“Doomsday is here! The sky is falling! Windows 7 is out of support and all hell will break loose!” – or, at least, that’s what some cybersecurity experts and press outlets want you to think. In this article, I will offer some advice to businesses of all sizes that may need to continue using Windows 7, while understanding the risk. This is my opinion and should be taken as advice only. Every company is different, and your circumstances are likely to vary.
Windows 7 has been Microsoft’s most successful operating system and, it’s safe to say, one of the most loved. Lessons learned from Windows XP, and especially Vista, allowed Microsoft to build a stable operating system that only required one Service Pack, despite being in use for over 10 years.
However, nothing lasts forever, and with Windows 7 end-of-support originally announced way back in 2015, the end ultimately arrived on January 14, 2020.
Microsoft is facing criticism for ending support for all but enterprise customers paying for extended support, but it’s worth noting that Apple faces no criticism for constantly upgrading iOS and MacOS and for (rather quickly) ending support for legacy versions of those OSes. Of course, it remains to be seen whether the recent Crypto API spoofing vulnerability will test Microsoft’s resolve to keep Windows 7 unpatched for non-paying customers.
Security benefits of Windows 10
Even Steve Gibson, world-renowned and respected security expert and my favorite podcaster, who swore that he would never move off Windows 7, is now relenting and moving to Windows 10.
I believe Microsoft has made tremendous progress in the security of their operating system, a process that famously started after the security mishaps of Windows XP and culminated in a memo sent by Bill Gates (then CEO) to all staff back in 2002. Eighteen years and 4 major Windows versions later, we finally see the benefits of the Trustworthy Computing initiative: secure-by-design client and server operating systems and applications for on-premises and cloud use.
Here I want to list just a few security benefits of Windows 10:
- Streamlined and automated security updates enabled by default.
- Windows Defender is now a state-of-the-art endpoint protection system, optimally designed to work on Windows 10 and utilizing the power of Microsoft Cloud for optimal protection.
- Core operating system protection with Device Guard, Secure Boot, Application Guard, Isolated browsing and many other features.
- Protected folders guarding against ransomware and document theft.
My issue with Microsoft, though, is that not all of these security features are available in the Home edition, which is frequently purchased by individuals, families and small businesses. I urge Microsoft to reconsider this strategy – security should be part of the core operating system for all and not a paid feature, otherwise the concept of Trustworthy Computing cannot be fully delivered.
There is also another reason to upgrade from Windows 7, and this is specifically relevant for businesses that must comply with the GDPR and equivalent regulations around the world. The GDPR requires security controls to be “secure by default” and “secure by design” with supplemental guidance quoting “state-of-the-art”. As Windows 7 is no longer a supported operating system, one cannot possibly succeed with an argument that keeping an End-Of-Life system operational in its processes is “state-of-the-art” security. Businesses continuing to run Windows 7 should tread carefully and keep Windows 7 at their peril.
How to upgrade Windows 7 for free
The good news is that Microsoft still allows free transition to Windows 10. Compatibility should not be a big issue as Windows 10 can run on most systems that supported Windows 7.
The simplest way to perform upgrades is to run the Windows 10 Upgrade Tool which checks the compatibility of your system and guides you through the upgrade.
However, legacy applications that simply won’t run on Windows 10 could present a big obstacle to upgrading.
If you cannot upgrade
Sometimes the upgrade is just not possible, so let me present some options for minimizing the risk of security breaches with Windows 7. Please note, I don’t believe these would constitute sufficient compensating controls for GDPR compliance:
1. Virtualize Windows 7 on top of Windows 10 (available in Professional and Enterprise) and only use it for legacy applications
2. Limit or preferably block access to the Internet and email from machines running Windows 7
3. Enable the Windows 7 firewall and make it as restrictive as possible: whitelist only access to required systems and block all incoming traffic
4. Increase security monitoring of Windows 7 access, file/registry changes and indicators of compromise – assume the operating system is insecure and has been compromised unless proven otherwise
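As an added example (not from the original article), here is a PowerShell script for a Windows 7 machine that applies options 3 and 4 above: a default-deny firewall with a whitelist of required systems, logging of dropped connections, and auditing of file, registry and logon activity. The server addresses and ports are constructed placeholders, not values from the article.

```powershell
# Added example, not from the original article. Hardens the built-in Windows 7
# firewall (option 3) and enables the auditing that option 4 relies on.
# Run from an elevated PowerShell prompt; netsh advfirewall and auditpol ship with Windows 7.
# All addresses and ports below are constructed placeholders (assumptions).
$LegacyAppServer = "10.10.20.5"      # assumption: server the legacy application talks to
$LegacyAppPort   = "8443"            # assumption: TCP port used by the legacy application
$DomainServices  = "10.10.10.10"     # assumption: internal DNS server / domain controller

# 1. Keep a rollback copy of the current policy before changing anything.
New-Item -ItemType Directory -Force -Path "C:\FirewallBackup" | Out-Null
netsh advfirewall export "C:\FirewallBackup\win7-before-hardening.wfw"

# 2. Default-deny in both directions on every profile. The Windows default is
#    "allow outbound", which is what lets a compromised host reach the Internet.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 3. Whitelist only what the legacy application needs: its server, plus name
#    resolution and domain authentication against the internal domain controller.
netsh advfirewall firewall add rule name="Legacy app server" dir=out action=allow `
    protocol=TCP remoteip=$LegacyAppServer remoteport=$LegacyAppPort
netsh advfirewall firewall add rule name="Internal DNS" dir=out action=allow `
    protocol=UDP remoteip=$DomainServices remoteport=53
netsh advfirewall firewall add rule name="Domain auth (Kerberos, LDAP, SMB)" dir=out action=allow `
    protocol=TCP remoteip=$DomainServices remoteport=88,389,445

# 4. Log every dropped connection so the monitoring in option 4 has data to work with.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"
netsh advfirewall set allprofiles logging maxfilesize 4096

# 5. Audit file, registry, logon and process activity so changes land in the Security
#    event log. Forward that log off the box: an unsupported OS is treated as compromised.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Registry" /success:enable /failure:enable
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable

# 6. Verify: the policy should read BlockInbound,BlockOutbound, and the outbound rule
#    list should contain only the rules above plus any built-in ones you have reviewed.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all dir=out
```

Note that the built-in "Core Networking" outbound rules stay enabled after the policy change, so review the final rule listing and disable any that the legacy application does not need.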
All of the above controls are going to need human and financial resources, which I believe is a good incentive for organizations to fully migrate off Windows 7.
As always, reach out to experts for more detailed advice if your organization is still on its journey to Windows 10.
Those hoping that I was going to justify staying on Windows 7 are likely sorely disappointed.
My advice is “upgrade, upgrade, and UPGRADE” – hardware where possible and operating system without due delay. The cost of new hardware may be daunting, but the cost of a security breach that would have been prevented on a patched, modern and supported system is likely to be much higher.
Source: HelpNetSecurity. Author: Vladimir Jirasek, CEO, Foresight Cyber.