“Microsoft has warned users clinging to Windows 7 and Windows 8.1 that the end really is near.” “Windows 7 went out of support in 2020, but Microsoft recognized that many enterprises were quite happy where they were. For a fee, it made Extended Security Updates (ESU) available, which would at least deal with security patches.”
Released in 2009, Windows 7 outlived its successor Windows 8. The time has now come to say goodbye. If Windows is your thing, Microsoft would be more than happy to direct you to 10 or 11. There are also plenty of alternatives out there these days.
The other stick being wielded by the Windows vendor is the ubiquitous Microsoft 365 suite. With the Windows 7 ESU program gasping its last on January 10, 2023, along with support for Windows 8.1, Microsoft 365 apps running on the deprecated code (including Windows Server 2008 R2) will also stop receiving security updates.
Over time, applications and hardware often become "legacy." Although they still work, developers and manufacturers tend to phase out older products after they’ve served their purpose. For enterprise-size organizations with many assets or offices in several geographic locations, upgrading products and software, mainly operating systems, can be streamlined with newer technologies such as virtualization. In the past, unpatched legacy operating systems have been susceptible to remote code execution and privilege escalation vulnerabilities, which render access controls on the operating system ineffective. Vulnerabilities in popular software applications are of interest not only to nation-state actors but also to script kiddies who now have access to hacking operating.
Tips for Mitigation:
- Create a list of the systems in your enterprise that are in use today and are accessible by users.
- Focus on the legacy systems that deserve further attention from a security perspective.
- Conduct a more complete investigation of each system identified as a potentially high risk. Identify the attack patterns that could damage the enterprise.
- Describe how the enterprise will reduce the security risks associated with each legacy system to an acceptable level. Consider the circumstances associated with each system when developing these mitigation strategies.
- Examine each legacy system individually.
- Consider your mitigation options:
  - Option 1: Do nothing.
  - Option 2: Harden the legacy system.
  - Option 3: Enhance the legacy system.
  - Option 4: Replace the legacy system.
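
The first two tips (list the systems in use, then focus on the legacy ones) can be scripted against an asset inventory. The sketch below is an added example, not part of the original article: the CSV columns, hostnames and scoring weights are assumptions, and the OS lists reflect the status this page describes after January 10, 2023.

```python
import csv
import io

# Per this page, after January 10, 2023: Windows 7 (ESU ended) and Windows 8.1
# get no more security updates, and Microsoft 365 apps on them and on
# Windows Server 2008 R2 stop receiving security updates too.
OS_UNSUPPORTED = ("windows 7", "windows 8.1")
M365_UNPATCHED = OS_UNSUPPORTED + ("windows server 2008 r2",)

# Constructed sample inventory (hostnames and columns are hypothetical).
SAMPLE_INVENTORY = """hostname,os,user_accessible,m365_apps
fin-ws-014,Windows 7 Professional SP1,yes,yes
lab-ws-02,Windows 7 Enterprise,no,no
hr-ws-101,Windows 10 Enterprise,yes,yes
kiosk-07,Windows 8.1 Pro,yes,no
ts-legacy-01,Windows Server 2008 R2 Standard,yes,yes
"""

def triage(inventory_csv):
    """Return legacy hosts from the inventory, highest review priority first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        os_name = row["os"].strip().lower()
        reasons = []
        if os_name.startswith(OS_UNSUPPORTED):
            reasons.append("OS no longer receives security updates")
        if os_name.startswith(M365_UNPATCHED) and row["m365_apps"] == "yes":
            reasons.append("Microsoft 365 apps no longer patched")
        if not reasons:
            continue  # supported system: not part of the legacy review
        # Assumed weights for illustration: 2 per reason, +1 if users can
        # reach the system (the first tip's "accessible by users").
        score = 2 * len(reasons) + (1 if row["user_accessible"] == "yes" else 0)
        findings.append({"host": row["hostname"], "score": score,
                         "reasons": reasons})
    return sorted(findings, key=lambda f: (-f["score"], f["host"]))

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['score']}  {f['host']:<14} {'; '.join(f['reasons'])}")
```

The ranked output feeds the later tips: the highest-scoring hosts are the ones to investigate first and to assign one of the four mitigation options.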