This content is part of the Essential Guide: Surveying options after the Windows XP end of support
Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Where will XP stalwarts go after the end of Windows XP support?

Despite the end of Microsoft's Windows XP support, many IT shops are sticking with the OS, and there are third-party options for security support.

The end of official Windows XP support is not all bad news. Microsoft plans to provide signature updates for its anti-malware application for another year or so. But support for the operating system itself is going away, and enterprise desktops running it could be at significant risk. Yet budgets, timelines and legacy programs leave some organizations with little choice but to continue to support XP. If that's the case for your environment, you can take a number of steps to help mitigate at least some of the looming threats.

Windows XP malware protection

After April 8, Microsoft will no longer offer service packs, security updates or hotfixes for Windows XP. However, the company will provide updates for its anti-malware apps until July 14, 2015. For enterprise customers, the updates apply to Windows Intune, Forefront Client Security, Forefront Endpoint Protection and System Center Endpoint Protection.

For other desktop users, the updates apply only to Microsoft Security Essentials (MSE). However, MSE must already be installed on the desktop because, come April, it will no longer be available for download.

If you're a fan of Microsoft security products, these updates offer at least some support going forward. But many organizations prefer more robust anti-malware solutions from third-party vendors. Fortunately, a number of these vendors -- including Avast, Sophos, ESET and Trend Micro -- will continue to support Windows XP into the foreseeable future, and as long as they do, you have an important layer of protection.

Given Microsoft's post-April apocalyptic plans, enterprises still supporting XP desktops should also be looking to third-party vendors for firewall protection rather than relying on the built-in firewall. Your security software might already include this feature. If not, look to products such as Outpost Firewall or Comodo Firewall for further protection.

Enterprise desktops might also benefit from running an on-demand antivirus scanner at regular intervals, such as once a week. Or you can run the scanner whenever the primary security software might have missed a potential security problem. Products such as Microsoft Safety Scanner, Dr.Web CureIt or Aviva PC Cleaner can provide that important second opinion when you need it the most.

Software on Windows XP

Supporting and protecting an XP desktop is not only about the operating system. Attackers routinely try to exploit vulnerabilities in client applications. Just because Microsoft's Windows XP support has ended, don't assume that other vendors will be quick to follow suit.

Too many XP machines are still in service to be ignored. But client software, like an OS, can become outdated and increasingly vulnerable. Be sure to keep all software updated, not just client applications, but also drives and plug-ins.

You might consider a program such as Secunia Personal Software Inspector to identify non-Microsoft apps that need security updates or a program such as Device Doctor to check for and replace outdated drivers. With plug-ins, you should uninstall any you don't need.

Another way to support enterprise desktops in the post-XP era is to replace built-in applications with third-party software. For example, you might install alternative media players, email clients, messaging apps or file management systems.

Browsing the Internet on Windows XP

Most desktop exploits happen via a Web browser. For this reason, the most important built-in application you should replace on an XP desktop is Internet Explorer. Because you can't install any version higher than Internet Explorer 8 on XP, you're working with a browser not as secure as later versions or third-party applications.

Luckily, browsers such Google Chrome and Mozilla Firefox will continue to support XP at least until late 2015. Even if you still need to keep IE available to support other apps, don't let users rely on it to connect to the Internet.

Regardless of which browser you choose, consider using security extensions to further protect your Internet connections. For example, NoScript for Firefox makes it possible to run JavaScript, Java and other executable content only from trusted domains. To be safer still, disable Java in the browsers altogether.

Other ways to protect Windows XP

More on the end of Windows XP support

Photo story: Five things to remember as Windows XP support ends

Have a Windows XP end-of-life plan before moving to Windows 7

Don't fear the reaper: Tools can ease the pain of Windows XP migration

The end of Windows XP support could lead to PCI DSS compliance problems

What are the risks to end users with the end of Windows XP?

When supporting XP desktops, you can also turn to other types of tools to protect your environment and limit attack surfaces. For example, exploit mitigation tools such as Malwarebytes Anti-Exploit or Microsoft Enhanced Mitigation Experience Toolkit help prevent malware from exploiting application vulnerabilities.

You can also turn to utilities such as XPY or XP-AntiSpy to disable and tweak built-in features, services or programs. For example, you might use such a utility to disable Automatic Updates or Remote Desktop.

Another desktop security practice to consider is to isolate your applications. For instance, you can use a program such as Sandboxie to place Internet-facing applications within a sandbox, which limits their interaction with the underlying operating system, thus helping to prevent malware from permanently changing the computer.

In addition, you can use products such as Invincea FreeSpace to run risky applications within a secure virtual container, and also to help prevent malware from attacking the OS.

