Stuck with Windows XP? 10 Things You Can Do to Stay Secure
June 04, 2014
On April 8, 2014, Microsoft ended support for Windows XP. The fact that there are millions of PCs using Windows XP - 30% of the market as of right now - creates big challenges not only for the home user but for enterprises that use XP as an everyday tool to conduct business.
This means that corporate environments will continue to house machines with Windows XP, and they will have to take extra measures to ensure the security of their network and the continuity of their business. If you’re one of those that are unable to decommission Windows XP, here are 10 things you can do to maintain your secure environment.
Isolate Windows XP Machines
Creating a separate VLAN (network) for these machines would be a good place to start. Windows XP clients will not be able to directly communicate with any other devices in the network except themselves and the router. By doing this, you would be able to contain rather quickly any attacks that exploit vulnerabilities in the operating system.
Allow Minimum Access through Firewalls
By putting a firewall in front of these machines, you can control what goes out and what goes into that network. This allows Windows XP users to do their day-to-day jobs but also minimizes the exposure to other areas of the network.
Set Up an IPS to Minimize Attacks
By setting up an intrusion prevention system (IPS) in front of these machines - you can set this up as part of a next generation firewall like Palo Alto - you can minimize the vulnerabilities that exist on or may be found for Windows XP and mitigate the lack of software security updates from Microsoft. This will also shed some light as to what are the existing threats currently being exploited and allow the enterprise to be more proactive against attacks.
Use a URL Filtering Solution
By using a URL filtering solution like Websense or Bluecoat, you can reduce the exposure of these machines to malicious websites and other web-based attacks.
Have a Good Endpoint Security Solution
Having a solid antivirus is always good practice for any Windows-based computer but even more so on Windows XP systems. Vendors will continue to update their software, and it will add another line of defense against current and unknown threats. Some endpoint solutions allow you to whitelist certain applications, ensuring that only approved applications will run on these PCs and reducing the possibilities of malicious code being executed.
Install an HIPS Solution
Having host intrusion prevention system (HIPS) software installed on each XP client will create another layer of security for these PCs. This will also help in the event of any malicious attack that may go past the firewall or the network IPS. For example, should any of the XP machines on the network become compromised and try to attack other PCs on the network, the HIPS would help mitigate the threat.
Limited User Accounts
Having limited user accounts is always a best practice but with Windows XP is even more important. This prevents users from installing software and running unauthorized processes and also prevents malware to execute itself in the event that it gets installed on the PC.
Install a Different Web Browser
Firefox and Chrome have been proven more secure than IE, and not only that, they will continue to be updated by Mozilla and Google.
Disable Java on the Browser
In recent years, Java has been proven to be a very vulnerable software platform. Most of the attacks on Java happen when it is running on the browser. Disabling this, as long as it does not interfere with users doing their job, is a good practice.
Send Logs to a SIEM
Windows XP machines should be configured to send event logs (Windows Security Events) to a SIEM. This will centralize logging for this environment and will alert the IT security team of any suspicious events.
Need-to-Know / Least Privilege
Making sure that these PCs do not have more access than they should and that users do not have excessive privileges to network resources will reduce the possibilities of malicious code entering the network or vulnerabilities to be exploited.
The best way to address the end of Windows XP support would be to upgrade all of these machines to a newer and supported operating system like Windows 7 or Windows 8. If this is not feasible due to lack of resources, time or legacy software, these 10 things are a good start to minimizing risks and keeping your environment as secure as possible.