The Windows XP support end date is April 9, 2014, which is fast approaching. You've no doubt heard about this deadline before, but now is the time for final actions.
Unfortunately, by now, the easiest migrations have already been conducted. Many stragglers have either already migrated to Windows 7 or Windows 8 or are in the process of doing so. What remains are the harder cases, such as customers resistant to change (most likely small and medium-sized businesses).
Other organizations may have clung to Microsoft's old operating system because they have specialized hardware controlled by a Windows XP machine that can't be upgraded or replaced. Some larger customers probably already have agreements with Microsoft for further support after the official deadline.
So, for these more difficult implementations, here are some steps for your last-minute plan for the Windows XP end of support.
Find out the end-of-life plans for your antivirus and anti-malware products, and make sure they will still be effective. For standard end-user desktops that do not have special requirements, you should be using a third-party anti-malware product. Most of these products have support beyond the Windows XP end of life.
Even Microsoft has relented, saying its free Security Essentials product will have virus-definition updates until July 2015, even after security patches cease being released. Verify these dates, install the latest releases of these products, and switch products if one provides lengthier or more comprehensive XP support than the one you are currently using does. This is not an area in which cost should be the primary driver -- effectiveness is what counts here, or you might as well not bother at all.
More on the Windows XP support end
Best practices for migrating from Windows XP to Windows 7 or 8
Windows XP migration tools lighten IT's burden
Before you migrate to Windows 7, plan for XP's end
Microsoft seeks to aid migrations with Project XP
Review Windows XP end of support options
Third-party tools may ease the pain of Windows XP migration
What are the risks to users from the Windows XP end of life?
Develop network segregation techniques to keep XP machines isolated. The biggest risk isn't the National Security Agency, despite the recent allegations from Edward Snowden that it can penetrate the air gap that exists between computers that are disconnected from all networks. The most significant vector for attacks after the XP end of life will still be through the Internet -- specifically, users clicking dangerous links or attachments and surfing to nefarious websites.
One effective, if blunt, method of mitigating the risk from attacks through this vector is to segment XP machines onto a different network that has access only to the file shares necessary for line-of-business applications, not the Wild West of the Internet.
You might need to do some network restructuring and ensure that Windows XP desktops and laptops can still access a very limited set of files to keep their applications functioning, but it is an effective way to guard against a big risk.
For XP machines running on embedded systems or controlling expensive hardware, unplug them from the network if possible. If you have a lathe or Computer Numeric Control, or CNC, machine controlled by a dedicated Windows XP host, disconnect it from the network.
If all that XP device does is control a machine, don't store data on it, don't use it to browse the Web, and unjoin it from your domain if it was joined. Simply use it as a dumb hardware interface controller. There is no legitimate reason for the vast majority of these machines to have access to the Internet.
If Internet access is required, use a kiosk program or Deep Freeze to lock down the desktop as much as possible. Use network sniffers and your firewall logs to determine exactly what Internet access is required for the machinery to function, and blacklist everything else. But if at all possible, just disconnect the network cable and sleep better at night.
Look at virtual desktop infrastructure for those Windows XP machines you just cannot get rid of. Controlling user actions on XP machines is absolutely critical, but another factor is limiting the access to those machines as much as you can. Host XP virtual machines in a central server, where you can control which applications can be accessed and updated and where you have a "good" image from which you can restore a VM in the event it does get infected.
Even three- or four-year-old servers can host Windows XP VMs without too much trouble, so new servers are not required, especially if you simply need more time to migrate from Windows XP and if the OS is not a permanent member of your technology portfolio.
This was first published in February 2014