The End of Life for Windows 7 and Server 2008 (R2)

Sep 19, 2019 | Blog

The end of life for Windows 7 and Windows Server 2008 and 2008 R2 is coming January 15, 2020. This means that support is coming to an end. On this date, these OSes no longer check certain compliance checkboxes for safe usage.

The biggest impact is going to be on security for the OS itself, but this impacts the whole site. Once these reach end of life, there will be no support whatsoever for critical bugs or massive security holes. That newest zero-day? There’s nothing that can be done about it most likely.

What Should You Do?

You need to be ready so your clients can stay safe. If you haven’t started preparing to move already, you and your client are sitting on a ticking time bomb. You still have plenty of time to research and get ready, but only if you start as soon as possible. Moving from Windows 7 and Server 2008 (R2) can be difficult, but not with a little bit of planning.

In most cases, workstations are easy to move away from, but servers are a bit harder. This is also a great opportunity to sell the client on newer hardware, if you can, both to get out of the predicament and to outpace the natural inflation of hardware requirements for software. Naturally, this isn’t always possible depending on the client and on how new the hardware they’re running is. If the machines have been sitting around since much earlier in the support cycle for Windows 7, your users will probably welcome an upgrade.

What’s Involved?

Licensing and software compatibility are two factors to look into heavily when migrating. A great server from a few years ago can be a huge expense to license a newer version of Windows Server on, but an okay server with a cheaper license (OEM discount, fewer cores, etc.) can even end up cheaper than what you get back selling the old server. SQL Server and Exchange can further convolute the licensing situation, however.

Software compatibility is another huge factor in the migration process. Some specialty software just plain doesn’t run on newer OS versions. There are complex ecosystems which are centered on a specific OS version and require an almost complete repurchase of every piece of the ecosystem to upgrade to a new OS in the first place.

These limitations can impact budgets pretty heavily depending on the size and scope of upgrades required. This is something which should be planned from day one of deploying a server (specifically, how to plan a budget around the next jump and when it should be), but is often overlooked. Computers, despite their relative upgradability, are not one time purchases.

Making a Plan

If you or your clients care about security, you will move or at least limit the damage an older box can do. If you haven’t built upgrade cycle budgets into hardware budgets, you need to start as soon as possible. A server or workstation should have a planned lifespan, and the money should be allocated for the replacement as soon as it hits end of life. “If it ain’t broke, don’t fix it,” doesn’t quite cut it for security or future-proofing.

Staging upgrades in over the next few months can also help your clients. This can reduce the perceived cost and make upgrades a bit more predictable. It also gives the clients time to get used to the change. Staging the upgrades from the most technical or least impactful employees (e.g. interns) to the least technical or most impactful (e.g. C-suite) can help build momentum for deployment and help the company adjust without as much impact.

Overcoming the Limitations

There are machines which cannot sanely be upgraded. There are several methods to overcome the limitations of the upgrade cycle. The two most common tactics are virtualization and partial air-gapping (or getting as close as possible) for the affected machines. These are not completely isolated tactics, however, and are best combined if possible.

Virtualization

This is the most common tactic to get around upgrades and the safest. There are still many Windows XP VMs floating around. From old accounting software to legacy industrial systems, there are plenty of reasons to keep XP around. The more specialized the environment, the harder it is to move away from it or even upgrade it depending on the upstream vendor or cost.

For software which just won’t work outside of Windows 7 or Server 2008, most of which actually predates Windows 7 or Server 2008, virtualization is an easy step with modern Windows and decently modern hardware. A P2V migration may be a good idea for these scenarios. For workstations, this is pretty straightforward, especially when the machine is being upgraded because it’s usually too old for Windows 10 to be practical, but it can get a little harder with servers.

For servers, you want to make sure you have a suitable host, and you want to strip the server of as many roles as possible. The less access and privilege this server has on your network, the better. Even if it is less than ideal, it is also a good idea to try to avoid consolidating these servers too much. The more specialized they are, the more exact their privileges can be, which limits security holes when intelligently applied.

Partial Air-gapping (Or Getting As Close As Possible)

Air-gapping is the practice of separating a machine entirely from the outside world. While complete air-gapping probably isn’t going to be too practical in most cases, the general principle should be followed as much as possible to partially air-gap a machine. A box which is inaccessible is not going to be practical to compromise. Every layer of convenience adds another face to the attack surface of these weak points.

Block as much traffic as possible to the given machine. If it was on a domain, take it off. If it has to be on a domain, spin up a secondary domain specifically for it. This limits the attack surface substantially and reduces what a successful attack can do.

If you need file shares, use a clean machine as an intermediary. Have multiple shares and use the intermediary as a jump box of sorts for transfers. Have a limited share between the intermediary and the old agent, and a share between the intermediary and the rest of the network. This adds a layer of complexity, but helps with safety.
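One way to apply the two paragraphs above on the legacy machine itself, as an added example that is not from the original post. Windows 7 and Server 2008 R2 predate the `New-NetFirewallRule` cmdlets, so the script drives `netsh advfirewall`; the IP addresses, the rule name and the choice to host the limited share on the intermediary are assumptions made for the example.

```powershell
# Added example. Run from an elevated PowerShell console on the legacy
# Windows 7 / Server 2008 R2 machine itself, at the console or through the
# hypervisor: this policy also cuts off RDP and other remote management.
# ASSUMPTIONS (constructed values, adjust to your network):
#   10.0.50.10 = clean intermediary that hosts the limited share, so the
#                legacy box only ever makes outbound SMB connections to it
#   10.0.50.20 = stand-in for any other host that must NOT be reachable
$Intermediary = '10.0.50.10'
$OtherHost    = '10.0.50.20'
$RuleName     = 'LegacyIsolation-SMB-Out'   # no spaces, keeps netsh quoting simple

function Invoke-Netsh([string[]]$NetshArgs, [switch]$IgnoreError) {
    & netsh.exe $NetshArgs | Out-Null
    if ($LASTEXITCODE -ne 0 -and -not $IgnoreError) {
        throw "netsh $($NetshArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Test-TcpPort([string]$Address, [int]$Port) {
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($Address, $Port); return $true }
    catch { return $false }
    finally { $client.Close() }
}

# 1. Save the current policy; roll back with: netsh advfirewall import <file>
$backup = "$env:SystemDrive\fw-before-isolation-$(Get-Date -Format 'yyyyMMdd-HHmmss').wfw"
Invoke-Netsh @('advfirewall', 'export', $backup)

# 2. Firewall on for every profile. Unsolicited inbound is dropped even where
#    an allow rule exists; outbound is dropped unless a rule permits it.
Invoke-Netsh @('advfirewall', 'set', 'allprofiles', 'state', 'on')
Invoke-Netsh @('advfirewall', 'set', 'allprofiles', 'firewallpolicy', 'blockinboundalways,blockoutbound')

# 3. Log dropped connections so attempts to reach the box leave a trace.
Invoke-Netsh @('advfirewall', 'set', 'allprofiles', 'logging', 'droppedconnections', 'enable')

# 4. The single permitted path: SMB (TCP 445) out to the intermediary only.
Invoke-Netsh @('advfirewall', 'firewall', 'delete', 'rule', "name=$RuleName") -IgnoreError
Invoke-Netsh @('advfirewall', 'firewall', 'add', 'rule', "name=$RuleName", 'dir=out',
               'action=allow', 'protocol=TCP', "remoteip=$Intermediary", 'remoteport=445')

# 5. Verify both directions of the policy from the legacy box.
if (-not (Test-TcpPort $Intermediary 445)) {
    Write-Warning "Cannot reach the share host $Intermediary on TCP 445"
}
if (Test-TcpPort $OtherHost 445) {
    Write-Warning "$OtherHost is still reachable: review enabled outbound allow rules"
}
```

Outbound allow rules that were already enabled keep matching after the default is switched to block, which is what the second check is there to surface; list them with `netsh advfirewall firewall show rule name=all dir=out`.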

How Many Are Out There?

Windows 7 usage sits at about 30%. A subset of our environment (just over 27,000 Windows agents for this example) shows that Windows 7 and all Server 2008 derivatives are sitting at around 30% as well. The general trend seems to remain the same for both business and overall usage. The overall number is in free fall, but still has a ways to go. For enterprise, it is a bit harder to pin down exactly what is going on.

Obstacles to Upgrades

The only thing which is really holding the numbers back is the lack of a viable alternative for most users. Windows 10 tries to be Windows 7, but misses the mark with both IT professionals and users. The majority of shifts happened during the free upgrade period, and newer shifts to Windows 10 are from machines dying rather than planned upgrades. Some clients even lament the loss of their Windows 7 machines. Some businesses were even buying old keys from salvage machines up until a few months ago. The Windows Update and upgrade system is maddening without moving to Windows 10 Enterprise.

From a server perspective, it doesn’t really offer enough to compel upgrading perfectly functional servers either. The licensing nightmare that is Windows Server further exacerbates the problem. Hopefully, Microsoft thinks to implement a smoother, more transparent plan to move servers (besides their push to Azure). I personally doubt they will as a power play, since they know many businesses’ hands are tied due to compliance.

Moving Forward

Ultimately, servers may hang on due to licensing, but the vast majority of workstations are going to have to be upgraded for both security purposes as well as pragmatic purposes. Newer software updates will begin shunning Windows 7 and Server 2008 the same as Windows XP back in 2014. It won’t start all at once, but within a year or two, the vast majority of applications which work on Windows 7 will work by lack of change rather than support.

It can be pricey and painful, but it is ultimately necessary. Try to amortize it out where possible and be ready to keep key infrastructure pieces secure which cannot be upgraded. If a client refuses to upgrade, they open themselves up to more and more security compromises which can bring down their business, which hurts both them and you. There really isn’t much of a choice but to upgrade, or try to continue supporting a device past the point of obsolescence, which weakens their business and yours.

by Sage Driskell
