Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

6/6/2017
10:30 AM
Kenny Covington
Kenny Covington
Commentary
50%
50%

Advice for Windows Migrations: Automate as Much as Possible

The security lessons Riverside Health System learned when moving to Windows 7 will help it quickly move to Windows 10.

The recent news that the WannaCry virus had impaired the UK's National Health Service's ability to provide care for its tens of millions of patients was scary for all of us working in IT. As a systems administrator for more than 20 years at nonprofit US healthcare provider Riverside Health System, I felt sympathetic.

When reports emerged suggesting that the vulnerability exploited by the hackers was caused by the NHS running Windows XP, I identified in a whole new way. Although Riverside migrated from Windows XP some time ago, it was a challenging process and had a steep learning curve. Riverside isn't on the scale of the NHS (we have about 9,500 machines now, mostly Windows), but all healthcare providers will face similar challenges.

Fortunately for us, and unlike many other healthcare providers, we could take solace in knowing that 90% of our environment was already protected through our normal monthly patch cycle, because we've automated that process. The remaining 10% for which we had to take special measures are those "problem children" unable to receive a patch because of their own technical faults. This is something we're hoping we can remedy as we move to Windows 10.

Riverside completed its Windows 7 migration a couple of years ago. However, if there's a lesson in last month's unfortunate events, it's that none of us should rest on our laurels. The more up-to-date your software, patches, and operating system are, the better. WannaCry is a loud wake-up call reminding us that we all need to stay current. As a result, we're planning to accelerate our move to Windows 10.

Key Lesson
When we started our Windows 7 migration, we did it the old-fashioned, manual way, running a master image (also known as a golden image) for Windows 7 that we provided to our techs. It was a very hands-on approach — each tech had time to build one, maybe two per day, if he or she was lucky — and we had about 4,800 devices to update. We had tons of different makes and models of hardware that hadn't been standardized. It quickly became clear to managers that they were going to have to hire more than $600,000 worth of labor to come in and do the process if we wanted it done within two to three years.

Check out the all-star panels at the 'Understanding Cyber Attackers & Cyber Threats' event June 21 and get an in-depth look at your cyber adversaries. Click here to register. 

The other option was automation. We thought we could leverage Microsoft's Configuration Manager, but it would not allow us to propagate such a large image across the T1 network. Then we decided to research third-party vendors that offer automation. In the end, we went with 1E, whose peer-to-peer technology suited our needs. Automation proved key for ensuring that machines could be migrated quickly but consistently to Windows 7: each individual machine has a lot of unique data on it, so it was great to use the migration tools, back up the data on a local machine on the subnet, capture everything, and then restore it cleanly. In the end, 1E's tools helped us compress our Windows 7 upgrade from the two to three years we expected down to one year.

The Road to Windows 10
As we ready ourselves for Windows 10, we face a similarly challenging environment: lots of unique data on the machine, the question of where and how you store it, and how you get these packages across the network quickly. We still have our automation infrastructure in place to deal with these problems. But there are other lessons we're looking to carry over, too, as well as some new challenges we will face.

One difference with Windows 10 concerns its high-speed release cadence. As the WannaCry attack reminds us, from a security point of view, you want to not only be using the latest OS but the latest version of it, and patched as much as possible. In addition, we're planning to migrate swiftly, to avoid having several different flavors of Windows 10 at the same time. Automation will help.

Another challenge for us is that we're looking to go to a 64-bit operating system across the board. With the last migration, to simplify the migration process we stayed with the same OS processor architecture type on each device for compatibility reasons. If the PC was a 64-bit XP machine, then it got 64-bit Windows 7, and if it had a 32-bit system, it got 32-bit Windows 7. We've had vendor applications that absolutely will not run in one version or another. Without an operating systems deployment migration process that allows us to quickly rebuild those machines, that, too, would be a very big undertaking.

We begin our Windows 10 migration very soon. Despite all the challenges and changes,  although consultants told us Windows migrations typically take several years, we believe we can do it in one (or even faster) with automation. Accelerating the move not only improves our security posture but also helps us continue to give our end users and medical professionals a consistent experience — something they've come to value from our IT team.

Related Content:

Kenny Covington, System Administrator for Riverside Health System, based in Newport News, Virginia, has been a member of the information system staff for over 21 years. He originally was hired as a PC technician at age 16 and has been involved with the endpoint side of the IT ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Alicialynch
50%
50%
Alicialynch,
User Rank: Apprentice
6/7/2017 | 7:32:10 PM
Other migration tools
There are a number of alternatives to crappy free tools. Ive worked for places that used the free tool from MS, which was a disaster. Ive heard good reports from other techs about the tool from Tranxition. Heat software also has one as part of their DSM tool..
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Introducing 'Secure Access Service Edge'
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  7/3/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5607
PUBLISHED: 2020-07-10
Open redirect vulnerability in SHIRASAGI v1.13.1 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
CVE-2020-15001
PUBLISHED: 2020-07-09
An information leak was discovered on Yubico YubiKey 5 NFC devices 5.0.0 to 5.2.6 and 5.3.0 to 5.3.1. The OTP application allows a user to set optional access codes on OTP slots. This access code is intended to prevent unauthorized changes to OTP configurations. The access code is not checked when u...
CVE-2020-15092
PUBLISHED: 2020-07-09
In TimelineJS before version 3.7.0, some user data renders as HTML. An attacker could implement an XSS exploit with maliciously crafted content in a number of data fields. This risk is present whether the source data for the timeline is stored on Google Sheets or in a JSON configuration file. Most T...
CVE-2020-15093
PUBLISHED: 2020-07-09
The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures. It allows an attacker to duplicate a valid signature in order to circumvent TUF requiring a minimum threshold of unique signatures before the metadata is considered valid. A ...
CVE-2020-15299
PUBLISHED: 2020-07-09
A reflected Cross-Site Scripting (XSS) Vulnerability in the KingComposer plugin through 2.9.4 for WordPress allows remote attackers to trick a victim into submitting an install_online_preset AJAX request containing base64-encoded JavaScript (in the kc-online-preset-data POST parameter) that is execu...