Vulnerabilities / Threats

6/6/2017
10:30 AM
Kenny Covington
Kenny Covington
Commentary
50%
50%

Advice for Windows Migrations: Automate as Much as Possible

The security lessons Riverside Health System learned when moving to Windows 7 will help it quickly move to Windows 10.

The recent news that the WannaCry virus had impaired the UK's National Health Service's ability to provide care for its tens of millions of patients was scary for all of us working in IT. As a systems administrator for more than 20 years at nonprofit US healthcare provider Riverside Health System, I felt sympathetic.

When reports emerged suggesting that the vulnerability exploited by the hackers was caused by the NHS running Windows XP, I identified in a whole new way. Although Riverside migrated from Windows XP some time ago, it was a challenging process and had a steep learning curve. Riverside isn't on the scale of the NHS (we have about 9,500 machines now, mostly Windows), but all healthcare providers will face similar challenges.

Fortunately for us, and unlike many other healthcare providers, we could take solace in knowing that 90% of our environment was already protected through our normal monthly patch cycle, because we've automated that process. The remaining 10% for which we had to take special measures are those "problem children" unable to receive a patch because of their own technical faults. This is something we're hoping we can remedy as we move to Windows 10.

Riverside completed its Windows 7 migration a couple of years ago. However, if there's a lesson in last month's unfortunate events, it's that none of us should rest on our laurels. The more up-to-date your software, patches, and operating system are, the better. WannaCry is a loud wake-up call reminding us that we all need to stay current. As a result, we're planning to accelerate our move to Windows 10.

Key Lesson
When we started our Windows 7 migration, we did it the old-fashioned, manual way, running a master image (also known as a golden image) for Windows 7 that we provided to our techs. It was a very hands-on approach — each tech had time to build one, maybe two per day, if he or she was lucky — and we had about 4,800 devices to update. We had tons of different makes and models of hardware that hadn't been standardized. It quickly became clear to managers that they were going to have to hire more than $600,000 worth of labor to come in and do the process if we wanted it done within two to three years.

Check out the all-star panels at the 'Understanding Cyber Attackers & Cyber Threats' event June 21 and get an in-depth look at your cyber adversaries. Click here to register. 

The other option was automation. We thought we could leverage Microsoft's Configuration Manager, but it would not allow us to propagate such a large image across the T1 network. Then we decided to research third-party vendors that offer automation. In the end, we went with 1E, whose peer-to-peer technology suited our needs. Automation proved key for ensuring that machines could be migrated quickly but consistently to Windows 7: each individual machine has a lot of unique data on it, so it was great to use the migration tools, back up the data on a local machine on the subnet, capture everything, and then restore it cleanly. In the end, 1E's tools helped us compress our Windows 7 upgrade from the two to three years we expected down to one year.

The Road to Windows 10
As we ready ourselves for Windows 10, we face a similarly challenging environment: lots of unique data on the machine, the question of where and how you store it, and how you get these packages across the network quickly. We still have our automation infrastructure in place to deal with these problems. But there are other lessons we're looking to carry over, too, as well as some new challenges we will face.

One difference with Windows 10 concerns its high-speed release cadence. As the WannaCry attack reminds us, from a security point of view, you want to not only be using the latest OS but the latest version of it, and patched as much as possible. In addition, we're planning to migrate swiftly, to avoid having several different flavors of Windows 10 at the same time. Automation will help.

Another challenge for us is that we're looking to go to a 64-bit operating system across the board. With the last migration, to simplify the migration process we stayed with the same OS processor architecture type on each device for compatibility reasons. If the PC was a 64-bit XP machine, then it got 64-bit Windows 7, and if it had a 32-bit system, it got 32-bit Windows 7. We've had vendor applications that absolutely will not run in one version or another. Without an operating systems deployment migration process that allows us to quickly rebuild those machines, that, too, would be a very big undertaking.

We begin our Windows 10 migration very soon. Despite all the challenges and changes,  although consultants told us Windows migrations typically take several years, we believe we can do it in one (or even faster) with automation. Accelerating the move not only improves our security posture but also helps us continue to give our end users and medical professionals a consistent experience — something they've come to value from our IT team.

Related Content:

Kenny Covington, System Administrator for Riverside Health System, based in Newport News, Virginia, has been a member of the information system staff for over 21 years. He originally was hired as a PC technician at age 16 and has been involved with the endpoint side of the IT ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Alicialynch
50%
50%
Alicialynch,
User Rank: Apprentice
6/7/2017 | 7:32:10 PM
Other migration tools
There are a number of alternatives to crappy free tools. Ive worked for places that used the free tool from MS, which was a disaster. Ive heard good reports from other techs about the tool from Tranxition. Heat software also has one as part of their DSM tool..
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-13106
PUBLISHED: 2018-08-15
Cheetahmobile CM Launcher 3D - Theme, wallpaper, Secure, Efficient, 5.0.3, 2017-09-19, Android application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.
CVE-2017-13107
PUBLISHED: 2018-08-15
Live.me - live stream video chat, 3.7.20, 2017-11-06, Android application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.
CVE-2017-13108
PUBLISHED: 2018-08-15
DFNDR Security Antivirus, Anti-hacking & Cleaner, 5.0.9, 2017-11-01, Android application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.
CVE-2017-13100
PUBLISHED: 2018-08-15
DistinctDev, Inc., The Moron Test, 6.3.1, 2017-05-04, iOS application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.
CVE-2017-13101
PUBLISHED: 2018-08-15
Musical.ly Inc., musical.ly - your video social network, 6.1.6, 2017-10-03, iOS application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.