Exception Process for Windows 7 End of Life (EOL)

Overview

Every Windows product has a life cycle and that life cycle ends when security updates or fixes, software updates, and/or technical support are discontinued. On Jan. 14, 2020 Microsoft ended support for the Windows 7 Operating System. Campus policy requires that devices connected to the network run software for which security patches are made available - and installed - in a timely fashion. Therefore, Windows 7 is no longer be in compliance with campus policy.

Exceptions

Exceptions are allowed only if the system cannot be upgraded and depending on the data classification level and the amount of data of that type. Submit your security exception request as soon as possible.

In addition to these required controls, ISO may require additional controls in the future, should new threats exploiting unpatched vulnerabilities in Windows 7 emerge.

Exceptions are available for:

  • All UC P1 i.e., public data devices
  • UC P2 Privileged Access and Individual Devices
  • UC P4 Individual Devices

Exceptions are not available for:

  • Institutional Devices with UC P3 or UC P4
  • Privileged Access Devices with access to protected data UC P4
  • Any Device with UC P4 or Regulated Data (HIPAA, PCI, etc.)* 

*Please contact us directly at security@berkeley.edu if this applies to your system


If you need assistance determining if your system is eligible please fill out this short form.

To obtain an exception:

  1. Implement and document the appropriate required controls for MSSND exceptions (see below)
  2. Develop and document a timeline for the upgrade or replacement to the outdated operating system
  3. Submit an MSSND security exception request, including all requested documentation 
  4. Once an exception is approved, complete system upgrade/replacement before the expiration of the exception request

Note: if you are requesting exceptions for multiple Windows 7 machines you only need to file one exception request form for all machines.


Required Controls for MSSND Exceptions

These controls are appropriate for workstations that handle public data, UC P2/P3 Privileged Access and Individual Devices, UC P4 Individual Devices, or special use workstations that have elevated access into lower risk institutional systems, or that handle less than 500 records of high-risk data.

  • Device must be tracked in an inventory control system, including physical location, network identity, and primary user
  • Device must be updated with the latest set of security patches for this platform
  • Device must use an automated method to ensure patching/updating of 3rd party software, i.e. BigFix
  • Only software necessary to perform university business should be installed on the device
  • Device must be secured according to the Center for Internet Security (CIS) benchmarks
  • Device must be running currently supported inline (on access) anti-virus and anti-malware software with automatic signature updates
  • Device must use a modern, supported browser with the minimal plugins necessary to perform university business
  • A host-based firewall must block all inbound traffic, except trusted systems management tools. A host-based firewall is included in Windows 7 but must be turned on in Control Panel
  • For PL0 individual devices only, if Remote Desktop services are enabled, access must be restricted to known hosts or the campus VPN service address pool

Alternative Mitigation Controls for Special Use Systems

Appropriate for special use systems, such as lab equipment, instrumentation, controllers, and other devices that do not require general Internet connectivity.

  • Device must be tracked in an inventory control system, including physical location, network identity, and primary user
  • Device must be updated with the latest set of security patches for this platform
  • Firewalls must be used to restrict both inbound and outbound network traffic to known hosts only