Ask Slashdot: Preparing For Windows XP EOL?
An anonymous reader writes "As most of us working in IT may know, Microsoft will stop supporting Windows XP on April 8th, 2014. Although this fact has been known for quite some time, XP is still relatively popular in companies and also enjoys noticeable marketshare for home users. Even ATMs are running XP and will continue to do so for some time. A lot of companies/users don't want to change because they see no additional benefit to do a costly upgrade, no reason to change a running system, and they may in some cases be right with their assumptions. So what is the best way to secure this remaining Windows XP systems? Installing the latest security patches, checking firewall status and user permissions etc. should be fairly obvious, as Microsoft Security Essentials may also not receive updates anymore, changing antivirus programs seems a sensible thing to do."
Just don't run as an administrator! Also don't run IE or OE. Use Firefox with NoScript. Keep an updated and supported anti virus package installed. Don't use Flash, Adobe Reader or Java. It's actually not a problem.
If XP is behind a corporate firewall - no problem.
Everyone should have a separate non-Windows firewall.
It really is all very simple and never requires the running of ridiculous anti-virus products.
No.
If you think that newer versions of windows don't have anything to offer you shouldn't have to do anything at all (as presumably you don't think continued security support is something worth upgrading for).
I stopped using an antivirus program in 2005, shortly before converting to Linux.
Aren't actual viruses pretty rare nowadays? Most malware attacks the browser and plugins.
If you need to deal with end-of-line, then it would be a good idea to open your file in text mode. It makes no difference on Unix because the line separator is LF anyway, but as you may know on Windows XP it is CRLF.
So what is the best way to secure this remaining Windows XP systems?
If you can't keep the box permanently offline, then the best way to secure Windows XP after the EOL date is to uninstall it. By believing otherwise you are only fooling yourself.
We have mission-critical software that must be run under XP. The software checks the OS somehow and reports Operating System Not Supported if we try to install it under Win7. It *does* run under Win7 in the XP virtual machine, however the software has a hardware security key that attaches to the parallel port, and the VM doesn't let it access the LPT at the low level it needs to (apparently) to recognize the key. It's XP for us for a while, damn the torpedoes.
MSE will have definitions for a year after the EOL: http://blogs.technet.com/b/mmp...
Load all patches, install a good antivirus, have a second or third one that you run occasionally manually (not all anti-virus packages get everything), use an updated chrome or Firefox browser. For Firefox, I'd suggest using noscript and web of trust as well. Keep Java in medium or high security mode, only go to reputable sites, and only enable JavaScript when needed.
Logic is the beginning of reason, not the end of it.
Other than your one embedded example, that I don't think pertains to the other 99% of computers you are discussing, I question that it is really that expensive to upgrade to Win 7...
I realize there is more than hardware costs, but did you really expect your software to work for more than 10-15 years without needing an upgrade? Most people in this situation are there because they have deferred the (most likely needed) updates until now. And now they have an unusual number of computers to upgrade. My employer is squarely in this position.
Bite the bullet and upgrade. If you really want to stand firm against M$ or something, simply install any number of old-hardware-friendly linux distros. Knoppix is my current favorite.
I finally updated my sig, but now it's lame.
While what the article says is probably a good way to handle the EOL.. over time this is just going to get bad.
Ever image a machine to win98 and plug it in to the intertubes lately?
Yeah.
every one that stays with an unsupported OS
whether it is Windows, Apple, or Linux
should be held LEGALLY RESPONSIBLE for all the "shit" they cause
now there are some needed instances that can be solved by running XP on a VM
just like the sometimes needed need to run RH9 on a VM or RHEL3 on a VM
proprietary NEVER to be updated software
How about this one. All of your software options are better on 7 than XP. Firefox and Chrome are moving away from supporting it. Microsoft is moving away from supporting it too. You know what that means, Mr. Super Conservative Executive/IT guy? It means your threat vectors are now starting to approach "everything installed on this workstation" instead of just the OS.
Migrate your apps, fork the code, invest some cash. And next time, write up a long term strategy regarding how to live with well known product lifecycles.
I plan to clone my hard drive on April 8th and just restore from that backup whenever I get hacked. No fail in this plan!
