How to handle IT security as XP goes into Extended Support

Microsoft has ended mainstream support for all flavours of Windows XP, including Windows XP Professional and Windows XP Professional x64 Edition.

Extended support will be available until 8 April, 2014, but the burden will be on IT managers to ensure their Windows XP estates are secure.

Although Microsoft is moving XP into the Extended Support phase of its lifecycle, it will continue to develop security hot fixes as and when they are required; non-security hot fixes during Extended Support are only available under a paid Extended Hotfix Support agreement.

Stuart Okin, managing director of Comsec Consulting, and a former security expert at Microsoft, says that getting telephone support from Microsoft will be the main issue after mainstream support ends.

"This will affect clients, [but] only when there is a major outbreak of malware and they are not sure where to turn to. In essence nothing changes. Patch your systems; make sure you have malware protection, as well as other controls, such as firewalls. For businesses, make sure you security test all the way through the development lifecycle."

Gary Collins, chief information officer at Intercept IT, a specialist in cloud computing, pointed out that even with the arrival of Vista, Microsoft was retrospectively patching holes in Windows XP as it found problems with the new operating system (OS). This meant recoding parts of the XP operating system and releasing hot fixes.

He says many organisations have been reluctant to move to Windows Vista, and Windows 7 is not yet available. As a result, securing Windows XP will remain a focal issue.

"A high proportion of our clients have not upgraded to Vista, which they see as resource-hungry, so it is unfortunate timing for Microsoft that XP support is ending, and Windows 7 will not be out until early 2010."

The onus will be on users to ensure they keep XP up-to-date, as is the case with older operating systems, says Collins.

"A couple of clients of ours are large banks that still have Windows NT 3.51 and NT 4 on their servers. They put protection around the outside, using intrusion detection systems and intrusion prevention. But they also ensure those networks are not exposed."

Collins advises organisations to ensure they have adequate firewall, anti-virus and intrusion detection systems. But he adds that there are also many experienced Microsoft partners that will continue to offer support services for Windows XP.

This was echoed by Microsoft, which says that along with its strategic partners, it will offer custom support relationships, at a price, that go beyond the Extended Support phase.

Stay up-to-date

Martin O'Neal, at security consultancy Corsaire, says Windows XP users should run the most recent version of the operating system. For 32-bit Windows XP that means Service Pack 3; for Windows XP Professional x64 Edition it means Service Pack 2.

"The basic recommendation for maintaining a supportable platform is to make sure you move to the latest service pack in the next few weeks," he says.
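One way to find out where an XP estate actually stands before the service-pack deadline is to query each machine's reported version and service-pack level over WMI. The script below is an added example, not code from the article or from any of the firms quoted; it assumes PowerShell 2.0 or later on the management workstation, WMI/RPC reachability and administrative rights on each target, and uses constructed placeholder host names. It flags 32-bit XP below SP3 and x64 XP below SP2 as needing a service pack.

```powershell
# Added example (not from the article): check whether each Windows XP host is on
# the final service pack for its edition. Run from a management workstation with
# PowerShell 2.0 or later; needs WMI/RPC reachability and admin rights on targets.
# The host names below are constructed placeholders.
param(
    [string[]]$ComputerName = @('xp-ws-01', 'xp-ws-02', 'xp64-ws-01'),
    [System.Management.Automation.PSCredential]$Credential
)

# Final service packs per XP kernel version: 5.1 = 32-bit XP (SP3),
# 5.2 = XP Professional x64 Edition (SP2). Anything lower is out of support.
$finalServicePack = @{ '5.1' = 3; '5.2' = 2 }

function Get-XpPatchStatus {
    param([string]$Computer)

    $wmi = @{ ComputerName = $Computer; ErrorAction = 'Stop' }
    # WMI rejects -Credential for the local machine; only pass it for remote hosts.
    if ($Credential -and $Computer -ne $env:COMPUTERNAME) { $wmi.Credential = $Credential }

    try {
        $os  = Get-WmiObject -Class Win32_OperatingSystem @wmi
        $qfe = @(Get-WmiObject -Class Win32_QuickFixEngineering @wmi)
    } catch {
        # Unreachable hosts are reported, not silently skipped: an unknown box is a finding too.
        return New-Object PSObject -Property @{
            Computer = $Computer; Caption = $null; Version = $null
            ServicePack = $null; Hotfixes = $null
            Status = "UNREACHABLE: $($_.Exception.Message)"
        }
    }

    # Win32_OperatingSystem.Version is e.g. 5.1.2600; keep major.minor only.
    $kernel = ($os.Version -split '\.')[0..1] -join '.'
    $sp     = [int]$os.ServicePackMajorVersion

    # Server 2003 shares the 5.2 kernel, so check the caption as well as the version.
    if ($os.Caption -notmatch 'Windows.*XP' -or -not $finalServicePack.ContainsKey($kernel)) {
        $status = 'NOT-XP'
    } elseif ($sp -ge $finalServicePack[$kernel]) {
        $status = 'OK'
    } else {
        $status = "NEEDS-SP$($finalServicePack[$kernel])"
    }

    New-Object PSObject -Property @{
        Computer    = $Computer
        Caption     = $os.Caption
        Version     = $os.Version
        ServicePack = $sp
        Hotfixes    = $qfe.Count   # installed hotfixes only; says nothing about missing ones
        Status      = $status
    }
}

$ComputerName | ForEach-Object { Get-XpPatchStatus -Computer $_ } |
    Select-Object Computer, Caption, ServicePack, Hotfixes, Status |
    Format-Table -AutoSize
```

The hotfix column is a count of what Win32_QuickFixEngineering reports as installed; it is useful for spotting machines that have clearly never been patched, but it cannot tell you which updates are missing. For that, compare each host against an update service such as WSUS rather than inferring from the installed list.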

Graham Cluley, senior technology consultant at Sophos, warns that the end of support for Windows XP - which he says is the world's most widely used OS - will mean organisations need to plan OS migrations.

"The biggest challenge for businesses is the looming requirement to specify another OS, particularly for new installs. Enterprise software developers will begin dropping XP support and IT managers should be thinking about the best alternative operating system."

"Given the poor uptake of Vista, the continued popularity of Apple, the growth of Linux and the simple fact that Linux is free, it looks like the OS market is going to become more competitive."

"XP will not be the leading OS forever and businesses need to be prioritising security in any talks about how to deal with its demise," he says.

Overall, the experts agreed that good security practices should be high on the agenda going forward. This is easier said than done.

Paul Vlissidis, technical director at NCC Group Secure Test, says: "In a world of super worms and drive-by attacks, internal patching is now as essential as having an up-to-date anti-virus, but this message just does not seem to be getting through. IT security is no longer the sole provision of suppliers, and end-users should be aware of this by now."
