42 days to go for XP – 8 tips if you aren’t going to make it


In a tip of the hat to the late Douglas Adams, we’ll ask, “How many days has XP really got left?”

If you include today – April Fool’s Day, no less – the answer is, “42.”

Here’s my reasoning.

The last Microsoft-issued patches come out for XP in one week’s time, on 08 April 2014.

(If that date is a surprise to you, you probably need to get out more. Or perhaps to stop going out so much.)

After that, as my friend and colleague Chester Wisniewski pointed out in our Sophos Techknow podcast, The End of XP, you’ve got about a month of security normality.


If we optimistically but reasonably assume that Microsoft won’t need to issue any unscheduled patches in the month following, your XP systems will enjoy one last full lap of the security stadium, until May’s Patch Tuesday.

On that day, 13 May 2014, all the other runners will keep forging ahead in the security race, but you will be forced off the track.

You will not be allowed back; your race will be over; you will officially be behind; and you will stay behind forever.

So, ignoring any emergency fixes that might leave you behind slightly earlier, you will be on an even footing with users of more recent versions of Windows for the next 42 days, including today.

There you have it: 42.

What if you plan on going past 42?

We’re not going to argue the point that you should change your mind at the last minute and upgrade all your remaining computers at once – not today, at any rate.

We shan’t try to browbeat you into admitting that you’d probably end up saving yourself time and money if you simply retired that XP-only $2000 printer you bought 13 years ago, and replaced it with a smaller, faster, lighter $100 model with 16 times the pixel resolution, and 128 times the memory.

We’ll leave out the guilt trips about how your ever-weaker security will put the rest of us at ever-greater risk.

And we’ll skip over our surprise if your objection is that you don’t like the fact that Microsoft is asking you to pay to upgrade, but you aren’t willing to put your mouth where your money isn’t, and switch to a free alternative. (There are many, including Linux and various incarnations of BSD.)

Eight tips

Instead, we’ll assume there are unavoidable reasons why you have to keep sailing on the Steam Ship Windows XP for a while longer, and simply present you with a list of eight tips.

  1. Get up to date in April 2014, and check you have every patch that Microsoft has ever offered you. 08 April 2014 will be your last Microsoft patch, so you probably won’t be revisiting Windows Update.
  2. Keep updating other software that you may be using, such as Flash, Java, your anti-virus, and more. Sophos Anti-Virus, for example, will be supported on XP SP3 until at least 30 September 2015. (See tip [8].)
  3. Consider tightening up the restrictions imposed by your anti-virus and your endpoint firewall (if you use one). If you must keep XP computers going, try to shrink their operational universe, so that they get used only when necessary, rather than whenever it’s convenient.
  4. Remove all software and drivers you are not using. In fact, make an active effort to minimise the set of applications you permit on your XP computers. Even software that is still being patched depends on operating system components that aren’t, and it simply may not be possible for your vendor to work round lower-level holes in Microsoft’s code.
  5. If your anti-virus has an Application Control feature, use it to enforce any software restrictions you decide upon in tip [4]. Application control lets you set rules like, “Skype and other instant messaging clients aren’t allowed at all, so we don’t need to worry about any data they might leak.”
  6. Put your XP computers on their own network, and limit access into and out of that network as strictly as you can. If you are a Sophos UTM user, you can add UTM gateways to set extra, stricter network filtering for your XP computers, such as blocking email and instant messaging traffic, and preventing the use of social networks.
  7. Urgently get rid of administrator-level user accounts if you have any left. You should have done this years ago, throwing out any desktop software which required administrator privilege to work. It’s now more important than ever to do this, in order to reduce the scope of an attack if hackers do manage to get in.
  8. Get on with your personal or organisational efforts to get rid of XP. Tips [2] to [7] don’t really buy you more time – they just reduce the risk while you catch up. Don’t be in this position again when 01 April 2015 comes around.

Some examples

Here are some examples of the limitations you might enforce for your XP computers:

• On a computer used to control specialised hardware, e.g. a lathe.

No browsers, no Microsoft Office, no Flash, no Java and no PDF reader installed. Application Control blocking on all unnecessary software. Internet access limited to known-and-needed sites for security updates.

• On a computer used for general office purposes, including browsing and email.

Upgrade it. It’ll end in tears if you don’t. You have six whole weeks!

• On a computer used online with legacy business apps.

Stick to a non-IE browser that is still getting security updates. All unneeded plugins removed. Application Control blocking on all unnecessary software. Internet access limited to known-and-needed sites for security updates and the legacy apps.
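As an added example (not from the original article, and not a Sophos tool), here is a read-only PowerShell audit that checks an XP machine against tips [1], [4]/[5] and [7] and the lathe-style lockdown above. It assumes XP SP3 with PowerShell 2.0 installed via the Windows Management Framework, and the list of unwanted program names is a constructed illustration to adapt to your own restrictions.

```powershell
# Added audit script, not from the original article. Assumes Windows XP SP3 with
# PowerShell 2.0 installed, run from an account that can read HKLM and query the
# local Administrators group. Read-only: it reports, it changes nothing.

# Tip 1: ask the Windows Update Agent whether any offered patch is still missing.
function Get-MissingUpdates {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    foreach ($u in $result.Updates) { $u.Title }
}

# Tips 4/5 and the lathe example: read installed programs from the Uninstall key
# and flag anything a locked-down XP box should not carry. Constructed list; edit it.
$unwanted = @('Flash', 'Java', 'Adobe Reader', 'Microsoft Office', 'Firefox', 'Chrome')
function Get-UnwantedSoftware {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    Get-ChildItem $key |
        ForEach-Object { (Get-ItemProperty $_.PSPath).DisplayName } |
        Where-Object { $_ } |
        Where-Object { $name = $_; ($unwanted | Where-Object { $name -like "*$_*" }) }
}

# Tip 7: enumerate the local Administrators group through ADSI and flag every
# member other than the built-in Administrator account.
function Get-ExtraAdmins {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    @($group.psbase.Invoke('Members')) |
        ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) } |
        Where-Object { $_ -ne 'Administrator' }
}

Write-Host '== Patches still offered by Microsoft but not installed (tip 1) =='
$missing = @(Get-MissingUpdates)
if ($missing.Count -eq 0) { Write-Host 'none' } else { $missing | ForEach-Object { Write-Host " - $_" } }

Write-Host '== Installed software the lockdown says should not be here (tips 4/5) =='
$bad = @(Get-UnwantedSoftware)
if ($bad.Count -eq 0) { Write-Host 'none' } else { $bad | ForEach-Object { Write-Host " - $_" } }

Write-Host '== Local Administrators other than the built-in account (tip 7) =='
$admins = @(Get-ExtraAdmins)
if ($admins.Count -eq 0) { Write-Host 'none' } else { $admins | ForEach-Object { Write-Host " - $_" } }
```

Run it once before 08 April 2014 and again after; anything still listed under tip 1 on the second run is a hole Microsoft will never close for you.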

Where to?

You may not like the fact that Microsoft is forcing you to upgrade.

But you’ve had years of warning, so don’t fall back on the excuse that the deadline took you by surprise: if you’re going to miss it, be practical about it.

Set yourself a new deadline, as close in time as you possibly can, and stick to it.

We promised no guilt trips, so take this as an objective and unjudgemental statement: “The rest of us are counting on you.”