In all seriousness, I've been gradually transitioning to Linux Mint as my primary OS, with XP as a dual-boot option (basically for games). I also have a XP VM running under Mint that I'll be able to use if I need XP and don't want to reboot. Everything's installed on a single 1TB platter drive so I really do have 2 cloned backups (on- and off-site) available.
I hadn't planned on getting a Windows OS after XP due to draconian DRM, although I haven't had a problem with XP licensing since I bought it retail in '04; I'm considering getting Win7+SSD since that's what I have at work and it's actually quite nice. That being said, most of the programs I use are cross-platform FOSS, so it's not a strong need (notable exceptions are rFactor and Visual Studio).
my, your, his/her/its, our, your, their
I'm, you're, he's/she's/it's, we're, you're, they're
Use Firefox. Keep the biggest attack vectors up to date (Adobe stuff in particular). Get rid of Java entirely unless you desperately need it; in that case, keep it up to date religiously. Use Adblock Plus (or equivalent) to block ads which sometimes carry malicious code. Don't do stupid things online. Don't run executables unless you absolutely know they're safe. Don't install pirated software since pirated software sometimes comes with lovely surprise infections. Use a limited user account for your daily activities and an administrator account only for maintenance tasks or to run software that won't work under the limited account. Always use a NAT router between the computer and the Internet, and don't run any open wireless network with that PC attached.
It's largely just a matter of (A) don't do obviously dumb things and (B) don't run everything as an administrator in the first place. Remember that antivirus and security software is a final line of defense; everything else is basically a problem with the user's behavior or knowledge, and if you are careful and follow good security practices in the first place, you aren't at any significantly greater risk than you are now.
One more thing: if someone really wants to break in, they will. XP or 7 or 8 or 8.1 and all the updates in the world won't matter in such a case, so my final piece of advice: don't piss anyone off that might want to come after you.
10 year old laptop now runs Lubuntu and 5 year old desktop "server" is going in the trash, replaced by an ARM SBC running debian.
Hell can you even still do that?
I've been having nothing but hell with a broken updater on all my VMs.. Either it takes 100% CPU usage non stop, or completely fails and immediately fails every update.. Every workaround in the book didn't fix that either.
Luckily I only use the VMs for testing at work.. happy to dump them and get back to my non MS OSes...
one tip i keep seeing is not to log in as an administrator if you don't need to. using a regular user account is fine for most uses. from what I understand, malware needs administrator access to copy files and send data to remote servers. I might be wrong. also, keep anti-virus software updated.
only downside to using Windows XP is that some games and new software for home users won't run under XP
I already have a day off scheduled for the 9th. I will get black out wasted drunk.
"A lot of companies/users don't want to change because they see no additional benefit to do a costly upgrade, no reason to change a running system."
Sigh, organizations with this mentality still view IT departments as an expense instead of a strategic partner...
For many of my clients that run milling machines that still run XP, I am just making sure that they are not connected any longer. In that scenario, continuing XP is sensible and cost effective, with little to no risk. I'm sure most of the IT world is going to see the flare up of exploits that people have been hanging on to waiting for MS to no longer be willing to patch. Any one of my other clients - law firms, non profits etc. - I am forcing the upgrade. No need to be so tied to such a clunky and difficult to recover OS anymore. Embrace the already 4 year old future, get on the update bandwagon and move on. None of my clients are seeing this as the end of the world like the media and others are describing it.
There hasn't been a root exploit in XP for a couple of years now, which means if you are running as a user and not root, and you know what you are doing, XP should be fairly safe.
1. Run as a regular user and only elevate permissions when you need to
2. Make sure your directory permissions are locked down properly (there are guides to help you do this)
3. Turn off all unnecessary services
4. Run a 3rd party antivirus app - BitDefender Free is excellent
5. Regularly run rootkit detectors and a second on-demand scanner (I use Trend Micro)
6. Don't use IE, use Firefox with NoScript turned on
7. Don't use Flash, Adobe Reader or Java. Use Sumatra PDF for PDF viewing.
I keep a VM of XP around for running some old apps and reading my junk email account. I've been sent virii and all sorts of junkware, and running the above config is pretty impervious to anything thrown at me. I can revert the image to its original state if something bad happens, and I've yet to have to do that.
My Other Computer Is A Data General Nova III.
At a large company you pay MS for an extended service contract and life goes on as usual. It isn't like all the ATMs will never get patched again after April.
Don't use IE or Word/Office. That covers most of the exploits.
