Exception Process for Windows 7 End of Life (EOL)

Overview

Every Windows product has a life cycle, and that life cycle ends when security updates or fixes, software updates, and/or technical support are discontinued. On Jan. 14, 2020, Microsoft ended support for the Windows 7 Operating System. Campus policy requires that devices connected to the network run software for which security patches are made available - and installed - in a timely fashion. Therefore, Windows 7 is no longer in compliance with campus policy.

Exceptions

Exceptions are allowed only if the system cannot be upgraded, and eligibility depends on the data classification level and the amount of data of that type. Submit your security exception request as soon as possible.

In addition to these required controls, ISO may require additional controls in the future, should new threats exploiting unpatched vulnerabilities in Windows 7 emerge.

Exceptions are available for:

  • All UC P1 (i.e., public data) devices
  • UC P2 Privileged Access and Individual Devices
  • UC P4 Individual Devices

Exceptions are not available for:

  • Institutional Devices with UC P3 or UC P4
  • Privileged Access Devices with access to protected data UC P4
  • Any Device with UC P4 or Regulated Data (HIPAA, PCI, etc.)*

*Please contact us directly at security@berkeley.edu if this applies to your system


If you need assistance determining whether your system is eligible, please fill out this short form.

To obtain an exception:

  1. Implement and document the appropriate required controls for MSSND exceptions (see below)
  2. Develop and document a timeline for the upgrade or replacement to the outdated operating system
  3. Submit an MSSND security exception request, including the documentation from steps 1 & 2
  4. Once an exception is approved, complete system upgrade/replacement before the expiration of the exception request

Note: if you are requesting exceptions for multiple Windows 7 machines, you only need to file one exception request form for all machines.


Required Controls for MSSND Exceptions

These controls are appropriate for workstations that handle public data, UC P2/P3 Privileged Access and Individual Devices, UC P4 Individual Devices, or special use workstations that have elevated access into lower risk institutional systems, or that handle less than 500 records of high-risk data.

  • Device must be tracked in an inventory control system, including physical location, network identity, and primary user
  • Device must be updated with the latest set of security patches for this platform
  • Device must use an automated method to ensure patching/updating of 3rd party software, i.e., BigFix
  • Only software necessary to perform university business should be installed on the device
  • Device must be secured according to the Center for Internet Security (CIS) benchmarks
  • Device must be running currently supported inline (on access) anti-virus and anti-malware software with automatic signature updates
  • Device must use a modern, supported browser with the minimal plugins necessary to perform university business
  • A host-based firewall must block all inbound traffic, except trusted systems management tools. A host-based firewall is included in Windows 7 but must be turned on in Control Panel
  • For PL0 individual devices only, if Remote Desktop services are enabled, access must be restricted to known hosts or the campus VPN service address pool
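One way to apply the host-based firewall and Remote Desktop controls above using the firewall built into Windows 7, as an added example (not the ISO's own tooling or a required configuration): the address ranges are placeholders for your unit's trusted management hosts and the campus VPN address pool, and the script uses netsh advfirewall because the PowerShell 2.0 shipped with Windows 7 lacks the NetSecurity cmdlets.

```powershell
# Added example; run from an elevated PowerShell prompt on the Windows 7 host.
# Placeholder addresses (replace with your own):
$ManagementHosts = '192.0.2.10,192.0.2.11'   # hypothetical trusted systems management tools
$VpnPool         = '198.51.100.0/24'         # hypothetical campus VPN address pool

# 1. Turn the host-based firewall on for every profile (domain, private, public).
netsh advfirewall set allprofiles state on

# 2. Default policy: drop all unsolicited inbound traffic, allow outbound.
#    Existing allow rules still apply, so review them with
#    "netsh advfirewall firewall show rule name=all dir=in" afterwards.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 3. The only broad inbound exception: the trusted management hosts.
netsh advfirewall firewall add rule name="Trusted systems management (In)" `
    dir=in action=allow remoteip=$ManagementHosts profile=any

# 4. If Remote Desktop must stay enabled (PL0 individual devices only),
#    scope the built-in RDP rule group to known hosts and the VPN pool
#    instead of any remote address.
netsh advfirewall firewall set rule group="Remote Desktop" `
    new remoteip="$VpnPool,$ManagementHosts" enable=yes

# 5. Verify: every profile should report State ON and
#    Firewall Policy BlockInbound,AllowOutbound.
netsh advfirewall show allprofiles | Select-String 'Profile Settings|^State|Firewall Policy'
```

Record the output of step 5 with the exception request, since it documents that the firewall control is in place on the device.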

Alternative Mitigation Controls for Special Use Systems

Appropriate for special use systems, such as lab equipment, instrumentation, controllers, and other devices that do not require general Internet connectivity.

  • Device must be tracked in an inventory control system, including physical location, network identity, and primary user
  • Device must be updated with the latest set of security patches for this platform
  • Firewalls must be used to restrict both inbound and outbound network traffic to known hosts only