With End of Windows 7 Support, Security Risks Lurk

Microsoft will soon stop supporting Windows 7, which poses risks for unpatched and insecure network devices. Is your campus addressing this vulnerability?
Published: December 4, 2019

On Jan. 14, 2020, Microsoft is retiring free support for Windows 7, Windows Server 2008 R2 and Small Business Server (SBS) 2011. This means that security patches and updates will no longer be automatically implemented, leaving Windows 7 workstations and these servers vulnerable to cyberattacks, malware and other threats.

This includes all versions of these operating systems for businesses and consumers except for federally certified voting systems that run Windows 7. The danger to organizations is larger than the risks associated with end of support for just one server or system, says Greg Turner, senior director of Global Technical Services for Honeywell Buildings Solutions.

Potential vulnerabilities are best illustrated by the number of patches currently rolled out monthly to these three systems: Microsoft pushes out fixes for roughly 70 threats each month. “That’s 70 new risks to core operating environments to which organizations could find themselves vulnerable, if unprepared. That’s a relatively large risk to take,” Turner says.

Paid Extended Service Is Available

Microsoft is offering a pair of choices for Windows 7 users to continue receiving security updates beyond Jan. 14, 2020. Both options are for business customers, not consumers.

——Article Continues Below——

Get the latest industry news and research delivered directly to your inbox.

The company will sell paid Windows 7 Extended Security Updates (ESUs), per device: $25 per device for Windows 7 Enterprise and $50 per device for Windows 7 Professional for the first year of support. Then its $100 in the second year and $200 in the third year. The ESUs will provide Windows 7 security updates through January 2023.

These ESUs will be available to any Windows 7 Professional and Windows 7 Enterprise users with volume-licensing agreements, and those with Windows Software Assurance and/or Windows 10 Enterprise or Education subscriptions will get a discount. Microsoft made an exception for Windows 7 users with an active Windows 10 subscription; they will receive one year of ESUs for free.

If paying for support is not a palatable option, then campuses need to be moving to Windows 10 as soon as possible, Turner says.

“Organizations should move their applications onto environments that are supported and will continue to be supported by Microsoft in the future — such as Windows Server 2016 or 2019,” he advises.  “The goal is to move all platforms forward, so that organizations are able to continue operating safely and securely.”

Microsoft first began notifying users of the impending support sunset about four years ago. However, millions of Windows 7 PCs are yet to be updated. Data from NetMarketShare shows that approximately 27% of all PCs around the world are still running on Windows 7, which was first introduced in 2009.

Beware of the ‘Weakest Link’

The cautionary note here is campuses, need to be wary of interfacing with organizations who are using outdated — and therefore vulnerable — PCs.

“The idea of a ‘weakest link’ applies more than ever in the realm of IT security — and that can take the form of compromised USB drives, connected devices or old firmware,” Turner says. “Each of these can be used to introduce a virus.”

Ultimately, Microsoft would like to see customers move beyond a migration to Windows 10. On its support pages, the company is steering users to the Microsoft 365 bundle, which includes Windows 10, Office 365 and EMS. A key attraction of the offering are productivity apps with intelligent Cloud services.

Organizations will have to weigh the benefits of a Cloud-hosted solution — including newfound business efficiencies and improved network security — with cost and return on investment (ROI). The imminent demise of Windows 7 could provide the impetus to make the investment.

“Since customers must migrate to secure their operations and assets, there’s an opportunity to move increasingly toward virtualized and Cloud-hosted systems — especially for those who don’t require on-premise servers,” Turner explains. “Things like back-ups and security then become the responsibility of the hosting provider, allowing businesses to focus attention elsewhere.”

Rodney Bosch is senior editor of Campus Safety’s sister publication, Security Sales & Integration. This article originally appeared in SSI.

Strategy & Planning Series
Strategy & Planning Series
Strategy & Planning Series
Strategy & Planning Series
Strategy & Planning Series