If you haven’t retired Windows XP and haven’t been fired yet, get busy

Security comes first, with a premium on speed upgrading to a supported Microsoft operating system

Article published first in Network World, March 7, 2014

CIOs who haven’t moved their companies from Windows XP by now ought to be fired, some people think, but those who haven’t and are still on the job have options for saving their bacon.

“Start,” is the first piece of advice from Shawn Allaway, CEO of Converter Technology, which specializes in migrating businesses to new versions of Windows and Microsoft Office. “Even if the project isn’t completed before Microsoft ends support for XP on April 8, it’s important to minimize the window of exposure during which XP runs unsupported on corporate networks.”

Those who haven’t started yet probably should be fired for leaving their businesses open to the impending threat, he says. “This is not like Microsoft dropped this on you six months ago,” he says. “You’re putting your organization at risk.”

That threat is that vulnerabilities discovered after April 8 will never be patched by Microsoft, leaving Windows XP open to an ever-expanding range of attacks. In addition, many applications will no longer be supported when running on Windows XP, Gartner warns.

It’s possible and even desirable to sign a custom support contract with Microsoft that provides continued updates after the end-of-support date, but it is also expensive, says Directions on Microsoft. If that’s not possible, the main goal is to minimize the risks of running unsupported XP, which means reviewing and possibly strengthening security.

Isolating XP machines on corporate networks and limiting which devices they can communicate with is essential, and there are tools for this. For instance, Unisys Stealth can limit a machine’s access to other machines and hide it from attackers, says Unisys CIO Dave Frymier. A Stealth shim in the IP stack of XP machines sits between the link and network layers, decrypts IP payloads when it can and drops packets when it can’t. A machine can talk to another only if both are members of the same community of interest as defined in Active Directory, he says.

“Migrating isn’t a quick process, and the larger the network, the longer it takes. The rule of thumb is that for a 10,000-desktop network with 15 offices, it will take two to three months to complete the project,” Allaway says.

A first step toward the transition is testing application compatibility with a newer operating system, getting new licensing agreements and assessing the need for and buying new hardware.

Like any OS rollout, this one will be done in phases. Organizations that think they’ll miss the deadline should prioritize their applications and users and migrate the most important and most vulnerable first to reduce the risks, Gartner says.

“Some of the preparatory steps can be sped up using tools. For example, ChangeBase and AppDNA can help determine whether business apps are compatible with newer OSs. If not, businesses may need to buy newer versions that are or, in the case of custom software, recode it,” Allaway says.

Microsoft is offering a free and now unsupported version of Laplink’s PCmover Express for Windows XP to transfer files from XP machines to machines with newer operating systems. PCmover Professional ($60) also moves applications, if that’s called for.

Allaway says it’s a good time to rid the network of deadware – rogue apps installed by end users or corporate apps that are no longer used – that have avoided detection during housecleaning over the years. “There’s a sense of urgency [about the XP migration] but clean a little junk out of your network if you can,” Allaway says. Those who have waited a decade to upgrade the operating system may have let this slide.

“If an apps inventory is long overdue, it is also a good time to check whether app licenses are in sync with the number of workers actually using the software. Restructuring license agreements may produce cost savings,” he says.

PC upgrades may be needed to support a new operating system, but hardware needs may go beyond that. Old printers may lack drivers for Windows 7 or Windows 8, and some machines, such as fax machines, may no longer be necessary at all, he says.

Like any desktop refresh project, moving to Windows 7 or Windows 8/8.1 requires someone in charge, either in-house or a consultant, a plan for a phased rollout and personnel to help resolve the inevitable issues that will arise after the rollout. “Don’t resource-starve the project,” Allaway says. “It ultimately costs more and takes longer.”

One thing to remember is that on April 8, Windows XP will keep chugging along, but the risk of being successfully attacked keeps rising after that. “It’s not Y2K where come April it’s not going to work,” he says.

Tim Greene covers Microsoft and unified communications for Network World and writes the Mostly Microsoft blog. Reach him at tgreene@nww.com and follow him on Twitter @Tim_Greene.