Contributor:
John E Dunn
March 24th, 2014

Golden opportunity to tame application privileges

What is it about Windows XP that has made getting rid of an obsolete operating system so difficult? On the face of it, it should be no contest; XP is inherently less secure than its successors, will no longer receive essential updates, cybercriminals target it more often, and it doesn’t even support the latest secure applications. These factors add up to higher support costs and risk.

Despite this, a hard core of businesses will continue to use it beyond April’s cut-off date in order to support legacy applications they can’t do without. Organizations facing this situation are in a bit of a bind, aware they must somehow keep XP on secure life support while planning for the inevitable migration to Windows 7 or 8 later on.

Securing XP while migrating to a completely different OS is a big ask, but there are plenty of short-term fixes on offer, including virtualization and isolation, backed up by incredibly pricey extended support contracts at up to $200 a seat. These will do the job but they also turn XP into a patient demanding expensive full-time care.

The alternative is to minimize the risks associated with XP using privilege management. This approach not only cuts XP’s security exposure on PCs where it remains in use but also gives organizations a powerful tool to aid their Windows 7 migration roll-out and security going forward.

Securing XP

The weakness of XP was its assumption that admin rights were an affordable luxury. Many programs needed them to work, as did laptop users making simple changes to settings such as adding printers. Pragmatically, admins granted admin rights because it made life easy, creating a hole cybercriminals exploited to install malware.

A least privilege system supporting XP in addition to Vista, Windows 7 and 8 provides an integrated way to lock down admin rights through Windows Group Policy, distributing them only when really needed while creating an audit trail of events. In XP’s case, this doesn’t remove all risk (for instance OS or application vulnerabilities) but it does greatly reduce the attack surface to the absolute minimum and gives admins some visibility on how the OS is being used in real time.

Migrating to Windows 7

The same benefits of least privilege apply to Windows 7 and 8 too, but the strategic gain from a system such as Avecto’s Defendpoint lies in the advantages it offers during the migration process itself.

When moving from XP to 7 it is essential to look at the bigger picture. Users are going to have to cope with User Account Control (UAC) prompts as standard users, throwing up time management challenges for users and admins alike. The admins, meanwhile, will need to model which applications are in use and by whom, and which need admin rights and when.

This underlines the way that privilege management can be a powerful tool for understanding what is actually happening on the network as a way of getting more visibility on the security risks. Think of it as a radical rationalization, pulling out old and unused apps, stripping privileges back to a minimum on an application-by-application basis and smoothing out complexity. Increasingly, this is what migration means on modern networks.

The shift from XP to Windows 7 is hard work but it doesn’t have to be a killer. XP can be supported in a locked-down state using the same technology used to manage new Windows 7 or 8 seats. The critical thing is not to waste the potential offered by the end of Windows XP to reform application and user security. This opportunity comes along once in a generation.
