Elements to a Secure Environment Becoming Resilient Towards Modern Cyberthreats

Windows XP Support
stops on 8. April 2014
Elements to a Secure Environment Becoming
Resilient Towards Modern Cyberthreats

Protect

Threat
Information

Contain

Detect

Response

Recover

02

Windows XP Support stops on 8. April 2014

Windows XP Support stops on 8. April 2014 why it concerns you

Windows XP Service Pack 3 (SP3) and Office 2003 will reach end of extended support
on 8. April 2014. After this date, Microsoft will not provide public support for these
products, including security patches, non-security hotfixes, incident support or online
technical content updates.
Running Windows XP SP3 after its end of support date may expose organizations to
potential risks, such as security & compliance risks or lack of Independent Software
Vendor (ISV) & Hardware Manufacturers support.
To mitigate the risk of cyberthreat and to protect their IT infrastructure, enterprise
and public sector organizations are strongly recommended to migrate away from
Windows XP to Windows 7 or Windows 8 and to implement an appropriate patching
regime to ensure a good security hygiene.
Windows XP great in its time but times have changed
It has been twelve years since the release of Windows XP and the world
has changed so much since then. Internet usage has grown from ~361
million to more than 2.4 billion users.
We have witnessed the rise of the internet citizen with members of society connected through email, instant
messaging, video-calling, social networking and a host of web-based
and device-centric applications. As
the internet becomes more and more
woven into the fabric of society, it
has also become an increasingly
popular destination for malicious activity (as evidenced in the Microsoft
Security Intelligence Report.) Given
the rapid evolution, software security
has had to evolve to stay ahead of
cybercrime. To help protect users
from rapid changes in the threat
landscape, Microsoft typically provides support for business and developer products for 10 years after
product release, and most consumer,
hardware, and multimedia products
for five years after product release.
Per our long established product
support lifecycle, after 8. April 2014,
Windows XP SP3 users will no lon-

ger receive new security updates,

non-security hotfixes, free or paid
assisted support options or online
technical content updates. This
means that any new vulnerabilities
discovered in Windows XP after its
end of service will not be addressed
by new security updates by Microsoft. Moving forward, this will make
it significantly easier for attackers to
successfully compromise Windows
XP-based systems using exploits for
unpatched vulnerabilities. In this
scenario, antimalware software and
other security mitigations are severely disadvantaged and over time
will become increasingly unable to
protect the Windows XP platform.

or any of the newer Windows operating systems. As the figure on the

next page illustrates, computers
running Windows XP routinely experience a significantly higher malware infection rate than computers
running any other supported version of Windows. Much of the elevated infection rate on Windows XP
can be attributed to the fact that
some of the key built-in security features included with more recent versions of Windows are not present in
Windows XP. Windows XP, designed
in a different era, simply cant mitigate threats as effectively as newer
operating systems, like Windows 7
and Windows 8.

We can get insight into what happens to malware infection rates

once a platform goes out of support
by looking at Windows XP Service
Pack 2 (SP2) as an example. Support
for Windows XP SP2 ended on 13.
July 2010. Although this platform
benefited from numerous security
enhancements when it was released,
today it has a much higher malware
infection rate than Windows XP SP3

As the threat landscape has evolved

over the past twelve years since the
release of Windows XP, so has software security. There are many new
security features today in more
modern operating systems that can
better protect users from criminal
activity including:

Computers cleaned per 1,000 scanned (CCM)

Elements to a Secure Environment Becoming Resilient Towards Modern Cyberthreats

03

25.0

20.0

15.0

Windows XP SP2

10.0

Windows XP SP3

5.0

Windows 7 RTM
Windows 7 SP1

0.0

1H10

2H10

Kernel improvements:
Recent versions of Windows include
a number of security-related improvements to the Windows kernel,
making it harder for cybercriminals
to use standard hacking techniques,
such as exploiting buffer overflows
or predict memory location of code.
Real-Time Malware Protection:
In Windows 8, Windows Defender
provides real-time protection against
malware and potentially unwanted
software out of the box.
BitLocker Drive Encryption:
Introduced in Windows Vista, BitLocker Drive Encryption enables users and administrators to encrypt entire hard drives, protecting data on
lost or stolen computers from unauthorized access. Windows 7 introduced BitLocker To Go, providing full
disk encryption for removable volumes. In Windows 8, BitLocker can
more easily be deployed and managed.
User Account Control (UAC):
Introduced in Windows Vista, User
Account Control helps prevent unauthorized changes to a computer by

