As Windows 7 nears the end of its life on Jan. 14, most agencies have either completed the migration to Windows 10 or are almost there. But for those who need extra time or have devices that cannot be upgraded to Windows 10, there are several options available for securing Windows 7.
The simplest is to license Extended Security Updates (ESU) from Microsoft. An ESU keeps Windows 7 patched and supported for those who can’t migrate in time or who don’t want to pay for Microsoft’s desktop virtualization service.
Microsoft warns, however, that security updates through this program will only be provided “if and when” available, and that the ESU does not include new features or nonsecurity updates.
Agencies opting for this route should still keep their Windows 10 migration plans on track, because Microsoft will only offer Windows 7 ESUs until January 2023, and that date may change.
How to Get Support After Jan. 14
Agencies can license Windows 7 ESUs from Microsoft in two ways:
- Those using Windows 10 Enterprise E5, Microsoft 365 E5, or Microsoft 365 E5 Security licenses will get an extra year of Windows 7 ESUs and support for devices that have not yet migrated. They can also purchase Windows 7 support for additional years at half-price.
- Those who do not fit into any of the previous categories can purchase a three-year Windows 7 ESU from Microsoft at a per-device cost that can double in price each year. The increasing costs of support should be a good incentive for agencies to accelerate their Windows 10 migration plans.
Microsoft also announced in October that Windows 7 ESUs would be available to all organizations, whether or not they are in a volume licensing program. Organizations without volume licensing can buy Windows 7 ESUs through the Cloud Solution Provider program.

Earlier this year, Microsoft announced the general availability of Windows Virtual Desktop, a cloud-hosted virtual desktop solution based on Windows 10. Microsoft is also providing access to fully supported Windows 7 virtual desktops until 2023 to give extra breathing space to those planning Windows 10 migrations.
But moving from a physical infrastructure to a cloud-hosted virtual desktop infrastructure requires planning and testing. Not all applications play nicely with nonpersistent virtual machines, which are usually the preferred way of assigning VMs to users because they are cheaper and easier to maintain.
Unless agencies opt for more expensive persistent VMs, applications must be tested for compatibility with nonpersistent VMs. As part of the virtual desktop, Microsoft is providing enhanced versions of Office 365 ProPlus and OneDrive that are optimized to work efficiently with nonpersistent VMs and the Windows 10 multiuser SKU.
In addition to possible issues with application compatibility, agencies need to assess the costs of running Windows 7 in the cloud (Azure compute, network and storage are separate costs from the virtual desktop); the internet bandwidth required for accessing virtual desktops; the risks associated with storing data in the cloud; and the workforce skill set needed to manage a Windows virtual desktop.
Isolate Windows 7 from the Internet
Most security threats arrive through files downloaded from, and websites hosted on, the public internet. If an agency has Windows 7 devices that cannot be migrated to Windows 10, running them on an isolated network segment with no internet access is one way to keep them secure.
Isolation only holds if the air gap is also enforced at the USB port, however: employees must be prevented from transferring files onto the machines from removable media such as USB sticks. Controlling physical access to those devices helps, and local or Active Directory Group Policy can block removable storage classes outright.
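The removable-media control just described, as an added example that is not from the original article: it writes the same registry values the Group Policy editor's "All Removable Storage classes: Deny all access" setting writes, and additionally disables the USB mass-storage driver, then checks that both are in place. It assumes an elevated PowerShell prompt on the Windows 7 host (PowerShell 2.0 is enough); on domain-joined machines the same values should be delivered by a GPO rather than set locally.

```powershell
# Added example, not from the article: block removable storage on an isolated
# Windows 7 host and verify the block. Run from an elevated PowerShell prompt.

# Policy key written by "All Removable Storage classes: Deny all access"
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Service key for the USB mass-storage driver; Start = 4 means SERVICE_DISABLED
$usbstor   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Set-RemovableMediaBlock {
    # Policy-level deny for every removable storage class (disk, CD/DVD, tape, WPD)
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name 'Deny_All' -Value 1 -Type DWord

    # Belt and braces: keep the USB mass-storage driver from loading at all.
    # Keyboards and mice use a different driver stack and are unaffected.
    Set-ItemProperty -Path $usbstor -Name 'Start' -Value 4 -Type DWord
}

function Test-RemovableMediaBlock {
    # Compliance check: $true only when both controls are present
    $denyAll = (Get-ItemProperty -Path $policyKey -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
    $start   = (Get-ItemProperty -Path $usbstor -Name 'Start').Start
    return (($denyAll -eq 1) -and ($start -eq 4))
}

Set-RemovableMediaBlock
if (Test-RemovableMediaBlock) {
    'Removable storage: BLOCKED'
} else {
    'Removable storage: NOT blocked (check policy and USBSTOR keys)'
}
```

Test-RemovableMediaBlock can be run on its own from a scheduled task or a logon script to detect drift; a device whose Deny_All value has been removed or whose USBSTOR service has been re-enabled will report NOT blocked.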
Windows 7 devices that cannot be isolated from the internet and other untrusted networks can be better protected by implementing strong security controls with built-in features and third-party software. Such controls include:
- Replacing administrative rights with standard user accounts
- Using unique local administrator passwords
- Applying Microsoft’s security baseline template for Windows 7
- Blocking unauthorized code using application control (AppLocker on Windows 7 Enterprise and Ultimate, or Software Restriction Policies on other editions)
- Restricting internet access to approved sites
- Implementing hardened Windows Firewall and IPSec policy rules
- Investing in additional protection such as Microsoft Defender Advanced Threat Protection
- Ensuring data is backed up and protected
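Three of the controls listed above (restricting internet access to approved sites, hardened Windows Firewall rules, and finding accounts that hold administrative rights) as one added example that is not from the original article. It assumes a hypothetical filtering web proxy at 10.10.0.5:8080 that enforces the approved-site list and a hypothetical management network 10.10.1.0/24 that hosts domain controllers, DNS and the patch source; substitute real addresses. netsh advfirewall is used rather than the NetSecurity cmdlets (New-NetFirewallRule and friends) because those first shipped with Windows 8 and are not available on Windows 7.

```powershell
# Added example, not from the article: default-deny host firewall with an
# allowlist, plus an audit of the local Administrators group, for an
# internet-facing Windows 7 host. Run from an elevated PowerShell prompt.

# Hypothetical values; replace with the agency's own proxy and management range
$proxy     = '10.10.0.5'
$proxyPort = 8080
$mgmtNet   = '10.10.1.0/24'

function Set-HardenedFirewall {
    # Turn the firewall on for all profiles and block everything in both
    # directions; the allow rules below are the only holes.
    netsh advfirewall set allprofiles state on | Out-Null
    netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound | Out-Null

    # Log dropped connections so application testing can see what is blocked
    # (default log: %systemroot%\system32\LogFiles\Firewall\pfirewall.log)
    netsh advfirewall set allprofiles logging droppedconnections enable | Out-Null

    # Web access only through the filtering proxy; direct 80/443 stays blocked,
    # which is how "approved sites only" is enforced at the host.
    netsh advfirewall firewall add rule name=Win7-Allow-Proxy dir=out action=allow protocol=TCP remoteip=$proxy remoteport=$proxyPort | Out-Null

    # AD, DNS and patch/ESU delivery live on the management network
    netsh advfirewall firewall add rule name=Win7-Allow-Mgmt dir=out action=allow remoteip=$mgmtNet | Out-Null
}

function Get-LocalAdminMembers {
    # Enumerate the local Administrators group via ADSI (works on PowerShell 2.0).
    # Anything beyond the built-in Administrator and Domain Admins is a
    # candidate for demotion to a standard user account.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

Set-HardenedFirewall
netsh advfirewall show allprofiles | Select-String 'Firewall Policy'
'Local Administrators: ' + ((Get-LocalAdminMembers) -join ', ')
```

Apply the firewall policy to a test host first and watch pfirewall.log while exercising every business application: a blockoutbound policy will also cut off anything that talks directly to the internet instead of the proxy, including update agents and endpoint protection, so each such dependency needs its own allow rule before the policy is rolled out broadly.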
Most of these controls should be used even when an OS is fully supported, but they take on special significance when security updates are no longer available. Using Windows 7 without security updates always increases the risk of compromise.