Institutions have known for quite some time that standard support for Windows 7 will be eliminated on January 14, 2020. Most institutions had plans in place to meet the support deadline, but some are now finding that they will not meet the deadline.
In many cases, the problem has been a lack of support of Windows 10 by critical software vendors who have dragged their feet. Others are finding that the upgrades or system replacements are just taking longer than anticipated. Whatever the reason, these institutions now must determine what they can do to mitigate the risks of running an outdated operating system.
There are really two major risks involved in running an unsupported operating system. The first risk is that a previously undiscovered vulnerability exists on the system and the vulnerability is used in an attack. The second risk is that the institution cannot update other critical software because software providers no longer support the outdated operating system.
There are a number of ways that these risks can be mitigated, and institutions are encouraged to research and implement as many of these as possible:
- Purchase extended support from Microsoft: Microsoft offers Extended Security Updates (ESU) for purchase for Windows 7 Professional and Windows 7 Enterprise editions. This support will buy some time for institutions that will not meet the standard support deadline by providing patches for critical vulnerabilities past the deadline. ESU will be available for the next three years but will be more expensive each year.
(More information can be found from Microsoft here: FAQ about Extended Security Updates for Windows 7)
- Segregate Windows 7 Systems: If the number of remaining Windows 7 systems is small and focused on a specific business function, consider moving these systems into their own network segment to lessen the potential footprint a successful attack could target.
- Turn workstations into terminals: If your institution has a Virtual Desktop Infrastructure (VDI) in place (such as Citrix or VMware), consider removing all unnecessary software from the workstations so that employees need to use VDI to perform their work. Besides reducing the risk of running software on a vulnerable operating system, this can also provide a way to upgrade software that no longer supports Windows 7.
- Take Internet access away: Since most vulnerabilities require Internet access to be exploited, risk can be largely mitigated if you can remove (or at least severely limit) Internet access from Windows 7 workstations.
- Have a well-documented plan: If you are still running Windows 7 after January 14th, you need to have a well-documented plan in place to mitigate risks and ultimately eliminate Windows 7, and you must stick to that plan. You can expect any auditor or examiner to scrutinize this plan and for their findings to reflect their comfort level that you can execute the plan.
If your institution needs help identifying Windows 7 risks and mitigation techniques, please reach out to us at support@bedelsecurity.com and find out how we can help!