A SearchMidmarketSecurity.com reader writes to our resident security expert Tom Chmielarski, "Microsoft announced that it will stop support for machines running Windows XP SP2. If we're a business
that still runs SP2, what steps should we take to stay secure?"
If you happen to use 64-bit Windows XP, you'll still be supported. If you're using 32-bit Windows, there is the obvious option of going through with a Windows XP SP2 upgrade to SP3. Because of product compatibility or vendor support issues, however, that arrangement isn't always a viable one.
Assuming you are asking this because you don't have an "easy out" to this predicament, there are a few available options to improve your security. The ones that make the most sense depend on your environment, your primary security risks, operational constraints, and acceptable cost and effort expenditures.
User activity is a primary entry point for security threats so anything you can do to lower that risk is certainly advantageous. Removing administrative privileges from users is a major security improvement that is frequently overlooked. By removing the administrative access, a user's actions are much less likely to compromise a system.
Restricting the network traffic that can reach your unsupported systems using network- and host-based firewalls is also advantageous. You can prevent access to un-needed services to reduce the attack surface of each system. Windows XP has a built-in firewall as do many antivirus products. Many of those products have additional host protection features such as attack detection, system configuration change detection, and application-specific network access control. Application control features of endpoint security products, which prevent applications from accessing the network without explicit approval, is an excellent way to reduce risk assuming your users are able to make the decision to allow or deny traffic correctly.
An additional means to improve the security of your unsupported systems is to restrict software via whitelists, which allow known "good' executables, or blacklists, which stop known "bad" executables. Restricting the software that is run can prevent some malware from executing, but may require a substantial amount of administration effort if your installed applications vary widely. Windows XP has a built-in facility, Software Restriction Policies, to accommodate this approach. Third-party products, such as the whitelisting products from Bit9 Inc., can also be used to enforce application restrictions.
Third-party security products, such as McAfee Inc.'s Solidcore technology or Cisco's Security Agent (CSA), can substantially lock down a system to a semi-trusted state and prevent modifications and exploitation as long as the environment is fairly static.
Configuration management applications, including EMC Corp.'s Configuresoft or technology from BigFix Inc., can also be used to ensure your systems have a reasonably secure configuration and conform to your expected configuration, assuming you have one.
These controls apply to any system that needs improved security, not just unsupported XP systems, and can reduce your exposure from an unsupported OS. Ultimately the determination of what is the "most effective" depends on your environment, risks and compensating controls.
Tom Chmielarski is a senior consultant with GlassHouse Technologies, Inc.
Send Tom your security questions.
Join us on LinkedIn.
This was first published in July 2010