We were scouring the lab here and noticed that our traffic generator had an embedded OS and it was of course XP. It took a LOT of back and forth with the vendor (whom we pay a big fat support contract to each year) to get a Win 7 disc. Apparently they don't have a plan for XP migration because they don't want to buy a ton of new license keys. This is a problem for people who can not have unpatched systems on the network. Technically the embedded edition is not going EOL yet, but we have concern about Microsoft keeping the patches flowing when the majority of the installs are no longer supported. The last thing we want is someone using one of our own network appliances as an attack vector. The printers are bad enough (they had to be vlaned--no way to properly secure them), but some of the other stuff requires real network access.
I read the internet for the articles.
Year of the linux desktop
Windows SteadyState from Microsoft is available for Windows XP.
SteadyState virtualizes the OS directories transparently on the disk. File writes/updates are directed to a secluded area. You can set it to simply delete those journaled updates upon restart/signoff. Any malware will be effectively gone. Windows Update would still be possible when signing in as the SteadyState administrator (creating an updated image), but that's kind of moot at this point.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
That's what's going to happen to all the XP machines (that haven't been air gapped already) where I work.
Most of the XP holdouts are lab equipment. (Oscilloscopes, Arbitrary Waveform Generators and the like.) They were already air gapped, anyway.
There are a few machines that run old development tools needed for production. (As in factory, not web services.) They will be left connected long enough to catch the last batch of updates, then relegated to USB storage and optical media for data transfer. (With sensible precautions, like disabling autorun, of course.)
Fortunately, those projects will not be around forever and will slowly be replaced with newer versions that run on Windows 7 and/or Ubuntu 12.04. (Maybe 14.04.)
Next on the todo list, Ubuntu Server 10.04. Its number is up soon, and that one will be a lot more obnoxious to get rid of than XP was.
I work in a lab in a large research university, and they are taking it very seriously. All of our lab machines are being swapped out for Windows 7 - a non-trivial task given some of the individual software for certain lab machines is... clunky at best. Any computer that must stay running XP (because the instrument's software requires it) will be removed from the network. Personally, I only run XP (for said lab purposes) in VirtualBox, completely cut off from the web. There has even been serious discussion amongst school administrators to proactively block any machine running XP from even connecting to the school's network. Drastic, perhaps, but I can understand it from their point of view.
I live in constant fear of the Coming of the Red Spiders.
A vast majority of people have moved away from XP due to the natural IT lifecycle - hardware breaking and replacement machines coming with newer operating systems and newer versions of software only working on Vista/7/8. Even Vista is starting to show its age with Microsoft's decision not to let Office 2013 support Vista - so that's a lot of your customer base etc already sorted.
There's always going to be an "overlap", as such, there's no real way of convincing people off something they see no benefit in replacing - the same reason why people drive battered old cars. If it works, why replace it...? The natural lifecycle will denote these products, like anything else, will be replaced when the owner deems them fit to be replaced - when they're not fit for purpose any more.
A lot of people have been chastising MS for their decision not to support XP anymore, which they are well within their rights to withdraw support for a product now >13 years old. Shouldn't some of the blame for XP's continual use be shifted onto the third party software developers who kept XP support in their products going for such a long time?
don't use firefox. don't use any browser at all. if you need a browser, you need windows 7. sorry to burst your bubble, but anything else is going to be dangerous. you should be getting rid of any potential vector for badness (any software, particularly software that is known to touch the internet) altogether.
Don't. Don't secure it. Just let the chips fall where they may. Failure is an option, and you've presented things such that it's the best option.
Before you reply with "that's crazy" (or "that's lazy") let me remind you that there's "no .. benefit" to being more secure, and "no reason" to worry about the consequences. The submission has already stated that solving the security problem has zero value. So why are you working on it? Just let it go. Security is a don't-care condition. Every hour spent on it, is an hour wasted for no benefit.
If you change your mind about it being a don't-care condition, then you open the door to upgrading to a maintainable OS. But you can't do that, until you decide that upgrading does have benefits, and there is reason to change a running system.
So .. have you changed your mind? Are you still sure there's no benefit to an upgrade and no reason to change a running system? Or have you realized that's TOTALLY FUCKING ABSURD yet? Because I think once you realize that it's TOTALLY FUCKING ABSURD then you're going to see some options appear.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Why am I, a software developer, still using XP on my primary workstation? The only realistic upgrade path is to purchase a new computer.