One other approach that could be useful when securing desktops and laptops is to use a monitoring service that identifies potential vulnerabilities. For example, StormShield ExtendedXP combines host intrusion prevention system technology with a specialized monitoring service to provide proactive protection against exploitations. The service warns customers of newly identified flaws and recommends measures that they might take to mitigate risk.

The end of the line for Windows XP support

In addition to turning to third-party vendors for Windows XP support after April 8, administrators should implement protections common to any system. For instance, whenever possible, user accounts should be assigned the least privileges necessary.

Desktops should also be backed up regularly, and users should not be permitted to connect external USB storage devices to their systems, if at all possible. In addition, users should be reminded not to click unknown links or open questionable attachments.

Of course, the ideal scenario is to isolate your Windows XP machines as much as possible, such as putting them into labs and taking them offline. Better still, you could switch to Linux or another operating system. But in many cases, such solutions are no more feasible than upgrading to Windows 7 or Windows 8.1.

Despite the measures you take, XP support from third-party vendors will eventually dry up, and the hardware running XP will become sorely outdated, if it's not already there. Any solutions you implement at this point are at best temporary. But isn't that the nature of most technology?

Dig Deeper on Microsoft Windows XP Pro

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Does your organization plan to continue using Windows XP past April 2014?
Yes. I am a registered structural engineer, and I have a number of sophisticated software programs that use Windows XP. I am quite concerned what will happen after MS no longer supports XP.
Can you advise me?
Yes. We still have several machines to be replaced. We only upgrade when we replace the machine.

I am SAD to see XP I like it also costly for most banks with ATM machines In other words "just keep it"

Yes, I plan to continue with windows XP. I have many engineering software programs that run on XP. These are older programs, and I do not think they are amenable to Windows 7 or Windows 8. Perhaps you can advise me.
Rhett Davis, PE
Rhett Davis & Associates, PC
Yes, and if we start to use another product it WONT be a Microsoft one.
Yes - but gradually phased out
Yes, I have been a Microsoft OEM and VAR Since 1992 in South Africa.
Providing support across all machines and Microsoft Operating System from
Windows ME through Windows XP and also WIndows 8 and above.
Also, as a Cognitive Apprenticeship Trainer in IT Support.
My company will always provide support for the legacy Windows Systems.
It is not as difficult situation.
I have been in IT for over 40 years from Mainframe, Midframe and PC's.
Also when providing Machine recycling you need to use the correct operating system to get the best performance.
Robert Launer

Integration Specialist, OEM, VAR
Systems Development
CASK-AID International
Great article, but I was a bit disappointed that you left out VDI. By putting XP behind the firewall, the enterprise can immediately take advantage of the inherent security benefits. Here is some more info for those interested.

Pesky "h" got me. Here is the link:
They will continue their current workflow until they can't anymore. People don't care about their OS. They care about their apps working well enough so that they can do their jobs efficiently. When it's time, they'll buy a new PC with Win 7or8. They aren't interested in an OS upgrade because MS says they had better do it...
Extend the Life of your PC with our Deep Freeze Software
Where will XP users go after April 2014?
In order of "ease of execution", here's where we'll go:
1) Offline, use a Win 7 computer for online stuff.
2) Stay online, use 3rd party apps for security, as iffy as that sounds.
3) Migrate to Win 7, but only if absolutely necessary. Because how can you trust anything MS or Dell or any IT geek says? Without knowing whether anything will be compatible with anything? Without warranties, without guarantees, without ever being responsible for what they promise? Without any kind of reasonable customer service? Really? Really!
4) Go to Linux, without knowing whether anything will be compatible with anything, except it's cheaper.
Uhm, and of course, this applies here as well: Without warranties, without guarantees, without ever being responsible for what they promise? Without any kind of reasonable customer service? Really? Really!

So does that answer your questions?
I wish Microsoft keep keep keep  XP who cares if they continue to work with customers  partners
You'll still be able to use Windows Update to download all existing security patches. Make a custom XP disc with  SP3 and all updates 
Chrome support for XP to continue after Microsoft the decision is that some people will find the transition away from XP a difficult process, and that allowing them to ensure their browsers are kept free of vulnerabilities will ease that transition
Yes, I have been a Microsoft OEM and VAR Since 1992 in South Africa. Providing support across all machines and MIcrosoft Operating System from Windows 2000 through Windows XP.
Also, as a Congitive Apprenticeship Trainer in IT Support. My company will always provide support for the legacy Windows Systems. It is not as difficult situation. I have been in IT for over 40 years from Mainframe, Midframe and PC's. Aso provide a Machine recycling. Example: Have IBM G40 Laptop running as full file and cloud server for over 5 years with full backup and redunancy