I would like you to sit back, close your eyes and think about the year 2001. Think about how you used technology back then, how you used the Internet. Now, let’s take it a little bit further back in history and think of the year 2000. Just after we realized that the Year-2000-Problem was handled very well by the industry. How you used technology, how you used the Internet, the speed of your Internet connection (I think for me it was ISDN-Dial-Up).
This was the time Windows XP was designed. Windows XP was launched in 2001 and – judging by its success – it was a really great piece of technology. It just runs, rock-solid. Well, it was attacked by a few worms like Blaster, Sasser, which led to the development of Service Pack 1, which made us stop development for a few months to look for security vulnerabilities. Over all the years of improvement and learning, this finally led into Windows 7.
If you are still on Windows XP, you probably should re-think your strategy today as the Operating System you are using was not designed to survive in today’s threat landscape. Let me give you 10 reasons why you should definitely move off Windows XP as soon as possible:
- First and foremost, Windows XP will go out of support April 8th, 2014. From then onwards, there will be no more security updates for Windows XP. Even though it is still two years down the road, larger organizations typically need some time to migrate and I am convinced that you need to start now!
- Changes in development processes like the introduction of the Security Development Lifecycle (SDL) over the last 10 years within Microsoft significantly reduced the number of vulnerabilities, the likelihood for getting infected by malware and the attack vectors. This can easily be seen when you look at the data from our Security Intelligence Report:
- Most probably you are still using Internet Explorer 6, when you are running Windows XP. As the browser is your window to the Internet and the most attacked application you run, running a browser which is three versions behind the latest one is definitely not something you should do for different reasons. One is the point I made above. Development processes have come a long way in the industry to incorporate security into the product from a code level and you would want to leverage this. Additionally, there is a lot of technology built into a modern browser to protect you from current attacks like the Smartscreen filter. So, move off IE6 to Internet Explorer 9 (for Windows Vista and later) or at least Internet Explorer 8 if you stay on Windows XP (which you should not J). To show you the impact, here is a graph published by NSSLabs on how far the browser can protect you from socially engineered malware:
- The Security Development Lifecycle is not only about reducing security vulnerabilities at a code level but it is about adding additional protection as well, if there is a vulnerability in the code. It is about Defense in Depth as well – or mainly. As a result we introduced technology like DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) into the platform, which makes it much harder to exploit a vulnerability in the code.
- Ever tried to run Windows XP without being local Administrator? Yes, you will tell me know that you run it in the enterprise like that. What about changing the time zone when you travel with your notebook? Or adding your home printer? Or, or, or? I have to admit that I tried it more than once and gave up. User Access Control helps greatly. It is a huge improvement and makes the non-admin use of the OS much simpler. Even if you would decide to run as a local admin, you work with the user token until you need admin privileges.
- On Windows XP you might be using some third-party disk encryption tool, something which comes for free on Windows 7 – even for USB sticks. It is called Bitlocker and Bitlocker To Go.
- Talking of Bitlocker: One of the points which are often forgotten when talking about the OS is that one of the key attack vectors is during the boot process. We have seen successful attacks on Windows XP during the boot processes with rootkits. If you switch on Bitlocker on Windows 7 (and Vista) you get a fairly sound boot protection. If you use a 64-bit version with kernel protection, the risk of getting infected during the boot process is actually fairly low.
- Managing Software Restriction Policies in Windows XP was a very hard – close to impossible – task. AppLocker on Windows 7 has improved this greatly.
- There are quite some changes on the IP layer: We support IPv6 and there are a lot of improvements in the Windows Firewall.
- The last point: Windows XP is just not cool anymore. Windows 7 is just much nicer, cooler to use and just much, much more fun
Besides all the security improvements, which make most sense if they are used in a combination like Bitlocker on Windows 64-bit and Applocker it has to be said that managing such a Windows 7 environment has proved to be much, much more efficient than Windows XP.
I guess you did not have time to finish reading the post? Started your migration project immediately? Great, go ahead!
Roger