How To Safely Use Windows XP After Microsoft Ends Support
My church has several computers that now run Windows XP. But that operating system (OS) lost all support from Microsoft on April 8, 2014.
Without regular security updates, WinXP machines have become much more vulnerable to being hacked. So, we are left with the choice of either sticking with WinXP, upgrading to a newer version of Windows, or selecting a different OS altogether.
Upgrading to Windows 7 or 8.1 is simply not an option for our small church. Our vintage (read: old) computers are perfectly adequate for our purposes. But none of the new Windows versions will run on them, and buying new hardware is just not something our budget will permit at this time.
So, I’ve been investigating what alternatives we have that will allow us to continue running our applications without costing us more money. There seem to be only two realistic possibilities:
- Continue to run Windows XP even though Microsoft no longer supports it. This involves learning how to live with a greatly expanded vulnerability to malware (viruses and the like) and hacking.
- Switch to a free and well supported open source operating system such as Ubuntu Linux. Doing this would require that our volunteers learn new ways of doing things that won’t be nearly as convenient as they are used to.
After doing a lot of research, I’ve developed a plan that mostly involves sticking with WinXP, but that also relies to a small extent on the use of Ubuntu for performing critical web-based functions.
Types of attacks
There are two major ways in which criminals attempt to victimize computer users. One is the “phishing” attack in which the aim is to trick the user into providing sensitive data, such as passwords and logons, or personal information like a bank account PIN or a Social Security number. This type of “social engineering” attack probably won’t change much now that WinXP is no longer supported, since the point of vulnerability is actually the person rather than the technology.
My concern is mostly with how a hacker may try to insert malware (viruses, trojan horses and the like) onto our computers. Once that aim is achieved, an attacker has effectively gained total control of the system without the user having any idea what’s going on. And that’s where a WinXP machine that is no longer receiving security updates becomes extremely vulnerable.
The dangers of continuing to use WinXP after Microsoft's withdrawal of support
The headline in a Time Magazine article says it all concerning what computer security experts expect now that Microsoft support of Windows XP has ended: “Windows XP to Become a Hacker’s Dream in 2014.”
The reason for that dire prediction is that since the end-of-support date, Microsoft no longer provides security updates to fix the vulnerabilities that, even after more than a dozen years of use, are still being regularly found in WinXP.
In fact, experts expect that Microsoft itself will inadvertently contribute to hackers discovering previously unknown WinXP vulnerabilities. Windows 7 and 8.1 both use a large amount of code inherited from WinXP. When security updates to these new versions of Windows are released, hackers will reverse engineer them to understand the vulnerabilities they are intended to fix, and then check to see if the same vulnerabilities exist in WinXP.
That leads to what the experts call the zero-day forever scenario. “Zero-day” refers to the time between the discovery of a point of attack, and the time when a fix is released for it. With WinXP support now ended, vulnerabilities will continue to be found, but no fixes for them will ever be forthcoming. So, hackers will continue to gleefully exploit those openings for as long as WinXP remains in widespread use.
This is why experts are almost unanimous in their advice that if at all possible, users should migrate from WinXP to one of the newer Windows systems.
But for those of us for whom migrating along the Windows upgrade path is not a viable option, I believe there are steps we can take to minimize our exposure to the hacker disaster WinXP’s loss of support could bring on.
Here is what we are doing to make the computers in our church more secure.
1. Make sure that all the apps we use are fully up to date
Now that Microsoft support has ended, no upgrades to WinXP itself will be available. That makes it more important than ever that supporting applications that help keep the operating system secure be kept up to date.
Microsoft Security Essentials and the Malicious Software Removal Tool
Microsoft Security Essentials (MSE) is a free app designed to provide real-time protection against malware getting onto your PC. The Malicious Software Removal Tool (MSRT) is a free utility that checks for malware that may already be installed on your computer and helps remove it.
Microsoft will continue to update MSE and MSRT until July 2015. MSRT can still be downloaded and used. However, if you don’t already have MSE, you can’t get it! When Microsoft ended their WinXP support, they also removed the download links for MSE. But if you do have MSE, you can continue to use it.
Upgrade other apps
Any apps that will continue to be used on your WinXP system should be upgraded and kept up to date for as long as WinXP-compatible updates are available. But be prepared for app vendors to begin dropping XP support as time goes on.
You might want to check out a free program, Secunia Software Inspector, which helps to identify apps that need to be upgraded and provides links to upgrade sites.
Where possible, replace Microsoft apps with open source equivalents
With the end of WinXP support, apps like Microsoft’s Media Player that are installed with the operating system or with the Internet Explorer browser may no longer receive upgrades. We are using free, open source equivalents such as the VLC media player.
Keep antivirus software up to date
Use of effective antivirus software is the critical first line of defense in maintaining WinXP security. Since out-of-date antivirus software is essentially worthless, keeping these programs up to date is an absolute necessity.
A number of vendors of free antivirus software have announced their continued support of WinXP. AVG and Avast, for example, have promised to continue their support for at least two more years.
Check out this list of anti-virus software that will continue to be available for WinXP.
2. Use only Google’s Chrome (or Mozilla’s Firefox) as the web browser
The number one avenue by which hackers attempt to get their malware onto WinXP systems is through the web browser. A browser with inadequate security makes a computer vulnerable to what are called “drive-by downloads” in which the malicious software is installed and executed just by visiting an infected website. The user may be totally unaware that the download even took place.
The most secure web browser currently is Microsoft’s Internet Explorer 10. But IE-10 is not an option since the latest version supported on WinXP is IE-8, which falls well short in its security capabilities.
At this point, Google’s Chrome has the reputation of being the most secure browser available for WinXP, with Mozilla’s Firefox a close second. Internet security reporter Brian Krebs recently posted the results of analysts’ findings regarding an exploit kit (software sold on the underground market for use by hackers in victimizing unsuspecting PC users) called Styx:
One very interesting pattern I observed in poking at this exploit pack — and others recently — is the decreasing prevalence or complete absence of reported infections from Google Chrome users, and to a lesser extent users of recent versions of Mozilla Firefox.
This Styx installation reports installing malware on systems of just a handful of Firefox users, and against not a single Chrome user. In fact, the author of this kit freely states in a Q&A from an underground forum sales thread that his kit doesn’t even work against Chrome.
3. Use Gmail for email
Microsoft email products like Outlook or Outlook Express lost their support at the same time as WinXP and should no longer be used. Our church has settled on Gmail, Google’s free online email service, as our standard.
We chose Gmail because it benefits from all the technological muscle Google can bring to bear on the issue of email security. The malware scanning in Gmail is extremely thorough, universally applied on both the body and attachments (including photographs) of emails, and constantly updated with the best anti-malware techniques available.
Using Gmail allows all that great anti-malware filtering to take place before a malicious email ever even gets downloaded to our PCs.
4. Disable vulnerable browser plugins like Java, Flash Player, and Adobe Reader
Java is used extensively by websites to display their content. But it is well known for harboring many security vulnerabilities. Both Chrome and Firefox now disable Java by default, requiring a user to make an explicit decision to allow it to run on trusted websites.
Because of the security vulnerabilities in Adobe’s Flash Video player and its Reader app for viewing PDF files, the Chrome browser now has these capabilities built in, so that the Flash and Reader add-ons are no longer necessary to perform these functions.
Experts recommend uninstalling these browser plugins or add-ons even if you never use them, to reduce the number of possible openings your PC presents to an attacker. Just by being present on your computer they put it at risk.
5. Use both hardware and software firewalls
According to Microsoft, “The most effective and important first step you can take to help protect your computer is to turn on a firewall.”
A firewall functions like a security officer guarding each entrance and exit of the premises, and determining who can go in and out. So, the firewall serves to restrict which outside sources can gain access to the computer over the internet, and what information the computer can send out.
Computer system firewalls are implemented both in hardware and software, and ideally both should be employed.
Our church’s internal network includes a router with a built-in hardware firewall. In addition, we will also employ a software firewall. Since WinXP’s built-in firewall became unsupported when WinXP did, we are installing the ZoneAlarm free version as our software firewall.
6. Keep vital documents in the cloud on Dropbox
Our systems are all connected with free Dropbox cloud network accounts [see How To Use Dropbox as a Free Cloud Network for a Small Church]. Documents saved to the Dropbox folder on any of the machines are automatically synched on every other machine in our network, and also stored in the “cloud.”
This provides several advantages. First, all documents are available on any church computer. Second, because documents are saved not only locally, but also on Dropbox’s servers, they are automatically backed up with no additional effort on our part. And Dropbox keeps several previous versions of each file, allowing recovery if a file is corrupted.
We access the Dropbox folder on our systems as just another drive – in our case, the N: drive. By making sure to save critical documents or files only to that drive, we should be able to recover even if one or more of our computers is compromised.
If you are interested in Dropbox, you can open a free account here.
7. Allow users to log in only under a non-Administrator account
In WinXP, accounts with Administrator privileges have access to everything on the computer. That means that malware executed under an Administrator account has unrestricted access, and can do maximum damage. The accounts used on a daily basis by users or even administrators should not have Administrative privileges.
Here are the procedures we will observe:
- Each account will require a password in order to log in.
- The accounts under which the bulk of users log in will not have Administrator privileges.
- Even administrators will do most of their work logged in as a regular user. Administrator accounts will be used only for functions that truly require those privileges.
- Administrator accounts will not carry a name that indicates they are Administrator accounts. Hackers look for accounts with that name, and then use various methods to attempt to determine the password. You might also set up a dummy account bearing the Administrator name to deflect potential intruders from the real one. An added advantage of that is that any attempt to access the dummy account can serve as an alert that the computer is being targeted for intrusion. Further information on doing this can be found at Suggested Best Practices for Securing Windows.
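One way to check that a machine actually follows these rules, shown here as an added example that is not part of the original article: the Python script below reads the text printed by the built-in commands net localgroup Administrators and net user NAME, and reports every account that breaks a rule. The sample output and the account names (Office, Keeper7) are constructed for illustration, and English-language command output is assumed.

```python
import re

# Constructed, trimmed sample of `net localgroup Administrators` output.
SAMPLE_GROUP = """Alias name     Administrators

Members

-------------------------------------------------------------------------------
Administrator
Office
Keeper7
The command completed successfully.
"""

# Constructed `net user <name>` output, trimmed to the one field checked here.
SAMPLE_USERS = {
    "Office": "User name                    Office\nPassword required            No\n",
    "Keeper7": "User name                    Keeper7\nPassword required            Yes\n",
}

def admin_members(group_output):
    """Account names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in group_output.splitlines():
        if line.startswith("-----"):
            in_list = True
        elif in_list and (not line.strip() or line.startswith("The command")):
            break
        elif in_list:
            members.append(line.strip())
    return members

def password_required(user_output):
    """True only if the account is explicitly marked as requiring a password."""
    match = re.search(r"^Password required\s+(\w+)\s*$", user_output, re.MULTILINE)
    return bool(match) and match.group(1) == "Yes"

def audit(group_output, user_outputs, daily_users):
    """Return a list of findings that break the account rules listed above."""
    daily = {name.lower() for name in daily_users}
    findings = []
    for name in admin_members(group_output):
        if name.lower() in daily:
            findings.append(name + ": daily-use account is in Administrators")
        if "admin" in name.lower():
            findings.append(name + ": privileged account name gives away its role")
    findings += [n + ": password not required"
                 for n in sorted(user_outputs) if not password_required(user_outputs[n])]
    return findings
```

To use it, run the two commands at a Command Prompt on each WinXP machine, save what they print to text files, and pass that text to audit() on any computer that has Python. An empty list means the machine passed all three checks.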
8. Use application and web site whitelisting
WinXP supports application whitelisting, which allows only specified applications to run on the computer. No others, including downloaded malware, will be allowed to execute.
Similarly, browser whitelisting allows a user to access only pre-approved websites. Both Chrome and Firefox have add-ons for whitelisting.
Since our church computers are expected to run only a limited list of applications, we will set up our application whitelists to restrict our machines to running only those applications. We will also identify a set of websites that might reasonably be accessed for church business, and restrict our browsers to only that list.
When general web browsing is required, as it sometimes is, it will be done by logging in under Ubuntu.
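When drawing up the list of approved websites, how an address is matched against the list matters as much as the list itself. The Python sketch below is an added example, not part of the original article or of any browser add-on: it compares the host name of an address against a constructed list of approved sites, and shows next to it the simple text-search shortcut that lets look-alike addresses through. The site list and the look-alike addresses used to test it are made up for illustration.

```python
from urllib.parse import urlsplit

# Constructed list for illustration; a church would enter its own approved sites.
ALLOWED_SITES = {"mail.google.com", "dropbox.com"}

def site_allowed(url, allowed=ALLOWED_SITES):
    """True if url is http(s) and its host is an approved site or a subdomain of one."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return False  # malformed address: refuse rather than guess
    if parts.scheme not in ("http", "https") or not host:
        return False
    # Match whole name segments only: "dropbox.com" covers "www.dropbox.com"
    # but not "notdropbox.com" or "dropbox.com.lookalike.example".
    return any(host == site or host.endswith("." + site) for site in allowed)

def naive_allowed(url, allowed=ALLOWED_SITES):
    """The mistake to avoid: searching the raw address text for an approved name."""
    return any(site in url for site in allowed)
```

Any whitelisting add-on you choose can be tested the same way: after entering your list, try a few harmless made-up addresses of the look-alike kind and confirm the browser blocks them.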
Here are some resources for more information regarding whitelisting.
9. Train users in safe web practices
To operate safely with WinXP’s post-support vulnerabilities, users will have to be much more careful in their use of the internet. Here are some practices we will train our users to observe.
- No recreational web surfing on church computers, and no surfing to unknown websites. This will be enforced through website whitelisting. (Unrestricted web surfing can be done by logging in under Ubuntu rather than WinXP).
- Always heed browser warnings about possibly malicious or infected websites!
- Never download anything! And never click on upgrade requests – report them to the System Administrator.
- Never use WinXP for sensitive activities like banking. Such functions will be done only under Ubuntu.
- No loading of files from home with USB memory sticks (or floppies).
- No accessing of personal social media, including Facebook and Twitter.
- Never enable Java, Flash, etc., even if the browser asks.
Eventually WinXP will have to be replaced
In reality, we know that all these measures are stopgaps. Even though millions of computers around the world continue to use WinXP, it is well into the process of becoming extinct. In two or three years, vendors of critical software applications, like browsers and anti-malware apps, can be expected to finally follow Microsoft’s lead and drop WinXP support altogether.
So, we will take advantage of the techniques outlined above to get a few more years of grace. But at the same time, we’ll be planning for the day when nothing we can do will keep WinXP viable as our operating system of choice.
© 2014 Ronald E. Franklin