In-place upgrade of XP->Win7 is not reliable, if it works at all. And the licensing DRM on all software I use will ensure that it is impossible even if Microsoft made it easy to upgrade. So every time this comes up, I look at all the software I have to manually delicense and relicense (assuming the software even allows that), or purchase upgrades since it doesn't fully work under Win7, and I say fuck it. Days of time and $$$ for absolutely no real benefit. As I've gotten older, my increasingly rare downtime has become far too precious for this bullshit.
So why don't I just buy a new machine? Circumstances (a blown motherboard) forced me to upgrade my current workstation a couple years ago without upgrading the OS and apps (needed to get back working asap). So I have a modern machine running XP which should last me for a few more years.
Counter to what some people seem to think, running XP isn't an end in itself. In the real world you run XP in order to run certain applications, right? Applications that typically won't run on Linux (closed-source Windows-only stuff) and may not even run on Windows-7.
Besides upgrading would be really expensive. Ripping out several million boxes, reformatting their disks, installing Linux, dealing with a substantial percentage of cases where the hardware breaks when you unplug them or on which the more recent kernels won't run is very expensive. So expensive in fact that the license cost for a Windows copy will be completely dwarfed by the cost of handling the hardware and installing Linux.
By the time you're done installing the OS you'll find your troubles are only beginning. You'll find that your old applications (that you built into your business) won't function anymore. You might be able to write one single application for ATM's that runs on Linux or a more recent version of Windows but you won't have time to test that thoroughly (enough) and you'll replicate that application millions of times. Good luck! For ordinary office machines you'll be facing a big bill in reinstalling all the old packages and even more (training !) if you decide to upgrade the applications too. And then you can watch your office performance sag as everyone starts learning their way around the new apps.
Chances are you'll lose a lot more money handling, migrating, training, and pushing updates to all those millions of boxes than dealing with any security problems that may start to arise in the next two years.
That, in a nutshell, is why it makes financial sense to just isolate the, shortly very vulnerable, XP boxes behind firewalls than to upgrade them.
In fact I think you might even be able to insure yourself against cost of problems when you continue using XP at a rate that's much lower than the cost of migrating.
Twinkies, tents, double-barrel'er, and water jugs
Table-ized A.I.
The virus writers who have been holding back XP payload might have vectors that also hit Vista/7/8. With all the juicy XP targets to compromise, they can do more effective random IP address attacks like the days when XP Service Pack 2 wasn't around. So I'm not totally concerned, but just a little bit concerned that this could hose more than just the XP installations.
God spoke to me
End of support for XP is no real problem at all! Just downgrade to Windows 2000! It doesn't even need activation!
I see this response a lot, and I completely understand it. Business needs what it needs, and so if it doesn't see a need to update, it won't. Got it. Perfectly. Crystal Clear.
But an honest question: What happens to that 100k database (maybe 200k in the future?) 5, 10, 20 years from now, when the computer it runs on breaks and you can't get replacement parts for that old motherboard. When Windows 98 does not have drivers for the hardware being made. When the database grows so large that the HDD in your Windows 98 box can't even handle it. When Windows 98 can't keep up with the network speeds and standards of the future that are required to stay competitive. When the install medium itself gets scratched too many times and stops reading.
I don't feel like I've EVER seen any contingency plan for this. The excuse is always "You're out of touch, business needs to run older systems". Again, I agree and understand. But at some point, maybe not soon, but at some point it WILL stop working, or at the very least, its age hampers the budget more than helps.
Is there a plan to at least move to VMs to try to preserve the software a little more? (Maybe you are already using the VMs). Are there good backups for the VMs? Can the VMs access the USB ports and what not for your devices? How many of your devices use old ports that don't even come on any computer sold in the past 10 years?
While I understand the reasons for not upgrading immediately (or not even quickly), 15-20 years seems excessive, and I start to think this is a failure of business leaders more so than a misunderstanding of technical people.
Ummm no. Most people will not change because there are literally no upgrades available.
I'm trying to get an Installfest set up at the local library to help XP users migrate to Ubuntu.
*** One Giant Major F**cking HUMUNGUS OPPORTUNITY For Every Tech in the world! ***
Now tell me you can't find a gig!
