Free Newsletter
Register for our Free Newsletters
Associations, Services and Universities
Automotive Industry
Design & Manufacturing Services
Education, Training and Professional Services
Electrical Components
Electronic Components
Fastening and Joining
Laboratory Equipment
Machine Building & Automation
Maintenance, Repair and Overhaul (MRO)
Materials & Processes
Materials Processing and Machine Tools
Mechanical Components
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec

Securing legacy XP machines

ForeScout Technologies : 15 October, 2014  (Technical Article)
Forescout has published a guide which details specific best practices for securing XP systems and describe how ForeScout CounterACT, an automated network access and security control platform, can help reduce the risk of continuing to use XP. There is also a quick video to help identify risks on the network.
Securing legacy XP machines
As planned, Microsoft ended support for its 12 year old Windows XP operating system on April 8, 2014. This means that XP customers will no longer receive security updates or tech support from Microsoft. As a Windows component, all versions of Internet Explorer for XP also became unsupported.
This is a potential problem for companies because of the surprisingly high number of XP machines out there, not least in the manufacturing arena - Gartner estimates that 20% of business endpoints still run XP and one-third of enterprises have more than 10% of their systems running XP. The use of XP in the healthcare and utilities sectors is even higher. Without security updates from Microsoft, companies using XP will be largely unprotected from malware and cyber attacks the next time an XP vulnerability is discovered.
Over the years, Microsoft has issued over 700 updates to XP with 60% of those rated “critical.” Microsoft’s own research has shown that Windows XP is five times more susceptible to malware and cyber attacks than Windows 8. Given that track record, there’s a high probability that more vulnerabilities will be discovered and that could cause a big headache for companies still using XP.
Moreover, there is concern that malware developers could reverse engineer future patches for newer versions of Windows and use them to target equivalent vulnerabilities in XP. So given the risks involved with continued use of XP, what exactly is holding organizations back from migrating to newer operating systems? Reasons vary from budgetary concerns to underestimated migration timelines to lack of internal expertise and manpower.
But by far, the issue of legacy applications seems to bubble to the top. Lots of organizations use applications that can only run on XP because they are incompatible with later versions of Windows. Others are unwilling to upgrade because drivers aren’t available for expensive pieces of equipment they use, such as medical devices and other equipment. Regardless of reason, the fact is that many organizations are still struggling to complete Windows XP migration projects. 
With XP use so widespread, there’s also a chance that migration projects miss several machines. Some companies aren’t even sure of which machines are running XP and which aren’t. Hence, it is important to take security measures for XP systems that haven’t been upgraded yet.
Inventory endpoints 
How many XP desktops and laptops are truly on the network? Even if an organization has been actively upgrading XP systems there’s a chance that some machines were missed, especially transient endpoints that show up on the network infrequently. Very few organizations have a real-time inventory of connected devices.
Endpoint management systems such as SCCM can help identify some XP systems, but the possibility of missing or broken management agents means an incomplete picture.
Additionally, agent-based management systems can’t provide visibility into guests or employees who may use a personal XP device (BYOD).
Agentless next-generation NAC solutions like ForeScout CounterACT can provide real-time visibility of endpoints connected to your network, including all XP systems, as well as information about where they are and who is logged in.
Legacy application footprint 
Some organizations can’t upgrade all their XP systems because they have legacy applications that aren’t compatible with newer operating systems. However, most organizations don’t know how many of their XP systems are actually using these legacy applications. Without visibility into installed and running applications there is no way to classify which XP systems can and cannot be upgraded. This can hold back XP migration indefinitely and cause “XP bloat”.
ForeScout CounterACT can produce an inventory all applications and processes running on connected systems to help identify the subset of XP systems that are running essential legacy applications. This enables all other XP systems that are not using these legacy applications to be scheduled for upgrade without any business impact.
Block or restrict network access 
