Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:15 PM
Connect Directly

Microsoft to Officially End Support for Windows 7, Server 2008

Windows 7 and Server 2008 will continue to work after Jan. 14, 2020, but will no longer receive security updates.

The end of support is near for Windows 7, Windows Server 2008, and Windows Server 2008 R2. All of these will stop receiving security updates and technical assistance after Jan. 14, 2020.

Windows 7 end-of-support arrives more than 10 years after the OS was released on Oct. 22, 2009. When the support period ends, technical assistance and software updates via Windows Update will no longer be available. Related Windows 7 services will be discontinued over time; the Electronic Program Guide for Windows Media Center, for one, will be shut down this month.

Some services will continue to receive support. Microsoft will continue to support its Edge browser for another 18 months, terminating support on July 15, 2021, at the earliest. Google will support Chrome on Windows 7 for the same time frame, the company confirmed last week.

The end of support for Windows Server 2008 means the end of additional free on-premise security updates, non-security updates, free support options, and online technical content updates. Users are urged to migrate their Windows Server 2008 products and services to Azure to access three more years of Critical and Important security updates at no additional charge.

For non-Azure environments, Microsoft advises customers to upgrade to the latest version. Those who cannot meet the end-of-support deadline can buy Extended Security Updates to protect their server workloads until they upgrade, though some restrictions apply, it notes.

Microsoft began alerting users of the Windows 7 deadline last April, when pop-up notifications started to arrive on machines running the OS. In October, users of non-domain-joined Windows 7 Pro devices started to see similar end-of-support alerts. The idea was to push users to upgrade before the deadline or risk leaving machines vulnerable to a host of attacks. 

"Microsoft has been sounding the horn about this for a while now," notes Satnam Narang, senior research engineer for security response at Tenable, who warns threats are imminent. Attackers are "chomping at the bit" to target victims still running Windows 7 and Server 2008, he says, and "it's pretty much fair game for them to find ways to exploit vulnerabilities."

One example he points to is CVE-2019-1458, an elevation of privilege vulnerability that has been exploited in the wild and affects both Windows 7 and Windows Server 2008. Businesses should be worried about targeted zero-day attacks, Narang continues, but another concern is how attackers can build these into exploit kits and launch more widespread attacks.

Richard Melick, senior technology product manager at Automox, anticipates an increase in services-based attacks leveraging vulnerabilities in Remote Desktop Protocol (RDP), Server Message Block (SMB), and other areas where services run as Windows 7 support terminates. The risk will continue to grow as third-party software products also end support for the OS.

"As that continues to advance, the older machines with the older operating systems won't be supported as often as some of the newer ones," he explains. Many companies will go off of Microsoft's schedule and stop supporting older products. "It helps them with development," Melick says. "Why develop for operating systems that are no longer supported?"

Both experts agree companies that don't upgrade face a range of phishing and tech support scams with subject lines crying, "Your machine is no longer supported!"

"There's definitely an opportunity for tech support scammers to take advantage," Narang points out.

Downsides of the Upgrade Process
Why do organizations continue to run an operating system they know will be unsupported? A host of challenges could be to blame, Melick says.

"The biggest one is going to come down to operational workflow," he notes. As most security and IT managers are aware, any upgrade potentially disrupts workflow. Because there is so much third-party software in corporate environments, software hurdles vary across businesses. A smaller company may lack resources to do a full OS upgrade. However, doing the research and planning for a massive enterprise with 2,000-plus seats "can be daunting," Melick explains.

Larger organizations also face the issue of balance and disconnect between the business and security teams. Melick points to a client that hadn't updated its machines in years because there were so many devices to support. This made them a target.

"Do we continue to delay that update due to testing and functionality and workflow, and put us at risk for attack, or do we do the update now and deal with workflow issues and a lot of service tickets?" he says.

Experience has taught him the latter is preferable, he noted. This isn't the only issue pushing businesses to upgrade. GDPR, HIPAA, and PCI compliance requirements also apply pressure.

"If you're running a machine that's not updated, you could potentially be out of compliance," Melick adds.

Not Upgrading? What to Do Now
If your organization doesn't have the money or resources to upgrade, you're not alone – but there are steps you can take to better protect your systems and prepare for the migration.

Melick advises IT and security teams to come together and establish an audit of services and hardware connected to the network, creating a full picture of every device, status, upgrading capability, and other factors. He also advises applying all available patches as soon as possible.

"With the operating system not being updated past tomorrow, deploy all the patches," he says. "Let's close that window of attack and minimize the attack surface as much possible … that's going to probably be the easiest way to get there."

In addition to relying on endpoint protection software to detect known threats, Narang advises taking the time to train employees on phishing scams that could arrive in their inboxes after support ends.

Microsoft will likely continue releasing patches for major vulnerabilities that affect Windows 7 and Server 2008, Narang points out. When the BlueKeep vulnerability was disclosed, for example, the company released fixes not only for Windows 7 and Windows Server 2008, but also Windows XP and Windows 2000, both of which were no longer supported at the time.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "6 Unique InfoSec Metrics CISOs Should Track in 2020."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
User Rank: Black Belt
1/15/2020 | 5:50:45 AM
What after windows 7 end
Windows 7 is my favorite operating system. Not mine even most of the computer users love windows 7 end. Yes, we most of the user are running windows 10 but the user who is running still running in windows 7 can upgrade windows 7 to windows 10 operating system by the following guide.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
The Yellow Brick Road to Risk Management
Andrew Lowe, Senior Information Security Consultant, TalaTek,  11/19/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: He hits the gong anytime he sees someone click on an email link.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-11-25
osCommerce has XSS vulnerability via the authenticated user entering the XSS payload into the title section of newsletters.
PUBLISHED: 2020-11-25
GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of ever...
PUBLISHED: 2020-11-25
Nanopb is a small code-size Protocol Buffers implementation. In Nanopb before versions 0.4.4 and, decoding specifically formed message can leak memory if dynamic allocation is enabled and an oneof field contains a static submessage that contains a dynamic field, and the message being decoded...
PUBLISHED: 2020-11-25
A flaw was found in the way the spice-vdagentd daemon handled file transfers from the host system to the virtual machine. Any unprivileged local guest user with access to the UNIX domain socket path `/run/spice-vdagentd/spice-vdagent-sock` could use this flaw to perform a memory denial of service fo...
PUBLISHED: 2020-11-25
An XSS issue was found in the Shares feature of LiquidFiles before 3.3.19. The issue arises from the insecure rendering of HTML files uploaded to the platform as attachments, when the -htmlview URL is directly accessed. The impact ranges from executing commands as root on the server to retrieving se...