Go For it, guys!
That's easy:
fromdos *.txt
We need a "+1 -- nice sig" moderation.
"What's our iceberg preparedness response again?"
We have a system running Win98 at the office. It is not on the network. The only thing it does is controls the door system. To get the updated software supported by a more current OS would cost $5k. It just isn't worth the headache right now. I did talk them into running on a current machine and we just use a virtual Win98 environment to do the software bits. Overall it is still pointless since the machine isn't on any network. Eventually we'll upgrade the whole door lock system but until then that virtual Win98 environment will get the job done.
Still using DOS, Win98, and OS 7 to support thousands in legacy hardware (vendor did not port their applications to newer OS's) These OS's are not networked and used only for supporting the older hardware. Sure, it would be nice to move the old equipment out to pasture, but it still works.
You can keep an old OS going by keeping working backups, accepting limited functionality, not being attached to an external network, accepting that new peripherals are not supported, using best practices, monitoring your system, and being ready to do your own repairs.
Some may be surprised but companies still sell new copies of DOS programs, for niche markets. Just add your 386 box from ebay. XP will just continue the trend.
http://www.peerblock.com/ plus lists from https://www.iblocklist.com/lists.php (and custom lists of your own...I have 249 lists active right now, almost all from iblocklist.com. Since there's no need for my computer to receive or send data to/from China, Russia, etc., it now cannot.)
http://winhelp2002.mvps.org/hosts.htm
http://www.safer-networking.org/business/
Security Compliance Manager and the rest of "Tools & Downloads", along with regularly checking "Read the latest advisories" under "More Tasks" at http://technet.microsoft.com/en-us/security/bb291012
http://technet.microsoft.com/library/cc700810.aspx (How to Configure Memory Protection in Windows XP SP2, from years ago)
Disable IIS, Remote Registry, Routing and Remote Access, Net Meeting, and SSDP discovery service if you do not need them.
for casual web browsing/listening to music on my XP machine I'll boot to puppy linux on a usb drive. Whenever I need to run something in Windows I'll just boot into XP after unplugging the ethernet cable.
"the fax machine is nothing but a waffle iron with a phone attached to it." - Grandpa Simpson
or something.
i just came here to make fun of "this remaining ... systems" :)
Rich
Word came down today that running any XP images is a security violation.
Security violations are potentially an immediate termination offense.
Never answer an anonymous letter. - Yogi Berra
I still use my 1982 Atari 800. Atari doesn't exist anymore. So what?
01/01/01
When has Microsoft supported its products?
I ran Windows Update on my XP box last night. Seemed to work fine. So I guess the answer to your question is "yesterday."
We have Surface Mount Assembly Equipment that runs Windows NT4 and Windows 2000.
Surprisingly, it all still networks OK. (But of course on its own isolated subnet)
There is ZERO chance any of this industrial equipment will ever have an OS update.
46137
The real concern is remote exploits. I doubt we'll see any that aren't fixed by running with the firewall enabled. So really, this is all a lot of press about an issue that's going to turn out to be a non-event.
If I had an XP exploit, I'd just sit on it until it goes EoL. It's worth more when you can use it with impunity and not worry about it being patched.
What is this "Windows" of which you speak?
My SIG is a P226
My employer is planning on falling back to antivirus for defense. I work at a hospital with thousands of workstations almost all of which are XP. While I don't do any real browsing at work other than following weather in the event it's severe or big news stories, many people do and lack the "common sense" antivirus suite in their head.
Chewbacon
The Bible is like Wikipedia: written by a bunch of people and verifiable by questionable sources.
The UCLA Medical System, a gigantic organization, required all hospitals, providers, etc. to standardize on a single, integrated medical record-keeping system. Medical history, diagnoses, prescriptions, appointments — the works. This was within the last 12 months.
It runs on XP.
Happy privacy!
I've been dreading having to roll that big'ass barrel of unused XP CD's out the door. That thing is freakin heavy.
Having to work for a living is the root of all evil.
One popular choice among enterprises which use systems for manufacturing or one reason or another must remain on XP would be to use Whitelisting. Application Control or whitelisting does the job of AV and more by blocking execution of anything new that is not on the white list.
With the parallel port on the host passed through to the guest.
And keep your old working code.
