Exception Process for Windows 7 End of Life (EOL)

Overview

Every Windows product has a life cycle, and that life cycle ends when the product no longer receives security updates or fixes, software updates, and/or technical support. On Jan. 14, 2020, Microsoft will discontinue support for its Windows 7 operating system. Campus policy requires that devices connected to the network run software for which security patches are made available in a timely fashion. After support ends, Windows 7 will no longer be in compliance with campus policy.

Exceptions

Exceptions are allowed only if the system cannot be upgraded, and eligibility depends on the data classification level and the amount of data of that type. Submit your security exception request by November 1, 2019, to allow time to implement the mitigations needed before End of Life.

In addition to the required controls listed below, ISO may require additional controls in the future, should new threats exploiting unpatched vulnerabilities in Windows 7 emerge.

Exceptions are available for:

  • All PL0 (public data) devices
  • PL1 Privileged Access and Individual Devices
  • PL2 Individual Devices

Exceptions are not available for:

  • Institutional Devices with Protected Data level 1 or level 2 (PL1 or PL2)
  • Privileged Access Devices with access to protected data level 2 (PL2)
  • Any Device with protected data level 3 (PL3) or Regulated Data (HIPAA, PCI, etc.)*

*Please contact us directly at security@berkeley.edu if this applies to your system.


Below are the instructions for applying for an exception. Also provided are alternative mitigations for Special Use Systems such as lab equipment, instrumentation, controllers, and other devices that do not require general Internet connectivity.

To obtain an exception:

  1. Implement and document the appropriate controls on the systems requiring an exception
  2. Develop and document a timeline for a system upgrade or replacement to a supported operating system
  3. Submit an MSSND exception request, including the documentation from steps 1 & 2
  4. Once an exception is approved, complete system upgrade/replacement before the expiration of the exception request

Note: if you are requesting exceptions for multiple Windows 7 machines, you only need to file one exception request form for all machines.


Required Controls for MSSND Exceptions

These controls are appropriate for workstations that handle public data (PL0), PL1 Privileged Access and Individual Devices, PL2 Individual Devices, and special use workstations that have elevated access into lower-risk institutional systems or that handle fewer than 500 records of high-risk data.

  • Device must be tracked in an inventory control system, including physical location, network identity, and primary user
  • Device must be updated with the latest set of security patches for this platform
  • Device must use an automated method to ensure patching/updating of third-party software, i.e. BigFix
  • Only software necessary to perform university business should be installed on the device
  • Device must be secured according to the Center for Internet Security (CIS) benchmarks
  • Device must be running currently supported inline (on access) anti-virus and anti-malware software with automatic signature updates
  • Device must use a modern, supported browser with the minimal plugins necessary to perform university business
  • A host-based firewall must block all inbound traffic, except trusted systems management tools. A host-based firewall is included in Windows 7 but must be turned on in Control Panel
  • For PL0 individual devices only, if Remote Desktop services are enabled, access must be restricted to known hosts or the campus VPN service address pool
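The two firewall controls above (block all inbound traffic except trusted systems management tools; restrict Remote Desktop to known hosts or the campus VPN address pool) can be applied on Windows 7 with the built-in `netsh advfirewall` tool. The script below is an added example, not part of the campus policy or ISO's tooling; the IP addresses are RFC 5737 documentation placeholders, the management-agent rule assumes BigFix's default client port, and both must be replaced with your unit's actual server addresses and the VPN pool.

```batch
@echo off
rem Added example (not from the policy page): Windows 7 host-firewall baseline for the
rem MSSND exception controls. Run from an elevated (Administrator) command prompt.
rem All remoteip values and the agent port are PLACEHOLDERS/assumptions; replace them.

rem 1. Turn the built-in firewall on for every profile (domain, private, public).
netsh advfirewall set allprofiles state on

rem 2. Default policy: drop all inbound, allow outbound. Any inbound service now
rem    needs an explicit allow rule, which is what the control requires.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

rem 3. Log dropped connections so blocked probes are visible to support staff
rem    (default log: %systemroot%\system32\LogFiles\Firewall\pfirewall.log).
netsh advfirewall set allprofiles logging droppedconnections enable

rem 4. Disable the stock "Remote Desktop" rule group. Left enabled, it accepts
rem    TCP 3389 from ANY address as soon as Remote Desktop is switched on.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=no

rem 5. Re-allow Remote Desktop only from known hosts and the VPN address pool.
rem    PLACEHOLDER addresses (RFC 5737 ranges): substitute your real values.
netsh advfirewall firewall delete rule name="MSSND-RDP-KnownHosts" >nul 2>&1
netsh advfirewall firewall add rule name="MSSND-RDP-KnownHosts" dir=in action=allow ^
  protocol=TCP localport=3389 remoteip=192.0.2.10,198.51.100.0/24 profile=any

rem 6. Allow the trusted systems-management agent inbound from its server only.
rem    52311 is BigFix's default client port (assumption); 203.0.113.5 is a PLACEHOLDER.
netsh advfirewall firewall delete rule name="MSSND-MgmtAgent" >nul 2>&1
netsh advfirewall firewall add rule name="MSSND-MgmtAgent" dir=in action=allow ^
  protocol=TCP localport=52311 remoteip=203.0.113.5 profile=any

rem 7. Verify before documenting the control: every profile should show
rem    State ON / Firewall Policy BlockInbound,AllowOutbound, and each MSSND
rem    rule should list only the restricted RemoteIP values.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name="MSSND-RDP-KnownHosts"
netsh advfirewall firewall show rule name="MSSND-MgmtAgent"
```

The output of step 7 is the evidence to attach to the exception request for the firewall and Remote Desktop controls.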

Alternative Mitigation Controls for Special Use Systems

These controls are appropriate for special use systems, such as lab equipment, instrumentation, controllers, and other devices that do not require general Internet connectivity.

  • Device must be tracked in an inventory control system, including physical location, network identity, and primary user
  • Device must be updated with the latest set of security patches for this platform
  • Firewalls must be used to restrict both inbound and outbound network traffic to known hosts only