Windows 7 has been out of extended support for months. However, to no one’s surprise, a huge number of Windows 7 devices are still in use in the workplace across multiple industries, with around 25.6% of all devices still running the operating system; Windows 7 is not going anywhere overnight. That is not to say people AREN’T moving: the number of reported Windows 7 devices is dropping at rates similar to XP. Environments are making the move to Windows 10, it is just a much longer process than we give it credit for. So what exactly takes so long?
The issue is not with notice; we have known about EoL for a long time. The issue, as it often is with IT, is with prioritization. There are a lot of considerations and steps that go into upgrading an OS in a workplace, and the idea of disrupting workflow and ignoring current "fires" to provision for what is (or was) seen as working fine was, for many, simply not a feasible undertaking.
Check out our main Security and Compliance page for more information on endpoint security.
Pictured: An administrator NOT thinking about a Windows 10 migration
So what reasons are there to stay on Windows 7 despite the end of support? From what we've seen there are 4 main reasons given when tapping the brakes on upgrading to Windows 10, those are:
- Applications
- User Familiarity
- Policy writing
- Cost
Applications, for example, can be an issue if they are local to the machine or are specifically designed to work on a Windows 7 deployment. Applications and drivers will need to be updated to maintain compatibility with the new OS, and as we have seen before, some applications simply do not have new versions available for a new OS. Beyond that, with Windows 10 being the “final” OS to be released, there will be a constant feed of new updates pushed to the operating system that may cause further compatibility issues with existing apps and drivers. As with XP, this is a big driver for organizations to stick with Windows 7 past EoL.
The reality of it is that moving to a new OS will bring some degree of “growing pains” – a lot of this comes with simply being unfamiliar with the new OS. It takes time for users to adjust and understand the new operating system. What’s more, IT needs to take time to get used to the ins and outs of the new infrastructure.
Manually created policies, such as AD GPOs, are written specifically for the operating system of the machines inside an Active Directory and, in the case of endpoint security, are generally used to restrict end-users from accessing specific OS features. Upon upgrading to a new OS these policies must be rewritten to function in the new environment, and this rewriting can take up too much time, taking away from other projects or the day-to-day running of the environment.
We’ve been hearing about the “casualties” of Windows 7 support already; one of the higher-profile cases seen at the time of writing is this one related to the German government’s Windows 7 support and its incurred costs. Clearly, people do not want to pay the extra, annually increasing, fee for updates that they previously received for free. That said, legitimate, supported Windows 10 enterprise licenses ain't free either; in fact, the cost of the Enterprise and Pro editions of the OS can be seen as a prohibiting factor in upgrading.
All this is not to say one shouldn't upgrade, most definitely you SHOULD... However, understanding that these migrations to an entirely new OS take time, money and a lot of work, what can you do in the interim while preparing to upgrade to Windows 10?
Steps you can take to secure your environment
"Capital letter AND special character, sir"
As mentioned before, paying for updates may be too much of an ask, so outside of utilizing extended support what can you do? If moving forward with Windows 7 in 2020 you should follow these best practices at a minimum:
- Avoid untrustworthy sites
- Maintain a good antivirus and firewall
- Avoid unknown e-mails
- Implement MFA
- Block non-essential applications
- Block USB ports
- Educate Employees on attack vectors
Avoid untrustworthy sites
End-users should avoid unsecured or unfamiliar sites when browsing. Best practice would be to implement some form of web blocking or site white-listing; this way you can ensure users are keeping away from unsafe sites.
Maintain a good antivirus and firewall
Updating and maintaining your antivirus and keeping a strict firewall should be an utmost priority to help protect against malware. A good 3rd party antivirus is a must, as Windows 7 will potentially be targeted by attackers in a similar vein to Windows XP. The firewall should only allow communication from trusted or business-essential programmes.
Implement MFA
MFA is becoming a standard requirement for many companies and should be enforced in situations where security support is in question. This ensures that, should a user's password be acquired by someone outside the company, their other authentication factors provide added protection.
Block non-essential applications
Applications can cause issues and conflicts themselves, and malicious applications can run as background processes. You can help defend against this by ensuring non-essential applications are blocked from running: whitelist your vital apps and keep the rest from executing.
Block your USB ports
IT administrators need to be aware of the potential risk that leaving USB ports open can have on your environment, beyond data leakage. Malware can sit in files stored on flash drives or can piggyback off mobile devices being plugged into your Windows device’s USB port.
Educate employees on attack vectors
Above all else, employee education is a must. Basic best practices can help, but employees must understand the potential areas where malware can strike and the implications their actions can have on the security of the organization. One area in particular is e-mail security, as e-mails can commonly be attack vectors, through malicious files or simply by taking advantage of a user's lack of awareness. To put it into perspective, phishing emails caused 67% of ransomware infections last year. This really should be a focus even with a supported operating system, but it is doubly so for environments running Windows 7.
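As an added example (not part of the original post and not ThinScale code), here is a read-only PowerShell audit of the technical controls above that can be run on a Windows 7 machine to see which are actually in place. It assumes PowerShell 2.0 syntax (the Windows 7 default), that application whitelisting is done with Software Restriction Policies, and that USB mass storage is blocked by disabling the USBSTOR service (Start = 4); MFA and user education cannot be checked locally and are left out.

```powershell
# Read-only audit of the interim Windows 7 hardening controls.
# Run from an elevated PowerShell prompt; nothing is changed, only reported.

function Test-AntivirusRegistered {
    # Windows 7 exposes registered AV products via root\SecurityCenter2.
    $av = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue
    return ($av -ne $null -and @($av).Count -gt 0)
}

function Get-FirewallProfileLines($pattern) {
    # netsh advfirewall ships with Windows 7; one line per profile (Domain, Private, Public).
    $out = netsh advfirewall show allprofiles
    return @($out | Where-Object { $_ -match $pattern })
}

function Test-FirewallOnAllProfiles {
    $state = Get-FirewallProfileLines '^State\s+'
    return (@($state | Where-Object { $_ -match 'ON' }).Count -eq 3)
}

function Test-OutboundDefaultBlock {
    # "Firewall Policy  BlockInbound,BlockOutbound" = only explicitly allowed programs may talk out.
    $policy = Get-FirewallProfileLines '^Firewall Policy\s+'
    return (@($policy | Where-Object { $_ -match 'BlockOutbound' }).Count -eq 3)
}

function Test-SrpWhitelistMode {
    # Software Restriction Policies DefaultLevel: 0 = Disallowed (whitelist mode),
    # 0x40000 = Unrestricted (everything runs unless blacklisted).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $level = (Get-ItemProperty -Path $key -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
    return ($level -eq 0)
}

function Test-UsbStorageBlocked {
    # USBSTOR Start = 4 disables the USB mass-storage driver only; headsets and keyboards still work.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    return ($start -eq 4)
}

$report = @(
    @('Antivirus registered with Security Center',   (Test-AntivirusRegistered)),
    @('Windows Firewall ON on all profiles',         (Test-FirewallOnAllProfiles)),
    @('Outbound default BLOCK on all profiles',      (Test-OutboundDefaultBlock)),
    @('Application whitelist (SRP Disallowed)',      (Test-SrpWhitelistMode)),
    @('USB mass storage blocked (USBSTOR Start=4)',  (Test-UsbStorageBlocked))
)
foreach ($r in $report) {
    $status = if ($r[1]) { 'PASS' } else { 'FAIL' }
    Write-Output ("[{0}] {1}" -f $status, $r[0])
}
```

A FAIL line points at the control still to be applied (via GPO or the product of your choice); the script itself deliberately makes no changes.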
Secure your endpoints – keep users locked down and future proof your devices
The above tips can help protect your end-users, but they won’t do everything, and it is a lot to keep an eye on individually and to enforce without assistance. Throw in end-users ignoring your security practices, trying to download files, breaking past your policies and rules, or simply introducing BYOD or remote working, and it is almost impossible to keep these endpoints completely secure. So what can you do? Lock them down.
ThinKiosk & Secure Remote Worker
ThinKiosk and Secure Remote Worker are conversion suites for Windows devices that will lock down your endpoints, enforce your defined policies en masse, and provide a central point of management for all your devices through the management console. Further, the solutions can help keep your devices compliant with HIPAA, PCI DSS, and GDPR. Both solutions are fully supported on Windows 7.
ThinKiosk is designed to turn your corporate computers into permanent, hardened, software-defined thin clients, while Secure Remote Worker creates a similar environment on personal devices, launched as a secure working session.
So what is it about ThinKiosk and Secure Remote Worker that makes them the ideal solution to secure your existing Windows 7 endpoints?
- Secured UI
- Centrally managed
- Secure Browsing
- Windows integration
- Multi-Factor Authentication support
- Application & Service white & blacklisting
- USB blocking
ThinKiosk and Secure Remote Worker both run a secured UI that the end-user is completely locked into. What’s more, with Magic Filter, they cannot even utilize keystrokes to get under the shell; in fact, these keystrokes are passed right through to the active VM if one is running. This ensures users are unable to access the underlying OS and can only work within your specified parameters, so no user can even access the Windows 7 OS while they are working. In the case of Secure Remote Worker, any previous session that may have been running is logged off, ensuring an isolated working session.
Both solutions are managed by the ThinScale Management Platform. This gives admins total control over connected devices and the central deployment of policy and software updates. Administrators also have a view of reports and audits of each device in their environment, further, they can remotely isolate and disable any device.
The ThinScale Management Platform also allows you to monitor your entire estate centrally and perform an audit on all your machines. At a glance you can quickly see the active devices, the version of software the devices are running and each device's health status.
The ThinScale Management platform ensures you have total awareness and control over all machines in your environment.
ThinKiosk and Secure Remote Worker are completely compatible with any Windows applications or drivers. Our common mantra is: “if it works for Windows it works for us”, because our solutions run over a Windows OS without interfering with it. Have a VPN that is vital for your remote workers and must be local? Or a legacy app that can only be run on Windows 7? Or a specific 3rd party antivirus that you use as part of your endpoint security? We maintain complete compatibility and can provide access to these applications, and driver support, within the secured UI.
Both solutions come bundled with a secure browser that can white- and blacklist site URLs, block URL entry entirely and provide predetermined links to your end-users. This means your end-users can access their workspaces through HTML or simply access the company website while being unable to reach anything beyond, maintaining complete browsing security.
Further expanding on our Windows OS compatibility, ThinKiosk and Secure Remote Worker also allow you to control your Windows Firewall using the ThinScale Management Platform, for both inbound and outbound connections. You also get complete integration with the Windows Security Centre, where security health checks can be run using ThinKiosk and Secure Remote Worker and administrator-defined actions can then occur based on these checks passing or failing. Both integrations give you more control over these important aspects of device security in one easy-to-find location.
Multifactor Authentication is also fully supported by ThinKiosk and Secure Remote Worker, meaning even with your Windows 7 operating systems, your users’ access to their environments and resources is no less secure.
Application and Service white & blacklisting
White- and blacklist application binaries and Windows services from running in the foreground or background using Application and Service Execution Prevention. This allows you to ensure absolutely nothing can be active or running without the user or administrator knowing.
USB blocking
Completely prevent the reading of insertable drives at the driver level. This allows your ThinKiosk and Secure Remote Worker devices to prevent mass storage or mobile devices from being used on the machine via USB, while still allowing other USB hardware, for example USB headsets, to be utilized. This way your Windows 7 machines are no less functional, while still preventing the risks mass storage devices can pose to your environment.
As mentioned, it is important to upgrade to a supported operating system; it's just that we all know it can take a long time and is often approached in phases. Security should be paramount if you decide to keep working with Windows 7, and ThinKiosk and Secure Remote Worker, as well as the best practices mentioned earlier, can help make your environment more secure while you make the move up to Windows 10.