Copy the current machine as a VM and backup the image somewhere. When the current hardware dies, run the VM on something newer.
I'm not gonna prep at all.
I'm just gonna let the damn machines fucking die.
If people don't want to upgrade; fuck-em.
Just format the C: drive, install Ubuntu (instead of calling it C:\ or something else from 1960, you can call it something like /data (why C: ? why not "homedrive" or something more descriptive?)). If you are being abandoned by a company you paid money to, then consider where you spend your money. Or not. It's your money, if you are happy/blissful being abandoned and insist that they are the only one, then go ahead and expect to keep having to pay to have a system that doesn't fall down unless you pay for a new version every few years. Pay and pay and pay; have fun with that.
Looks like they finally have a sponsor http://community.reactos.org/?...
Haven't hit that yet - take a look at the drivers on some install disks some time. For when we do hit it there is the option of cold spares. For example I got about 10 Sunblade 5 machines second hand not very many years ago to act as spares for antiquated data acquisition systems - and I can see people on the PC side of things doing similar things. It may not be an ideal solution, but it is a solution of a kind which can keep things going until other components reach a point where they can be replaced (eg. the example I gave above is being phased out).
I'd stop getting updates for XP right now. The ethics challenged folk over at MicroShoddy will probably be putting defects into the final updates to make sure that the XP stops working sometime after the D-Day to propel numerous customers into having to buy those new OS versions.
So save yourself some trouble (as if they (MicroShoddy) have been wasting their profits fixing anything real on XP now or for the recent past...)
Rubbish. For many requirements the cycle is much shorter, some incremental and some longer. An arbitrary number is not "reality" no matter what bold type and capitals you use to pretend your opinion is some sort of fact.
Also with enough spare machines you can pretend machines are going to run forever and just replace them when you need something quicker. If it dies most people can put up with something slower for a day or two until something with better specs than could be justified with a rapid replacement cycle or standard PCs purchased in bulk every 3, 5 whatever years. More work in budgeting but a job isn't there to make it easy for the person doing it.
I've got some people using pretty old stuff with a new video card, an SSD and 3 screens - to them it's like having a new computer but with XP and all their old apps still on it. Others might have had a machine that maxed out at 8GB two years ago, so they got a machine that can take 16GB last year and looking at 32GB now - putting an arbitrary date on these things instead of considering usability is IMHO wrong (with capitals, bold and a lot of exclamation marks if you wish).
It's not entirely clear what you mean when you say "root exploit" but one interpretation is an exploit that when run as a regular user gives you administrator/root permissions. There have definitely been privilege escalation exploits for XP recently (e.g. CVE-2013-5065 leverages a bug in NDProxy).
Perhaps you meant "remote exploit" but also last year there was CVE-2013-3175 malformed asynchronous RPC request so another machine can attack your XP machine over the network with no user intervention. See this table of 2013 Windows XP CVE entries for a list of what MS have been patching...
If you are no longer able to keep your OS regularly patched it's no longer safe and you are better off using something else for online activities. Save XP for those appliances that have to use it and can be stringently firewalled/quarantined.
The XP users I know have a large menagerie of applications they've collected over a decade or more with very few that will run in Win7. Migration is a matter of replacing a pile of stuff and learning to do things in a new way instead of the quick ways they know from years of use. While current hardware still supports their platform the XP mode virtual machine in Win7 looks like utter crap in comparison and Virtualbox not much better (although I have a few people on Win7 using that just to run some old AutoDesk software from before they fucked up the interface).
Then there's the stuff locked to hardware that won't run Win7.
To sum up, there's no point people moving unless they get some sort of benefit out of what they move to. More memory than XP can handle was the no brainer for a lot of us, but for some tasks 2-3GB is plenty leaving some people with no problems with the platform.
I think in the future I'll probably end up with people running Win7 (or 9 if it isn't shit) to run MS Office+firefox and for just about everything else they'll VNC to an XP virtual machine on something quick and almost live in that space. People who have been using the same stuff for a decade+ don't want a replacement from a different vendor with a crap metro or ribbon front end, they want the app that they can operate without thinking much about it.
For other kinds of boxes, just remove the browser and tell people to surf using their tablet or the shared machine down the hall.
Those whose work absolutely requires them to use a browser you can provide with more modern boxes.
Still way cheaper than replacing every single XP box.