Once the limited number of business critical XP systems have been identified and classified, all other XP endpoints that connect to the network, including personal devices, can be blocked by next-generation NAC like ForeScout CounterACT. This can restrict the few business critical XP systems to separate VLANs, either quarantining them completely from the rest of the internal network or giving them controlled access to specific resources only.
Unless required by these legacy applications, XP systems shouldn’t be allowed access to the internet. This allows select XP systems to stay functional while working towards suitable replacements that run on newer operating systems. Protecting these remaining XP systems is also easier when other systems can’t communicate with them over the network or the internet, the primary vector for most attacks.
It is important to discontinue use of Internet Explorer and Office 2003 on XP machines: Windows XP only supports up to Internet Explorer 8, making the security features of later versions unavailable. Consequently, alternative browsers such as Firefox or Chrome should be used, which provide continued support for XP.
Along with Windows XP, Office 2003 has also reached end of support. This increases the risk of exploits embedded in Office documents using Office 2003 to infect XP systems.
ForeScout CounterACT can continuously monitor remaining XP systems to identify those that are running Internet Explorer and/or Office 2003 and mitigate these risks. Based on company policy, CounterACT can automatically remove/upgrade Office 2003, quarantine the XP system until Office 2003 is removed or alert the administrator/help desk to schedule removal. CounterACT can also ensure an alternate browser is selected as the “default browser” and is running with high security settings.
Most endpoint protection vendors continue to support and actively research attacks on Windows XP. Additionally, programs such as Java, PDF readers and other commonly used applications continue to offer updated versions. Keeping all third-party software up-to-date lowers exposure to exploits targeting vulnerabilities in these applications.
ForeScout CounterACT can continuously monitor all endpoints to ensure the latest versions of software are installed. CounterACT can also remediate any deficiencies by updating out-of-date software and can install, update, configure and restart any missing or broken security agents such as anti-virus, firewall, anti-malware and data loss protection. As a best practice, CounterACT can ensure that signature files for endpoint protection products are updated more frequently on XP systems (at least once per day).
Limit and lock down applications, services and ports on XP machines 
In most circumstances, XP systems that are running legacy applications do not need the entire software stack enabled. Removing unused third-party software and disabling unnecessary services such as remote access, remote registry, simple file sharing, telnet etc., can help reduce the attack surface.
Restricting the use of USB ports and CD/DVD drives helps prevent the introduction of arbitrary executable code on XP systems. Ensuring only specific ports that are needed by legacy applications are open to and from the XP systems further protects the XP environment.
ForeScout CounterACT allows users to monitor and enforce strict security policies to limit applications, services, ports and external devices to the minimum subset that is deemed necessary, and lock down the endpoint configuration settings in accordance with the prevailing security standards.
Right: Infection rates for various Windows versions in Q4 20121
Plan for future XP exploits 
The continued use of Windows XP, even for a limited number of systems running legacy applications, entails elevated risk. If and when an exploit targeting an XP vulnerability is spreading in the wild, users must be prepared to manage this risk.
Having a predefined plan and process is key. Next-generation NAC can play a key role in isolating XP systems by quarantining them until other mitigating steps can be taken. CounterACT’s virtual firewall capability can help block the exploit code from propagating to the XP systems while allowing the legacy applications access to specific resources on the internal network.
Migration strategy 
While the risk associated with the continued use of Windows XP can be managed to an acceptable level, migrating from XP as quickly as possible is necessary to maintain a secure endpoint environment. As a stepping stone, XP can be run in a virtual environment.
While this does not remove the underlying vulnerabilities, by restricting each VM to a specific application, restricting network connectivity of these VMs, and resetting VM sessions back to a known good state on each access, the ability for an attack to cause damage is limited.
Over time, as support for third-party software and security applications diminishes, the only option is to replace legacy applications that run on XP and upgrade them to newer operating systems. 
Infection rates for various Windows versions in Q4 20121


Bookmark and Share
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
   © 2012
Netgains Logo