1H11

2H11

1H12

enabling user accounts to run without administrator permissions except

when needed to perform administrative tasks. UAC was streamlined in
Windows 7 and later operating systems, providing an improved user
experience.
AppLocker:
Introduced in Windows 7, AppLocker
can be used by IT departments to restrict the programs users can execute
by defining powerful and flexible
rules. In Windows 8, administrators
can restrict Windows Store apps in
addition to legacy Windows applications.
UEFI Secure Boot:
Introduced in Windows 8, UEFI Secure Boot is a hardware based feature that is required on all Windows
8 certified devices. It helps prevent
unauthorized operating systems or
firmware from running at boot time
by maintaining databases of software signers and software images
that are pre-approved to run on the
individual computer.
Trusted Boot:
The Trusted Boot feature in Windows

2H12
8 verifies the integrity of Windows
startup files, and includes an Early
Launch AntiMalware (ELAM) capability that enables the antimalware
software to start before any third
party software. By starting the antimalware solution early and within
the protected boot process, the operation and integrity of the antimalware solution can be better guaranteed. As part of the boot process,
Windows also runs Measured Boot,
which allows third-party software on
a remote server to securely verify the
security of every startup component
in a way that would be very difficult
for malware to forge. If any tampering with the Windows boot process
or the antimalwares ELAM driver is
detected, Trusted Boot will repair the
system by restoring the original files.
Over and above all the security mitigations and features that are available in more modern operating systems, security development practices
have also evolved greatly over the
past decade, but so has the threat
landscape. See the table on the next
page showing the key threats present during the time of release of
Windows XP, Windows Vista, Windows 7 and Windows 8.

04

Windows XP Support stops on 8. April 2014

Key Threats

Internet was just growing

Mail was on the verge

1995
Windows 95
-

Key Threats

Melissa (1999), Love Letter

(2000)
Mainly leveraging social
engineering

2001

Key Threats

Code Red and Nimda (2001),

Blaster (2003), Slammer (2003)
9/11
Mainly exploiting buffer
overflows
Script kiddies
Time from patch to exploit:
Several days to weeks

2004

Windows XP

Windows XP SP2

Key Threats

Key Threats

Logon (Ctrl+Alt+Del)
Access Control
User Profiles
Security Policy
Encrypting File System (File
Based)
Smartcard and PKI Support
Windows Update

Zotob (2005)
Attacks moving up the stack
(Summer of Office 0-day)
Rootkits
Exploitation of Buffer Overflows
Script Kiddies
Raise of Phishing
User running as Admin

2007
Windows Vista

Bitlocker
Patchguard
Improved ASLR and DEP
Full SDL
User Account Control
Internet Explorer Smart
Screen Filter
Digital Right Management
Firewall improvements
Signed Device Driver Requirements
TPM Support
Windows Integrity Levels
Secure by default configuration (Windows features
and IE)

Address Space Layout Randomization (ASLR)

Data Execution Prevention
(DEP)
Security Development Lifecycle
(SDL)
Auto Update on by Default
Firewall on by Default
Windows Security Center
WPA Support

Organized Crime
Botnets
Identity Theft
Conficker (2008)
Time from patch to exploit:
days

2009
Windows 7

Improved ASLR and DEP

Full SDL
Improved IPSec stack
Managed Service Accounts
Improved User Account
Control
Enhanced Auditing
Internet Explorer Smart Screen
Filter
AppLocker
BitLocker to Go
Windows Biometric Service
Windows Action Center
Windows Defender

Key Threats

Organized Crime, potential

state actors
Sophisticated Targeted Attacks
Operation Aurora (2009)
Stuxnet (2010)

2012
Windows 8

UEFI (Secure Boot)

