Windows 7 support: time is running out


Microsoft will stop supporting Windows 7 on 14 January 2020. Anyone still using the operating system will no longer receive security updates after 15 January. We have put together the most important tips to bear in mind when switching over.

The end date for support for Windows 7 has already been fixed for some time. Anyone can find the dates on Microsoft product lifecycle page. Nevertheless, many private users and companies are shying away from switching to a more current version of Windows. Private users have it the easiest - Microsoft made the switchover to Windows 10 more palatable to users willing to make the change by offering a free upgrade. However, that offer was time-limited and is no longer available. 

Here are the most important facts and most frequently asked questions regarding the end of support for Windows 7:

1. Will my computer still operate normally after the deadline?

Yes. The end of support does not mean that existing installations will be deactivated. All Windows 7 computers will remain functional. 
However, there will be no more security updates. 

2. Why should I update my operating system at all? Everything works!

The operating system, now ten years old, offers few enhancement options, especially concerning security. Development in this area is progressing particularly fast. Modern security features cannot always be retrospectively transferred to a legacy system. This is a general phenomenon. In most cases, it is either impossible or uneconomical to retrospectively protect an existing solution. This is why manufacturers like Microsoft try to keep the burden of legacy systems as small as possible.

3. I am using critical software that is not compatible with Windows 10 - what can I do?

This problem is not uncommon - industrial and trade operations as well as medical and healthcare organisations are often still using outdated systems, mostly for financial reasons. For example, a control PC for a production machine sometimes does not get updated because expensive re-licensing would be necessary. In other cases, the manufacturer no longer exists and an upgrade would be tantamount to a financially non-viable repurchase of a complete system.  
In these cases, those affected must take additional measures to isolate the old systems from the rest of their infrastructure as far as possible. For control systems, this means separating them both from the Internet and from the rest of the IT infrastructure, for example by using a dedicated network with no connection to the outside world. Although this means additional effort, it also minimises the risk of an old control PC becoming a stepping stone into the company network for criminals. Chip manufacturer TSMC got a feeling for how expensive this could be after a newly installed computer with an outdated operating system paralysed the production of new chips for several days - with considerable losses in sales.

4. Why is my Windows 7 PC a problem at all?

In the case of the WannaCry ransomware, many of the affected systems still had Windows XP installed - an operating system that was finally discontinued in 2014 after 13 years of support. Three months before WannaCry, Microsoft had made an exception by providing a security patch for these legacy systems, but in many cases the patch was not installed. This factor also contributed to the rapid spread of the malware, which caused billions of dollars of damage worldwide. An old, insecure system can also become a problem for others. 

5. Many of my Windows 7 systems are business-critical and cannot be replaced at short notice - what can I do in this case?

For educational institutions and business customers with Windows 7 Professional or Enterprise, Microsoft will continue offering security updates for Windows 7 beyond January 14, 2020. However, Microsoft will still offer some support – but it will come with a steep price tag. You are looking at up to 50 dollars per computer during the first year; in the second year the price will increase 100 dollars and in the third year to 200 dollars. This service will definitively come to an end in 2023, only giving companies a short (and expensive) breather until then. So upgrading the machines is inevitable. Furthermore, anyone who continues to use the systems will have to answer some uncomfortable questions in the event of damage - especially if an outdated and non-isolated system has been the cause of a security incident. 

So, in most cases, the cost of an upgrade is likely to be lower than paying for extended support that only runs for a maximum of three years.

6. What do I need to keep in mind when switching from Windows 7 to Windows 10?

This is usually easy for private users. A migration and installation wizard does most of the work. However, it is advisable to create a complete backup of the PC before taking the big step, in case something does not run smoothly during the upgrade. In corporate networks, the switchover is somewhat more complicated. First, an inventory of existing hardware is required. If a PC does not meet the minimum hardware requirements for Windows 10, either a replacement or a hardware upgrade is required. It is also important to make sure there is enough storage space on every system. As far as business applications are concerned, compatibility with Windows 10 must be checked as well. Security Group Policies (GPOs) set up on Windows 7 may need to be revised or recreated because they have no equivalent on Windows 10. User accounts need to be checked and migrated - this is also a good opportunity to clean out and either disable or delete unused (but still active) user accounts. Last but not least, users working with the new operating system will also need to be trained. Depending on the size of the company and the number of computers to be updated, this is a mammoth project - and time is running out. 

One thing is clear - switching to Windows 10 is costly and time-consuming for companies. But the costs are much lower than they would be if an organization simply tries to ignore the problem until being forced by an incident to finally address it. Hope has always been a bad security plan.

from Tim Berghoff
Security Evangelist