As the date for the end of Microsoft’s operating system support looms, what are the options available to CIOs using applications that run on nothing else?
In April 2012, Microsoft announced that its support for the Windows XP operating system would end two years later, on April 8, 2014.
This means that, although the company will still host all patches and service packs for XP, it will offer no new technical support of any kind.
And with that date now approaching fast, the question arises of what companies should do to keep a secure Windows-based environment running if their installed base (or any significant proportion of it) remains on XP.
Hands-on advice from a practitioner
Workspace practice manager at consultancy Company85, Jon Littlefair, has practical experience of the fieldwork already carried out in this area. He says that, whenever his team has been faced with a project where legacy applications have been unsupported on Windows 7 or above – and redevelopment of the application to a supported platform is not possible or economically viable – they have either looked to virtualise the application in App-V or ThinApp, or provided the customer with a segregated environment running XP virtual machines that users can access remotely.
"These virtual desktop infrastructure environments can be locked down and security risks mitigated. In most cases, the doubling of costs annually for XP support is viewed as so prohibitive, our clients explore all other avenues as a preferred route," says Littlefair.
"We’re currently engaged with a high street bank to help them with a solution for over 5,000 cashpoints. So far, the embedded version of XP seems to be the de facto standard for ATMs and there is no appetite to re-engineer the application for Windows 7 or 8. The priority is to provide a host intrusion detection and prevention system that renders the ATM completely locked-down at the host level. Although not originally designed to mitigate Windows 7 or 8 upgrades, Symantec Critical System Protection is proving spot on for this."
Should firms look at somehow securing XP through their own software engineering?
Should they outsource the entire support function to one of the big IT services firms, such as Capgemini or Accenture? If they start to migrate to Windows 7 or Windows 8 now – and this process takes 18 months or so – how should CIOs secure XP in the meantime?
Are there routes via hosted virtualisation to lock down XP at the back end and provide a secure user front end? Or should we all just pay Microsoft the $200 per desktop per year for ongoing additional support?
Return on investment does not happen overnight
Microsoft has laid down some pretty substantial arguments to validate the return on investment (ROI) that results from a move to Windows 7 (if not Windows 8 or 8.1) from XP, but gaining and reaping that ROI comes at a cost.
The trouble is there are thousands of installed applications, across hundreds of thousands of desktops running XP, that cannot be migrated due to incompatibility. The UK Ministry of Defence is thought to be running as many as 400,000 Windows PCs. With even a conservative estimate of half of these running on XP, the task ahead remains considerable.
Could heavyweight enterprise resource planning (ERP) suppliers hold the answer? Would it be possible to lock down a virtual machine base running XP and virtualise the functionality needed through a web-facing front end?
Garry Owen is senior product marketing manager for user computing at VMware. He says there are many ways of handling the end of XP for most organisations.
"Most commercial applications running under Windows XP either run unchanged under later versions of Windows or are available in newer versions that do – customers simply need to upgrade. For those mission-critical applications that this won’t work for, or for in-house developed applications, then the vast majority of these can be virtualised," he says.
"For the very few – and I stress, very few – applications remaining that can’t be upgraded or virtualised in this way, there are only two choices: retire them and migrate the functionality to a new supported application, or continue to run Windows XP to serve the legacy application. The latter is unlikely to be a practical proposition for any but the most deep-pocketed organisations and, even then, there are huge compliancy risks," adds Owen.
Microsoft’s exponential XP support charge
Owen warns that simply outsourcing the complete XP support function to an IT services company is unlikely to prove a viable solution, because of Microsoft’s extended special support fees, which will inevitably get passed on to the customer.
The $200 per PC per year fee goes up to $400 in the second year and doubles every year after. For companies forced to take this route, that support charge over time will grow large enough to appear as a discrete line on the balance sheet – and this is not a viable option, even in the short to medium term.
"The fundamental realisation for the vast majority of organisations is that, ultimately, it’s not a viable option to stay with Windows XP so, one way or another, they have to move away as soon as possible," says Owen.
"For those legacy applications without newer supported versions, they can be virtualised – with tools such as VMware ThinApp – to produce an encapsulated version of the app that will run securely on a new operating system."
This advice applies to native applications and applications that only run in a non-supported or non-functional browser on Windows 7 (such as Internet Explorer 6). While Microsoft’s position on its support for applications virtualised in this way is ambiguous, the general industry interpretation is that it will not provide support.
"VMware’s position is clear," says Owen. "Ordinarily, we support any ThinApp virtualised application if it is supported natively on the target operating system. In addition, even though Internet Explorer 6 (IE6) cannot natively be installed on Windows 7, VMware fully supports ThinApp virtualised IE6 (plus any legacy applications packaged together with IE6)."
In addition to the efficient migration of applications to the new target operating system master image, VMware says it can help with the deployment activity using tools such as Horizon Mirage, which complement and enhance existing PC lifecycle management frameworks. It should be noted, however, that Microsoft only allows virtualised IE6 applications if the IT department in question runs Microsoft Terminal Services software, or chooses to run Windows XP in a virtual machine locally.
For its part, Microsoft plainly states on its products lifecycle pages that every Windows product has a lifecycle. The lifecycle begins when a product is released and ends when it is no longer supported or sold.
According to the official Windows blog: "Readying a company’s applications and data for moving from Windows XP can take a substantial amount of planning and time. Businesses that have yet to start the process need to first rationalise their app portfolios, set up an agile testing process, then get apps ready for migration. We recommend that customers start this effort immediately, if the process has not already begun."
For enterprises that cannot migrate before April 2014, there is also AppSense Application Manager, which works with physical and virtualised versions of XP. It locks down the current supported XP environment and will not allow any further executables or applications to be run without the system administrator first approving them. The idea is that a user environment is kept more or less as it was before the end of support, so further patches would not be necessary. This technology can work hand-in-hand with endpoint security systems, such as antivirus packages.
"Through our work with a large number of UK and European organisations, in completing migrations from XP, we have encountered several instances where a move simply is not an option just yet," says Simon Townsend, chief technologist for Europe at AppSense.
"We have also recognised that migration is not an option for everyone and the most effective tactic for some is to lock down the legacy XP environment until migration becomes a more viable option."
Townsend warns that migrations are no simple undertaking: they are often time-consuming and complex, and require extensive planning to execute properly. "Trying to rush a migration through before April is unlikely to benefit an organisation. They may be best advised to research alternatives that can act as a bridging solution until they fully define a migration strategy," he says.
Damn the torpedoes – Windows XP full speed ahead!
To paraphrase the 19th century American naval rear admiral David Farragut, staying on with Windows XP is akin to issuing orders to damn the security torpedoes and plough on full speed ahead.
According to Clive Longbottom, service director and founder of IT analyst house Quocirca: "The choices are: carry on as is with XP and self-support (full speed and damn the torpedoes); pay for extended support (full speed and pay for what may be comparatively weak anti-torpedo protection); migrate from apps that are holding you back and upgrade to Windows 7 (this will slow your speed, but at least there are fewer torpedoes); or upgrade and virtualise or make old apps run under Windows 7 (turbo speed and avoid the torpedoes)."
Military analogies naturally give way to forthright opinions and Longbottom concludes that the choice to not migrate hard and fast off XP is not a difficult decision to make. When technical and personal opinions inside and outside of the Microsoft camp converge, you can be fairly sure what action you should be taking: XP is over, it is time to go forward.
This was first published in January 2014