By Jesse Drake
Time is ticking on Windows 7.
Don't panic, but do make a plan — that’s the message that Windows 7 users should heed before January 14, 2020, when the popular operating system will reach its end of life (EOL). On that date, Microsoft formally ends "extended support" — free patches for security issues and bugs — leaving unsupported PCs exposed to exploits.
"The cost of an incident is significantly higher than the cost of upgrading to Windows 10. It's not a risk worth taking," said Dustin Udy, Security Assessment team lead in UIT's Information Security Office (ISO).
Though it’s 10 years old, Windows 7 still has a significant user base, which Udy said is problematic from a security perspective.
After its EOL, not only will users fall out of compliance with the U's Information Security Policy 4-004, but Microsoft will also stop developing and deploying fixes for new vulnerabilities, and end all support and updates. That will leave PCs largely defenseless against nefarious hacks or malware trying to sneak in to steal or corrupt valuable data. If a system or device running Windows 7 is connected to the public internet, the risks become markedly higher. Windows 7, it should be remembered, is the version of Windows most widely affected by WannaCry ransomware in 2017.
"At this point it's imperative that any systems still running Windows 7 be upgraded or replaced to protect data entrusted to the university," said Chief Information Security Officer Corey Roach. "If there's any reason that a system cannot be upgraded, the system administrator should reach out to ISO to discuss other controls that could be put in place to protect the host."
If mitigating circumstances require the use of Windows 7 after its EOL, you should apply for a policy exception by emailing ISO's Governance, Risk & Compliance (GRC) team at email@example.com and including a brief statement to justify the exception. The GRC team will walk you through the evaluation process.
If you don’t know whether your device or server is running Windows 7, your local IT support staff may be able to assist, or you may contact your respective help desk: UIT Help Desk (801-581-4000, option 1) or ITS Service Desk (801-587-6000).
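For administrators who want to check a machine themselves before calling the help desk, the following PowerShell snippet is an added example, not part of the article or of any UIT or ITS tooling. It reads the operating system caption and version through WMI (Windows 7 reports kernel version 6.1, which it shares with Windows Server 2008 R2, so the caption is checked as well) and reports how many days remain before the January 14, 2020 EOL date. It uses Get-WmiObject rather than Get-CimInstance because Windows 7 ships with PowerShell 2.0; the hostname list is a constructed placeholder, and querying remote hosts assumes WMI access to them.

```powershell
# Added example (not from the article): flag hosts that still run Windows 7.
# Assumes WMI access to any remote hostnames supplied; works on PowerShell 2.0.
function Test-Windows7Host {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)  # local host by default
    )
    $eol = [datetime]'2020-01-14'
    foreach ($name in $ComputerName) {
        try {
            $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $name -ErrorAction Stop
            # Windows 7 = NT 6.1; the caption distinguishes it from Server 2008 R2.
            $isWin7 = ($os.Version -like '6.1.*') -and ($os.Caption -like '*Windows 7*')
            New-Object PSObject -Property @{
                ComputerName = $name
                Caption      = $os.Caption
                Version      = $os.Version
                Windows7     = $isWin7
                DaysToEOL    = ($eol - (Get-Date).Date).Days
            }
        } catch {
            # Unreachable or access denied: report it rather than silently skipping.
            New-Object PSObject -Property @{
                ComputerName = $name
                Caption      = 'query failed: ' + $_.Exception.Message
                Version      = $null
                Windows7     = $null
                DaysToEOL    = ($eol - (Get-Date).Date).Days
            }
        }
    }
}

# Usage: the hostnames below are constructed placeholders, not real campus systems.
Test-Windows7Host -ComputerName @($env:COMPUTERNAME, 'LAB-PC-01', 'LAB-PC-02') |
    Format-Table ComputerName, Caption, Version, Windows7, DaysToEOL -AutoSize
```

Hosts where `Windows7` is `True` are the ones that need an upgrade, replacement, or an ISO policy exception before the deadline; rows whose caption starts with "query failed" still need to be accounted for by other means, since an unreachable host is not evidence that it is compliant.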
Information campaigns around Windows 7 EOL have been ramping up for years. More recently, Microsoft rolled out an update for PCs running Windows 7 in April 2019 that included daily EOL pop-up reminders, and on January 15, 2020, the company will push a full-screen warning to users.
At the university, UIT has issued public notices via Node 4 and Twitter, along with regular reminders, and Udy said UIT staff have been working with system administrators to "drastically reduce" the number of campus-side machines running Windows 7. University of Utah Health's Information Technology Services (ITS) has brought the number of machines on Windows 7 from approximately 9,000 a year and a half ago to 270 today, according to U Health Systems Administrator Brandon Marsh.
If an ITS-managed machine is not upgraded by the EOL date, Marsh said users will have limited access to network resources. In addition, ITS has already started limiting access of Windows 7 machines via the host-based firewall feature of Symantec Endpoint Protection.
"The restrictions still allow mapped drives, and access to utah.edu websites and Citrix applications …" Marsh said. "On January 14, further restrictions may be added."
Getting the word out is helpful, but it's only half the battle. Users must take action to protect data resources at the U.
"We're entering final notice time. People should be making their mitigation plans now," Udy said.