As of 2020, a sizable portion of Windows desktop and server machines around the world will no longer be protected by Microsoft. The next time an attacker finds a vulnerability affecting these machines, no patch will be provided and defenders will be left unprotected. This warning applies to Windows Server 2008 R2, Windows Server 2008 and Windows 7.
As of February 2020, these operating systems will stop receiving extended support from Microsoft. This means no more technical support and bug fixes and, most importantly, no more free security updates. The impact should not be underestimated, as many vulnerabilities disclosed in Windows affect multiple versions of the operating system, including systems that will not receive any more fixes.
Despite being more than a decade old, these operating systems are still in wide use. More than 50% of Guardicore’s customers run these operating systems in their production environments, many in critical roles such as domain controllers. An additional estimate from Ned Pyle, a Microsoft Principal PM, is that Windows Server 2008 and 2008 R2 make up nearly a third of all server machines worldwide.
Many organizations cannot upgrade their unsupported systems, for reasons that include complicated regulations and certification requirements, lack of budget, or dependence on legacy software. Even where an upgrade is possible, the process is typically long, which leaves the network exposed in the meantime. For this reason, gap solutions are needed.
Organizations are provided with a few options from Microsoft. The first and best option is upgrading to Windows 10 and Windows Server 2016, both having many years of support in the future. Alternatively, organizations can pay Microsoft for custom security fixes, an offer which is likely to be very expensive. Depending on the business relationship with Microsoft and the exact operating system, the cost can be up to $200 a year per machine – not cheap! Microsoft will offer this extended support for free for businesses that migrate to Azure, but that is a project in itself.
Handling Legacy Systems
For organizations that cannot upgrade their unsupported systems, we suggest a series of hardening steps using Guardicore Centra and built-in Windows configuration options.
To start with, we encourage organizations to apply best practice hardening guides for Windows Server 2008 R2 and Windows 7. Microsoft regularly publishes such guidelines as part of the Microsoft Baseline Security Analyzer.
First, wherever possible, disable SMBv1 and enable SMBv2 message signing. This will prevent many lateral movement attacks, including all attacks which use the EternalBlue family of vulnerabilities and many techniques abusing NTLM relaying.
To disable SMBv1 on Windows Server using PowerShell and modifying the registry, you can run the following command from an elevated prompt (this is the Microsoft-documented registry value; a restart is required for the change to take effect):
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
Second, change network authentication settings to block usage of obsolete and weak authentication methods such as NTLMv1 and LanMan. This will prevent many token stealing attacks employed by popular offensive security tools such as Mimikatz.
To disable sending passwords to unauthenticated servers and to block SMB relay attacks, you can change Windows policy settings. The relevant setting is "Microsoft network client: Send unencrypted password to third-party SMB servers", stored under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options. It should be set to Disabled.
You can configure SMB settings easily using Local or Group Policy settings.
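The hardening steps above each map to a registry value that Group Policy writes. The following script is an added example, not from the original post or from Guardicore, that audits those values on a Windows 7 / Server 2008 R2 host and, with -Apply, sets the non-compliant ones; the registry paths and value names are the Microsoft-documented locations for these policies, and the desired values are assumptions chosen to match the text (SMBv1 off, signing required, NTLMv2 only, no plaintext passwords, no LM hashes).

```powershell
# Added example: audit (and optionally enforce) the SMB/NTLM hardening settings
# discussed above. Run from an elevated PowerShell session; add -Apply to fix.
param([switch]$Apply)

# Desired state. Paths/value names are the documented registry backing for each policy.
$Baseline = @(
    @{ Name = 'SMBv1 server disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Key  = 'SMB1'; Want = 0 },
    @{ Name = 'SMB signing required (server)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Key  = 'RequireSecuritySignature'; Want = 1 },
    @{ Name = 'SMB signing required (client)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Key  = 'RequireSecuritySignature'; Want = 1 },
    @{ Name = 'No unencrypted passwords to third-party SMB servers'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Key  = 'EnablePlainTextPassword'; Want = 0 },
    @{ Name = 'NTLMv2 only, refuse LM and NTLMv1 (LmCompatibilityLevel)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Key  = 'LmCompatibilityLevel'; Want = 5 },
    @{ Name = 'Do not store LanMan password hashes'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Key  = 'NoLMHash'; Want = 1 }
)

foreach ($s in $Baseline) {
    # A missing value means the OS default applies; for most of these that is the weak setting,
    # so "not present" is treated as non-compliant rather than skipped.
    $current = (Get-ItemProperty -Path $s.Path -Name $s.Key -ErrorAction SilentlyContinue).($s.Key)
    $ok = ($null -ne $current) -and ($current -eq $s.Want)
    if ($ok) {
        Write-Output ("[OK]   {0} = {1}" -f $s.Name, $current)
    } else {
        Write-Output ("[FAIL] {0}: current='{1}' want={2}" -f $s.Name, $current, $s.Want)
        if ($Apply) {
            # Set-ItemProperty creates the value when it does not exist yet.
            Set-ItemProperty -Path $s.Path -Name $s.Key -Value $s.Want -Type DWord -Force
            Write-Output ("       -> set {0}={1} (restart required for SMB1)" -f $s.Key, $s.Want)
        }
    }
}
```

Audit first and apply in stages: LmCompatibilityLevel 5 on a domain controller also rejects NTLMv1 from any remaining legacy clients, and required SMB signing adds CPU cost on busy file servers.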
To help investigations of any future security incidents and reduce the risk of tampered logs, we recommend forwarding all event logs to a centralized and hardened server. Microsoft provides guidance for this and Palantir provides many examples and helper programs.
Explanations for using these Group Policy settings can be found in this guide.
Segmentation to the rescue
By separating the network into logical pieces, organizations can reduce their network attack surface and lower their risk of being breached. Using Guardicore Centra, many segmentation mitigations are easy to implement, limiting an attacker's options for lateral movement.
Let’s take a look at one such scenario. In most enterprise networks, desktop machines do not need to communicate with each other. Using Centra, you can easily block traffic between machines inside the same segment, preventing rapid lateral movement. Similarly, most server machines do not communicate with each other, particularly not over SMB. With Centra, you can verify that no SMB traffic is allowed between servers and create policy rules to block SMB traffic.
As previously mentioned, vulnerabilities for these end-of-life operating systems will come out with no fixes. Some of them may be impossible to mitigate. In these cases, the ability to easily detect a compromise can be the difference between a small incident and a rerun of NotPetya.
Centra also allows you to easily monitor outgoing connections to the Internet from machines running end-of-life operating systems. Legacy servers typically communicate with a well-defined list of remote services, and Centra recently added support for whitelisting connections to specific domains. This makes it easier for organizations to detect if a machine has been breached and is communicating with malicious servers. In many cases, legacy systems are only used for specific tasks; Centra makes it easy to find and ring-fence such systems and limit the attack surface they expose to the rest of the organization.
As part of the Guardicore Cyber Security Analyst (CSA) service, we offer proactive monitoring of your network for threats and malicious activity. As part of this service, we focus on legacy machines and suggest custom mitigation steps to limit their vulnerability in the network. Additionally, we monitor suspicious connections to the Internet originating from vulnerable machines to detect breaches as early as possible.
While using legacy systems is never a best practice, with careful planning and a combination of Microsoft and Guardicore provided tools, you can significantly reduce the risk of running these obsolete systems while you plan an upgrade.