The end of official Windows XP support is not all bad news. Microsoft plans to provide signature updates for its anti-malware application for another year or so. But support for the operating system itself is going away, and enterprise desktops running it could be at significant risk. Yet budgets, timelines and legacy programs leave some organizations with little choice but to continue to support XP. If that's the case for your environment, you can take a number of steps to help mitigate at least some of the looming threats.
Windows XP malware protection
After April 8, Microsoft will no longer offer service packs, security updates or hotfixes for Windows XP. However, the company will provide updates for its anti-malware apps until July 14, 2015. For enterprise customers, the updates apply to Windows Intune, Forefront Client Security, Forefront Endpoint Protection and System Center Endpoint Protection.
For other desktop users, the updates apply only to Microsoft Security Essentials (MSE). However, MSE must already be installed on the desktop because, come April, it will no longer be available for download.
If you're a fan of Microsoft security products, these updates offer at least some support going forward. But many organizations prefer more robust anti-malware solutions from third-party vendors. Fortunately, a number of these vendors -- including Avast, Sophos, ESET and Trend Micro -- will continue to support Windows XP into the foreseeable future, and as long as they do, you have an important layer of protection.
Given Microsoft's post-April apocalyptic plans, enterprises still supporting XP desktops should also be looking to third-party vendors for firewall protection rather than relying on the built-in firewall. Your security software might already include this feature. If not, look to products such as Outpost Firewall or Comodo Firewall for further protection.
Enterprise desktops might also benefit from running an on-demand antivirus scanner at regular intervals, such as once a week. Or you can run the scanner whenever the primary security software might have missed a potential security problem. Products such as Microsoft Safety Scanner, Dr.Web CureIt or Avira PC Cleaner can provide that important second opinion when you need it the most.
Software on Windows XP
Supporting and protecting an XP desktop is not only about the operating system. Attackers routinely try to exploit vulnerabilities in client applications. Just because Microsoft's Windows XP support has ended, don't assume that other vendors will be quick to follow suit.
Too many XP machines are still in service to be ignored. But client software, like an OS, can become outdated and increasingly vulnerable. Be sure to keep all software updated: not just client applications, but also drivers and plug-ins.
You might consider a program such as Secunia Personal Software Inspector to identify non-Microsoft apps that need security updates or a program such as Device Doctor to check for and replace outdated drivers. With plug-ins, you should uninstall any you don't need.
Another way to support enterprise desktops in the post-XP era is to replace built-in applications with third-party software. For example, you might install alternative media players, email clients, messaging apps or file management systems.
Browsing the Internet on Windows XP
Most desktop exploits happen via a Web browser. For this reason, the most important built-in application you should replace on an XP desktop is Internet Explorer. Because you can't install any version higher than Internet Explorer 8 on XP, you're working with a browser that is not as secure as later versions or third-party applications.
Luckily, browsers such as Google Chrome and Mozilla Firefox will continue to support XP at least until late 2015. Even if you still need to keep IE available to support other apps, don't let users rely on it to connect to the Internet.
Other ways to protect Windows XP
When supporting XP desktops, you can also turn to other types of tools to protect your environment and limit attack surfaces. For example, exploit mitigation tools such as Malwarebytes Anti-Exploit or Microsoft Enhanced Mitigation Experience Toolkit help prevent malware from exploiting application vulnerabilities.
You can also turn to utilities such as XPY or XP-AntiSpy to disable and tweak built-in features, services or programs. For example, you might use such a utility to disable Automatic Updates or Remote Desktop.
Another desktop security practice to consider is to isolate your applications. For instance, you can use a program such as Sandboxie to place Internet-facing applications within a sandbox, which limits their interaction with the underlying operating system, thus helping to prevent malware from permanently changing the computer.
In addition, you can use products such as Invincea FreeSpace to run risky applications within a secure virtual container, and also to help prevent malware from attacking the OS.
One other approach that could be useful when securing desktops and laptops is to use a monitoring service that identifies potential vulnerabilities. For example, StormShield ExtendedXP combines host intrusion prevention system technology with a specialized monitoring service to provide proactive protection against exploitations. The service warns customers of newly identified flaws and recommends measures that they might take to mitigate risk.
The end of the line for Windows XP support
In addition to turning to third-party vendors for Windows XP support after April 8, administrators should implement protections common to any system. For instance, whenever possible, user accounts should be assigned the least privileges necessary.
Desktops should also be backed up regularly, and users should not be permitted to connect external USB storage devices to their systems, if at all possible. In addition, users should be reminded not to click unknown links or open questionable attachments.
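The built-in-feature and common-protection advice above can be checked on each XP desktop with a short script. The following batch file is an added example, not part of the original article: it audits (or, with the "apply" argument, sets) the Remote Desktop and USB storage settings and lists local administrators for a least-privilege review. The registry paths are standard Windows locations rather than values from the article, and the script name and PASS/FAIL output format are assumptions.

```batch
@echo off
setlocal
rem Added example (not from the article). Run from an administrator command prompt.
rem Usage:  xp-harden.cmd          audit only
rem         xp-harden.cmd apply    write the settings, then audit
rem The script name and output format are hypothetical.

set "TS=HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
set "USB=HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR"

if /i "%~1"=="apply" (
    rem 1 = refuse incoming Remote Desktop connections
    reg add "%TS%" /v fDenyTSConnections /t REG_DWORD /d 1 /f
    rem 4 = USB mass-storage driver disabled (3 is the default, load on demand)
    reg add "%USB%" /v Start /t REG_DWORD /d 4 /f
)

call :check "%TS%" fDenyTSConnections 0x1 "Remote Desktop disabled"
call :check "%USB%" Start 0x4 "USB storage driver disabled"

echo.
echo Local administrators (remove accounts that do not need the right):
net localgroup Administrators

endlocal
goto :eof

:check
rem %1 = registry key, %2 = value name, %3 = expected data, %4 = label
set "actual=missing"
for /f "tokens=3" %%a in ('reg query %1 /v %2 2^>nul ^| find "REG_DWORD"') do set "actual=%%a"
if /i "%actual%"=="%~3" (echo PASS  %~4) else (echo FAIL  %~4 ^(found %actual%^))
goto :eof
```

Setting Start to 4 only takes effect where the USBSTOR driver is already installed; machines that have never had a USB storage device attached also need access to the driver's INF files restricted.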
Of course, the ideal scenario is to isolate your Windows XP machines as much as possible, such as putting them into labs and taking them offline. Better still, you could switch to Linux or another operating system. But in many cases, such solutions are no more feasible than upgrading to Windows 7 or Windows 8.1.
Despite the measures you take, XP support from third-party vendors will eventually dry up, and the hardware running XP will become sorely outdated, if it's not already there. Any solutions you implement at this point are at best temporary. But isn't that the nature of most technology?