The end of support is near for Windows 7, Windows Server 2008, and Windows Server 2008 R2. All of these will stop receiving security updates and technical assistance after Jan. 14, 2020.
Windows 7 end-of-support arrives more than 10 years after the OS was released on Oct. 22, 2009. When the support period ends, technical assistance and software updates via Windows Update will no longer be available. Related Windows 7 services will be discontinued over time; the Electronic Program Guide for Windows Media Center, for one, will be shut down this month.
Some services will continue to receive support. Microsoft will continue to support its Edge browser for another 18 months, terminating support on July 15, 2021, at the earliest. Google will support Chrome on Windows 7 for the same time frame, the company confirmed last week.
The end of support for Windows Server 2008 means the end of additional free on-premise security updates, non-security updates, free support options, and online technical content updates. Users are urged to migrate their Windows Server 2008 products and services to Azure to access three more years of Critical and Important security updates at no additional charge.
For non-Azure environments, Microsoft advises customers to upgrade to the latest version. Those who cannot meet the end-of-support deadline can buy Extended Security Updates to protect their server workloads until they upgrade, though some restrictions apply, it notes.
Microsoft began alerting users of the Windows 7 deadline last April, when pop-up notifications started to arrive on machines running the OS. In October, users of non-domain-joined Windows 7 Pro devices started to see similar end-of-support alerts. The idea was to push users to upgrade before the deadline or risk leaving machines vulnerable to a host of attacks.
"Microsoft has been sounding the horn about this for a while now," notes Satnam Narang, senior research engineer for security response at Tenable, who warns threats are imminent. Attackers are "chomping at the bit" to target victims still running Windows 7 and Server 2008, he says, and "it's pretty much fair game for them to find ways to exploit vulnerabilities."
One example he points to is CVE-2019-1458, an elevation of privilege vulnerability that has been exploited in the wild and affects both Windows 7 and Windows Server 2008. Businesses should be worried about targeted zero-day attacks, Narang continues, but another concern is how attackers can build these into exploit kits and launch more widespread attacks.
Richard Melick, senior technology product manager at Automox, anticipates an increase in services-based attacks leveraging vulnerabilities in Remote Desktop Protocol (RDP), Server Message Block (SMB), and other areas where services run as Windows 7 support terminates. The risk will continue to grow as third-party software products also end support for the OS.
"As that continues to advance, the older machines with the older operating systems won't be supported as often as some of the newer ones," he explains. Many companies will go off of Microsoft's schedule and stop supporting older products. "It helps them with development," Melick says. "Why develop for operating systems that are no longer supported?"
Both experts agree companies that don't upgrade face a range of phishing and tech support scams with subject lines crying, "Your machine is no longer supported!"
"There's definitely an opportunity for tech support scammers to take advantage," Narang points out.
Downsides of the Upgrade Process
Why do organizations continue to run an operating system they know will be unsupported? A host of challenges could be to blame, Melick says.
"The biggest one is going to come down to operational workflow," he notes. As most security and IT managers are aware, any upgrade potentially disrupts workflow. Because there is so much third-party software in corporate environments, software hurdles vary across businesses. A smaller company may lack resources to do a full OS upgrade. However, doing the research and planning for a massive enterprise with 2,000-plus seats "can be daunting," Melick explains.
Larger organizations also face the issue of balance and disconnect between the business and security teams. Melick points to a client that hadn't updated its machines in years because there were so many devices to support. This made them a target.
"Do we continue to delay that update due to testing and functionality and workflow, and put us at risk for attack, or do we do the update now and deal with workflow issues and a lot of service tickets?" he says.
Experience has taught him the latter is preferable, he noted. This isn't the only issue pushing businesses to upgrade. GDPR, HIPAA, and PCI compliance requirements also apply pressure.
"If you're running a machine that's not updated, you could potentially be out of compliance," Melick adds.
Not Upgrading? What to Do Now
If your organization doesn't have the money or resources to upgrade, you're not alone – but there are steps you can take to better protect your systems and prepare for the migration.
Melick advises IT and security teams to come together and establish an audit of services and hardware connected to the network, creating a full picture of every device, status, upgrading capability, and other factors. He also advises applying all available patches as soon as possible.
"With the operating system not being updated past tomorrow, deploy all the patches," he says. "Let's close that window of attack and minimize the attack surface as much possible … that's going to probably be the easiest way to get there."
In addition to relying on endpoint protection software to detect known threats, Narang advises taking the time to train employees on phishing scams that could arrive in their inboxes after support ends.
Microsoft will likely continue releasing patches for major vulnerabilities that affect Windows 7 and Server 2008, Narang points out. When the BlueKeep vulnerability was disclosed, for example, the company released fixes not only for Windows 7 and Windows Server 2008, but also Windows XP and Windows 2000, both of which were no longer supported at the time.
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "6 Unique InfoSec Metrics CISOs Should Track in 2020."