How to create a compensating control for EOL Windows XP Risk

By Kim Singletary on May 13, 2013

Support for Windows XP SP3 will officially end April 8, 2014, meaning users have less than a year to choose which operating system to go with next. For many, the motivation to move off XP to a new operating system hasn’t been very compelling – while Windows 7 may be a reasonable option, Vista wasn’t received well, and the jury is still out about Windows 8. It’s also impractical to think that any migration could be as effective or efficient as that performed by the OS vendor, especially if it’s a jump of several versions. The business still has to validate all of the applications with the updated OS and plan for any end-user training that might be needed to adjust to the change.

You can imagine that with all of these issues, companies are moving cautiously and may very well run out of runway before XP reaches end of life. Continuing in this mode exposes businesses to risk, as there will no longer be vendor-supplied patches to address vulnerabilities. As risky as an outdated operating system may be, additional risk also comes from everyday business applications running on it. Until you are ready to change your desktop environment, McAfee suggests three basic steps to combat that risk:

  1. Remove Admin privilege from standard users;
  2. Enable memory and buffer overflow protection;
  3. Enable whitelisting for 0-day vulnerability protection.

One of the key criteria many auditors apply when evaluating a compensating control is whether the control goes above and beyond the baseline requirement. An unsupported operating system, or indeed any software, can potentially be exploited through memory and buffer manipulation. Zero-day vulnerabilities are being aggressively discovered and weaponized, like the recent Java zero-day that pushed crimeware payloads to unprotected users.

Mitigate these issues by normalizing user privileges commensurate with their roles and responsibilities – for example, users should not be Admin level unless they are part of your IT organization. Continue to leverage the McAfee Host Intrusion Protection for Desktop (HIPS) for memory and buffer overflow protection. Prevent unauthorized software from executing on your systems by adding McAfee’s dynamic whitelisting capability through McAfee Application Control.
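As an added example (not from the original post and not McAfee product code), the following script shows how a desktop team might verify steps 1 and 2 from artifacts captured on an XP host: the output of `net localgroup Administrators` and the `/noexecute` DEP switch in `boot.ini`. Both inputs are constructed samples, and the IT allow-list of permitted admin accounts is a hypothetical placeholder.

```python
import re
# Constructed sample of `net localgroup Administrators` output from an XP host (not real data).
NET_LOCALGROUP_OUTPUT = """Alias name     Administrators
Members
-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\helpdesk-svc
jdoe
The command completed successfully.
"""
# Constructed boot.ini fragment from an XP SP3 host; the /noexecute switch sets the DEP policy.
BOOT_INI = """[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
"""

# Hypothetical allow-list: the only accounts IT permits in the local Administrators group.
IT_ADMIN_ACCOUNTS = {"Administrator", "CORP\\Domain Admins"}

def parse_local_admins(output):
    """Return the member names listed between the dashed rule and the trailing status line."""
    members, in_members = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("----"):
            in_members = True
        elif in_members:
            if not line or line.startswith("The command completed"):
                break
            members.append(line)
    return members

def unauthorized_admins(output, allowed=IT_ADMIN_ACCOUNTS):
    """Members of Administrators not on the IT allow-list (step 1 violations)."""
    return [m for m in parse_local_admins(output) if m not in allowed]

def dep_policy(boot_ini):
    """The /noexecute value in lower case, or 'missing' when the switch is absent (XP then defaults to OptIn)."""
    m = re.search(r"/noexecute=(\w+)", boot_ini, re.IGNORECASE)
    return m.group(1).lower() if m else "missing"

def dep_is_enforced(boot_ini):
    # OptIn protects only Windows system binaries; OptOut and AlwaysOn cover all applications.
    return dep_policy(boot_ini) in ("optout", "alwayson")

def report(net_output=NET_LOCALGROUP_OUTPUT, boot_ini=BOOT_INI):
    findings = ["local admin not on IT allow-list: %s" % a for a in unauthorized_admins(net_output)]
    if not dep_is_enforced(boot_ini):
        findings.append("DEP policy is %s; expected OptOut or AlwaysOn" % dep_policy(boot_ini))
    return findings
```

Running `report()` on the constructed samples flags two non-IT accounts holding local admin and a DEP policy of OptIn that leaves third-party applications uncovered by the OS-level protection.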

Managing risk with these steps, and going beyond the baseline, lets you address the vulnerabilities you may be exposed to by remaining on Windows XP for a limited time.

To learn more about today’s evolving landscape of desktop security, be sure to download our whitepaper.

 -Kim Singletary