Firmware Based TPM
Trusted Boot (w/ELAM)
Measured Boot and Remote
Attestation Support
Significant Improvements to
ASLR and DEP
AppContainer
Windows Store
Internet Explorer 10 (Plugin-less
and Enhanced Protected Modes)
Application Reputation moved
into Core OS
BitLocker: Encrypted Hard Drive
and Used Disk Space Only Encryption Support
Virtual Smartcard
Picture Password, PIN
Dynamic Access Control
Built-in Anti-Virus

05

Elements to a Secure Environment Becoming Resilient Towards Modern Cyberthreats

The risk of Windows XP not being supported any more

As cybercriminals are very well aware of both XP end of service as well as the fact
that there will no longer be security updates, it can be assumed that exploits will be
targeted and leveraged quickly. In addition, the new operating system offers new opportunities for telecommuting, sharing of documents and information, working with
mobile solutions and connect with cloud services without impacting your security.
The effect of this is that todays cyberthreats are significantly better contained in Windows 8 than in Windows XP.

Secure boot

System
folder
Program
folder

EFS
Bitlocker

Integrity Level

UAC

RMS

Windows
Firewall

AppLocker

No
Autorun

vulnerability

Protected
View

Windows Defender

EFS

Smart
Screen

Hardening applications
and default setting

Program
Folder

vulnerability
Windows
Firewall

Windows 8
System
Folder

Windows XP

Vulnerability of Windows XP compared to windows 8

The risk is real, and it is not only

about security. Further risks include:
Unsupported business software
With security fixes and support for
Windows XP ending on April 8, 2014,
Independent Software Vendors
have already stopped testing new
software versions on Windows XP
and new releases of critical business
software may require Windows 7 at
minimum.

support past 8. April 2014 so customers needing support on XP will

be required to have XP Custom Support Agreement (CSA) in place. Additional cost will include an Enrollment Fee, and a Per Device Fee.

Additional benefits for

migration

Unsupported hardware
Hardware Vendors and OEMs have
also stopped testing new devices on
Windows XP. Many currently shipping computers will not support XP
and device drivers are not available.

Organizations that have migrated to

Windows 7 or 8 are enjoying the
benefits of a much improved user,
and management experience. One
of the great advantages of the migration is the opportunity to transform outdated, manual processes.
Real, tangible cost savings are realized as a natural outcome of the capabilities of Windows 8 Enterprise.

Increases support costs

Software Assurance will not provide

Anywhere Connection
Give people secure, hassle-free ac-

cess to data, applications, and colleagues. They need to stay productive anywhere, any time, and on a
variety of devices.
Personalized Experience
Enhance productivity by giving people personalized experiences that
anticipate their needs, remember
their preferences, and adapt to their
unique workstyle.
Intelligent Infrastructure
Deliver enterprise-grade solutions
designed to help you maintain security, streamline management, and
cut costs.
Desktop Deployment Planning
Services (DDPS)
Plan and prepare for an efficient and
successful Microsoft Office deploy-

06

Windows XP Support stops on 8. April 2014

ment by taking advantage of comprehensive planning services delivered through prequalified partners.

will make it easier to migrate solutions to a modern platform.

Microsoft App Accelerate Program (MAAP)

Test the product and service capabilities in a lab environment, define
requirements for the
new deployment, conduct a pilot, and then fully
deploy the Solution for Flexible
Workstyle.

We can help Public as well as Private

Sector customers protect their information and their own IT infrastructure through the improvement
of the health of their IT ecosystem.
Microsoft can support to create a
more secure, healthy IT ecosystem
through a complementary two steps
approach which are built on Microsofts unmatched expertise:

Windows To-Go
As bring-your-own-device (BYOD)
and mobility scenarios become
increasingly common, businesses
need new and more flexible ways to
help users be productive wherever
they are. Windows To Go is a new
feature for enterprise users of Windows 8 that enables users to boot a
full version of Windows from external USB drives on host PCs. Windows To Go drives can use the same
image that enterprises use for their
desktops and laptops, and can be
managed the same way. Offering a
new mobility option.
Reduced cost
IDCs analysis shows that supporting older Windows XP installations,
compared with a modern Windows
7-based solution, saddles organizations with a dramatically higher cost.
Annual cost per PC per year for Windows XP is $870, while a comparable
Windows 7 installation costs $168
per PC per year. That is an incremential $701 per PC per year for IT and
end user labor costs.
(Source: Mitigating Risk: Why Sticking with

