How will you manage XP after April 8, 2014 for those situations where you just have to have it?

Enough with the warnings about April 8th, 2014 and how it's irresponsible to think that you can continue to run Windows XP because it just works. Tim Rains of the Trustworthy Computing team at TechNet put up a great post about the dangers of running XP after the XPocalypse (thanks, Liquidware, for that awesome term), and, specifically, about how the security measures implemented in Service Pack 3 have already been overcome. Still, there are some people that will have to run XP well into the future, so how do they navigate security? Some people believe that antivirus gives them some protection, but if you read the TechNet article, you'll come away with the sense that viruses are much further down the list of security threats. So much so that if you run XP without support, why bother with AV at all?

Earlier this year I wrote about the cost of paying Microsoft to continue Windows XP support for your organization, and the numbers can be overwhelming. An environment with 5,000 machines will spend $200 per machine for the first year, $400 per machine the second year, and a whopping $1000 per machine for the third year. Some companies are going to be forced to do this, but what happens after year three? Are there really people that will need to keep XP around after 2017?

The short answer to that is yes, and the operative word is "need." Many companies will wind up spending money in the first year, getting them by until they can complete their migrations. By years two and three, though, it could be much more cost effective to just set fire to the building, collect insurance money, and buy all new machines. There are some, though, that simply have to run Windows XP well into the future. Those companies will have to find a way to cope, and that usually means truckloads of money. The unfortunate truth is that if you're planning on running XP for the foreseeable future, the right way to do it is to pay for the "privilege."

I had a Twitter conversation yesterday about whether or not antivirus vendors will continue to support XP. "Why bother?" I offered up, to which @PowerSchill replied "Because Windows XP is going to need AV more than ever after April 8, 2014." That's true, and it makes sense to run antivirus on machines for which you've paid for ongoing support, but if you're not planning on doing that, antivirus alone doesn't get you very far.

What we're really worried about with regards to XP security are zero-day exploits that occur before anyone has a chance to recognize that a hole existed in the first place. An article at IT World mentions that one of the tactics used by hackers is to watch for updates to Windows 7 and 8, then go back and look for whatever vulnerability those fixes address in Windows XP. Since MS moves major blocks of code around between OS versions, it stands to reason this approach could have a lot of success. And, since these are fundamental issues with the OS, antivirus providers will only be able to provide reactive support at best. They're limited because they don't actually modify the source code to eliminate the vulnerabilities.

Will AV vendors even support Windows XP after Microsoft washes their hands of it? What's in it for them? If the number of unchecked threats increases, the workload placed on the antivirus companies to identify them also increases. At the same time, though, the number of licenses sold dwindles. How sustainable is that business plan? Will they charge more for XP antivirus to offset the difference? Perhaps more each year to support an ever-dwindling user base? Sounds like the MS paid support plan!

In all likelihood, the antivirus companies will continue to provide support for XP devices in the near term, but when the lines for amount of work and profitability cross (or even get close to each other), I'd expect them to pull the plug. Maybe we'll see a cottage industry that contains one or two XP-specific antivirus solutions, or maybe Microsoft will continue making a version of Security Essentials to protect against viruses that is included in the support fees.

At the end of the day, though, AV will only take you so far, and you'll still have to worry about protecting yourself against the zero-day exploits. That means that if you're stuck in the unenviable position of running XP, you're going to have to pay for it. Still, I'm asked whether I know of any roundabout solutions to patch XP machines or otherwise deal with XP in the future. Even if they were to exist, is there anything that can give you enough of a sense of security to make it worthwhile? Who, besides Microsoft, is able to ensure that the base OS is legitimate and uncompromised?

The only solution I can think of to ensure your installation of Windows is uncompromised is to use Deep Freeze from Faronics, assuming it remains supported. Maybe that's the roundabout solution that makes the most sense. Install XP, patch it as much as you can, then "freeze" it so that every time it boots, it boots the exact same OS. It does this by creating a virtual file table and redirecting any changes to that. When the machine is rebooted, those changes are thrown out, and a new virtual file table is created based on the gold base image. You should still disconnect or isolate it from the network if you can, but if you can't do that you can cycle it often to ensure some sort of integrity. That could be the best use case for Deep Freeze yet, and it's certainly cheaper than buying support.
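As an added illustration (not Faronics' code, and not an implementation detail of Deep Freeze), here is a toy Python model of the redirect-on-write behaviour the paragraph describes: every write lands in a per-boot overlay, a reboot discards that overlay, and a "thawed" maintenance window is the only time changes reach the gold image. The file names and contents are constructed; note that the tampered state is fully visible for the whole session, which is exactly the gap the model makes plain.

```python
class FrozenDisk:
    """Gold image plus a per-boot overlay that absorbs every write (toy model)."""

    _DELETED = object()  # tombstone: file removed during this session only

    def __init__(self, gold_image):
        self.gold = dict(gold_image)  # persistent base image
        self.frozen = True            # False only during a maintenance window
        self.overlay = {}             # this session's writes; dropped on reboot

    def read(self, path):
        if path in self.overlay:
            value = self.overlay[path]
            return None if value is self._DELETED else value
        return self.gold.get(path)

    def write(self, path, data):
        # Frozen: redirect to the overlay. Thawed: commit straight to gold.
        target = self.overlay if self.frozen else self.gold
        target[path] = data

    def delete(self, path):
        if self.frozen:
            self.overlay[path] = self._DELETED
        else:
            self.gold.pop(path, None)

    def reboot(self):
        """A reboot throws the overlay away; the gold image is untouched."""
        self.overlay = {}
        self.frozen = True

    def thaw(self):
        """Open a maintenance window so approved patches persist."""
        self.frozen = False


def demo():
    """Patch while thawed, then show a session's tampering vanish on reboot."""
    dll = "C:/Windows/system32/kernel32.dll"   # constructed path
    dropped = "C:/Temp/dropped.exe"            # constructed path
    disk = FrozenDisk({dll: "v1"})
    disk.thaw()
    disk.write(dll, "v1-patched")              # approved patch, committed to gold
    disk.reboot()                              # back to frozen operation
    disk.write(dll, "tampered")                # simulated in-session tampering
    disk.write(dropped, "payload")             # simulated dropped file
    during_session = (disk.read(dll), disk.read(dropped))
    disk.reboot()
    after_reboot = (disk.read(dll), disk.read(dropped))
    return during_session, after_reboot
```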

Many people are in this situation, so I'm curious what your plans are. Do they go beyond unplugging the network or some other type of isolation? Do you change the OS to Server 2003 R2 to take advantage of the later end of life date (July 14, 2015)? If you're not planning on paying for legitimate support, what are you planning on? Deep Freeze? Letting it ride? Something else?


I guess Faronics Deep Freeze is better than nothing, but may certainly not be enough either. Yes, Windows XP will be clean again after reboot. But unless you reboot all your Windows XPs at the exact same time, a single compromised machine can quickly re-infect the clean ones again.


@DanShappir



Lock the firewall down hard, as worms will propagate on any exposed Windows service. GPO disable all non-critical services.


It's like bailing a sinking boat with a teaspoon; it's still going down.



@Gabe you could also use application whitelisting along with deepfreeze.



Whitelisting would work from a virus standpoint, but it won't help against exploits, right? Maybe I'm wrong, but I figure once the OS is compromised, all bets are off on what any software we load will or will not do.


I guess it just goes to show the best thing to do is going to be to pay for support, pay for A/V, and probably use Deep Freeze anyway, but only trying to do one of those things in an effort to avoid paying MS is simply not going to work.



What about Bromium? I don't know a whole lot about it, but would it be a possible solution?



Not clear what the problem is? How many apps are there really that you must have XP for? There has been plenty of time and warning to do something? What's still outstanding should be an exception and affordable.


If it's because of being lazy, the reward should be the cost taken directly from salary.



DeepFreeze will not freeze away the gross negligence that this suggestion actually is (thanks to @DanShappir for pointing out one of the most OBVIOUS flaws).


The hackers will still enjoy an 8 hour workday of keylogging, spamming, cracking, until the PC is booted, unfrozen again, and simply (automated) reinfected, and so on...


I can think of dozens of good and legitimate uses for DeepFreeze, but this is probably the worst. Ceterum censeo XP esse delendam, as already the Romans knew.



@Gabe, I will be forthcoming: I run Deepfreeze on around 900 machines (Win 7).


Emanuel highlights a key tenet that a lot of people forget when they think about Deepfreeze, and that is you still have to protect the local session. The same thing comes up with the question of why to run AV in non-persistent VDI.


App Whitelisting will not fix vulnerabilities but may help to slow malicious code payload propagation (be it user-initiated or autonomous worm). Its effectiveness could be limited because if the attack hits a Windows file/service and mutates it, it would also be trusted.



Bromium won't save you, they only support Windows 7 today. Nothing wrong with Faronics Deep Freeze for restoring application state for testing purposes, etc. But I wouldn't trust it as a security solution because at the end of the day they've provided some kernel-level components that, if they are compromised, an attacker could bypass Deep Freeze and leave residual content on the machines. As Dan already mentioned, the notion of rebooting the machine to clean it only works well when something isn't wormable/spreading and when people actually reboot their systems on a regular basis. If I had to keep a set of Windows XP around after EOL, the ideal solution I would choose is a set of pooled non-P XP VMs that restore back to their clean image on each boot. I would also configure timers on the Virtual Desktop Pool to prohibit long-duration session connections or retaining of disconnected sessions. Essentially put a 4-8 hour timer on how long you can use the XP VM before it's reset back to the pool. Or ideally use an app publishing platform off the XP VMs (like XenDesktop VM-hosted apps) and tear down the VM as soon as the single-instance app is closed. That's the best possible situation to minimize potential infection. That XP VDI tier BTW should sit in a separate VLAN / DMZ. But keep in mind that while everyone is freaking the hell out about XP, trust me when I say your Windows 7 ain't much better and no one is trying to devise security solutions for it. So quit your panicking about the small fish and think big picture here. Windows 7 is more secure than XP. Windows 8 is more secure than 7. But day after day people don't enable things like EMET, Protected Mode, tiered browser/mail clients on segmented networks, dynamic whitelist and a bazillion other security solutions that, while none are guaranteed hacker-proof, every single time you make it more difficult for the attacker you win a small victory.


Shawn



@shoesus8 - That's a great example of the kind of thing we're trying to protect. I mean, "Share a website with you, believe you will love it." Classic.


Yeah, this isn't a wide sweeping problem, but I wanted to know how people did intend to deal with it for the freak situations where it was needed.


Good points about Deep Freeze. It sounds like even if you isolate the crap out of a box with DF on it, it's still not a great solution. The bottom line is that there is no good way to run XP after The End without just buying support outright.


This article serves to put a bow on that (the last one I wrote prompted several emails about ways to safely run XP after it's all over), so I'm calling it good and looking forward to writing no more articles about Windows XP.


We need some sort of celebration on April 8. Maybe at AppDetective's lavishly appointed house in the hills?



@Gabe,


Did I understand you correctly that BM.com is running on XP? That would explain some things ...



I'm hearing a lot about isolating the OS but what about isolating the app?


Exploits have relatively few means to reach a locked down firewalled machine where the users cannot browse the net directly from the box.


If we're looking at keeping bad old software hanging around, I'm pretty sure Presentation Server 4.5 could be installed on XP... boot as a read-only VM and launch the app straight into the user's existing Citrix session. As soon as the user logs out, burn the VM... ;)



I wonder why not much has been said about Office 2003 custom support.

