This guidance is intended to help organisations that are unable to fully migrate away from Windows XP prior to its ‘end of support’ date by providing short-term mitigation advice.

When a product is no longer supported by its developer, there are limits on the mitigations that will be effective in protecting against new threats that will emerge. Over time new vulnerabilities will be discovered and be exploitable by relatively low skilled attackers. No combination of the mitigations described within this guidance will fully mitigate the risk posed by a vulnerable operating system remaining in active service. The focus of this advice is on Windows XP, however the principles apply to any software which is approaching the end of its support period.

1. Migrate away from obsolete software

It is strongly recommended that all organisations using Windows XP, Office 2003, Windows Server 2003, Exchange 2003 and Sharepoint 2003 should upgrade to supported software before their respective ‘end of support’ dates. After these dates there will be no security patches published for these products.

No new deployments of these obsolete technologies should be commissioned. Upgrades of Windows XP and Office 2003 should be prioritised and completed before 8th April 2014 and upgrades of Windows Server 2003 R2 should be completed before July 2015.

The upgrade of high risk end user devices should be prioritised. These include devices used for corporate remote access, as they will be subject to greater physical threat and be more susceptible to network-borne attacks. Devices that can access more sensitive information or services, including personal data, should also be prioritised.

Where it proves impossible to complete the migration before the end of the support period, additional mitigations will be needed to help reduce the risk of compromise and to minimise the harm should compromise of an end user device occur. These are discussed below.

2. Short-term mitigations

Weaknesses that are found in unsupported products will remain unpatched and will be exploitable by relatively low skilled attackers. There are two types of mitigations that can be used to reduce the risk:

  • Reduce the scope for compromise by preventing the devices from accessing untrusted content - effectively making it hard for malicious content to reach the device and exploit it.

  • Reduce the impact of compromise by preventing access to sensitive data or services from vulnerable devices – so even if the devices are compromised, the damage will be minimised.

An effective mitigations plan will likely require a combination of these approaches.

3. Mitigations to reduce the scope for compromise

Exploits based on malicious data can only be successful if the data can actually reach an unpatched end user device. If untrusted data is prevented from reaching a device, then the risk from malicious content is reduced.

Routes by which malicious data could reach Windows XP and Office 2003 include email, web browsing, file shares and removable media. It is recommended that these routes be reduced for vulnerable devices.

Data and files sourced from the Internet should be treated as untrusted even if originating from a known third party. Data retrieved from enterprise storage services should also be treated as untrusted if its source was external.

3.1 Mitigation: Prevent access to untrusted services

Implement technical controls to prevent access to external untrusted services from vulnerable devices. This should include preventing access to external email and preventing the device from browsing the internet via a native web browser (indirect access e.g. via a thin client is possible). These controls will not be effective if they are not technically enforced.

By preventing access via email and the web browser to untrusted content and services, two of the most likely attack vectors are removed.

3.2 Mitigation: Reduce use of untrusted services

As it may not be possible to fully prevent access to all external untrusted services without adversely affecting business functions, it is possible to slightly reduce the risk of compromise by ensuring that access to content, particularly active content or media, is done by a manual action. This intentional action can reduce the risk of “drive by download” attacks,

With regard to Office 2003 no longer being supported after 8th April 2014, an effective, albeit restrictive, control is to prevent the file types that Office 2003 can open being transferred through gateways. Any internet email gateways and proxies should filter these file types if the organisation still uses Office 2003 after this date.

The Windows registry could be edited so that vulnerable Office components and Media Players are not registered as the default applications for the relevant file types. This ensures that files can only be opened by a user intentionally initiating the action from within the product. Removing the registry key settings identified by the following PowerShell script will achieve this:

Get-ChildItem HKLM:\Software\Classes -Recurse -ErrorAction SilentlyContinue | foreach {
   if($_ -match "\\shell\\[a-zA-Z0-9]*\\command$")
   {
    $path = $_
    #Search for filetypes associated with Windows Media Player
    if($path.GetValue('') -match "wmplayer.exe")
    {
        Write-Host -ForegroundColor Green $path
    }
    #Search for filetypes associated with Office 2003
    if($path.GetValue('') -match "Microsoft Office\\Office11")
    {
        Write-Host -ForegroundColor Green $path
    }
   }
}

Note that appropriate testing should be carried out before implementing this across the estate. If third party products handle some files in the list that are produced by the PowerShell script above, then those file extensions could be removed from the list to ensure that only file types still associated with those products are disabled.

There is no mitigation for exposing an unpatched web browser to malicious web content, beyond blocking access to it entirely. However the risk can be lowered by blocking access to rich web content, scripting and by using of a gateway that scans all incoming content for malicious content.

3.3 Mitigation: Prevent access to removable media

Access to removable media should be prevented as it can be used to transport untrusted content. It is also important to also consider devices such as smartphones and tablets – which can be used to transfer media, but also, if compromised, can launch attacks against devices they are connected to. Access to removable media and any connected devices can be controlled through numerous third party products and also through some BIOS configuration pages.

