The end of life for Windows 7 and Windows Server 2008 and 2008 R2 is coming January 15, 2020. This means that support is coming to an end. On this date, these OSes no longer check certain compliance checkboxes for safe usage.
The biggest impact is going to be on security for the OS itself, but this impacts the whole site. Once these reach end of life, there will be no support whatsoever for critical bugs or massive security holes. That newest zero-day? There’s nothing that can be done about it most likely.
What Should You Do?
You need to be ready so your clients can stay safe. You and your client are sitting on a ticking time bomb if you haven’t started preparing to move already. You still have plenty of time to research and get ready, but only if you start as soon as possible. Moving from Windows 7 and Server 2008 (R2) can be difficult, but less so with a little bit of planning.
Workstations are easy to get away from in most cases, but servers are a bit harder. If you can, this is also a great opportunity to sell the client on newer hardware, both to get out of the predicament and to outpace the natural inflation of hardware requirements for software. Naturally, this isn’t always possible depending on the client and depending on how new the hardware they’re running is. If the machines have been sitting around since much earlier in the support cycle for Windows 7, your users will probably welcome an upgrade.
Licensing and software compatibility are two factors to look into heavily for migrating. A great server from a few years ago can be a huge expense to license a newer version of Windows Server on, but an okay server with a cheaper license (OEM discount, fewer cores, etc.) can even end up cheaper than what you get back selling the old server. SQL Server and Exchange can further complicate the licensing situation, however.
Software compatibility is another huge factor in the migration process. Some specialty software just plain doesn’t run on newer OS versions. There are complex ecosystems which are centered on a specific OS version and require an almost complete repurchase of every piece of the ecosystem to upgrade to a new OS in the first place.
These limitations can impact budgets pretty heavily depending on the size and scope of upgrades required. This is something which should be planned from day one of deploying a server (specifically, how to plan a budget around the next jump and when it should be), but is often overlooked. Computers, despite their relative upgradability, are not one-time purchases.
Making a Plan
If you or your clients care about security, you will move or at least limit the damage an older box can do. If you haven’t built upgrade cycle budgets into hardware budgets, you need to start as soon as possible. A server or workstation should have a planned lifespan, and the money should be allocated for the replacement as soon as it hits end of life. “If it ain’t broke, don’t fix it,” doesn’t quite cut it for security or future-proofing.
Staging upgrades in over the next few months can also help your clients. This can reduce the perceived cost and make upgrades a bit more predictable. It also gives the clients time to get used to the change. Staging the upgrades in from the most technical or least impactful employees (e.g. interns) at the company to the least technical or most impactful (e.g. C-suite) can help build inertia for deployment and help the company adjust without as much impact.
Overcoming the Limitations
There are machines which cannot sanely be upgraded. There are several methods to overcome the limitations of the upgrade cycle. The two most common tactics are virtualization or partial air-gapping (or getting as close as possible) for the affected machines. These are not completely isolated tactics, however, and are best combined if possible.
Virtualization is the most common tactic to get around upgrades and the safest. There are still many Windows XP VMs floating around. From old accounting software to legacy industrial systems, there are plenty of reasons to keep XP around. The more specialized the environment, the harder it is to move away from it or even upgrade it depending on the upstream vendor or cost.
For software which just won’t work outside of Windows 7 or Server 2008, most of which actually predates Windows 7 or Server 2008, virtualization is an easy step with modern Windows and decently modern hardware. A P2V migration may be a good idea for these scenarios. For workstations, this is pretty straightforward, especially when the machine is being upgraded because it’s usually too old for Windows 10 to be practical, but it can get a little harder with servers.
For servers, you want to make sure you have a suitable host, and you want to strip the server of as many roles as possible. The less access and privilege this server has on your network, the better. Even if it is less than ideal, it is also a good idea to try to avoid consolidating these servers too much. The more specialized they are, the more exact their privileges can be, which limits security holes when intelligently applied.
Partial Air-gapping (Or Getting As Close As Possible)
Air-gapping is the practice of separating a machine entirely from the outside world. While complete air-gapping probably isn’t going to be too practical in most cases, the general principle should be followed as much as possible to partially air-gap a machine. A box which is inaccessible is not going to be practical to compromise. Every layer of convenience adds another face to the attack surface for these weak points.
Block as much traffic as possible to the given machine. If it was on a domain, take it off. If it has to be on a domain, spin up a secondary domain specifically for it. This limits the attack surface substantially and reduces what a successful attack can do.
If you need file shares, use a clean machine as an intermediary. Have multiple shares and use the intermediary as a jump box of sorts for transfers. Have a limited share between the intermediary and the old agent, and a share between the intermediary and the rest of the network. This adds a layer of complexity, but helps with safety.
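One way to apply the traffic blocking and the intermediary share on the legacy machine itself, as an added example that is not from the original article. It assumes the clean intermediary hosts the limited share and that the legacy machine only ever connects outward to it; the address 192.0.2.10 and the rule name are constructed placeholders.

```powershell
# Added example, not from the article. Run from an elevated PowerShell prompt on the
# legacy Windows 7 / Server 2008 R2 machine; netsh advfirewall ships with both.
# Assumption: 192.0.2.10 is a constructed placeholder for the clean intermediary,
# which hosts the limited share and is reached by IP (no DNS needed).
$Intermediary = '192.0.2.10'
$Backup       = "$env:SystemDrive\fw-before-lockdown.wfw"

# Save the current policy first; roll back with: netsh advfirewall import $Backup
netsh advfirewall export $Backup

# Firewall on for every profile. Inbound is refused even where an old allow rule
# still matches (blockinboundalways); outbound is refused unless a rule allows it.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinboundalways,blockoutbound

# The one flow this machine needs: SMB sessions it opens to the intermediary.
netsh advfirewall firewall add rule name=LegacyToIntermediarySMB dir=out action=allow protocol=TCP remoteip=$Intermediary remoteport=445

# Record what gets dropped so a broken dependency or a probe shows up in the log.
netsh advfirewall set allprofiles logging droppedconnections enable

# Outbound allow rules that were already enabled still apply under blockoutbound.
# List them and disable any the machine does not need.
netsh advfirewall firewall show rule name=all dir=out
```

With inbound connections always blocked, remote administration of the machine stops working, so manage it from the hypervisor console if it has been virtualized.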
How Many Are Out There?
Windows 7 usage sits at about 30%. A subset of our environment (just over 27,000 Windows agents for this example) shows that Windows 7 and all Server 2008 derivatives are sitting at around 30% as well. The general trend seems to remain the same for both business and overall usage. The overall number is in free fall, but still has a ways to go. In enterprise, it is a bit harder to pin down exactly what is going on.
Obstacles to Upgrades
The only thing which is really holding the numbers back is the lack of a viable alternative for most users. Windows 10 tries to be Windows 7, but misses the mark with both IT professionals and users. The majority of shifts happened during the free upgrade period, and newer shifts to Windows 10 are from machines dying rather than planned upgrades. Some clients even lament the loss of their Windows 7 machines. Some businesses were even buying old keys from salvage machines up until a few months ago. The Windows Update and upgrade system is maddening without moving to Windows 10 Enterprise.
From a server perspective, it doesn’t really offer enough to compel upgrading perfectly functional servers either. The licensing nightmare that is Windows Server further exacerbates the problem. Hopefully, Microsoft thinks to implement a smoother, more transparent plan to move servers (besides their push to Azure). I personally doubt they will as a power play, since they know many businesses’ hands are tied due to compliance.
Ultimately, servers may hang on due to licensing, but the vast majority of workstations are going to have to be upgraded for both security purposes as well as pragmatic purposes. Newer software updates will begin shunning Windows 7 and Server 2008 the same as Windows XP back in 2014. It won’t start all at once, but within a year or two, the vast majority of applications which work on Windows 7 will work by lack of change rather than support.
It can be pricey and painful, but it is ultimately necessary. Try to amortize it out where possible and be ready to keep key infrastructure pieces secure which cannot be upgraded. If a client refuses to upgrade, they open themselves up to more and more security compromises which can bring down their business, which hurts both them and you. There really isn’t much of a choice but to upgrade, or to try to continue supporting a device past the point of obsolescence, which weakens their business and yours.
by Sage Driskell