We are coming to the end of the Windows 7 lifetime. January 2020 is the last month in which Windows 7 receives a security update, although customers with a qualifying support contract can purchase Extended Security Updates (ESU) for Windows 7 Professional and Enterprise until January 2023.
Alternatively, once Windows Azure Virtual Desktop is released, you can purchase a virtual desktop there, and ESU is provided for free to bridge your move to Windows 10. However, some find neither option feasible, or have a reason (as I do) to keep Windows 7 around for access to older business applications. In my case, we need to run older versions of specialized software to prepare historical calculations.
Clearly we do not want to expose our network and systems to the unnecessary risks that Windows 7 poses. What can you do to isolate these potentially vulnerable Windows 7 systems so that they do not introduce risk to your network? Plenty. These are your options:
- Block the machines from surfing the internet. Use the proxy trick from the XP era to keep older systems off the internet: enable proxy settings and use the same proxy server for all addresses, select "Do not use a proxy server for local (intranet) addresses", then enter 127.0.0.1 as the proxy address and 80 as the port. All non-local traffic is sent to a local port where nothing is listening, so it simply fails, while intranet addresses still work. You can also push these settings through Group Policy to block specific users.
- Isolate the machine on a private network that does not have internet access.
- Virtualize Windows 7 and limit the scope of use of the system so that it is only used when absolutely necessary. The device must be licensed with software protection before you transfer it to a virtual machine.
- Install the Enhanced Mitigation Experience Toolkit (EMET) from Microsoft on Windows 7. Although EMET itself is also no longer supported, you can import its settings to protect popular software.
- Do not log in to the system with administrative credentials; use only limited user rights. If a business application will not run without administrative privileges, use LUA Buglight to determine which registry keys or file locations actually require elevated rights, and grant access to those alone.
- Disable autorun functionality.
- Check your Data Execution Prevention settings and make sure they are enabled.
- Make sure you update to the latest version of Office and do not use older versions of Office.
- Do not open e-mail on Windows 7 (and especially do not follow HTML links).
- Make sure all the latest updates are installed during the final days of Windows 7 support. Scan for updates manually and check for optional updates that may have been skipped in the past.
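To show how several of the steps above look when applied, here is an added PowerShell script (not part of the original post) that sets the 127.0.0.1:80 black-hole proxy, disables AutoRun for all drive types, reports the DEP policy, and verifies that an internet request now fails. It assumes an elevated PowerShell 2.0 prompt on the Windows 7 machine and uses the standard Internet Settings and Explorer policy registry keys; the URL used for the check is a constructed example.

```powershell
# Added example, not from the original post. Run elevated on the Windows 7 box.
$ErrorActionPreference = 'Stop'

# 1. Black-hole proxy (the "XP-era proxy trick"): send all non-local HTTP traffic
#    to 127.0.0.1:80, where nothing listens, and keep the local/intranet bypass.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-ItemProperty -Path $inet -Name ProxyEnable   -Value 1              -Type DWord
Set-ItemProperty -Path $inet -Name ProxyServer   -Value '127.0.0.1:80' -Type String
Set-ItemProperty -Path $inet -Name ProxyOverride -Value '<local>'      -Type String
# To enforce this for every user instead, deploy the same values via Group Policy
# with "Make proxy settings per-machine" (ProxySettingsPerUser = 0 under
# HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings).

# 2. Disable AutoRun on every drive type (bit mask 0xFF) through the Explorer policy key.
$explorer = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $explorer)) { New-Item -Path $explorer -Force | Out-Null }
Set-ItemProperty -Path $explorer -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord

# 3. Report the DEP policy. SupportPolicy: 0 = AlwaysOff, 1 = AlwaysOn,
#    2 = OptIn (Windows default), 3 = OptOut. Get-WmiObject works on PowerShell 2.0.
$os = Get-WmiObject -Class Win32_OperatingSystem
$names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$policy = [int]$os.DataExecutionPrevention_SupportPolicy
Write-Output ("DEP policy: {0}; hardware DEP available: {1}" -f $names[$policy], $os.DataExecutionPrevention_Available)
if ($policy -eq 0) {
    Write-Warning 'DEP is AlwaysOff. Enable it with: bcdedit /set {current} nx OptOut (reboot required)'
}

# 4. Verify the proxy block. System.Net.WebClient honours the IE proxy settings, so
#    an internet request must now fail while intranet addresses still bypass the proxy.
$client = New-Object System.Net.WebClient
try {
    $client.DownloadString('http://www.example.com/') | Out-Null   # constructed test URL
    Write-Warning 'Internet request succeeded: the proxy block is NOT in effect.'
} catch {
    Write-Output ("Internet request blocked as expected: {0}" -f $_.Exception.Message)
}
```

The proxy only covers applications that respect the system proxy settings; combine it with network isolation as described in the next option for anything that does not.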
None of these steps protects you against every unpatched vulnerability, so it is crucial that you understand the risk you take by running unpatched software. If you must keep an older operating system, it is best to isolate it from the rest of your production network, and then plan the migration of these systems as quickly as possible.