Many of you have asked about, or been tasked with, securing legacy Windows systems. Microsoft extended support can be cost prohibitive, so a business that needs to keep these systems running until the workload can be ported or upgraded to a supported platform faces a real challenge. Often the blocker is a third-party application that does not support the newer operating systems.

This blog post offers ways to raise the security posture of those legacy systems using Intel Security solutions. Ultimately the goal should be to move those systems to a current OS, or decommission them, as soon as possible. What follows is general prescriptive guidance, not a step-by-step how-to: every environment is unique, and the solutions outlined below should be configured to each environment's specific requirements.

  • First and foremost, continue to run anti-malware protection on these systems. For legacy systems this means McAfee VirusScan Enterprise (VSE). Keep VSE on the latest version, patch or hotfix that is still supported on that operating system, and verify that DAT and engine updates are actually arriving; an endpoint that silently stopped updating is the first thing to check.
  • Many of these systems exist for one specific feature or function. With McAfee Application Control you can allow that particular function or application to run and prohibit anything not on the whitelist from executing, which meets the business need without compromising security. Application Control (formerly Solidcore) locks down a legacy device so that an attacker who reaches it cannot drop and run their own tooling, which blunts the usual post-exploitation path even where a CVE cannot be patched. It is not a substitute for patching: a vulnerability in the OS or in a whitelisted application can still be triggered, which is why Application Control's built-in memory protection and the segregation described below still matter. McAfee Application Control is a fast, flexible and scalable solution that runs on Windows 2000, XP and Server 2003 as well as current operating systems such as Windows 10. For more information contact your local Intel Security sales team.
  • Segregation is another aspect to consider for legacy systems. Separate them from the rest of the environment so that, if they are compromised, further attacks on the rest of the environment are contained. Segregation can be achieved in a number of ways.
    • The first and most restrictive option is a completely disconnected (air-gapped) machine. This is the most secure form of segregation, but it can be a challenge because the machine may no longer function properly, for example if it needs to receive files from another system over the network. Removable media then becomes the only way in, so scan it before use.
    • The second option is separation with network firewalls. This works well when the legacy systems sit in the same network segment and can easily be walled off from the rest of the environment. It becomes harder when the systems are scattered throughout the environment.
    • The third option is a host-based firewall. McAfee Host Intrusion Prevention (HIPS) provides an extensible firewall engine that is configured centrally from ePO. It also includes intrusion prevention logic, configured the same way, that gives signature and behavioral protection against known intrusions and zero-day threats at the network, endpoint and application layers. Because the policy travels with the host, this option also covers the distributed systems that the network firewall approach struggles with.
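The whitelisting and host-firewall ideas above, expressed with the operating system's own controls rather than the McAfee products, as an added example that is not from the original post and is not Application Control or HIPS configuration. It targets Windows XP SP2 / Server 2003 SP1, using Software Restriction Policies (SRP) for default-deny execution and the pre-Vista `netsh firewall` context for a default-deny host firewall. The application directory `C:\LegacyApp`, the TCP port 8443, the peer subnet 10.20.30.0/24, the management server 10.20.40.5 and the log path `C:\SRP` are placeholders. Try it on a copy of the system first: the SRP section denies everything that has no rule.

```batch
@echo off
rem harden-legacy.cmd: added example, not McAfee Application Control or HIPS.
rem Native default-deny execution (SRP) plus a default-deny host firewall (netsh)
rem for Windows XP SP2 / Server 2003 SP1. Every path, port and address below is a
rem placeholder for this example; adjust them to the real system. Run as Administrator.
setlocal

rem ---------- 1. Software Restriction Policies: default deny ----------
set SAFER=HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
set ALLOW=%SAFER%\262144\Paths
set DENY=%SAFER%\0\Paths

rem Add the Unrestricted (0x40000 = 262144) path rules BEFORE flipping the default
rem to Disallowed, so there is never a moment when Windows itself cannot run.
rem The GUID key names only need to be unique. %SystemRoot% and %ProgramFiles% are
rem expanded by this script on purpose: a rule that carries the variable name is
rem resolved in the subject's own environment, which a local user can steer.
call :allowpath {11111111-0000-4000-8000-000000000001} "%SystemRoot%"   "Windows"
call :allowpath {11111111-0000-4000-8000-000000000002} "%ProgramFiles%" "Program Files"
call :allowpath {11111111-0000-4000-8000-000000000003} "C:\LegacyApp"   "The one application this host exists for"

rem Carve user-writable space back out of the allowed tree (level 0 = Disallowed).
reg add "%DENY%\{22222222-0000-4000-8000-000000000001}" /v ItemData    /t REG_EXPAND_SZ /d "%SystemRoot%\Temp" /f >nul
reg add "%DENY%\{22222222-0000-4000-8000-000000000001}" /v SaferFlags  /t REG_DWORD     /d 0 /f >nul

rem File types SRP treats as executable (REG_MULTI_SZ; reg.exe separates with \0).
reg add "%SAFER%" /v ExecutableTypes /t REG_MULTI_SZ /d "EXE\0COM\0BAT\0CMD\0VBS\0JS\0WSF\0HTA\0SCR\0PIF\0MSI\0CPL\0REG" /f >nul

rem DefaultLevel 0 = Disallowed. TransparentEnabled 2 = also check DLL loads (costs
rem some performance; 1 skips DLLs). PolicyScope 0 = every user, Administrators too.
reg add "%SAFER%" /v DefaultLevel       /t REG_DWORD /d 0 /f >nul
reg add "%SAFER%" /v TransparentEnabled /t REG_DWORD /d 2 /f >nul
reg add "%SAFER%" /v PolicyScope        /t REG_DWORD /d 0 /f >nul
rem Log every SRP decision so the whitelist can be tuned before it is trusted.
if not exist C:\SRP mkdir C:\SRP
reg add "%SAFER%" /v LogFileName /t REG_SZ /d "C:\SRP\safer.log" /f >nul

rem ---------- 2. Windows Firewall: default deny inbound ----------
rem Turn it on for all profiles, then switch off the exceptions XP/2003 ship enabled.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL
netsh firewall set service type=FILEANDPRINT  mode=DISABLE profile=ALL
netsh firewall set service type=REMOTEDESKTOP mode=DISABLE profile=ALL
netsh firewall set service type=REMOTEADMIN   mode=DISABLE profile=ALL
netsh firewall set service type=UPNP          mode=DISABLE profile=ALL
netsh firewall set multicastbroadcastresponse mode=DISABLE profile=ALL
rem Do not answer inbound ping (ICMP type 8); it makes the host harder to enumerate.
netsh firewall set icmpsetting type=8 mode=DISABLE profile=ALL

rem Open only the legacy application's port, and only to the peers that need it.
netsh firewall add portopening protocol=TCP port=8443 name="LegacyApp" mode=ENABLE scope=CUSTOM addresses=10.20.30.0/24 profile=ALL
rem Management traffic (here the ePO agent wake-up port, 8081 by default) from one server.
netsh firewall add portopening protocol=TCP port=8081 name="ePO agent wake-up" mode=ENABLE scope=CUSTOM addresses=10.20.40.5 profile=ALL

rem Log dropped packets and connections; this log is the evidence that segmentation holds.
netsh firewall set logging filelocation=%SystemRoot%\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE connections=ENABLE

rem ---------- 3. Show what was applied ----------
netsh firewall show config
reg query "%SAFER%"
endlocal
goto :eof

:allowpath
rem Usage: call :allowpath {guid} "path" "description"  - one Unrestricted SRP path rule.
reg add "%ALLOW%\%~1" /v ItemData    /t REG_EXPAND_SZ /d "%~2" /f >nul
reg add "%ALLOW%\%~1" /v SaferFlags  /t REG_DWORD     /d 0     /f >nul
reg add "%ALLOW%\%~1" /v Description /t REG_SZ        /d "%~3" /f >nul
goto :eof
```

Log off and back on (or reboot) so every process is evaluated under the new policy, then run the system through a normal business cycle and read `C:\SRP\safer.log` and `pfirewall.log` before relying on it: every unexpected deny is either a missing rule or something that should not have been running. Path rules are only as good as the ACLs on the allowed directories, so if users can write into `C:\LegacyApp` or `Program Files`, prefer hash or certificate rules for the application itself. On Vista and later the firewall half is written against `netsh advfirewall` instead, and AppLocker supersedes SRP where the edition supports it.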


Again, the ultimate goal is to get those systems either upgraded to a supported OS or decommissioned. Until then, these three solutions from Intel Security let you secure the legacy systems while still allowing the business to function.


For additional information on any of these or other technologies reach out to your local Intel Security team.

Safe Computing,

Kelly Housman