Monday, May 4, 2020

Windows 7 end-of-life security mitigation

On January 14, 2020, Windows 7 entered its End of Life phase.  This means Microsoft no longer offers patches or security updates for Windows 7.  As a result, Windows 7 will remain vulnerable to attacks that currently supported Windows operating systems will have patched in future updates.  While our guideline would optimistically be to update any Windows 7 system to a supported operating system, we realize that some legacy software and hardware used across the medical and scientific community may not be compatible.

Alternative solutions were raised in discussions on the Trusted CI discuss email list, an article from the University of Michigan, an article from CSO Online about isolating the device, and an article from Electronic Specifier focused on medical devices.  From these resources, we offer the following guidelines to reduce the risk the system poses to your cyberinfrastructure environment, depending on the needs of the host.

Universal controls that apply to all scenarios:
  • Reduce the functionality of the device to only the legacy software needed by doing the following:
    • Uninstall all unnecessary software
    • Turn off all unneeded network services
    • Don't use the system for web browsing or other network-client-based activities that are non-essential
  • Do not open any new office documents on the system
  • Monitor traffic between host and network at boundaries

Scenario 1: The host is a control system and has no need for access to the network
  • Remove the host from the network, preventing access
  • Prevent staff from accidentally connecting it to the network by covering Ethernet and USB ports with warning stickers

Scenario 2: The host is a control system where the user physically accesses the host and needs to access the network for sensors as well as to upload data to a server

  • Segment the host from the network via restricted VLAN, allowing access to chosen devices
  • Use local firewall rules to only allow outbound data from host for uploading data and inbound data to host from the specific sensor IPs
  • Disable outside access with a GPO (Group Policy Object) or your local policy

Scenario 3: The host is a control system and needs to allow remote control access and the serving of data
[Photo: Trusted CI worked with the Gemini Observatory in the past on a cyberinfrastructure engagement]
  • Insert secure bastion host between Windows 7 host and network, requiring access to the bastion host before accessing the Windows 7 host
  • Ensure the bastion host follows security best practices for a bastion host role, including multi-factor authentication (MFA)
  • Use local firewall rules to limit access to the Windows 7 host
  • Disable outside access with a GPO (Group Policy Object)
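
The local firewall rules called for in Scenario 2 and Scenario 3, written out as a netsh script for Windows 7 (netsh advfirewall is the built-in tool on that version; the PowerShell firewall cmdlets only arrived in Windows 8). This is an added example and not part of the original post or any of the referenced articles; every address, port and rule name is a placeholder to be replaced with your own values, and the script must be run from an elevated command prompt.

```batch
@echo off
REM Placeholder values (constructed for this example): replace with your own.
set UPLOAD_SERVER=192.0.2.10
set UPLOAD_PORT=443
set SENSOR_IPS=198.51.100.21,198.51.100.22
set SENSOR_PORT=502
set BASTION_IP=192.0.2.5

REM Keep a copy of the current policy so the change can be rolled back.
netsh advfirewall export "%SystemRoot%\win7-fw-backup.wfw"

REM Default-deny in both directions on every profile (domain, private, public).
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

REM Scenario 2, outbound: only the upload channel to the data server, by IP.
netsh advfirewall firewall add rule name="Win7 EoL - upload to data server" dir=out action=allow protocol=TCP remoteip=%UPLOAD_SERVER% remoteport=%UPLOAD_PORT%

REM Scenario 2, inbound: only the sensors, only on the port the legacy software listens on.
netsh advfirewall firewall add rule name="Win7 EoL - sensor data in" dir=in action=allow protocol=TCP remoteip=%SENSOR_IPS% localport=%SENSOR_PORT%

REM Scenario 3 variant: remote control reaches the host only from the bastion.
REM Uncomment if the host must be reachable over Remote Desktop.
REM netsh advfirewall firewall add rule name="Win7 EoL - RDP from bastion only" dir=in action=allow protocol=TCP remoteip=%BASTION_IP% localport=3389

REM Log dropped packets so the boundary-monitoring control has a local record too.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "%SystemRoot%\system32\LogFiles\Firewall\pfirewall.log"

REM Review the result. The built-in "Core Networking" rules (DHCP, DNS, ICMP) stay
REM enabled under the default-deny policy; disable the ones a static-IP host does not need.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all
```

Verify from a sensor and from a non-sensor address that only the intended connections succeed, and keep the exported .wfw file with the system's documentation.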

These steps reduce the potential risk as well as the impact of a security event should the system become compromised.  In addition to these steps, ensure project leadership is informed of the additional risk from this system.  This list is also applicable to other unsupported systems that are vulnerable.  Users of Windows 7 systems can also pay for extended security updates from Microsoft for the next 3 years; the cost varies by the version of Windows 7 and doubles in price each year.