Microsoft officially ended support for its Windows 7, Windows Server 2008, and Windows Server 2008 R2 operating systems on January 14, 2020.
What Does That Mean?
Microsoft stopped providing free security patches and updates for these operating systems. The only way to obtain subsequent patches and updates is to enroll in Microsoft’s costly Extended Security Updates (ESU) program on a per-device basis. Most organizations elected to upgrade their legacy Windows systems to use modern operating systems such as Windows 10 and Windows Server 2016, but some did not, leaving a gaping hole in the security of their respective networks.
Why Does This Matter?
Every day, new software vulnerabilities are discovered and new malware is created by cybercriminals. Since free patches and updates for Windows 7 and Windows Server 2008/R2 ended more than 15 months ago, attackers are exploiting newly discovered vulnerabilities on those systems. Supplemental security controls like antivirus software cannot effectively mitigate these risks, so the continued presence of Windows 7 and Windows Server 2008/R2 systems is very much a ticking time bomb that can explode into a potentially devastating security incident.
If the inability to detect and remediate vulnerabilities isn’t bad enough, the absence of security patches and updates has led to major compatibility issues with modern Windows systems in Active Directory domains. For example, at least one recent update for Windows Server 2016 and 2019 Active Directory domain controllers has been found to break their ability to communicate with legacy Windows Server 2008/R2 systems, meaning that an organization’s otherwise well-intentioned patching strategy could inadvertently cause mass authentication failures and connectivity issues throughout the domain.
For these reasons and others, the best course of action is to immediately upgrade or replace legacy Windows 7 and Windows Server 2008/R2 systems that are still in use. In cases where critical software applications are not supported on modern operating systems, the affected legacy systems should be segmented and isolated from the rest of the production network. While this strategy will not fully mitigate the risk, it will reduce the organization’s attack surface if implemented correctly.
It’s also important to note that Windows Server 2012/R2 will reach EOL status on October 10, 2023, and Windows Server 2016 will reach End of Mainstream Support status on January 11, 2022 (with an EOL in 2027). So at this point, plan to use Windows Server 2019 for any server upgrade.
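Before legacy hosts can be upgraded, replaced, or segmented as described above, they have to be found. The following PowerShell script is an added example, not part of the original post or a Corsica Technologies tool; it queries Active Directory for enabled computer accounts whose operatingSystem attribute matches Windows 7 or Windows Server 2008/R2, and (going slightly beyond the text) also flags Windows Server 2012/R2 as approaching end of life. It assumes the ActiveDirectory RSAT module is installed and the account running it can read computer objects; the output file name is an assumption.

```powershell
# Added example (not from the original post): inventory domain-joined hosts that
# are past end of life (Windows 7, Server 2008/R2) or approaching it (Server 2012/R2).
# Requires the ActiveDirectory RSAT module and read access to computer objects.
Import-Module ActiveDirectory

# Patterns as AD records them in the operatingSystem attribute, e.g.
# "Windows 7 Enterprise", "Windows Server 2008 R2 Standard".
$eolPatterns      = @('Windows 7*', 'Windows Server 2008*')
$approachPatterns = @('Windows Server 2012*')

# Pull every enabled computer account once, with the attributes we need.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' `
    -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate, DistinguishedName

function Get-LifecycleStatus {
    param([string]$OperatingSystem)
    if (-not $OperatingSystem) { return 'Unknown' }
    foreach ($p in $eolPatterns)      { if ($OperatingSystem -like $p) { return 'EndOfLife' } }
    foreach ($p in $approachPatterns) { if ($OperatingSystem -like $p) { return 'ApproachingEOL' } }
    return 'Supported'
}

$report = $computers | ForEach-Object {
    [PSCustomObject]@{
        Name                   = $_.Name
        OperatingSystem        = $_.OperatingSystem
        OperatingSystemVersion = $_.OperatingSystemVersion
        LastLogonDate          = $_.LastLogonDate
        Status                 = Get-LifecycleStatus -OperatingSystem $_.OperatingSystem
        DistinguishedName      = $_.DistinguishedName
    }
}

# Keep only hosts that need action, oldest-OS first.
$actionable = $report | Where-Object { $_.Status -ne 'Supported' } |
    Sort-Object Status, OperatingSystem, Name

# Assumed output path; change as needed.
$actionable | Export-Csv -Path .\legacy-windows-inventory.csv -NoTypeInformation

$actionable | Group-Object Status | ForEach-Object {
    "{0}: {1} host(s)" -f $_.Name, $_.Count
}
```

The operatingSystem attribute is whatever the machine last wrote to its own computer object, so an "Unknown" status or a LastLogonDate many months old usually means a stale account rather than a live host; confirm those entries before counting them as fixed, and use the DistinguishedName column to move confirmed legacy hosts into an OU whose policy and network placement match the segmentation strategy described above.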
Next Steps
If your organization still has Windows 7, you may not feel a sense of urgency to upgrade; however, without new features and security updates, your organization will be much more vulnerable. Every Windows operating system has a life cycle, and it’s important for your organization to stay up to date with end-of-life dates as they pertain to your organization’s network and cybersecurity. If you need help managing End of Life, or if you have questions about next steps, our team of Microsoft experts is ready to help. Schedule a consultation with our team today.
Ross Filipek
Ross is the CISO at Corsica Technologies. He has achieved CCIE Security and CISSP certifications, holds an MBA from the University of Notre Dame, and has 20 years of experience in the fields of computer and network security engineering and consulting. Ross provides virtual CISO services for clients and helps them to identify information security risks and implement administrative, procedural, and technical controls to mitigate them. He works effectively with both technical and managerial personnel and is a trusted resource for our clients.