Windows XP End of Support
This document details a policy to mitigate some of the risks associated with continued use of Microsoft Windows XP after April 8th 2014 when support for the product came to an end.
After support ends, risk increases – it is anticipated that the XP operating system will increasingly become a target for attackers seeking to exploit vulnerabilities and so it is important to act to reduce this risk as much as possible.
This policy applies to all Windows XP devices that connect directly or indirectly to the University network, including colleges, departments, centrally managed and personally owned devices.
- Windows XP devices connecting to the Ensuite Online (ESOL) student network service will be unable to pass quarantine from October 2014 and will therefore be unable to connect to the University ESOL network or DU Student wireless for security reasons.
- Authorised CIS staff may perform network scans of subnets to detect live hosts and Operating System (OS) versions to confirm identification of XP machines.
- Departmental IT administrators and users should work with CIS to identify XP machines in their area.
- CIS and Departmental IT representatives should keep a central, accurate and up-to-date record of XP machines to help manage risk.
- Identified XP devices should be categorised by function e.g. specialist equipment or general PC.
- XP devices that are no longer required should have been disconnected from the network and then decommissioned for security reasons.
- XP devices categorised as general use PCs should have been upgraded for security reasons.
- To minimise risk, XP devices categorised as specialist equipment should have been disconnected from the network if networking is not an essential requirement.
- XP devices connected to the network and categorised as specialist equipment should have been upgraded where technologically feasible and the cost is not significantly prohibitive.
- Administrators or users responsible for networked XP devices should have implemented all feasible controls to limit vulnerability exposure, including a restrictive host firewall, an upgrade to Service Pack 3, removal of unnecessary software and services, and up-to-date host anti-virus.
- End of support XP machines should have a static IP address to aid monitoring and control on the network.
- End of support XP machines should not be used for web browsing unless there is a specific need.
- End of support XP machines should be denied direct inbound and outbound internet connections by default and a proxy server used where internet connectivity is essential.
- No XP devices will be permitted to connect to the CIS VPN service for security reasons.
- No new XP devices should be added to the network after April 8th 2014 without prior liaison with CIS.
- CIS will work with departmental IT and users to identify requirements and implement network protections for XP machines including Access Control Lists and VLAN isolation if deemed necessary.
- Owners and administrators are responsible for the increased risk of maintaining networked XP machines in their department after the end of support date.
- CIS must be notified of security breaches of XP devices after the end of support date.