So far, I have not heard any compelling arguments to replace Windows XP machines on our network, only a mandate to which I am obligated to abide.

New patches for Windows 7 do not make Windows XP more vulnerable.

According to Microsoft, the Schannel vulnerability is for servers that accept incoming https connections.  We don't have any WinXP (or Win7) computers configured to accept incoming https connections.

I am not an alarmist, and as a result we don't have computer security locked down as tight as it could be, yet we have had zero infections at the machine level since we blocked remote access ports with the software (built-in) firewall on all the Windows computers (early 2007), and we use a least-privilege policy, leading us to use non-admin accounts for daily use.  It wasn't for lack of trying, because the hackers never stopped knocking on the door, even after a network-level hardware firewall was installed (early 2010).  This would not be worth mentioning if I had not heard horror stories about departments on campus having multiple (machine-level, with daily admin user accounts) infections in the same timeframe and having to reinstall Windows operating systems.

Whether you have a discrete GPU or an integrated GPU, the GPU is a point of failure.  The discrete GPU does not take memory away from the operating system like the integrated GPU does, and on a 4 GB Windows 7 32-bit machine, where some of the high memory is unavailable because of 32-bit limitations, the extra memory afforded by a discrete GPU is often important.  On a 64-bit machine with 8 GB of memory, a discrete GPU will not provide the same advantage.

Back in 2005 the university had the same security problems/weaknesses, only worse, with Windows 2000 machines prevalent and no firewall by default on Windows XP, yet the university did not block all Windows computers from the network.  To quote a friend, "What's next?  Is the university going to mandate that we all switch to iOS 6 devices because they are [perceived as] more secure?"

The next statement might be a little self-centered because we have far more desktop Windows XP computers than laptop Windows XP computers: it seems like it would be much more reasonable to mandate that all Windows XP laptop computers be upgraded to Windows 7 or replaced by Win7 computers in the next 3.5 months.  With desktop computers in a fixed location we have other drastic measures we could take, like making their switch/router connections VLAN connections directly to a firewall.  VLAN to firewall would take fewer labor hours (in our 99% managed-switch environment) and could greatly reduce the attack surface, especially if the hardware firewall is configured with a Default Deny policy for that zone (assuming a lot of university firewalls are using a Default Permit policy like I was forced to use on our firewall).

-Stefan

On 11/17/2014 15:49, Kramer, Jack wrote:
As someone who’s no longer a member of the MSU community, I really don’t have a dog in this fight, but I do have to take exception with a couple of your points:

First of all, you are absolutely compelled to replace XP machines for security reasons, unless you are paying Microsoft for their extended patch cycle. Two words: privilege escalation. It doesn’t matter if you’re running user-mode or admin-mode, XP is vulnerable now (hello, Schannel?) and is only getting more so with every Patch Tuesday. XP machines connected to the network are bombs waiting to go off.

Second of all, if you’re looking to replace machines simply used for Office and web browsing, there’s no way you need to be dropping $775 on a workstation. Dell minitowers or microtowers (Optiplex 3020) are available through CStore with an i3 and 4GB of RAM for $550 or less, and that’s before a quantity discount. With the newer Intel CPUs there’s no need for a discrete GPU unless you intend to run dual displays or heavy graphics applications such as Photoshop, and not having a discrete GPU will eliminate a potential driver and hardware point of failure.

Otherwise, you’re correct—if you have a Win7 COA you’re good for Windows 7. Machines that were Win7 COA’ed but had XP installed will be licensed for Win 7 Pro because that was the license type that included downgrade rights. You should be deploying 64-bit workstations.

In my previous MSU department, we made the Windows 7 conversion at the release of Service Pack 1—any systems with Win7 COAs were upgraded, as well as our Vista machines, and the XP machines were scheduled for replacement as soon as the budget cycle allowed—typically when the 3 year hardware warranty expired. It’s been more than four years since Service Pack 1 went RTM. With the exception of specific software that won’t run on anything newer than XP, I really have trouble seeing how it can possibly be justified to still be running XP systems.

(This is also a great time for departments to look at solutions such as VDI to help manage these sort of concerns in the future; several departments on campus already have replaced lab and general-purpose workstation systems with VDI deployments and thin clients. A 2013 IT Conference presentation talked about VMware’s VDI solution and it may be of interest.)


On Nov 17, 2014, at 1:36 PM, Stefan Ozminski <[log in to unmask]> wrote:

To be specific, at KBS we have about 58 Windows XP machines that are used regularly.  About 31 of them are used on a daily basis for email and web browsing, so they would be the highest priority to replace to avoid loss of network access.  However, we are not compelled to replace them for security, because our machines are not used with administrator accounts.  We followed industry security recommendations and did not go with the Microsoft default of setting up the main user with administrator privilege.  With the Microsoft remote administration TCP/IP ports blocked by a network firewall, our Windows XP machines were as secure as Windows Vista and Windows 7 just after Windows Vista came out in 2006.

A new desktop Dell costs about $775 without a monitor, so it would cost us about $24,000 plus the manpower to set up all the new Windows 7 computers as domain computers where users log onto the computer with a non-admin account.  UAC helps secure the computer, but it is not sufficient to keep users from installing bad software.  Viruses that install themselves at the user level (with the user's help) are dangerous enough as it is.  We are not compelled to add to our workload and stress level by providing users the convenience of admin access to their desktop computers.

According to an MSU Computer Store employee, the license to purchase with the $30 Windows 7 32-bit media is the Microsoft Windows Pro 8.1 Upgrade License (stock number 181172, Mfg part FQC-08211) for $54.  The $101 upgrade with software assurance can be used for computers that don't have Windows at all.

All of our Windows XP machines have at least 1 GB of memory, but a usable Windows 7 machine needs 4 GB, and we strive to have a dedicated graphics card to maximize the memory available to the OS.  We have several Dell computers that were purchased with Windows Vista or Windows 7 but were ordered with Windows XP installed.  I haven't needed to upgrade any Windows XP machines to Windows 7, but I figure that if it has a Windows Vista or Windows 7 license label on it then it would be workable with enough memory.  To upgrade from Windows XP to Windows 7 I would expect to purchase memory.  I would expect the most likely source of compatibility problems to be graphics cards, and new cards for old machines with dual DVI ports are about $85.

We have a few computers purchased in 2009 with a Windows Vista license label on the machine and Windows XP installed.  We have several computers purchased in 2010 or later with a Windows 7 license label and Windows XP installed.  We still need to make a complete inventory.

I don't necessarily have to go to the computer to see the Windows 7 or Windows Vista label.  If I have the service tag in a list or from a remote admin query, I can go to the Dell support website <http://www.dell.com/support>, look up the computer by service tag, look at the System Configuration, expand the Component section and search for "Certificate", because the line for the label is something like:

    Label, Certificate Of Authenticity, Operating System VB32/64, V#2008

Many of you probably already know that you can retrieve the serial number of a computer to which you have administrator access (and remote admin is enabled in the firewall) with the following command:

    wmic /node:<computer> bios get serialnumber

You can retrieve the total physical memory with the following command:

    wmic /node:<computer> computersystem get model,NumberOfLogicalProcessors,NumberOfProcessors,totalphysicalmemory

And you can retrieve the processor information with the following command:

    wmic /node:<computer> cpu get name

which will hopefully return information like the following:

    Intel(R) Core(TM)2 Duo CPU     E7400  @ 2.80GHz

If you are making an inventory, WMIC is not very friendly.  I have found VBScript to be more friendly for inventory-like procedures.  I have a collection of scripts that I use.  If there is enough demand, I could create a custom script to retrieve the above information with a command-line switch to specify the remote machine name.

Upgrading computers from Windows XP to Windows 7 will require many hours to inventory, order parts and licenses, download and install drivers, configure the firewall, reinstall application software and join the Active Directory domain.  If I didn't have the firewall configuration and software installations automated, I would say 4 months was half the time needed for two staff members who already have plenty of work to do.

And I haven't even talked about the lab software that only works on Windows XP and fails under Windows 7.  Often, the vendors supplying the software didn't even follow standards set by Microsoft when they wrote the software for Windows XP.

-Stefan
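As an added example (not one of Stefan's scripts and not code from anyone in this thread), the PowerShell below does the same job as the three WMIC queries in the message above for a whole list of machines and writes the result to a CSV, which is the "inventory-like procedure" the message says WMIC is unfriendly for. The script name, parameter names and output file name are assumptions; it queries the same WMI classes WMIC does (Win32_BIOS, Win32_ComputerSystem, Win32_Processor) plus Win32_OperatingSystem, and it adds two flags derived from the thread: whether the host is still XP, and whether it meets the 4 GB memory rule of thumb Stefan gives for a usable Windows 7 machine. It assumes the same prerequisites as WMIC: an account with local administrator rights on each target, and target firewalls that allow remote administration (RPC/DCOM) from the management host.

```powershell
# Get-XPInventory.ps1  (hypothetical name; added example, not a script from the thread)
# Assumes: run on a Windows 7 or later host with PowerShell 2.0+, using an account
# with local administrator rights on each target, and that each target's firewall
# permits remote administration (RPC/DCOM) from this host, exactly as WMIC needs.
param(
    [Parameter(Mandatory = $true)]
    [string[]]$ComputerName,            # e.g. -ComputerName (Get-Content hosts.txt)
    [string]$OutFile = 'inventory.csv'  # assumed output path
)

# Rule of thumb stated in the thread: a usable Windows 7 machine needs 4 GB.
$Win7MinMemoryGB = 4

$rows = foreach ($pc in $ComputerName) {
    # Start every host with empty fields so unreachable machines still appear in the CSV.
    $row = New-Object PSObject -Property @{
        Computer        = $pc
        ServiceTag      = ''
        Model           = ''
        TotalMemoryGB   = ''
        LogicalCPUs     = ''
        Processor       = ''
        OS              = ''
        Architecture    = ''
        IsWindowsXP     = ''
        MeetsWin7Memory = ''
        Error           = ''
    }
    try {
        # The same WMI classes the WMIC aliases bios, computersystem and cpu query, plus the OS.
        $bios = Get-WmiObject -Class Win32_BIOS            -ComputerName $pc -ErrorAction Stop
        $cs   = Get-WmiObject -Class Win32_ComputerSystem  -ComputerName $pc -ErrorAction Stop
        $cpu  = Get-WmiObject -Class Win32_Processor       -ComputerName $pc -ErrorAction Stop | Select-Object -First 1
        $os   = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $pc -ErrorAction Stop

        $memGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 2)

        $row.ServiceTag      = $bios.SerialNumber.Trim()                # Dell service tag
        $row.Model           = $cs.Model.Trim()
        $row.TotalMemoryGB   = $memGB
        $row.LogicalCPUs     = $cs.NumberOfLogicalProcessors
        $row.Processor       = ($cpu.Name -replace '\s+', ' ').Trim()   # collapse the padding WMIC shows
        $row.OS              = $os.Caption.Trim()
        # Win32_OperatingSystem.OSArchitecture is absent on XP; fall back to the CPU address width.
        $row.Architecture    = if ($os.OSArchitecture) { $os.OSArchitecture } else { "$($cpu.AddressWidth)-bit" }
        $row.IsWindowsXP     = ($os.Caption -match 'XP')
        $row.MeetsWin7Memory = ($memGB -ge $Win7MinMemoryGB)
    } catch {
        # Host offline, RPC/DCOM blocked by its firewall, or access denied lands here
        # instead of aborting the whole run.
        $row.Error = $_.Exception.Message
    }
    $row
}

# Fix the column order (hashtable-built objects do not preserve it in PowerShell 2.0).
$columns = 'Computer','ServiceTag','Model','TotalMemoryGB','LogicalCPUs','Processor',
           'OS','Architecture','IsWindowsXP','MeetsWin7Memory','Error'
$rows | Select-Object $columns | Export-Csv -Path $OutFile -NoTypeInformation
$rows | Select-Object $columns | Format-Table -AutoSize
```

Run it as `.\Get-XPInventory.ps1 -ComputerName (Get-Content hosts.txt)` from a host whose execution policy allows local scripts. Machines whose firewall blocks remote administration show up with an Error value rather than silently disappearing from the list, which is useful here because the message notes that the remote admin ports are deliberately blocked on many of these hosts; the ServiceTag column is what you would paste into the Dell support lookup described above.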

On 11/14/2014 17:27, Gary Schrock wrote:

I'd agree that that's what the email implies (form notwithstanding).  We heard about it through a forwarded email that we got about a week before the IT Exchange email, and when we tried to clarify that (I think it was through the IT helpdesk, but I wasn't the one that was doing that), found that even *they* didn't know about it at the time (and seemed to have problems receiving forwarded copies of the email).  Quite frankly, given the relatively tight deadlines, that extra week of time it took to get "official" notice of it is pretty significant.

(On a personal note, I have to admit I find it somewhat annoying to get blindsided by this when just a few weeks ago at the security summit the word was that there were no plans on cutting XP off from the internet.  That's a pretty strong about-face to go to a deadline that's about 2.5 months from when "official" notice goes out.  Yes, I recognize that XP is something of a ticking time bomb (although as someone else mentioned, I'm not convinced that things like OSX 10.5 and 10.6 aren't issues too).  That Feb 1st deadline is feeling a bit on the overwhelming side at the moment as I contemplate the number of machines we need to deal with.)

On Fri, Nov 14, 2014 at 5:08 PM, STeve Andre' <[log in to unmask]> wrote:

The wording of this is not really clear to me, so I am asking here as I believe that others could be confused, too.

If I got everything right, February 1st is the date when XP/2000 will no longer be able to access the net, either by DHCP or static IP addresses?

On December 1st, incoming socket requests will be denied for these machines.  This means that peer-to-peer applications will fail, like Pidgin?

I first heard of this on the 6th, through our financial person, then via a message from IT Services on the 11th.  Shouldn't that have been the other way around, the technical people being informed first?

--STeve Andre'