A society which wants privacy in public places and doesn't allow street photographers to take photos of people without permission and publish or sell them as fine art or as photojournalism doesn't deserve to run Windows XP. -- Sofia Koutsouveli
The "let's fire the developers and outsource to India" idea has been going on for a while and left us with a lot of orphaned software that only works on XP.
There's a bit of it in the *nix world too, hence a pile of stuff that can't be moved beyond RHEL5 (and for one spectacular piece of shit that needs an old flexlm, Redhat7.2).
Since we can assume XP will never change once support is over, can't we then do new things to secure it that were impractical in the past?
Hard coded file checks, read only filesystems, out of band checks and so on. It wouldn't take much to install Linux on a USB key and have it check the local HDD or even just overwrite the OS files at boot, and that's just the first idea that comes to mind. Maybe a BIOS that won't boot if any of the XP boot files are changed, etc. I'm not saying it's ideal, but it seems like a once-moving target is now static, so maybe that can be leveraged to create some safety, especially for the types of systems that are required to continue using XP (i.e. not consumer desktops).
-Lod
One of the local technical schools used software called "Deep Freeze" to lock down the computers. Once the computer is set in a "frozen" state, any changes since the last reboot are lost. So in theory, if you did get a virus on your XP machine after EOL, a reboot would remove it. Extra steps are needed to "thaw" the computer to make changes that will carry across reboots. I do not work for the school or the company that makes Deep Freeze. There are alternatives available also that perform similar functions that you could find with a web search.
I just left a job where we produced POS and back office software for specialty retailers and saw the same thing. The lock-in is just incredible when you're running a nationwide chain with X-number of registers. I think a customer was running Windows 98 on a box with 128 MB of RAM. In fact, if anything you worry about customers looking to upgrade, because if they're going to have to spend all the money to buy new hardware, they're going to reevaluate their software as well, and perhaps choose another vendor.
quiquid id est, timeo puellas et oscula dantes.
After reading comments in this article I wrote up the following to my management. In my enterprise we have some expensive hardware that is running on XP. We've just been planning to pull them from the network, but the options below were considerations for the XP computers we just could not replace without great expense (>$50,000 each). Please excuse my formatting, pasted in.
I’ve been giving thought as to what we should do to continue to support XP computers that cannot be replaced before XP EOL.
The idea is to turn these computers from our “normal idea of a PC” into an appliance. By locking down these stations we can make them such that they only do one thing: produce the work as intended in a safe manner.
Configuration Description:
Windows steady state installed/configured
EMET (?) Enhanced Mitigation Experience Toolkit (v4)
  o This newer tech is designed to close the methods used in application exploits targeting this platform
  o This option is listed for technical completeness, but it is expected that it would cause more problems than it would solve
  o This option would be in the case where an appliance required access to Java JRE and a public internet site
      Does such a scenario exist for us?
Separate VLAN for appliance PCs
  o No access outside LAN (no internet)
  o Access to file server
  o Access only to required resources
Ghost backup of each machine
  o Ghost image
      required for easy cloning
      Disk clone for restoring a system with replacement disk to take place on separate 'ghost image appliance' PC as USB/CDROM/DVD disabled on target PCs
Per machine replacement plans in writing for each appliance
  o Planning for modern replacements
  o Planning for repair in the event of failure
File server access
  o XP has exclusive write to only one shared folder on server
  o XP has NO read access for any other folder shares
  o Regular VLANS have read only access to above file share
Preventative steps
  o Power supply replacements (or availability)
  o Hard disk diagnostics (SMART check, disk integrity check)
  o Hard disk replacements (or availability)
      Cold-swap cloned disks available in computer for highest priority appliances
Lockdown steps
  o Disable unused hardware (ex: FireWire)
  o Disable CD/DVD, USB, floppy (no sneakernet)
  o BIOS admin, access passwords set
Experience description
From a cold boot
Cannot access BIOS setup without password, even to view settings
Boot into Windows XP
  o F8 modes still available
Domain logon still used
  o Domain controllers must be accessible on XP VLAN
Appliance software runs
Users have no admin rights
  o unless required by app, must be documented, explicitly requires SteadyState
Users cannot make changes to configuration
  o changes reset at reboot (via SteadyState)
Users cannot access internet
  o no VLAN access to internet
  o no HTTP access to internal or external resources
Users may write to one area on file server for this appliance's work files to be uploaded, no read access to any other area
  o No read access to other areas means that the only file server data accessible is the data that this machine creates
  o Example: an XP computer running a special app would have one specific folder available as a mapped drive, no other read access to any
XP Embedded's support doesn't end when XP does.
