Windows XP

More exploits, no patches

Microsoft is ending support for Windows XP this spring (see: …). This means there will be no more patches for the vulnerabilities that hackers exploit to break into these systems. Aside from firewalls, patching vulnerabilities has been the most effective strategy for reducing the risk of endpoint compromise. There is always a race between vulnerability discovery, patch application and exploit attempts. With no new patches for Windows XP, the remaining hosts become sitting ducks.

Rock & Hard Place

This creates a new set of problems for organizations that are unable to upgrade from XP. Healthcare, SCADA and manufacturing companies are most directly in danger. Custom applications that interface directly with complicated devices like X-ray machines, control systems and assembly line equipment were built for the specific Windows XP platform. With many of these systems, there is no way to upgrade to a Windows 7 or 8 platform and preserve the necessary functionality. This puts these organizations in the difficult position of accepting the risk of sensitive endpoints being highly vulnerable to exploit.

Mitigating Strategy

If there is no viable way of upgrading these assets to a supported platform, mitigating measures need to be taken.

Endpoint Hardening

Accepting that the endpoint is vulnerable requires hardening it, the same way a soldier wears a helmet and flak jacket in awareness of his vulnerability to hostile fire.

Security Policy

The Windows security policy (GPO) needs to be as strict as possible while still allowing core functionality. Non-essential services should be disabled, Internet Explorer disabled or locked down, and user privileges kept to a minimum. The smallest possible number of programs should be installed. This may require personnel to use one computer for legacy functions and a modern desktop for everything else. For details on hardening a Windows machine, see the following article from Microsoft:

Endpoint Security

While Microsoft will no longer provide patches, antivirus vendors will continue to provide virus signatures. In addition to traditional signature-based detection, an advanced malware detection solution like Sourcefire's FireAMP can monitor the legacy endpoints for zero-day infections via sandboxing and monitoring. The FireAMP cloud includes File Analysis (cloud-based sandboxing), cloud-based data storage, file and network activity logging, Security Intelligence for calculating Indications of Compromise, detection and blocking of known CnC server IP addresses, and file and network threat detection.

Network Hardening

In addition to making the endpoint more difficult to compromise, securing the network leading to and from the legacy machines is critical.

Network Segmentation

Once the endpoint has been secured against exploit as much as possible, contingency planning for compromise must occur. This is best accomplished through tight network segmentation: placing vulnerable XP machines in their own VLANs or using Cisco TrustSec Security Group Tags (SGT), and restricting access to unneeded parts of the network via firewalls, router policy or network access control (such as Cisco Identity Services Engine).

Intrusion Prevention Systems

In the same way that antivirus software can protect the vulnerable machine from known bad files, intrusion prevention systems (IPS) can look for known exploits on the wire targeting known, yet unpatched vulnerabilities. If network segmentation is in place, IPS can be placed at the entry points of the XP segments with a higher sensitivity to exploits than the rest of the network to further mitigate risk.

Network Behavior & Anomaly Monitoring

As I pointed out in Looking East and West, monitoring the behavior of endpoints is as fundamental to successful security as policy and enforcement. The effectiveness of the enforcement and policy mechanisms should be audited using the guidelines I provided in When Enforcement Doesn't….

One benefit of monitoring locked-down, purpose-focused endpoints is that their traffic patterns are normally very predictable. This allows deviations from normal behavior to be easily detected. When a hacker tries to use the compromised machine for recon or data theft, StealthWatch will quickly alarm on the anomalous behavior. For details on how StealthWatch accomplishes this, refer to Monitoring Protected Data with NetFlow.

In addition to monitoring vulnerable systems, StealthWatch can assist organizations in inventorying them. StealthWatch can provide operators with the traffic patterns seen from known XP machines, and those patterns can be searched against StealthWatch host intelligence. If legacy endpoints appear on the network, StealthWatch can alert operators so they may ensure the proper hardening steps have been taken.
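To illustrate why a locked-down endpoint's predictable traffic makes deviations easy to spot, here is an added example (not code from the article or from StealthWatch) that builds a per-host baseline of peers and volumes from constructed NetFlow-style records and alarms on new peers, outsized outbound transfers, and hosts that have no baseline at all. All IP addresses, ports and byte counts are constructed for the example.

```python
# Added example, not the article's or StealthWatch's code: a simplified
# behavioral baseline for a purpose-built legacy host. Such a host talks to
# a short, fixed set of peers and ports, so anything outside that set is
# worth an alarm. Flow records are constructed: (src, dst, dst_port, proto, bytes_out).
from collections import defaultdict

BASELINE_FLOWS = [
    ("10.20.1.15", "10.20.1.5", 445, "tcp", 12000),   # file server
    ("10.20.1.15", "10.20.1.5", 445, "tcp", 9800),
    ("10.20.1.15", "10.20.1.9", 1433, "tcp", 4100),   # results database
    ("10.20.1.15", "10.20.1.9", 1433, "tcp", 3900),
    ("10.20.1.15", "10.20.1.2", 53, "udp", 120),      # DNS
]

# Constructed flows observed later: a probe of two new hosts on the XP
# segment, a large upload to an outside address, and an unbaselined host.
NEW_FLOWS = [
    ("10.20.1.15", "10.20.1.5", 445, "tcp", 11500),
    ("10.20.1.15", "10.20.3.40", 445, "tcp", 300),
    ("10.20.1.15", "10.20.3.41", 445, "tcp", 300),
    ("10.20.1.15", "203.0.113.7", 443, "tcp", 48000000),
    ("10.20.1.77", "10.20.1.5", 445, "tcp", 500),
]

def build_baseline(flows):
    """Map each host to its set of (dst, port, proto) peers and the largest
    outbound byte count seen for any single flow during the baseline period."""
    peers = defaultdict(set)
    max_bytes = defaultdict(int)
    for src, dst, port, proto, nbytes in flows:
        peers[src].add((dst, port, proto))
        max_bytes[src] = max(max_bytes[src], nbytes)
    return peers, max_bytes

def detect_anomalies(baseline, flows, volume_factor=10):
    """Return alarms for unbaselined hosts (inventory gap), flows to unseen
    peers, and outbound volumes above volume_factor times the baseline max."""
    peers, max_bytes = baseline
    alarms = []
    for src, dst, port, proto, nbytes in flows:
        if src not in peers:
            alarms.append(("no_baseline", src, dst, port))
            continue
        if (dst, port, proto) not in peers[src]:
            alarms.append(("new_peer", src, dst, port))
        if nbytes > volume_factor * max_bytes[src]:
            alarms.append(("volume", src, dst, nbytes))
    return alarms

if __name__ == "__main__":
    for alarm in detect_anomalies(build_baseline(BASELINE_FLOWS), NEW_FLOWS):
        print(alarm)
```

The "no_baseline" alarm is the inventory case: a host that starts talking without a known profile is the cue to check whether it is an unhardened legacy machine.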

Wrap Up

Windows XP going out of support is causing significant stress for security professionals as attackers salivate at the opportunity for exploit. Hardening these vulnerable endpoints is the first step in reducing risk, followed by strong network segmentation to slow an attacker's ability to penetrate deeper into the network. Along with these enforcement components, pervasive monitoring of these legacy computers is critical to catch attackers before they are able to do serious damage to an organization and its customers.
*Brandon Rosiak of Cisco contributed to this article.