3.4 Mitigation: Convert Windows XP devices to thin clients

Convert any Windows XP machines to “dumb” thin client devices and use them only as an access mechanism to get access to trusted internal services, such as a VDI environment. By using them as a thin client it is possible to avoid the need for the device to directly process untrusted content, for example, web browsing can be performed via a VDI environment which is running a patched modern browser, and business productivity applications are accessed in a similar way. This allows the remote session to run supported, patched software, even if the Windows XP device used to access services cannot. The remote system should be configured to prevent transfer of data back to the Windows XP device using features such as clipboard sharing and file transfers.

This mitigation can be strengthened by ensuring the Windows XP devices are in a separate Active Directory forest to the VDI images and other enterprise services.

3.5 Mitigation: Remove network access for remote workers

When the device is connected to untrusted networks via its wired or wireless network interfaces, it is directly exposed to external network-borne attacks. The only technical mitigation available would be to disable/remove all network access from the device, effectively making them stand-alone devices. Other potential mitigations described above, such as the thin client model, would not address the risk from network-based attacks, as the core operating system itself is directly exposed through its network interfaces.

An alternative mitigation which would protect the network interfaces of the device, would be to use an external hardware device for the end user device to connect through. This could take the form of a firewall/VPN device configured to block all incoming traffic and to tunnel the Windows XP device’s traffic back to the enterprise through the VPN.

3.6 Mitigation: Remove remote access from Windows XP devices

Some remote access solutions include end user device posture checks on incoming connections. It may be possible for those posture checks to enforce that no Windows XP devices can be used to remotely access corporate systems. This will reduce the risk of the enterprise network being exposed to a compromised unpatched device. This control would only help protect the enterprise network from attack as it does not protect any data stored or cached on a Windows XP device.

Where organisations expose some of their internal services to unmanaged end user devices (BYOD) this control is also likely to be useful to ensure that users do not remotely access organisational information from devices known to be vulnerable.

3.7 Mitigation: Custom Support Agreement

The Custom Support Agreement is a paid for service available to customers who have a Microsoft Premier Support agreement. Under such an agreement Microsoft will supply security both Critical and Important updates, Important Updates are available at an additional fee. The types of updates that will be available via the CSA will be similar to those that would be available to a product in ‘extended support’. Once a product goes into extended support there is no guarantee that all future security vulnerabilities will be addressed and so it should not be seen as a long term alternative to full migration to a modern supported operating system.

4. Mitigations to reduce the impact of compromise

An unpatched end user device that is directly exposed to malicious content is likely to result in successful compromise. By controlling access to enterprise services hosting sensitive data and improving the ability to detect attacks, the impact of compromise can be reduced.

4.1 Mitigation: Remove access to services

The level of access given to Windows XP devices into an enterprise environment should be restricted to only those functions which are absolutely critical. Implementation of this mitigation will require network separation and zoning controls to be used.

4.2 Mitigation: Treat Windows XP devices as unmanaged

Where Windows XP devices continue to be used within an organisation, it is strongly recommended that they be treated as less trusted devices and given constrained access as a result. CESG Architectural Pattern 7 provides guidance on designing a suitable network architecture to provide this type of separation.

4.3 Mitigation: Network zoning

By zoning the network it is possible to reduce the ability for malware to spread laterally through an enterprise. The traffic flows between zones should be well-defined, providing the ability to block and prevent unauthorised communications, such as those made by malware trying to reach its command and control systems.

It must be assumed that successful attacks against obsolete or unpatched operating systems are likely to be able to subvert the controls provided by any software firewall in that operating system.

Appropriate internet gateway mitigations, such as using an authenticated outbound proxy, will help ensure that internet-bound traffic flows are authorised. Also by using website reputation filtering it is possible to reduce the likelihood users can reach malicious sites.

4.4 Mitigation: Protective monitoring capability improvement

For the times in which the enterprise environment is at higher risk (e.g. when running obsolete software) it is especially important to ensure an effective and proactive protective monitoring capability is in place. Many organisations often have the ability to record security events but do not proactively alert or take action based upon those events.

4.5 Mitigation: Anti-malware products

Products such as antivirus and network-based intrusion detection systems will continue to be beneficial in detecting malicious code. Their effectiveness may be reduced as the products may not be updated when running on an unsupported operating system and signatures may not be tuned to detect attacks targeted at Windows XP.

4.6 Mitigation: Incident response

Timely response to security critical events becomes increasingly important if obsolete and vulnerable software is present within the enterprise environment. Actions to contain and eradicate the compromise should be swift to try and reduce any compromise spreading.

All incidents should be recorded and reported to the appropriate CERT.

5. Additional Considerations

5.1 Third party connections

If third party organisations use their own devices within or to connect in to your environment (for example, suppliers that manage services within your enterprise environment) it is important to understand whether they are running obsolete and vulnerable software which could pose a risk to your systems - and to take action to address such risks.