It’s the end of XP as we know it (and it’ll be fine)

Why Replace XP?

Microsoft will no longer be supporting or patching Windows XP after April 8, 2014, rendering the operating system insecure and unsuitable for use on machines connected to the open internet. Campus and CALS security policies state that all machines connected to the campus network will maintain a patched and secure OS, so all WinXP machines connected to the campus network must be at least disconnected if not completely put out of service. Windows 8.1 is the latest Microsoft operating system, though 5-yr-old Windows 7 is more common. It is a loosely guarded secret that unpublished exploits for Windows XP are waiting to be released by black hat hackers immediately after XP’s end-of-life date and last security patch. Now is the time to upgrade and protect.


Data Collection Regimen

In an effort to help local IT staffs, CALS IT has run specialized scans on the data collected by campus border detection systems. We are specifically looking for IP addresses in our network space with signatures that flag them as possibly having Windows XP installed. No other data is monitored or collected by CALS during this effort. Due to the nature of this data and its origins, a large amount of it tends to lead toward machines with XP-like signatures, but aren’t actually running XP. An example of this is local desktop applications were (and still are!) sometimes coded to send information over the internet that identify them as Windows XP for long-defunct compatibility reasons. Taking these false positive considerations into account, we can look at how many times a particular IP address was flagged over time and make an educated decision on whether or not the machine is actually XP.


What Have We Found?

Over the week of Feb. 17-21, 327 systems across all CALS networks were detected as having signatures corresponding to Windows XP. In our experience so far with interpreting the scan results, machines that were flagged with hundreds to thousands of events have been verified by local IT staff to be Windows XP. Machines with lower numbers of events, in the single and double digits, were found to be current operating systems with an application being detected as XP. If we set our first pass threshold to be a machine with 100 or more events is likely to be Windows XP, the current data shows 153 of these systems detected this week, which is around 7% of active CALS machines. It makes sense to start with these machines. Once they are examined and taken care of, additional scans can be performed to identify any outliers.


Needlessly Raising the Difficulty Level

Local investigation is required to confirm the machine’s status and make a plan with the end user on what action to take. However, here is where things get a little more difficult, as tracking down the suspect machine is not always easy in loosely run environments with open access, and sometimes not even possible. This is due to some CALS networks having open, publicly accessible network jacks with dynamically assigned IP addresses that are available for students and others to hook up and use the local building’s network to gain access to the campus network.

Part of the CALS Security Baseline requirements states that all departments will identify and protect wired network jacks so that individuals cannot plug unknown machines into protected and firewalled CALS networks. At this point, most of CALS IT shops have already reported to the Office of Campus Information Security, OCIS, that this process is either complete or in progress. Now is the time to push this security measure to completion and local IT shops have a number of different options in achieving this goal. Our campus wireless backbone is quite robust and most student and other visiting machines should be able to access the internet via campus wireless services like UWNet or eduroam at speeds approaching the wired network. Closing off publicly accessible building wired connections makes our networks safer and also allows us to better identify machines that might need assistance.


Should I Stay or Go?

So you might ask “What should be done about Windows XP machines that are found?” There are a few options available and the right choice depends on the situation. For a faculty or staff user’s work, replacing their computer with one of the campus sponsored Dell bundles for $550 is a reasonable option, and would likely be a nice upgrade. Lab computers running XP with specialized software that are connected to lab equipment are a different case. It’s understandable that upgrading some of these computers to a newer operating system will not be an option since the older software may not run properly and purchasing new lab equipment to replace a computer isn’t feasible. In these cases, arrangements can be made with the local IT staff to retain the XP computer for operating the equipment, connected to local network data storage if necessary, but firewalled off from the rest of the internet.


Jason Pursian
Information Security Officer
Assistant Director, Information Technology