Going, going, gone: What XP's end of support means for your business

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Some 500 million copies of XP were running before Microsoft declared the stalwart operating system dead, and doubtlessly many still soldier on. But without Microsoft XP updates, and with anti-virus and other vendors publicly declaring they will no longer support XP, companies that keep XP going do so at their own peril.

Network World readers know all about the security risks of running a static OS without anti-virus updates. Every computing platform is vulnerable to security attacks, and constantly needs OS patches, antivirus updates, configuration changes, etc., to thwart potential attacks. XP is already a popular target for hackers because it is so widely used. The lack of security updates will make XP look even more attractive to cyber attackers. XP systems on the Internet will be like drops of blood in shark infested waters.

Another concern is regulatory compliance. Financial institutions, for example, are under regulatory pressure to remain on the leading edge of cyber-attack prevention technology to minimize data security threats. So even if enterprises in regulated industries minimize risk by restricting network access, applications, etc., they may be out of compliance. Even without regard to cyber-attacks, some may find it difficult to comply with regulations when they are not able to upgrade their applications. It's highly unlikely that software vendors will continue developing new or updated software for a dead platform.

+ ALSO ON NETWORK WORLD  What you need to know about the end of Windows XP support +

This leads to another application problem that will arise for companies continuing to run XP: third parties will not support XP for long, and maintenance of custom in-house applications running on XP will be difficult. Finding qualified developers capable of updating XP custom applications will become increasingly challenging. The best technical people seldom elect to work with archaic systems.Obviously, IT departments can't just leave systems on Windows XP without putting their company in danger. The only responsible course of action for organizations is to migrate to a newer operating system as quickly as possible to ensure the continuous flow of business. This will eliminate the related range of risks to which those who take no remedial action will be automatically exposed.

Get your head around it

Many executives fail to realize the scale of migrating a global enterprise to a new operating system. Microsoft estimates that it takes a company 18 to 32 months to migrate, from initial planning through completion. In my work with enterprise IT customers, I see organizations struggle with four key issues: compatibility, automation, bandwidth and infrastructure.

Compatibility is fundamental. For starters, hardware needs to be capable of running Windows 7/8, and in some cases computers will have to be replaced or upgraded. An enterprise also may have hundreds or thousands of XP applications they need to upgrade or replace. Even applications that will run on Windows 7/8 may fail to install because they were packaged for XP installation. These applications don't need to be upgraded, but do need to be re-packaged in Windows 7/8-friendly installers. Tools are available to help with this process.

Automation may not be needed in a small company, which can upgrade a handful of computers manually. Since Microsoft does not provide an in-place upgrade from XP to Windows 7/8, the process involves storing user data and settings on external media and then restoring after the new OS is up and running. It's not particularly difficult, just an extra step.

However, for a large company with hundreds or thousands of computers to migrate, automation is critical. This will typically involve creating a standard OS image, which includes the OS plus applications that need to be installed. This is accompanied by a set of logic for installing the OS correctly on different computers. The unattended installation can be handled by a variety of technologies, with Microsoft System Center Configuration Manager (SCCM) being the best known.

Bandwidth is an easy thing to overlook for operating systems deployment, but it's a huge factor for companies with offices all over the world. Merely applying a service pack in large organizations is a serious and complex undertaking. For example, the Windows 7 Service Pack 1 involves the transmission and processing of one gigabyte of information for each computer to be upgraded.

If a company has 20,000 computers and needs to send the service pack to each, that's 20 terabytes of traffic. Of course, files aren't moved over the WAN to each PC, they are moved to a local cache of some kind at each operating location's WAN, and served to PCs from there. OS image files can be up to 20GB or more, and they require regular updating when applications, drivers, etc., are updated. So, even just populating or repopulating this image is a WAN bandwidth challenge.

Infrastructure isn't something people usually consider when they think of migrating computer operating systems. But beside WAN bandwidth and possibly technology to efficiently use that bandwidth, Preboot Execution Environment (PXE) points are required to install new operating systems on computers. These have to be placed on each network segment, unless you're willing to change router configurations (IP helpers, DHCP scope options).

This is also true with state migration points (SMP), the storage space to save users' data and settings before overwriting XP and to apply after installing Windows 7/8. SMPs need to be on the same LAN as the PC being updated to prevent traffic flooding the WAN. Some technologies such as peer-to-peer PXE and virtual SMP can prevent the need to deploy physical servers at sites, by enabling these functions on local clients without perceptibly impacting their performance.

Get it done

If you work in an enterprise that has not yet begun the OS migration process, here is a high-level overview of what needs to happen:

Creating and executing a repeatable unattended build process that works on all machines across the organization can be an unwieldy project. The details depend on the IT policies and complexities of each individual organization. It is a multidisciplinary effort, and involves people, approval processes, control elements, accountability issues, and organizational politics. The selection of tools and infrastructure design coupled with an automation strategy are critical factors to success. Beyond that, it's all about good old-fashioned planning and execution.

Kumar was the lead program manager with Microsoft's Systems Management Server 2003 team, and worked closely on its development, making him an expert on SCCM network environments. He was also lead program manager with the Windows NT Networking team. He has received five patents related to his work on SMS 2003 at Microsoft and has written more than 50 publications, including a book on Windows programming. While at Microsoft, Kumar also authored the Thinkweek paper for Bill Gates that became Project Greenwich, now known as Microsoft Office Communications Server / Lync.

Read more about software in Network World's Software section.

Join the CSO newsletter!

Error: Please check your email address.

Tags MicrosoftsecurityWindowssoftwareoperating systems

More about BillLANMicrosoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Deepak Kumar, CTO and Founder, Adaptiva

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place