Windows XP Embedded (Toolkit and Runtime), all versions - January 12, 2016
From https://www.microsoft.com/wind...
It's foolish to try and secure XP after its support ends. So much logic is thrown out the window with this idea. Try to remember that Windows XP was designed and released around the time of the Tech Boom/Bust. A pretty different technical environment. That it's still being used is, in a way, a testament to Microsoft's dedication to it, but after twelve years - I mean, geez, who runs the same OS for twelve years? Do you still play games on a Sega Dreamcast? Ok, that's a bad example, even I still play games on a Sega Dreamcast. But that's an entirely different era by tech standards. The larger problem you may be dealing with is that Microsoft can basically pull support when it likes and if your shop doesn't like it, you should focus on alternatives. If you're going to be a Microsoft Shop, you should adjust your upgrade budget and IT Shop's priorities appropriately, not try to keep using XP and OS/2 Warp and Windows Me because the change is too (understandably) painful.
Doubtful, hardware has a finite lifetime and parts fail. Companies literally will not have the hardware to repair it because the chipsets will no longer support it and are no longer being made. Within the next 5 years or so they will need to upgrade whether they like it or not unless your company is absurdly lucky. My company was planning on sticking with XP until we realized the hardware was no longer available, now they are scrambling to get Windows 7 and Linux running on our devices.
I'm not even sure what your "salient" point is. We have a $250,000 research NMR with a computer controlling it running XP. The upgrade to use Windows 7 requires a $50,000 investment in new hardware. We don't have that kind of money just hiding in the cracks of the sofa. That NMR doesn't stop running just because Microsoft is tired of playing with XP.
I have one researcher still using Windows 95 on a semiconductor test instrument. That's not getting upgraded either. The cost to "fix/recover" is much cheaper than upgrading. We keep spare drives and drive images and all data is copied off the machine. My biggest concern is replacing a bad motherboard and finding drivers that run the older OS.
Simply slapping a new fresh install of Win8.1 on a research instrument controller is not always an easy or cheap thing to do. Not everybody is just using their computer to surf the web and check email.
Someone mentioned it above. There is software called Windows Steadystate that keeps the base file system unwritable to regular users and instead lets them write changes to a journaled file system that can be selectively restored from the base.
What industry are you in? It sounds to me like $1M and a couple of young engineers could take a run at your business and take you out in 12 months. No no, don't update, upgrade or for God's sake please don't innovate.
"... and you know what you are doing ..."
#kneeslap
#headdesk
Slashdot readers are much more sophisticated than the average home user, who only uses a computer for e-mail, social media, and web surfing. Why should they be expected to pay good money for a new computer, or to upgrade from XP and install all of the necessary drivers, hardware, etc.?
That's an example of abusing your equipment without properly maintaining it. Given the amount of product that vehicle moved, keeping the transmission maintained and throwing a new starter in it would've been such a small fraction of its overall net cost as to be negligible.
Additionally, it's a 1937, that's just a sweet old ride, especially as a 2 ton truck :)
Yes, you can hobble along, using MS XP for a bit longer. But soon you will start to be frustrated by the lack of driver support for your new (future) hardware devices. Really, make computer life easy for yourself. Switch to some flavor of Linux. I switched on a 100% use basis after Win 98 was dumped. I have never regretted the switch. All my old data files were easily transferable. With easy-to-use Linux versions such as Mint and Ubuntu you can stay with a GUI-only operating environment if you choose. They are a far sight easier to use than Win 8 and the price is right. ~ VillageElder
That sounds like a good-citizen thing to do. Introduce others to a better way of computing life. ~ VillageElder [See my additional comments below]
If the OS was bug free, none of this would be an issue. Oh.... but that's too hard, right?
Is an upgrade to Win7 in these kinds of situations really any fix? Likelihood is that we'll see the same situation come round again in a few years time.
Sometimes it's possible to skip a whole stage, for example, NT to Win7.
That's the logic anyway, for people who don't trust the upgrade cycle, usually burnt from vendor lock-in.
A blog I run for the wealth