End of support for Microsoft Windows XP and Microsoft Office 2003

Download CSOC Update, End of support for Microsoft Windows XP and Microsoft Office 2003 (540K PDF), July 2014

Introduction

  1. The Australian Signals Directorate's Strategies to Mitigate Targeted Cyber Intrusions ranks timely patching of applications and operating systems as the second and third most effective strategies to mitigate targeted cyber intrusions.
  2. In April 2014, Microsoft ended support for Microsoft Windows XP and Microsoft Office 2003. Organisations yet to upgrade from this software should review their threat and risk assessments for their ICT environments and implement additional controls to reduce their risk exposure.

Intended audience

  1. This advice is intended for organisations still operating Microsoft Windows XP and/or Microsoft Office 2003.

Scope

  1. This document is separated into:
    1. mitigation strategies for organisations operating an entire Microsoft Windows XP and Microsoft Office 2003 fleet
    2. mitigation strategies for organisations that have limited remaining Microsoft Windows XP and Microsoft Office 2003 deployments to support legacy business applications.

Operating an entire fleet

  1. Organisations continuing to operate an entire Microsoft Windows XP and Microsoft Office 2003 fleet should either negotiate an extended support arrangement with Microsoft or implement the following host-based controls:
    1. Mitigation Strategy #1: Implement an application whitelisting solution, such as Software Restriction Policies (SRP). Application whitelisting, when implemented appropriately, can detect and prevent malicious code execution, network propagation and data exfiltration by an adversary.
    2. Mitigation Strategies #2 and #3: Negotiate an extended support arrangement with Microsoft for the provision of patches for security vulnerabilities in Microsoft Windows XP, Office 2003 and Internet Explorer. While an extended support arrangement won't address all security vulnerabilities disclosed for legacy Microsoft applications, it will reduce the attack surface of workstations.
    3. Mitigation Strategies #2, #5 and #29: For unsupported applications (e.g. Microsoft Office 2003 and Internet Explorer 8), either upgrade to supported versions or, if this is not possible, consider removing the application, using alternative applications to achieve similar business functionality or enabling built-in application features such as Office File Validation and Protected View for Microsoft Office. Each application upgraded, removed or replaced with an alternative generally reduces the attack surface of workstations and can assist in preventing malicious code execution.
    4. Mitigation Strategies #4 and #9: Ensure that privileged account credentials are not entered into Microsoft Windows XP workstations e.g. to administer the workstation or other applications or systems within an organisation’s ICT environment. Instead, a vendor-supported operating system should be used for these activities, and a low-privileged account used for all other non-administrative activities. Microsoft Windows XP workstations are at a higher risk of being compromised due to unpatched vulnerabilities, and lack additional security functionality of newer Microsoft Windows versions to protect privileged account credentials from being captured by an adversary and used to propagate throughout a network.
    5. Mitigation Strategy #7: Implement Microsoft's Enhanced Mitigation Experience Toolkit (EMET) on workstations. Implementing EMET for applications that commonly interact with data from untrusted sources (e.g. Adobe Reader, Adobe Flash, Oracle Java, Microsoft Internet Explorer and Microsoft Office) can reduce the risk of successful malicious code execution as well as assisting in the identification of such attempts.
    6. Mitigation Strategies #21, #25 and #27: Apply basic hardening, where possible, to workstations and user accounts. Applying basic hardening principles to workstations, such as disabling unneeded functionality or common intrusion vectors such as autorun, SMB and NetBlOS services, can assist in preventing malicious code execution and network propagation by an adversary.
    7. Mitigation Strategies #12 and #13: Implement a third-party software-based application firewall on workstations that performs both inbound and outbound filtering of traffic. A software-based application firewall can assist in detecting and preventing malicious code execution, network propagation and data exfiltration by an adversary.
    8. Mitigation Strategies #22 and #30: Ensure antivirus applications on workstations continue to be supported by vendors. If support ceases from a vendor, switch to an alternative vendor that continues to offer Microsoft Windows XP support. The use of antivirus applications on workstations can assist in detecting and preventing malicious code execution.
  2. In addition to the above host-based controls, the following controls can be implemented to reduce the likelihood of malicious code reaching workstations in the first place. These include:
    1. Mitigation Strategy #6: Implement automated dynamic analysis of email and web content in a sandbox to detect suspicious behaviour. By analysing data from untrusted sources for suspicious activity upon simulated user interaction, malicious code can be identified and blocked from reaching vulnerable workstations.
    2. Mitigation Strategies #17 and #18: Implement email and web content filtering of incoming and outgoing data to only allow approved file types. By controlling the types of data that reach workstations, organisations can reduce the likelihood of malicious code execution and as well as identifying the source of any such attempts.
    3. Mitigation Strategy #26: Prevent users from connecting portable media to workstations. Portable media infected with malicious code can result in the exploitation of vulnerable workstations. As Microsoft Windows XP workstations are more susceptible to exploitation, data transfers to such workstations should be controlled via an organisation's ICT service desk to reduce the likelihood of malicious code execution and data exfiltration.

Operating a limited deployment

  1. Organisations continuing to operate a limited Microsoft Windows XP and Microsoft Office 2003 deployment to support legacy business applications should consider implementing the following controls:
    1. Mitigation Strategy #10: Isolate Microsoft Windows XP workstations from other workstations and non-essential network services. This can reduce the risk of an adversary using a compromised Microsoft Windows XP workstation to propagate throughout a network and access other network resources.
    2. Mitigation Strategy #14: Virtualise access to Microsoft Windows XP operating environments and required applications from within a vendor-supported operating system e.g. Microsoft Windows 7. Using virtualised environments can hamper an adversary's ability to extend their reach beyond the virtualised environment and propagate to other network resources.
    3. Mitigation Strategy #23: Deny access from Microsoft Windows XP workstations to the Internet. As legacy business applications are likely to operate in a local stand-alone mode, or only require access over an organisation's intranet, restricting access from such workstations to the Internet can reduce the risk of data exfiltration by an adversary should they ever became compromised.

Additional considerations

  1. Independent of how Microsoft Windows XP and Microsoft Office 2003 are operated by organisations, additional controls can be implemented to assist in the identification and remediation of cyber intrusions. These include:
    1. Mitigation Strategies #15 and #16: Implement a robust centralised logging and auditing framework to capture and analyse both computer and network-based events. An appropriate auditing framework within an organisation can assist in identifying individual workstations that may have been compromised as well as helping to tailor incident response measures to remove infected workstations from an organisation's network.

Further information

  1. This document complements the advice listed in ASD's Strategies to Mitigate Targeted Cyber Intrusions.
  2. Further information on patching applications and operating systems can be found in ASD’s Protect publication Assessing Security Vulnerabilities and Patches.

Contact

Australian government customers with questions regarding this advice can contact ASD Advice and Assistance.

Australian businesses and other private sector organisations seeking further information should contact CERT Australia.