TECHNICAL BRIEF Protecting & Migrating Legacy Windows OSes
0 likes•755 views
The document provides guidance on managing the risks associated with legacy Windows operating systems, specifically Windows XP and Windows Server 2003, after Microsoft's end of support dates. It outlines the security, compliance, and reputational risks of continuing to use unsupported systems, as well as four options for organizations: doing nothing, purchasing custom support, hardening legacy systems, or migrating to new operating systems. Additionally, it emphasizes the importance of utilizing Symantec’s solutions for effective protection and migration strategies to ensure business continuity and compliance.
TECHNICAL BRIEF Protecting & Migrating Legacy Windows OSes
- 1. Protecting and Migrating Legacy Windows® OSes Your guide to mitigating the risks of Windows XP® and Windows Server® 2003 after end of support. End of Support is Not the End of Business Businesses need to be prepared for the end of support of operating systems (OSes), especially if the OS is used enterprise-wide or runs business critical applications, such as Microsoft® Windows XP® and Windows Server® 2003. As you know, Microsoft ended support for Windows XP on 8 April 2014, and will similarly pull the plug on Windows Server 2003 on 14 July 2015. Without any security patches, Microsoft has cautioned that “PCs running Windows XP after April 8, 2014 should not be considered to be protected”1 . However, many organisations stick with their legacy Windows systems, even after support ends. Changing an OS across the entire organisation opens up the risk of downtime for mission critical applications. Migrating to a new OS is also manpower-intensive, and could easily lead to time and cost overruns. Not surprisingly, companies see very little incentive to replace an unsupported but still functional OS—until there is an overwhelmingly urgent need to do so. In addition, their business may be dependent on old, proprietary applications that cannot run on newer platforms. Yet, it’s crucial for organisations to understand the risks of running an out-of-support OS against the costs and effort of migrating to a new one. Challenges of Legacy Systems 1) Security threats We learn from history that new vulnerabilities of an out-of-support OS will be discovered and new malware will be developed to exploit the vulnerabilities. Without OS security patches, businesses are exposed to significantly increased risk of security breaches of their unpatched systems. We can expect an increase in range and number of exploits likely to be successful in their attacks due to the cumulative effect of “doing nothing” across many separate vulnerabilities. This issue is intensified by the threat from unknown (zero-day) vulnerabilities. 2) Regulatory compliance Unpatched OS environment can render organisations liable to violation of industry compliance regulations, perhaps resulting in hefty fines or penalties. 1 Microsoft, Enterprise Customers: Support for Windows XP has ended, Retrieved from http://www.microsoft.com/en-us/windows/enterprise/end-of-support.aspx 1
- 2. 2 Protecting and Migrating Legacy Windows® OSes 3) Reputation damage and remediation cost associated with data breach An unprotected OS means the organisation is more susceptible to data breaches and loss of critical, confidential data, which could lead to reputational damage. On top of that, businesses will incur increased labour resources and other costs to remediate the environment once an attack occurs. What Options Are There? The first option is to do nothing. However, it will inevitably expose your organisation to attacks and risks caused by legacy systems. The second option is to purchase “custom support” from the software vendor to obtain ongoing security patches for end-of-support OS and to deploy the patches when they are available. This option does provide protection from the vulnerabilities that are actually patched, but it has the following downsides: • Leaves zero-day vulnerabilities unaddressed, opening systems to attack during instances of patch unavailability and other windows of exposure • Offers inadequate protection against security vulnerabilities with a moderate or low severity rating as patches during the custom support period are usually designed for known critical vulnerabilities only • Incurs higher cost due to costly “custom support” and frequent testing and deployment of patches • Fails to be a long term solution as “custom support” programmes are specifically designed to help customers bridge the support gap as they migrate to new OSes The third option is to protect/harden your legacy systems. In this option the customer deploys HIPS/HIDS based security agents at the endpoints to harden the operating system and applications, mitigate vulnerabilities and stop known and unknown threats. This option is most suitable in cases when a replacement is not feasible due to cost and control factors, when patching or migrating is avoided to minimise downtime, or when having applications that are not compatible with newer OSes. Benefits of this approach: • Improves the security posture of your servers by protecting them against known and unknown (zero-day) malware • Eliminates emergency patching, and minimises downtime and IT expenses related to patching through proactive protection that does not require continuous updates • Reduces security incidents and remediation costs with continuous protection even if the server is unable to get the latest patches in a timely fashion
