
I know there are some departments on campus that this is really affecting. If anyone is in need of getting some cheap systems please let me know and we can work with any department to ensure they can get systems with Windows 7. System specs would START at: Core2Quads, 4Gig DDR2, 250Gig HD. I know getting used computers is not common practice but since some are up against a rock and a hard place this might be an inexpensive solution.

We SHOULD also be able to work with departments and make an image for the system so most of the work is already done when you get the system. Win 7 installed, software installed, everything updated, etc.

Thanks

Tim Heckaman

Surplus Store & Recycling Ctr.

884-0362

 

From: Kramer, Jack [mailto:[log in to unmask]]
Sent: Monday, November 17, 2014 3:49 PM
To: [log in to unmask]
Subject: Re: [MSUNAG] Questions about the XP/2000 directive

 

As someone who’s no longer a member of the MSU community, I really don’t have a dog in this fight, but I do have to take exception with a couple of your points:

 

First of all, you are absolutely compelled to replace XP machines for security reasons, unless you are paying Microsoft for their extended patch cycle. Two words: privilege escalation. It doesn’t matter if you’re running user-mode or admin-mode, XP is vulnerable now (hello, Schannel?) and is only getting more so with every Patch Tuesday. XP machines connected to the network are bombs waiting to go off.

 

Second of all, if you’re looking to replace machines simply used for Office and web browsing, there’s no way you need to be dropping $775 on a workstation. Dell minitowers or microtowers (Optiplex 3020) are available through CStore with an i3 and 4GB of RAM for $550 or less, and that’s before a quantity discount. With the newer Intel CPUs there’s no need for a discrete GPU unless you intend to run dual displays or heavy graphics applications such as Photoshop, and not having a discrete GPU will eliminate a potential driver and hardware point of failure.

 

Otherwise, you’re correct—if you have a Win7 COA you’re good for Windows 7. Machines that were Win7 COA’ed but had XP installed will be licensed for Win 7 Pro because that was the license type that included downgrade rights. You should be deploying 64-bit workstations.

 

In my previous MSU department, we made the Windows 7 conversion at the release of Service Pack 1—any systems with Win7 COAs were upgraded, as well as our Vista machines, and the XP machines were scheduled for replacement as soon as the budget cycle allowed—typically when the 3 year hardware warranty expired. It’s been more than four years since Service Pack 1 went RTM. With the exception of specific software that won’t run on anything newer than XP, I really have trouble seeing how it can possibly be justified to still be running XP systems.

 

(This is also a great time for departments to look at solutions such as VDI to help manage these sorts of concerns in the future; several departments on campus already have replaced lab and general-purpose workstation systems with VDI deployments and thin clients. A 2013 IT Conference presentation talked about VMware’s VDI solution and it may be of interest.)

 

 

On Nov 17, 2014, at 1:36 PM, Stefan Ozminski <[log in to unmask]> wrote:

 

To be specific, at KBS we have about 58 Windows XP machines that are used regularly.  About 31 of them are used on a daily basis for email and web browsing, so they would be the highest priority to replace to avoid loss of network access.  However, we are not compelled to replace them for security, because our machines are not used with administrator accounts.  We followed industry security recommendations and did not go with the Microsoft default of setting up the main user with administrator privilege.  With Microsoft remote administration TCP/IP ports blocked by a network firewall, our Windows XP machines were secure like Windows Vista and Windows 7 just after Windows Vista came out in 2006.

A new desktop Dell costs about $775 without a monitor, so it would cost us about $24,000 plus the manpower to set up all the new Windows 7 computers as domain computers where users log onto the computer with a non-admin account.  UAC helps secure the computer, but it is not sufficient to keep users from installing bad software.  Viruses that install themselves at the user level (with the user's help) are dangerous enough as it is.  We are not compelled to add to our workload and stress level by providing users the convenience of admin access to their desktop computers.

According to an MSU Computer Store employee, the license to purchase with the $30 Windows 7 32bit Media is Microsoft Windows Pro 8.1 Upgrade License (stock number 181172, Mfg part FQC-08211) for $54.  The $101 upgrade with software assurance can be used for computers that don't have Windows at all.

All of our Windows XP machines have at least 1Gb memory, but a useable Windows 7 machine needs 4Gb, and we strive to have a dedicated graphics card to maximize the memory available to the OS.  We have several Dell computers that were purchased with Windows Vista or Windows 7, but were ordered with Windows XP installed.  I haven't needed to upgrade any Windows XP machines to Windows 7, but I figure that if it has a Windows Vista or Windows 7 license label on it then it would be workable with enough memory.  To upgrade from Windows XP to Windows 7 I would expect to purchase memory.  I would expect the most likely source of compatibility problems would be graphics cards and new cards for old machines with dual DVI ports are about $85.

We have a few computers purchased in 2009 with a Windows Vista license label on the machine and Windows XP installed.  We have several computers purchased in 2010 or later with a Windows 7 license label and Windows XP installed.  We still need to make a complete inventory.

I don't necessarily have to go to the computer to see the Windows 7 or Windows Vista label.  If I have the service tag in a list or from a remote admin query, I can go to the Dell support website and look up the computer by service tag, look at the System Configuration, expand the Component section and search for Certificate, because the line for the label is something like:

Label, Certificate Of Authenticity, Operating System VB32/64, V#2008

Many of you probably already know that you can retrieve the serial number of a computer to which you have administrator access (and remote admin is enabled in the firewall) with the following command:

wmic /node:<computer> bios get serialnumber

You can retrieve the total physical memory with the following command:

wmic /node:<computer> computersystem get model,NumberOfLogicalProcessors,NumberOfProcessors,totalphysicalmemory

And you can retrieve the processor information with the following command:

wmic /node:<computer> cpu get name

which will hopefully return information like the following:

Intel(R) Core(TM)2 Duo CPU     E7400  @ 2.80GHz

If you are making an inventory, WMIC is not very friendly.  I have found VBScript to be more friendly for inventory-like procedures.  I have a collection of scripts that I use.  If there is enough demand, I could create a custom script to retrieve the above information with a command-line switch to specify the remote machine name.

Upgrading computers from Windows XP to Windows 7 will require many hours to inventory, order parts and licenses, download and install drivers, configure the firewall, reinstall application software and join the Active Directory domain.  If I didn't have the firewall configuration and software installations automated, I would say 4 months was half the time needed for two staff members who already have plenty of work to do.

And I haven't even talked about the lab software that only works on Windows XP and fails under Windows 7.  Often, the vendors supplying the software didn't even follow standards set by Microsoft when they wrote the software for Windows XP.

-Stefan

On 11/14/2014 17:27, Gary Schrock wrote:

I'd agree that that's what the email implies (form notwithstanding).  We
heard about it through a forwarded email that we got about a week before
the IT Exchange email, and when we tried to clarify that (I think it was
through the IT helpdesk, but I wasn't the one that was doing that), found
that even *they* didn't know about it at the time (and seemed to have
problems receiving forwarded copies of the email).  Quite frankly, given
the relatively tight deadlines, that extra week of time it took to get
"official" notice of it is pretty significant.
 
(On a personal note, I have to admit I find it somewhat annoying to get
blindsided by this when just a few weeks ago at the security summit the
word was that there were no plans on cutting XP off from the internet.
That's a pretty strong about-face to go to a deadline that's about 2.5
months from when "official" notice goes out.  Yes, I recognize that XP is
something of a ticking time bomb (although as someone else mentioned, I'm
not convinced that things like OSX 10.5 and 10.6 aren't issues too).  That
Feb 1st deadline is feeling a bit on the overwhelming side at the moment as
I contemplate the number of machines we need to deal with.)
 
On Fri, Nov 14, 2014 at 5:08 PM, STeve Andre' <[log in to unmask]> wrote:
 
   The wording of this is not really clear to me, so I am asking here
as I believe that others could be confused, too.
 
   If I got everything right, February 1st is the date when XP/2000
will no longer be able to access the net, either by dhcp or static
IP addresses?
 
  On December 1st, incoming socket requests will be denied for
these machines.  This means that peer-to-peer applications will
fail, like Pidgin?
 
  I first heard of this on the 6th, through our financial person,
then via a message from IT Services on the 11th.  Shouldn't that
have been the other way around, the technical people being
informed first?
 
--STeve Andre'
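
The WMIC queries in Stefan Ozminski's message above (serial number, memory, CPU) can be collected for a whole list of machines in one pass. The following is an added example, not a script from the thread or its authors; the file names hosts.txt and inventory.csv and the function name Get-UpgradeInventory are assumptions.

```powershell
# Added example, not from the thread. Run from Windows PowerShell 3.0 or later
# on an admin workstation; Get-WmiObject uses DCOM, the same remote-admin path
# the WMIC commands in the thread rely on.
# Assumptions: hosts.txt and inventory.csv are hypothetical file names.

function Get-UpgradeInventory {
    param([string[]]$ComputerName)

    foreach ($computer in $ComputerName) {
        # Same column set for success and failure so the CSV stays aligned
        $row = [ordered]@{
            Computer = $computer; ServiceTag = $null; Model = $null
            Cpu = $null; InstalledGB = $null; OS = $null
            LegacyOS = $null; Under4GB = $null; Error = $null
        }
        try {
            $wmi  = @{ ComputerName = $computer; ErrorAction = 'Stop' }
            $bios = Get-WmiObject -Class Win32_BIOS @wmi
            $cs   = Get-WmiObject -Class Win32_ComputerSystem @wmi
            $os   = Get-WmiObject -Class Win32_OperatingSystem @wmi
            $cpu  = Get-WmiObject -Class Win32_Processor @wmi | Select-Object -First 1
            $dimm = Get-WmiObject -Class Win32_PhysicalMemory @wmi |
                    Measure-Object -Property Capacity -Sum

            $row.ServiceTag  = $bios.SerialNumber     # Dell service tag
            $row.Model       = $cs.Model
            $row.Cpu         = $cpu.Name.Trim()
            # Sum the installed modules: TotalPhysicalMemory only reports what
            # the OS can address, which under-reports on a 32-bit install.
            $row.InstalledGB = [math]::Round($dimm.Sum / 1GB, 1)
            $row.OS          = $os.Caption
            # NT 5.x = Windows 2000 (5.0), XP (5.1), XP x64 (5.2)
            $row.LegacyOS    = ([version]$os.Version).Major -lt 6
            $row.Under4GB    = $row.InstalledGB -lt 4
        }
        catch {
            # Unreachable host, firewall block or access denied: record it
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

$hosts = Get-Content -Path .\hosts.txt | Where-Object { $_.Trim() }
Get-UpgradeInventory -ComputerName $hosts |
    Export-Csv -Path .\inventory.csv -NoTypeInformation
```

Rows with LegacyOS set to True are the machines the directive affects; the ServiceTag column can then be used for the Dell support lookup of the Certificate Of Authenticity line described in the thread.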