Microsoft Windows XP End Of Life

March 1, 2014

Background

Effective April 8, 2014, Microsoft is discontinuing support for its Windows XP operating system. After that date Microsoft will release no further security patches for Windows XP. For more information please see:

http://www.microsoft.com/en-us/windows/enterprise/endofsupport.aspx

Allowing Windows XP systems to remain on the campus network after end of support carries a tremendous risk. Windows XP systems already suffer much higher infection rates than newer Windows operating systems. Without security patches for newly discovered vulnerabilities, Windows XP systems will be easy targets for attackers looking to compromise systems with minimal effort, and industry experts generally agree this is the likely outcome after April 8, 2014.

Enforcement of campus Minimum Security Standards for Windows XP hosts

Campus Minimum Security Standards for Networked Devices (MSSND) require that devices connected to the campus network only run software for which security patches are made available in a timely fashion: https://security.berkeley.edu/mssnd. After April 8th, Windows XP will no longer be in compliance with MSSND. This long-standing policy is in place to ensure the security of institutional data, and to ensure the network remains usable for the entire campus community.

Starting April 8, 2014, Information Security and Policy (ISP) will send email notices to the individual or group responsible for each Windows XP system connected to the campus network, asking that the device be upgraded to a supported operating system or else removed from the network.

Starting May 1, 2014, ISP will begin escalating these notices to blocks from the campus network.

All Windows XP devices seen on the campus network will be subject to this enforcement action.

MSSND Exceptions for Windows XP

For exceptional circumstances requiring Windows XP to remain on the campus network past April 8th, 2014, an exception request must be submitted and an exception to campus policy obtained. The exception request allows the Windows XP device to remain on the network for the specified period of time, provided that all the required compensating controls (described below) are maintained. Compensating controls are alternatives to maintaining a patched operating system. In all cases, compensating controls must be implemented for the exception to be granted.

At the end of the exception period, the Windows XP device must be retired or upgraded, or else another exception request must be filed.

Exception requests should be emailed to security@berkeley.edu with the title of "Windows XP exception request". The email must contain the following information:

  • The reason for requesting the exception
  • The machines in question, including the IP address and MAC address of each device
  • The data classification level of each device (see below, "Data Classification")
  • Which of the three device categories each Windows XP machine belongs to (see below, "Device Categories")
  • Which set of compensating controls has been implemented for each device (see below, "Control Sets")
  • The length of time for the requested exception, with a maximum of one year
  • The plan for upgrading or retiring the device at the end of the exception period

It is strongly preferred that a department requesting exceptions for multiple Windows XP machines file the exception in a single request.

Data Classification

Data classification is the starting point for how security risk is evaluated. Not all data requires the same level of protection. Public data requires very little, whereas personally-identifiable data such as social security numbers requires considerable protective measures.

The campus data classification standard ranks data from protection level 0 (low impact in the event of unauthorized disclosure) to protection level 3 (extreme impact). Protection level 0 data requires the least protective measures, whereas protection level 3 data requires the most. Computing devices, such as Windows XP machines, are classified according to the highest protection level of data they store, process or transmit. For example, if a Windows XP device is mostly used to browse the web and answer email (protection level 0), but it also holds spreadsheets with social security numbers (protection level 2), then the device as a whole is considered protection level 2.

Externally regulated data, such as data covered by PCI or HIPAA, is not eligible for exceptions. No exceptions will be granted for devices that store, process or transmit such regulated data.

To determine what compensating controls must be deployed for a Windows XP device to remain on the network after April 8, 2014, the data protection level of the device must first be established. This requires those responsible for the device to inventory the data it stores, processes or transmits, and the systems and data it has access to, and to classify the result against the standard.

More information on the data classification standard for campus is available at: https://security.berkeley.edu/content/draft-data-classification-standard

Device Categories

Besides data classification, the other major factor in evaluating security risk is the amount of data the device stores, processes or transmits. In campus policy, this is called "device type". Device type is found in the Minimum Security Standards for Electronic Information (MSSEI) found at https://security.berkeley.edu/mssei#device-use.

The three device categories are individual use, privileged use, and institutional use. An individual use device is used by a single person and contains only very small amounts of data of a given protection level. Most workstations should fall into this category, but this should be confirmed by verifying that significant amounts of data are not stored on the device. A privileged use device is typically used by an IT worker who has administrative access to information systems. An institutional use device stores significant quantities of sensitive data (500 or more protection level 2 records, or 1000 or more protection level 1 records).

Control Sets

Based on the kind of data present (data classification) and the amount of data of that type (device category), the below chart lists the available compensating control set options.

Data Protection Level              | Individual Device      | Privileged Access Device | Institutional Device
-----------------------------------|------------------------|--------------------------|-----------------------
Protection Level 0                 | Control Set 1, 2, or 3 | Control Set 1, 2, or 3   | Control Set 1, 2, or 3
Protection Level 1                 | Control Set 1, 2, or 3 | Control Set 2 or 3       | No Exceptions
Protection Level 2                 | Control Set 2 or 3     | No Exceptions            | No Exceptions
Protection Level 3                 | No Exceptions          | No Exceptions            | No Exceptions
Other regulated data (HIPAA, PCI)  | No Exceptions          | No Exceptions            | No Exceptions


To obtain an exception for the use of Windows XP on the campus network after April 8, 2014 (network blocks begin May 1, 2014), complete the following steps:

  1. Review the matrix and required control set for the systems requiring an exception
  2. Implement and document the appropriate controls on the systems requiring an exception
  3. Develop and document a timeline for system upgrade or replacement to a supported operating system
  4. Submit an MSSND exception request, including the documentation from steps 2 and 3
  5. Once an exception is approved, complete system upgrade/replacement before expiration of the exception request

Required controls for Windows XP MSSND Exceptions

Control Set 1

Appropriate for general use workstations that do not handle high risk data

  • Device must be tracked in an inventory control system, including physical location, network identity, and primary user
  • Device must be Windows XP SP3 with the latest set of security patches for this platform
  • Device must use an automated method to ensure patching/updating of 3rd party software
  • All 3rd party software must be currently supported by the vendor and regularly patched
  • Device must be secured according to the Center for Internet Security (CIS) benchmarks for Windows XP
  • Device must be running currently supported inline (on access) anti-malware software with automatic signature updates
  • General web browsing on the device must be done only using modern, supported browsers. Use of Internet Explorer (IE) must be restricted to known/trusted sites.
  • Browser plug-ins must be up-to-date and free of security vulnerabilities. If the Java browser plugin is used, it must be restricted to known sites.
  • A host-based firewall must be blocking all inbound traffic to the device from off-campus, and allow only services from on campus necessary for system management
  • If Remote Desktop services are enabled, access must be restricted to known hosts or the campus VPN service address pool
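The two firewall requirements above (block all inbound traffic from off campus, allow only on-campus management services, and restrict Remote Desktop to known hosts or the VPN pool) can be met with the firewall built into Windows XP SP3, using its "netsh firewall" command. The script below is an added illustration and is not part of the campus policy or an ISP-provided tool; the address ranges 10.0.0.0/8 (standing in for the campus network) and 10.99.0.0/16 (standing in for the campus VPN address pool) and the management agent port 8080 are placeholders that must be replaced with the real values for your department. The same script satisfies the inbound requirement of Control Set 2 if CAMPUS_NET is narrowed to the addresses of the trusted systems management tools.

```batch
@echo off
REM Added example, not from the campus policy: configure the Windows XP SP3 built-in
REM firewall so that only scoped, on-campus exceptions are accepted inbound.
REM Placeholders (assumptions, not campus values): replace before use.
SET CAMPUS_NET=10.0.0.0/8
SET VPN_POOL=10.99.0.0/16
SET MGMT_PORT=8080

REM 1. Turn the firewall on for every profile. Unsolicited inbound traffic is dropped
REM    unless it matches one of the exceptions configured below.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

REM 2. Switch off the broad built-in exceptions that are not needed on a managed workstation.
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL
netsh firewall set service type=UPNP mode=DISABLE profile=ALL

REM 3. Remote Desktop (TCP 3389) is reachable only from the VPN address pool.
REM    scope=CUSTOM with an address list is what turns "open" into "open to known hosts".
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM addresses=%VPN_POOL% profile=ALL

REM 4. The systems management agent (assumed to listen on TCP %MGMT_PORT%) is reachable
REM    only from on campus. Off-campus sources never match this exception.
netsh firewall add portopening protocol=TCP port=%MGMT_PORT% name="Systems management agent" mode=ENABLE scope=CUSTOM addresses=%CAMPUS_NET% profile=ALL

REM 5. Log dropped packets so that a blocked management connection can be diagnosed.
netsh firewall set logging droppedpackets=ENABLE

REM 6. Verify: every open port and enabled service listed here should show a CUSTOM
REM    scope; an entry with scope "All" is reachable from off campus and must be fixed.
netsh firewall show config
netsh firewall show state
```

Run the script from an administrative command prompt and keep the output of the final "show config" with the exception request as the documentation required in step 2 of the exception procedure. Note that this configuration only covers inbound traffic; as the page explains under Control Set 3, the Windows XP firewall cannot restrict outbound connections, so a device that must limit outbound traffic to known hosts needs a third-party software firewall or an upstream hardware firewall in addition to these rules.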

Control Set 2

Appropriate for special use workstations that have elevated access into lower risk institutional systems, or that handle fewer than 500 records of high risk data

  • Device must be tracked in an inventory control system, including physical location, network identity, and primary user
  • Device must be Windows XP SP3 with the latest set of security patches for this platform
  • Device must use an automated method to ensure patching/updating of 3rd party software
  • Only software necessary to perform university business must be installed on the device
  • Device must be secured according to the Center for Internet Security (CIS) benchmarks for Windows XP
  • Device must be running currently supported inline (on access) anti-malware software with automatic signature updates
  • Device must use a modern, supported browser with the minimal plugins necessary to perform university business. Use of Internet Explorer (IE) must be restricted to known/trusted sites.
  • Browser plug-ins must be up-to-date and free of security vulnerabilities. If the Java browser plugin is used, it must be restricted to known sites.
  • A host-based firewall must block all inbound traffic, except from trusted systems management tools

Control Set 3

Appropriate for special use systems, such as lab equipment, instrumentation, controllers, and other devices that do not require general Internet connectivity

  • Device must be tracked in an inventory control system, including physical location, network identity, and primary user
  • Device must be Windows XP SP3 with the latest set of security patches for this platform
  • Firewalls must be used to restrict both inbound and outbound network traffic to known hosts only
  • Device must not be used for web browsing or email

(Please note: Windows XP's built-in firewall does not provide the ability to restrict outbound traffic.  An alternative software or hardware firewall would be required to implement outbound firewall rules.  One possible software firewall solution is Symantec Endpoint Protection.)

Summary

All Windows XP machines must be upgraded or removed from the network by April 8th of 2014.

For unusual circumstances requiring the continued use of Windows XP, an exception request must be submitted and approved. All Windows XP devices seen on the network which do not have an approved exception will be subject to a network block after May 1, 2014.

To submit an exception request, send an email to security@berkeley.edu titled "Windows XP exception request" with the below information for all Windows XP machines:

  • The reason for requesting the exception
  • The machines in question, including the IP address and MAC address of each device
  • The data classification level of each device (see above, "Data Classification")
  • Which of the three device categories each Windows XP machine belongs to (see above, "Device Categories")
  • Which set of compensating controls has been implemented for each device (see above, "Control Sets")
  • The length of time for the requested exception, with a maximum of one year
  • The plan for upgrading or retiring the device at the end of the exception period