Gartner Newsroom

STAMFORD, Conn., April 8, 2014

Best Practices for Secure Use of Windows XP Now That Support Has Ended

Microsoft’s support for Windows XP ends today, April 8, 2014. However, Gartner estimates that one-third of enterprises currently have more than 10 percent of their systems remaining on XP.

In today’s blog post, Neil MacDonald, vice president and Gartner Fellow, says the issue is not whether the continued use of XP entails risk. It does. The issue is whether the continued use of XP represents manageable and tolerable risk to the enterprise. 

Mr. MacDonald said: 

Any system, supported or not, carries risk. For the majority of use cases, XP can continue to be used with the risk managed to a tolerable level, without requiring the enterprise to pay Microsoft for expensive custom support while migrations are completed. While doing nothing is an option, we do not believe that most organizations (or their auditors) will find this level of risk acceptable. 

If XP systems continue to be used, Gartner recommends that organizations follow the 10 best practices below to reduce the risk of running these systems to a tolerable level.

  1. Restrict Network Connectivity to the Minimum Possible: Protecting XP systems is easier when other systems cannot communicate with them over the network, which is the primary vector for attacks.
  2. Implement an Application Control Solution and Memory Protection: This can be accomplished using a dedicated solution, a host-based intrusion prevention system (IPS), or Microsoft's Group Policy object (GPO)-based software restriction policies (with a default rule of Disallowed, so that only explicitly permitted paths, hashes or publishers may execute) to establish a "lockdown" posture for XP that prevents the execution of arbitrary code.
  3. Remove Administrative Rights: This should be mandatory for all remaining users on Windows XP.
  4. Address the Most Common Attack Vectors — Web Browsing and Email: Remove Web browsing and email software from XP systems, and provide these capabilities from a server-based system that is kept up to date.
  5. Keep the Rest of the Software Stack Updated Where Possible, Including Office: Vendors of other software running on these XP systems may continue to support their products. Patching them further reduces the attack surface.
  6. Use a Network or Host-Based IPS to Shield XP Systems From Attack: Confirm that your IPS vendor will continue to research vulnerabilities and attacks on XP and will provide filters and rules to block these attacks where possible.
  7. Monitor Microsoft: Microsoft will not publicly disclose whether new vulnerabilities against XP are discovered (unless you have paid for custom support). However, pay particular attention to critical vulnerabilities that affect Windows Server 2003, as these will likely affect XP as well.
  8. Monitor Community Chat Boards and Threat Intelligence Feeds: Third-party threat intelligence feeds are an independent source of information. Communities of interest are expected to emerge specifically for sharing information related to XP.
  9. Have a Predefined Process Ready If an XP Breach Occurs: Have a plan to quarantine XP workstations at the network level as soon as an attack gains a foothold, and keep them isolated until the mitigating steps are understood.
  10. Perform a Cost/Benefit Analysis: The cost and resources needed to implement the steps above might be better spent accelerating the migration of the remaining XP systems, or it might be simpler to pay Microsoft for custom support.
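Three of the practices above leave a footprint that can be verified on each remaining XP host: the software restriction policy (item 2), the host firewall as one network-restriction control (item 1) and local Administrators membership (item 3). The following audit script is an added example written for this page, not a Gartner or Microsoft tool. The registry paths and value meanings are the documented Software Restriction Policies and Windows Firewall locations; the snapshot layout, the finding texts, the allowed-administrator set and the sample data (including the hypothetical "CORP" domain) are this example's own constructions.

```python
"""Posture audit for an XP host kept in service after end of support.

Added example, not Gartner's or Microsoft's tooling. Registry paths are the
documented SRP and Windows Firewall keys; everything else is constructed.
"""
import subprocess

# GPO: Computer Configuration > Windows Settings > Security Settings >
# Software Restriction Policies. Applied policy lands under this HKLM key.
SRP_KEY = r"SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
SRP_DISALLOWED, SRP_BASIC_USER, SRP_UNRESTRICTED = 0x0, 0x20000, 0x40000
# Effective local firewall state (XP SP2+). If the firewall is itself set by
# GPO, also check HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall.
FW_KEY = r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
FW_PROFILES = ("DomainProfile", "StandardProfile")
# Members allowed to remain in local Administrators (constructed; "CORP" is a
# hypothetical domain). Compared case-insensitively.
ALLOWED_ADMINS = {"administrator", r"corp\domain admins"}


def evaluate(snapshot):
    """Return the findings for one host snapshot (empty list = passes)."""
    findings = []
    srp = snapshot.get("srp")
    if srp is None:
        findings.append("SRP: no CodeIdentifiers policy; arbitrary code can run")
    else:
        if srp.get("DefaultLevel") != SRP_DISALLOWED:
            findings.append("SRP: DefaultLevel is not Disallowed (0x0)")
        # TransparentEnabled 1 = executables only, 2 = executables and DLLs
        if srp.get("TransparentEnabled", 1) < 2:
            findings.append("SRP: TransparentEnabled < 2, DLLs are not checked")
        # PolicyScope 0 = all users, 1 = everyone except local administrators
        if srp.get("PolicyScope", 0) != 0:
            findings.append("SRP: PolicyScope exempts local administrators")
    for profile in FW_PROFILES:
        if snapshot.get("firewall", {}).get(profile) != 1:
            findings.append("Firewall: %s EnableFirewall != 1" % profile)
    extra = {m.lower() for m in snapshot.get("local_admins", [])} - ALLOWED_ADMINS
    if extra:
        findings.append("Admins: unexpected members: " + ", ".join(sorted(extra)))
    return findings


def parse_net_localgroup(text):
    """Pull member names out of 'net localgroup <group>' output."""
    members, in_members = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("---"):          # separator before the member list
            in_members = True
        elif in_members and line.startswith("The command completed"):
            break
        elif in_members and line:
            members.append(line)
    return members


def _read_values(hive, path, names):
    """Read named values under a key; None if the key does not exist."""
    import winreg  # Windows-only; imported here so evaluate() runs anywhere
    try:
        key = winreg.OpenKey(hive, path)
    except OSError:
        return None
    with key:
        out = {}
        for name in names:
            try:
                out[name] = winreg.QueryValueEx(key, name)[0]
            except OSError:
                pass
        return out


def collect_snapshot():
    """Read the live host (run elevated on the XP box itself)."""
    import winreg
    hklm = winreg.HKEY_LOCAL_MACHINE
    srp = _read_values(hklm, SRP_KEY, ("DefaultLevel", "TransparentEnabled", "PolicyScope"))
    fw = {}
    for profile in FW_PROFILES:
        vals = _read_values(hklm, FW_KEY + "\\" + profile, ("EnableFirewall",)) or {}
        fw[profile] = vals.get("EnableFirewall")
    out = subprocess.check_output(["net", "localgroup", "Administrators"],
                                  universal_newlines=True)
    return {"srp": srp, "firewall": fw, "local_admins": parse_net_localgroup(out)}


# Constructed sample data: an unmanaged XP workstation versus a locked-down one.
SAMPLE_NET_OUTPUT = """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\jdoe
The command completed successfully.
"""
SAMPLE_WEAK = {
    "srp": {"DefaultLevel": SRP_UNRESTRICTED, "TransparentEnabled": 1, "PolicyScope": 1},
    "firewall": {"DomainProfile": 1, "StandardProfile": 0},
    "local_admins": parse_net_localgroup(SAMPLE_NET_OUTPUT),
}
SAMPLE_LOCKED_DOWN = {
    "srp": {"DefaultLevel": SRP_DISALLOWED, "TransparentEnabled": 2, "PolicyScope": 0},
    "firewall": {"DomainProfile": 1, "StandardProfile": 1},
    "local_admins": ["Administrator", r"CORP\Domain Admins"],
}

if __name__ == "__main__":
    import sys
    snap = collect_snapshot() if sys.platform == "win32" else SAMPLE_WEAK
    for finding in evaluate(snap) or ["PASS: posture matches the lockdown baseline"]:
        print(finding)
```

Run on the XP host it reports the live posture; on any other platform it evaluates the constructed weak sample, which fails all five checks. The evaluation logic is kept separate from the registry reads so the same `evaluate()` can be fed snapshots gathered by whatever inventory tool you already use, and the thresholds (Disallowed default level, DLL checking enabled, no administrator exemption) are the settings that distinguish a real lockdown from an SRP that is merely present.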

Organizations that choose not to implement these best practices could instead consider paying Microsoft for custom support, particularly if the enterprise's risk tolerance is low or regulations require it.

Detailed analysis on each best practice, additional best practices, and a discussion on XP-based embedded systems is available in the report entitled “Best Practices for Secure Use of XP After Support Ends” which can be found on Gartner’s website at http://www.gartner.com/doc/2701420.

Gartner analysts will share additional information on top security trends at the Gartner Security & Risk Management Summits 2014 being held June 23-26 in National Harbor, Maryland and September 9-10 in London.

More information on the National Harbor Summit is available at http://www.gartner.com/technology/summits/na/security/. Members of the media can register by contacting Christy Pettey at christy.pettey@gartner.com. Additional details on the London Summit are available at http://www.gartner.com/technology/summits/emea/security/. Members of the press can register for this Summit by contacting Rob van der Meulen at rob.vandermeulen@gartner.com.

Information from the Summits will be shared on Twitter at http://twitter.com/Gartner_inc using #GartnerSEC.

About Gartner

Gartner, Inc. (NYSE: IT) is the world's leading information technology research and advisory company. We deliver the technology-related insight necessary for our clients to make the right decisions, every day. From CIOs and senior IT leaders in corporations and government agencies, to business leaders in high-tech and telecom enterprises and professional services firms, to technology investors, we are the valuable partner to clients in over 9,000 distinct enterprises worldwide. Through the resources of Gartner Research, Gartner Executive Programs, Gartner Consulting and Gartner Events, Gartner works with every client to research, analyze and interpret the business of IT within the context of their individual role. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, USA, and has 6,400 associates, including more than 1,480 research analysts and consultants, and clients in 85 countries. For more information, visit www.gartner.com.

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.
