware protection
- Access controls
- System monitoring
There's no best way to keep your Windows XP systems locked down, but the important thing is to not forget about them. Given the complexities of most networks and the demands of everyday business, this may seem unrealistic. You may even want to let your legacy Windows XP systems fend for themselves until they die off altogether. Keep in mind, however, that out of sight and out of mind doesn't make the security risks go away. With the right tools and the right choices, you can gain and maintain control of your Windows XP systems. Be sure to focus on the following:
- Know what's at risk
- Set good standards and policies
- Educate everyone on what to do/not to do
- Enforce your policies
- Perform in-depth security testing on a consistent basis
- Automate and use technology to your advantage wherever possible
Windows XP may be going away in spirit, but its physical remains will linger on for some time. Don't let Windows XP security management, or a lack thereof, rule your time now or in the future. Get a handle on these possible issues early and it will make a difference for your business.
ABOUT THE AUTHOR:
Kevin Beaver is an information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver /at/ principlelogic.com.
This was first published in August 2009