The popular Microsoft operating system Windows 7 is slated to stop receiving extended support on January 14th, 2020. This means that once Windows 7 hits “End of Life” (EoL) in January, Microsoft will no longer release patches for vulnerabilities or add any features to the operating system, which comprises nearly 34% of all active Windows operating systems in use.
While Windows 7 will reach EoL in January, it doesn’t mean that Windows 7 will stop working. You’ll still be able to use Windows 7 as long as you want, but just because you can doesn’t mean you should. Since Windows 7 will no longer receive patches and updates, attackers will begin taking advantage of known Windows 7 vulnerabilities, much like they did when Windows XP reached EoL.
Microsoft maintains a Windows Lifecycle Fact Sheet that provides details on the lifecycle of all current operating systems, including Windows 7, 8.1, and 10, which can be found here: https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet.
Additionally, Windows Server 2008 R2, Exchange Server 2010 (all editions), and Microsoft Hyper-V Server 2008 (+R2) will all stop receiving support on January 14th, 2020. Microsoft Office 2010 will reach EoL on October 13, 2020 as well. Here’s a quick reference guide on all Microsoft products reaching End of Life in 2020: https://support.microsoft.com/en-us/help/4470235.
What Should You Do Next?
When Windows 7 reaches EoL, there will be only two (2) supported Windows operating systems: Windows 8.1 and Windows 10. Windows 8.1 will be supported until January 10, 2023. Last year, Microsoft decided to move away from a “Fixed Lifecycle” to a “Modern Lifecycle,” meaning that Microsoft will provide support as long as customers stay “current” (i.e., patch and license properly). Microsoft will provide a minimum of 12 months prior notification before ending support for products going forward, making planning a bit more trepidatious for some organizations.
The Windows 7 End of Life means that many organizations will need to upgrade their workstations to a newer operating system before January or else be susceptible to new vulnerabilities. It might be a good time for your business to migrate to an appropriate edition of Windows 10 and purchase new workstations if your current devices cannot meet the system requirements of Windows 10.
Here’s a comparison of the different Windows 10 editions: https://www.peakup.org/blog/windows-10-edition-comparison/. We recommend the Windows 10 Enterprise edition, which includes AppLocker, BranchCache, and Device Guard, among other quality security controls.
What Do You Need to Consider?
In order to upgrade to a newer operating system from Windows 7, consider the following:
- System Requirements – Most computers purchased in the last three years should be able to run newer operating systems such as Windows 10. Microsoft’s specific system requirements for Windows 10 are as follows:
  - OS: Windows 7 SP1 or Windows 8.1 Update
  - Processor: 1GHz or faster
  - RAM: 1GB RAM for a 32-bit system or 2GB RAM for a 64-bit system
  - Hard drive space: 16GB for a 32-bit system or 20GB for a 64-bit system
  - Graphics card: DirectX 9 or later with WDDM 1.0 driver
- There are multiple configurations available for new operating systems – Ensure that the business version of the operating system is used instead of the home version.
- Browser compatibility – Browser compatibility should be a consideration as well. Microsoft has introduced the Edge web browser to replace Internet Explorer in the future. Although Internet Explorer is still supported in all versions of Windows 10, Edge will be the default browser, and the default will need to be changed to Internet Explorer if needed.
- Time – It is not recommended to wait until the last minute to make the switch. Doing so risks delays that would force an organization to keep running Windows 7 after the End of Life date.
Another important item to consider is looking forward to when the next End of Life date is for the current operating system running. If no End of Life date is identified, keep monitoring the operating system manufacturer’s website periodically to ensure that a plan can be established well ahead of time.
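A readiness check for the system requirements listed above, as an added example that is not part of the original article. It reads the values from WMI with Get-WmiObject, chosen on the assumption that the machine is a stock Windows 7 install with PowerShell 2.0; the New-Check helper and the output column names are hypothetical, and the DirectX/WDDM requirement is left as a manual check.

```powershell
# Added example (not from the original article): compare this workstation with
# the Windows 10 minimums listed above. Runs on PowerShell 2.0 (stock Windows 7).

function New-Check($Name, $Actual, $Required, $Pass) {   # hypothetical helper
    New-Object PSObject -Property @{
        Check = $Name; Actual = $Actual; Required = $Required; Pass = $Pass
    }
}

$os   = Get-WmiObject Win32_OperatingSystem
$cpu  = Get-WmiObject Win32_Processor | Select-Object -First 1
$disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$($os.SystemDrive)'"
$ramBytes = (Get-WmiObject Win32_PhysicalMemory |
             Measure-Object -Property Capacity -Sum).Sum

# Thresholds differ for 32-bit and 64-bit systems. Assumption: the machine
# keeps its current architecture after the upgrade.
$is64      = $os.OSArchitecture -like '64*'
$minRamGB  = if ($is64) { 2 } else { 1 }
$minDiskGB = if ($is64) { 20 } else { 16 }

# Windows 7 is version 6.1 and needs SP1; Windows 8.1 is version 6.3.
# The 8.1 "Update" level is not distinguished here.
$osOk = ($os.Version -like '6.1.*' -and $os.ServicePackMajorVersion -ge 1) -or
        ($os.Version -like '6.3.*')

$ramGB  = [math]::Round($ramBytes / 1GB, 1)
$diskGB = [math]::Round($disk.Size / 1GB, 1)

$results = @(
    New-Check 'OS' $os.Caption 'Windows 7 SP1 or Windows 8.1 Update' $osOk
    New-Check 'Processor' "$($cpu.MaxClockSpeed) MHz" '1000 MHz' ($cpu.MaxClockSpeed -ge 1000)
    New-Check 'RAM' "$ramGB GB" "$minRamGB GB" ($ramGB -ge $minRamGB)
    New-Check 'System drive' "$diskGB GB" "$minDiskGB GB" ($diskGB -ge $minDiskGB)
    # DirectX and WDDM versions are not read from WMI here; confirm with dxdiag.
    New-Check 'Graphics' 'check with dxdiag' 'DirectX 9+ with WDDM 1.0 driver' 'manual'
)

$results | Select-Object Check, Actual, Required, Pass | Format-Table -AutoSize
```

Any row with Pass set to False marks a workstation that needs a hardware upgrade or replacement before migration.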
Are ATMs Affected?
Financial institutions must also consider their ATMs. There are over 400,000 ATMs in the US and 3 million worldwide running the Windows 7 operating system, which will also be due for an upgrade. This can be a frustrating scenario since many ATMs were upgraded from Windows XP only a few years ago. Unfortunately, older ATMs that are compatible with Windows 7 may need hardware upgrades to run a newer operating system.
However, the cost of not upgrading your ATM operating system may be much greater than the cost of upgrading in the first place. Security vulnerabilities that may lead to ATMs being compromised, skimmed, or jackpotted lead the list of reasons to upgrade. Fines associated with PCI non-compliance are also a major consideration. The end of technical support, new feature upgrades, and performance issues round out the list of reasons to upgrade your ATM fleet to Windows 10.
Be sure to check with your ATM provider to determine the right course of action for you and your ATMs.
Keeping Up
Proactively managing End of Life dates is extremely beneficial from the aspect of ongoing management, hardware lifecycles, and vulnerability management. Knowing system requirements will ensure that the operating system has what it needs to run efficiently. Enterprise or professional versions of operating systems should always be used in a corporate setting instead of home versions, as these versions are tuned for those environments and offer stronger security controls than home versions. Future compatibility with programs needed for business purposes is also a critical consideration. Lastly, waiting until the last minute can cause unforeseen delays, leaving the environment at risk.
Written by: Eric Chase
Information Security Consultant
SBS CyberSecurity, LLC