Enough with the warnings about April 8th, 2014 and how it's irresponsible to think that you can continue to run Windows XP because it just works. Tim Rains of the Trustworthy Computing team at TechNet put up a great post about the dangers of running XP after the XPocalypse (thanks, Liquidware, for that awesome term), and, specifically, about how the security measures implemented in Service Pack 3 have already been overcome. Still, there are some people that will have to run XP well into the future, so how do they navigate security? Some people believe that antivirus gives them some protection, but if you read the TechNet article, you'll come away with the sense that viruses are much further down the list of security threats. So much so that if you run XP without support, why bother with AV at all?
Earlier this year I wrote about the cost of paying Microsoft to continue Windows XP support for your organization, and the numbers can be overwhelming. An environment with 5,000 machines will spend $200 per machine for the first year, $400 per machine the second year, and a whopping $1000 per machine for the third year. Some companies are going to be forced to do this, but what happens after year three? Are there really people that will need to keep XP around after 2017?
The short answer to that is yes, and the operative word is "need." Many companies will wind up spending money in the first year, getting them by until they can complete their migrations. By years two and three, though, it could be much more cost effective to just set fire to the building, collect insurance money, and buy all new machines. There are some, though, that simply have to run Windows XP well into the future. Those companies will have to find a way to cope, and that usually means truckloads of money. The unfortunate truth is that if you're planning on running XP for the foreseeable future, the right way to do it is to pay for the "privilege."
I had a Twitter conversation yesterday about whether or not antivirus vendors will continue to support XP. "Why bother?" I offered up, to which @PowerSchill replied "Because Windows XP is going to need AV more than ever after April 8, 2014." That's true, and it makes sense to run antivirus on machines for which you've paid for ongoing support, but if you're not planning on doing that, antivirus alone doesn't get you very far.
What we're really worried about with regard to XP security are zero-day exploits that occur before anyone has a chance to recognize that a hole existed in the first place. An article at IT World mentions that one of the tactics used by hackers is to watch for updates to Windows 7 and 8, then go back and look for whatever exploit those fixes address in Windows XP. Since MS moves major blocks of code around between OS versions, it stands to reason this approach could have a lot of success. And, since these are fundamental issues with the OS, antivirus providers will only be able to provide reactive support at best. They're limited because they don't actually modify the source code to eliminate the vulnerabilities.
Will AV vendors even support Windows XP after Microsoft washes their hands of it? What's in it for them? If the number of unchecked threats increases, the workload placed on the antivirus companies to identify them also increases. At the same time, though, the number of licenses sold dwindles. How sustainable is that business plan? Will they charge more for XP antivirus to offset the difference? Perhaps more each year to support an ever-dwindling user base? Sounds like the MS paid support plan!
In all likelihood, the antivirus companies will continue to provide support for XP devices in the near term, but when the lines for amount of work and profitability cross (or even get close to each other), I'd expect them to pull the plug. Maybe we'll see a cottage industry that contains one or two XP-specific antivirus solutions, or maybe Microsoft will continue making a version of Security Essentials to protect against viruses that is included in the support fees.
At the end of the day, though, AV will only take you so far, and you'll still have to worry about protecting yourself against the zero-day exploits. That means that if you're stuck in the unenviable position of running XP, you're going to have to pay for it. Still, I'm asked if I know any roundabout solutions to patch XP machines or how to deal with XP in the future. Even if they were to exist, is there anything that can give you enough of a sense of security to make it worthwhile? Who, besides Microsoft, is able to ensure that the base OS is legitimate and uncompromised?
The only solution I can think of to ensure your installation of Windows is uncompromised is to use Deep Freeze from Faronics, assuming it remains supported. Maybe that's the roundabout solution that makes the most sense. Install XP, patch it as much as you can, then "freeze" it so that every time it boots, it boots the exact same OS. It does this by creating a virtual file table and making any changes to that. When the machine is rebooted, those changes are thrown out, and a new virtual file table is created based on the gold base image. You should still disconnect or isolate it from the network if you can, but if you can't do that you can cycle it often to ensure some sort of integrity. That could be the best use case for Deep Freeze yet, and it's certainly cheaper than buying support.
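The reboot-to-restore behaviour described above, modelled as an added example (not Faronics code and not from the original post; the class, method names and sample paths are hypothetical). It also shows why cycling often matters: a change made during a session stays live until the reboot discards it.

```python
# Toy model of a reboot-to-restore volume (illustrative only, not Deep Freeze code).
from types import MappingProxyType

_DELETED = object()  # overlay marker for a file removed during the session


class FrozenVolume:
    def __init__(self, gold_image):
        # The gold image is read-only: no session write ever reaches it.
        self._gold = MappingProxyType(dict(gold_image))
        self._overlay = {}  # path -> bytes or _DELETED; lives until reboot

    def write(self, path, data):
        self._overlay[path] = data

    def delete(self, path):
        self._overlay[path] = _DELETED

    def read(self, path):
        # The overlay wins over the gold image while the session is running.
        data = self._overlay.get(path, self._gold.get(path))
        if data is None or data is _DELETED:
            raise FileNotFoundError(path)
        return data

    def session_changes(self):
        """Classify what currently differs from the gold image."""
        changes = {}
        for path, data in self._overlay.items():
            if data is _DELETED:
                if path in self._gold:
                    changes[path] = "deleted"
            elif path not in self._gold:
                changes[path] = "added"
            elif data != self._gold[path]:
                changes[path] = "modified"
        return changes

    def reboot(self):
        """Return the session's changes (for logging), then discard them."""
        report = self.session_changes()
        self._overlay = {}
        return report


# Constructed sample data: paths and contents are made up for the demo.
HOSTS = r"C:\WINDOWS\system32\drivers\etc\hosts"
vol = FrozenVolume({HOSTS: b"127.0.0.1 localhost"})
vol.write(HOSTS, b"10.0.0.5 update.example")
vol.write(r"C:\Temp\dropped.exe", b"MZ...")
before_reboot = vol.read(HOSTS)  # tampered copy is live during the session
report = vol.reboot()
after_reboot = vol.read(HOSTS)   # gold copy is back after the reboot
```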
Many people are in this situation, so I'm curious what your plans are. Do they go beyond unplugging the network or some other type of isolation? Do you change the OS to Server 2003 R2 to take advantage of the later end of life date (July 14, 2015)? If you're not planning on paying for legitimate support, what are you planning on? Deep Freeze? Letting it ride? Something else?