- 3. 3 Protecting and Migrating Legacy Windows® OSes Option 3 clearly provides the best choice, with better and more consistent host security, lower overall costs and more control with regards to legacy system replacement. The following Symantec solutions can help you secure legacy systems effectively, minimise business disruption and maintain regulatory compliance: Security Solution Platform OS Symantec™ Data Center Security: Server Advanced 6.0 Server Any Symantec™ Endpoint Protection Laptop / Desktop Windows, Mac, Linux Point of Sale Device Windows Symantec™ Critical System Protection Client Edition Point of Sale Device Non-Windows ATM / Healthcare / Automotive / Industrial Control Systems Any For more information, please read: • White paper: Using Symantec Critical System Protection for Patch Mitigation and Securing Legacy Out-of-Support Platforms • Product overview: Data Center Security: Server Advanced 6.0 Overview Guide • Solution brief: Protecting PoS Environments Against Multi-Stage Attacks • Technical brief: Best Practices for Running Symantec Endpoint Protection 12.1 on Point-of-Sale Devices The fourth option is to migrate from legacy systems. This option is most suitable for taking advantage of the benefits of a new OS and its associated applications, or for minimising the operational and management costs of IT systems by standardising its hardware and software. Benefits of this approach: • Enhances security posture by eliminating the risks and vulnerabilities associated with end-of- life systems • Enables better IT investments by freeing up resources from the maintenance of legacy systems to focus on IT initiatives such as mobility deployments and cloud computing • Improves business competitiveness by leveraging the productivity benefits of new OSes, applications, mobile devices, cloud deployments and more
- 4. 4 Protecting and Migrating Legacy Windows® OSes Even though a migration can eventually lead to significant productivity, security and control benefits, it can still be an intimidating task. In the past, migrations involved manually collecting inventory and configuration data, throwing together solutions from disparate tools, writing and testing scripts to handle endless contingencies and dependencies, plus a thousand other endless routines that exhausted time, energy, money, motivation and executive patience. With any migration, the challenge is to execute it in an efficient, cost-effective, and sustainable manner, while protecting end-user productivity. Symantec can meet that challenge with migration and deployment solutions that streamline processes to cut the expense, delay, and disruption of migration, keeping it in control. Symantec has migrated more than 300 million desktops and notebooks to Windows 2000®, XP, Windows Vista®, Windows 7® and Windows 8®. Symantec™ Client Management Suite 7.5 powered by Altiris™ technology not only automates and simplifies migration efforts, but also helps manage IT resources long after migration is complete. Client Management Suite 7.5 consists of the following components: Component Name Description Deployment Solution Mass deploys disk images of a reference system, migrates user data and system configurations to new systems and configures each system based on standardised criteria Configuration Management Database (CMDB) Acts as a data warehouse to provide greater insight into existing IT assets, where they are, how they are connected and how any changes would impact those relationships Inventory Solution Gathers inventory data about computers, users, operating systems, network devices and installed software applications in existing environments Patch Management Solution Assesses, prioritises and deploys updates for common operating systems and applications to ensure that managed computers are protected on an on-going basis Software Management Solutions Distributes software and ensures that the correct software gets installed, remains installed and runs without interference from other software Allows users to directly download and install approved software or request other software via a self-service portal Endpoint Protection Integration Component Provides inventory client systems for common endpoint protection products, migrates and rolls out Endpoint Protection agents, troubleshoots agent problems and reports on status and outbreaks
- 5. 5 Protecting and Migrating Legacy Windows® OSes For more information, please read: • Solution brief: Don’t eXPire – Simplify Your Windows Migration • Product site: Symantec™ Deployment Solution 7.5 powered by Altiris™ technology • Product site: Client Management Suite 7.5 Once the migration has been completed, Symantec security solutions mentioned in the previous section can be used to protect the new operating systems from known and unknown threats. Secure or migrate with Symantec today The challenges of running unsupported legacy systems are not insignificant. But they are not insurmountable either. Just because OS support has ended does not necessarily mean businesses are left vulnerable to security threats or at the mercy of costly end-of-life support. Symantec’s solutions offer simplified, comprehensive and cost-effective protection and migration of Windows XP and Windows Server 2003, even after their end-of-support dates. Business operations continue uninterrupted and industry compliance regulations are still met. Companies also gain control and set the pace of system migration based on their own business needs and schedule. Strong protection and risk management of legacy systems will help extend their lifespans and ultimately prepare organisations to upgrade their systems to stay competitive and secure in today’s fast-paced market. For more information on securing your legacy systems, visit us. Copyright © 2014 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries.