Obsolete platforms security guidance

Created:  27 Nov 2015
Updated:  19 May 2017
Short-term steps to take when you can’t move off out-of-date platforms and applications straight away.

All software will eventually become out of date, after which point  - ideally - it should not be used. This guidance provides advice to organisations who are unable to fully migrate away from obsolete software prior to its end of support date.

Note: this guidance does not provide a risk-free way of continuing to use obsolete products, but will help to reduce the risks of doing so. The only fully effective way to mitigate this risk is to migrate away from the obsolete product.


The problems with obsolete software

Using obsolete software compounds two related problems:

  • the software will no longer receive security updates from its developers, increasing the likelihood that exploitable vulnerabilities will become known by attackers
  • the latest security mitigations are not present in older software, increasing the impact of vulnerabilities, making exploitation more likely to succeed, and making detection of any exploitation more difficult

In combination, these issues mean that high-impact security incidents become more likely to occur, including malware exploiting ‘wormable’ vulnerabilities, which can cause catastrophic impacts across an entire organisation.

When a product is no longer supported by its developer, there are limits on the mitigations that will be effective in protecting against new threats that will emerge. Over time, new vulnerabilities will be discovered that can be exploited by relatively low-skilled attackers. No combination of the mitigations described below will remove the risks posed by a vulnerable operating system remaining in active use, so you should work in parallel to migrate away from the obsolete software.

The following steps apply to any software (client or server operating system, or end user application) which is approaching the end of its support period.

Step 1. Migrate away from obsolete software

It is vital that all organisations only use software products which are supported by the vendor, and that plans be made to migrate from older products as the end of support period is reached. After these dates, there will be no security patches published for these products, and any vulnerabilities found will remain exploitable by low-skilled attackers permanently.

To migrate away from obsolete software, we advise that:

  • No new deployments of such obsolete technologies should be undertaken, and organisations should limit investment on obsolete technologies (for example, no new applications should be deployed which require obsolete operating systems).
  • The upgrade of high risk end user devices and servers should be prioritised. These include systems used for corporate remote access, as they will both be subject to greater physical threat and be more susceptible to network-borne attacks. Devices that can access more sensitive information or services, including personal data, should also be prioritised.

Where it proves impossible to complete the migration before the end of the support period, additional mitigations will be needed to help reduce the likelihood of compromise and to minimise the harm should a compromise occur. These are discussed below.

Finally, even if one component of a system is obsolete, always continue to update and patch the other components of the system. For example, continue to update browsers and anti-malware products, even if the underlying operating system no longer receives updates.

Step 2. Apply short-term mitigations

Weaknesses that are found in unsupported products will remain unpatched and will be exploitable by relatively low skilled attackers. There are two types of mitigations that can be used to reduce the risk:

  • reduce the likelihood of compromise by preventing the devices from accessing untrusted content (effectively making it hard for malicious content to reach the device and exploit it)
  • reduce the impact of compromise by preventing access to sensitive data or services from vulnerable devices (so even if the devices are compromised, the damage will be minimised)

An effective mitigations plan will require a combination of these two approaches.

Step 3. Apply mitigations to reduce the likelihood of compromise

Exploits based on malicious data can only be successful if the data can actually reach a vulnerable product. If untrusted data is prevented from reaching a system, then the likelihood of malicious content reaching the vulnerable system is lowered, and so the risk from malicious content is reduced.

Routes by which malicious data could reach obsolete software include email, web browsing, file shares, network ports, and removable media. We recommend that these routes be reduced for vulnerable devices. Servers should not be used for end-user activities (such as email or web browsing), and data flows to unpatched servers should be carefully considered and reduced wherever possible.

Data and files sourced from the Internet should be treated as untrusted even if originating from a known third party. Data retrieved from enterprise storage services should also be treated as untrusted if its source was originally external.

3.1 Prevent access to untrusted services

Implement technical controls to prevent access to external untrusted services from vulnerable systems. This should include preventing access to external email and preventing the device from browsing the Internet via a native web browser (indirect access e.g. via a thin client is possible). These controls will not be effective if they are not technically enforced.

By preventing access via email and the web browser to untrusted content and services, two of the most likely attack vectors for client systems are removed.

3.2 Reduce use of untrusted services

As it may not be possible to fully prevent access to all external untrusted services without adversely affecting business functions, it is possible to slightly reduce the risk of compromise by ensuring that access to content, particularly active content or media (e.g. macros, browser plugins), is either disabled or done only by a manual action. This can reduce the risk of 'drive-by download' attacks.

There is no way to completely mitigate the exposure of an unpatched web browser to malicious web content, beyond blocking access to the Internet entirely. However, the risk can be lowered by blocking access to rich web content, scripting and by using of a gateway that scans all incoming content for malicious content.

3.3 Prevent access to removable media

Access to removable media should be prevented as it can be used to transport untrusted content. It is also important to consider devices such as smartphones and tablets, which can be used to transfer media, and, if compromised, can also launch attacks against devices they are connected to. Access to removable media and any connected devices can be controlled through numerous third party products and through some BIOS configuration pages.

3.4 Convert obsolete client systems to thin clients

Convert any obsolete machines to thin client devices and use them only as an access mechanism to trusted internal services, such as a VDI environment. By using them as a thin client it is possible to avoid the need for the device to directly process untrusted content. Web browsing, for example, can be performed via a VDI environment running a patched modern browser, and business productivity applications can be accessed in a similar way. This allows the remote session to run supported, patched software, even if the client device used to access services cannot. The remote system should be configured to prevent transfer of data back to the client device using features such as clipboard sharing and file transfers.

This mitigation can be strengthened by ensuring the client devices are in a separate Active Directory forest to the VDI images and other enterprise services.

3.5 Remove network access for remote workers

When an obsolete device is connected to untrusted networks via its network interfaces, it is directly exposed to external network-borne attacks. The only technical mitigation available would be to disable/remove all network access from the device, effectively making them stand-alone devices. This is clearly only possible if the applications on this device do not require access to network services.

Alternatively, the device could be connected to a physically or logically separate network which only has those obsolete applications and their required services on it, which has no external connectivity through which malware could get in. However this would enable malware to spread very quickly should this network be compromised.

3.6 Remove remote access from obsolete client devices

Some remote access solutions include end user device posture checks on incoming connections. It may be possible to use these posture checks to enforce barring of obsolete client devices from remotely accessing corporate systems. This will reduce the risk of the enterprise network being exposed to a compromised unpatched device. This control would only help protect the enterprise network from attack; it does not protect any data stored or cached on a client device.

Where organisations expose some of their internal services to unmanaged end user devices (i.e. in BYOD scenarios) this control is also likely to be useful to ensure that users do not remotely access organisational information from devices known to be vulnerable.

3.7 Remove unneeded services from obsolete servers

Obsolete servers should be checked to ensure that the services they offer are minimal. Those services which are not required to support the business function of the server should be turned off. Wherever possible, migrate required services from obsolete servers to modern, supported, servers. It is recommended that obsolete servers are not used to provide VDI services, or other remote desktop facilities, where there is any expectation of separation between users or where the remote desktop / VDI solution is being used to provide security separation within a network.

3.8 Remove remote access to obsolete servers and services

Obsolete servers are likely to have unpatched vulnerabilities, and fewer exploit mitigations to help prevent those vulnerabilities from being exploited. To reduce the attack surface, these services should not be exposed to untrusted networks such as the Internet. Intrusion prevention services and application firewalls can be used to help defend against attacks, as can protocol breaks through the use of reverse proxy servers.

Step 4. Apply mitigations to reduce the impact of compromise

An unpatched end user device that is directly exposed to malicious content is likely to result in successful compromise. The impact of compromise can be reduced by controlling access to enterprise services hosting sensitive data and improving the ability to detect attacks.

4.1 Remove access to services from obsolete clients

The level of access granted to obsolete devices into an enterprise environment should be restricted to only those functions which are absolutely critical. Implementation of this mitigation will require network separation and zoning controls to be used.

4.2 Re-image/wipe devices regularly to attempt to remove any resident malware

Obsolete platforms will be more likely to contain malware from a previous compromise so they should be regularly re-imaged to remove any malware present. However, it is important to remember that this will only temporarily sanitise the devices; the vulnerability the malware used initially to gain a presence on the platform will continue to work after the device has been re-imaged, so the device will still be vulnerable to attack.

4.3 Treat obsolete systems as unmanaged or untrusted

Where obsolete client devices continue to be used within an organisation, we recommend that they be treated as untrusted devices and given constrained access. Obsolete servers should be treated by the wider enterprise as being untrusted, and data and services they offer should be handled accordingly.

4.4 Network zoning

By zoning the network it is possible to reduce the ability for malware to spread laterally through an enterprise. The traffic flows between zones should be well defined, providing the ability to block and prevent unauthorised communications, such as those made by malware trying to reach its command and control systems.

It must be assumed that successful attacks against obsolete or unpatched operating systems are likely to be able to subvert the controls provided by any software firewall in that operating system.

Appropriate internet gateway mitigations, such as using an authenticated outbound proxy, will help ensure that internet-bound traffic flows are authorised. Also by using website reputation filtering it is possible to reduce the likelihood users can reach malicious sites.

Obsolete servers should be placed into network zones that minimise the traffic which can reach them. Access to those zones should only be granted to clients with a need to communicate with servers in those zones. Consider using an air gap if feasible.

4.5 Protective monitoring capability improvement

For the times in which the enterprise environment is at higher risk (e.g. when running obsolete software) it is especially important to ensure an effective and proactive protective monitoring capability is in place. Many organisations often have the ability to record security events but do not proactively alert or take action based upon those events.

4.6 Anti-malware and intrusion detection products

Products such as antivirus, host-based and network-based intrusion detection systems can be used and will continue to offer some benefits in detecting malicious code. Their effectiveness may be reduced as the products may not be updated when running on an unsupported operating system and signatures may not be tuned to detect attacks targeted at obsolete systems.

4.7 Incident response

Timely response to security critical events becomes increasingly important if obsolete and vulnerable software is present within the enterprise environment. Actions to contain and eradicate the compromise should be swift to try and reduce any compromise spreading.

Step 5. Understand third party connections

If third party organisations use their own devices within or to connect in to your environment (for example, suppliers that manage services within your enterprise environment) it is important to understand whether they are running obsolete and vulnerable software which could pose a risk to your systems - and to take action to address such risks.


Appendix: Specific mitigations for Microsoft products

The ‘end of support’ dates for products such as Microsoft Windows and Microsoft Office should be understood, and effective plans made for migration to alternative, supported products. 

1. Office file types

If you have a requirement to keep an obsolete version of Office installed, consider applying controls to prevent the file types that Office can open being transferred through gateways. Alternatively, using online productivity suites such as Office 365 in the browser, and configuring email attachments to automatically open online, can lower the risk of exploitation. 

Windows can be configured to prevent Office files from being opened by default in the obsolete Office version. A PowerShell script follows which can be used to find file extensions that will be opened using Office and Media Player. Removing the registry key settings identified by the following PowerShell script will achieve this. A similar script could be created for other versions of obsolete software.

Get-ChildItem HKLM:\Software\Classes -Recurse -ErrorAction SilentlyContinue | foreach {
  if($_ -match "\\shell\\[a-zA-Z0-9]*\\command$")
  $path = $_
  #Search for filetypes associated with Windows Media Player
  if($path.GetValue('') -match "wmplayer.exe")
  Write-Host -ForegroundColor Green $path
  #Search for filetypes associated with Office 2003
  if($path.GetValue('') -match "Microsoft Office\\Office11")
  Write-Host -ForegroundColor Green $path

Note that appropriate testing should be carried out before implementing this across the estate. If third party products handle some files in the list that are produced by the PowerShell script above, then those file extensions could be removed from the list to ensure that only file types still associated with those products are disabled.

2. Deploy EMET

Some of the older Microsoft platforms still have a supported version of the EMET available. This tool makes it harder for some vulnerabilities in the platform to be exploited, but will not completely prevent attacks.

3. Custom Support Agreement (CSA)

The CSA is a paid for service available to customers who have a Microsoft Premier Support agreement. Under such an agreement Microsoft will supply both Critical and Important security updates (Important updates are available at an additional fee). The types of updates that will be available via the CSA will be similar to those that would be available to a product in ‘extended support’, but will need to be installed manually as they will not come through Windows Update.

Once a product goes into extended support there is no guarantee that all future security vulnerabilities will be addressed and so it should not be seen as a long term alternative to full migration to a modern supported operating system.

Was this guidance helpful?

We need your feedback to improve this content.

Yes No