How Microsoft can help

1) Conducting Microsoft Security

Risk Assessment through which customers can obtain an overview over
their current risk status
Helping organizations to understand their current threat landscape
is a good start to discuss XP migration. One of the assessments to consider is the MSRA. Microsoft Services Security Risk Assessment
offering (MSRA) is designed to help
determine the security risks in an
application and the infrastructure
supporting it. Using a formal methodology, the offering helps organizations understand their risk of exposure to security breaches in
critical applications and measure
their security controls and processes
against industry practices, thereby
establishing a security baseline from
which to measure progress.
2) Help with deployment of Windows 7 or 8 and making sure that
the new functionality can be used
efficiently

Windows XP is a Bad Idea. IDC White Paper,

May 2012.)

We are aware that there may be a lot

of challenges with the transition to
new systems, and have therefore
developed a number of tools that

The Windows XP to Windows 7 Migration Guide (http://technet.microsoft.com/en-us/ee150430.aspx) provides you with many different tools
that can be downloaded.
The Windows XP Mode for Windows

7 and 8 enables a user to install and

run Windows XP applications directly from a Windows 7-based PC. XP
Mode is an integrated environment
with a number of productivity features including Folder integration to
allow accessing the hosting Windows disk drives within XP Mode,
Seamless applications to access XP
Mode application in the All Programs menu from the hosting Windows machine, USB support for XP
Mode, Clipboard sharing between a
hosting Windows machine and XP
Mode and Printer redirection for XP
Mode.

Elements to a Secure Environment Becoming Resilient Towards Modern Cyberthreats

07

Plan and execute your Windows XP migration so that latest by

beginning of 2014 you have completed the migration!
Windows XP was a great operating
system in its time and provided value to a large number of people and
organizations around the world for
over a decade. But all good things
must come to an end. We hope this
information reinforces the importance of migrating to a modern operating system with increased pro-

tections, and instills a sense of

urgency onto organizations that are
behind schedule on their migration
projects.
In conclusion the clock is ticking
very fast. The support and maintenance for windows XP will end 8.
April 2014. By that time it is crucial

that enterprises and consumers will

have migrated to systems to Windows 7 or 8: our new, modern operating systems that have been made
for the future, both in terms of new
usages such that touch and mobile
computing, but importantly also
due to the heightened security.

Elements to a Secure Environment Becoming Resilient Towards Modern

Cyberthreats
This whitepaper is part of a series of papers on achieving resilience towards modern cyberthreats. It follows the
protect contain detect - response recover framework. In short, the framework is based upon the assessment that against modern attackers it is not enough to apply protective measures but that we need to be prepared to contain potentially successful intruders, detect them, respond to the incident and have the capability to
recover. Threat information is the foundation for all activities and provides awareness during each step.
Protect

Contain

Detect

Response

Recover

Threat
Information

Protect systems from compromise through a combination of training, implementation, and assessments.
Focus efforts on:
Contain attacker lateral movement and privilege escalation by managing the ability to abuse credentials.
Detect active attacks or compromised systems before they become pervasive in the customer.
Respond to an intrusion once it is detected.
Recover from an intrusion through executing planned recovery efforts.
Threat Information provides situational awareness.

08

Windows XP Support stops on 8. April 2014

For More Information Please Visit:

Microsoft Security:
http://www.microsoft.com/security
Trustworthy computing blog:
http://blogs.technet.com/b/security/archive/2013/04/09/
the-countdown-begins-support-for-windows-xp-ends-onapril-8-2014.aspx
Security Intelligence Report V14:
http://www.microsoft.com/security/sir/default.aspx

2013 Microsoft Corporation. All rights reserved.

This document is for informational purposes only.
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.