Securing out-of-lifecycle systems

I have a confession to make about our business: we still have one PC running Windows XP.


Fortunately I’m not alone. Recent data obtained by NetMarketShare indicates that just over one percent of computers worldwide are still running Windows XP even though Microsoft stopped releasing security fixes for the platform seven years ago. And while most of those millions of PCs running XP are probably used by older individuals in rural areas or countries with low GDP, I know of a few businesses here in my own hometown of Winnipeg, Canada that still need XP around to run some essential legacy software or control some key industrial equipment to ensure the continued operations of their business processes.

Now if those computers are not connected to the Internet and are properly physically secured, then I suppose it’s OK to keep using them to run that big ugly ACME Widget machine or whatever. Because the Internet is the most dangerous place to be nowadays, it’s probably fine to keep using an old operating system that hasn’t been patched in years as long as it stays offline. And to ensure the machine is secure against physical access you may want to lock it away in a cage or closet, pull out the floppy disk drive and CD-ROM drive, and squeeze some Gorilla Glue into the USB ports on the front and back of the machine. Of course you also have to keep your old system hardware running properly, so don’t forget to scrounge around for spare parts and hoard them in case something burns out in those old PCs. And don’t forget to clean out the dustballs.

But what if you need your XP machine to be online? In that case you’ve got a problem. Here are a couple of steps you might want to consider to prevent your entire network from getting compromised because of having one out-of-lifecycle system that hasn’t been properly secured.

Install antivirus software on your PC

This can be a problem. Back in February of this year Norton announced that they were no longer going to support Windows XP with their popular suite of protection software. This means you may need to look around for another antivirus product to keep your old Windows XP box protected from the nasties floating around on the Internet. Fortunately there are still several of these you can choose from.

My own favorite alternative for small businesses is Avast, but even they have announced that while they’ll still provide definition updates for their antivirus software running on XP, they won’t be able to provide you with the exciting new bells and whistles that come with newer versions of their program. Not that you would need them though, probably.

If you’re in the market for something free in terms of antivirus for Windows XP then you may want to follow the suggestion of one of my colleagues and look into ClamWin. ClamWin is a free antivirus product that is used by more than 600k users worldwide and works on Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP, Windows Me, Windows 2000 and—wow—even Windows 98! But not on Windows 95 or Windows 3.1 or MS-DOS 6.22 apparently—schade. While this sounds too good to be true, the reason this software can do what it purports to do is that it’s licensed under the GNU General Public License (GNU GPL) by the Free Software Foundation. Software like this usually takes a bit more effort to set up and maintain than commercial products, but if you’re into Open Source stuff like Linux then running ClamWin on XP should be a breeze.

Create a really tight network to run your PC on

In addition to running an antivirus program on your old XP box—or as an alternative if you like living in the risky fast lane of business and life—you might want to consider hardening how XP is deployed on your company’s network. There are several steps you can perform to do this depending upon how your XP machine is being used in your environment.

You could run XP in a virtual machine on a virtualization host using Hyper-V, VMware or VirtualBox. Note however that this can be tricky since XP is no longer a supported platform. To install XP on a VM in Hyper-V for example you must use a Gen 1 VM, not Gen 2, and you’ll also need the Integration Components from an older version of Hyper-V’s vmguest.iso. You can read more details here. Then once you’ve got XP running in a VM you can configure the virtual network on the host so that it has only the connectivity you want with the rest of your network.

A second option you might consider, whether for physical or virtual XP machines, would be to put your XP machine in its own VLAN and allow only specific inbound and outbound ports and protocols in the firewall on your machine. In other words, you isolate it so it can only talk to the systems you want to allow it to talk to, both on your network and on the Internet. Depending on what you want your XP machine to be able to do, this approach will take a bit of effort to get working properly, but tweaking stuff is part and parcel of what the job of being an IT professional is all about.
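Here is that second option written down as a default-deny allow-list and checked against flow records, as an added example that is not part of the original article. Every address, port and role in it is constructed for illustration; in practice the flows would come from your firewall or switch logs, and you would run the check before and after tightening the rules.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    direction: str  # "out" = from the XP host, "in" = towards it
    peer: str       # CIDR of the system allowed to talk to the XP host
    proto: str      # "tcp" or "udp"
    port: int       # destination port of the flow

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int

XP_HOST = ipaddress.ip_address("10.99.0.10")  # constructed address in the XP VLAN

# Constructed allow-list; anything not listed here is denied.
ALLOW = [
    Rule("out", "10.99.0.20/32", "tcp", 502),  # hypothetical ACME Widget controller
    Rule("out", "10.20.0.8/32", "tcp", 80),    # hypothetical internal AV definition mirror
    Rule("in", "10.20.0.0/28", "tcp", 3389),   # hypothetical admin workstations
]

def verdict(flow: Flow) -> str:
    """Return 'allow', 'deny', or 'ignore' (flow does not involve the XP host)."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if src == XP_HOST and dst != XP_HOST:
        direction, peer = "out", dst
    elif dst == XP_HOST and src != XP_HOST:
        direction, peer = "in", src
    else:
        return "ignore"
    for rule in ALLOW:
        if (rule.direction == direction and rule.proto == flow.proto
                and rule.port == flow.dport
                and peer in ipaddress.ip_network(rule.peer)):
            return "allow"
    return "deny"  # default deny: no rule matched

def violations(flows):
    """Flows touching the XP host that the allow-list does not permit."""
    return [f for f in flows if verdict(f) == "deny"]

# Constructed flow records standing in for firewall log entries.
SAMPLE_FLOWS = [
    Flow("10.99.0.10", "10.99.0.20", "tcp", 502),   # XP -> controller
    Flow("10.99.0.10", "203.0.113.7", "tcp", 80),   # XP -> Internet host
    Flow("10.20.0.3", "10.99.0.10", "tcp", 3389),   # admin -> XP
    Flow("10.20.0.40", "10.99.0.10", "tcp", 445),   # other LAN host -> XP
    Flow("10.20.0.3", "10.20.0.8", "tcp", 443),     # unrelated traffic
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{verdict(f):6} {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

Any flow reported as a violation is either a rule you forgot to add or traffic the XP machine should not be sending or receiving.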

Or you could junk that old machine and buy a brand new spanking Windows 11 box to run that ACME Widget machine.

Oh wait, the controller software for that device only runs on Windows XP.

