Microsoft to Officially End Support for Windows 7, Server 2008

Windows 7 and Server 2008 will continue to work after Jan. 14, 2020, but will no longer receive security updates.

The end of support is near for Windows 7, Windows Server 2008, and Windows Server 2008 R2. All of these will stop receiving security updates and technical assistance after Jan. 14, 2020.
Windows 7 end-of-support arrives more than 10 years after the OS was released on Oct. 22, 2009. When the support period
ends
, technical assistance and software updates via Windows Update will no longer be available. Related Windows 7 services will be discontinued over time; the Electronic Program Guide for Windows Media Center, for one, will be shut down this month.
Some services will continue to receive support. Microsoft will
continue
to support its Edge browser for another 18 months, terminating support on July 15, 2021, at the earliest. Google will support Chrome on Windows 7 for the same time frame, the company
confirmed
last week.
The end of support for Windows Server 2008 means the end of additional free on-premise security updates, non-security updates, free support options, and online technical content updates. Users
are urged
to migrate their Windows Server 2008 products and services to Azure to access three more years of Critical and Important security updates at no additional charge.
For non-Azure environments, Microsoft advises customers to upgrade to the latest version. Those who cannot meet the end-of-support deadline can buy Extended Security Updates to protect their server workloads until they upgrade, though some restrictions apply, it notes.
Microsoft
began
alerting users of the Windows 7 deadline last April, when pop-up notifications started to arrive on machines running the OS. In October, users of non-domain-joined Windows 7 Pro devices started to see similar end-of-support alerts. The idea was to push users to upgrade before the deadline or risk leaving machines vulnerable to a host of attacks.
Microsoft has been sounding the horn about this for a while now, notes Satnam Narang, senior research engineer for security response at Tenable, who warns threats are imminent. Attackers are chomping at the bit to target victims still running Windows 7 and Server 2008, he says, and its pretty much fair game for them to find ways to exploit vulnerabilities.
One example he points to is
CVE-2019-1458
, an elevation of privilege vulnerability that has been exploited in the wild and affects both Windows 7 and Windows Server 2008. Businesses should be worried about targeted zero-day attacks, Narang continues, but another concern is how attackers can build these into exploit kits and launch more widespread attacks.
Richard Melick, senior technology product manager at Automox, anticipates an increase in services-based attacks leveraging vulnerabilities in Remote Desktop Protocol (RDP), Server Message Block (SMB), and other areas where services run as Windows 7 support terminates. The risk will continue to grow as third-party software products also end support for the OS.
As that continues to advance, the older machines with the older operating systems wont be supported as often as some of the newer ones, he explains. Many companies will go off of Microsofts schedule and stop supporting older products. It helps them with development, Melick says. Why develop for operating systems that are no longer supported?
Both experts agree companies that dont upgrade face a range of phishing and tech support scams with subject lines crying, Your machine is no longer supported!
Theres definitely an opportunity for tech support scammers to take advantage, Narang points out.
Downsides of the Upgrade Process
Why do organizations continue to run an operating system they know will be unsupported? A host of challenges could be to blame, Melick says.
The biggest one is going to come down to operational workflow, he notes. As most security and IT managers are aware, any upgrade potentially disrupts workflow. Because there is so much third-party software in corporate environments, software hurdles vary across businesses. A smaller company may lack resources to do a full OS upgrade. However, doing the research and planning for a massive enterprise with 2,000-plus seats can be daunting, Melick explains.
Larger organizations also face the issue of balance and disconnect between the business and security teams. Melick points to a client that hadnt updated its machines in years because there were so many devices to support. This made them a target.
Do we continue to delay that update due to testing and functionality and workflow, and put us at risk for attack, or do we do the update now and deal with workflow issues and a lot of service tickets? he says.
Experience has taught him the latter is preferable, he noted. This isnt the only issue pushing businesses to upgrade. GDPR, HIPAA, and PCI compliance requirements also apply pressure.
If youre running a machine thats not updated, you could potentially be out of compliance, Melick adds.
Not Upgrading? What to Do Now
If your organization doesnt have the money or resources to upgrade, youre not alone – but there are steps you can take to better protect your systems and prepare for the migration.
Melick advises IT and security teams to come together and establish an audit of services and hardware connected to the network, creating a full picture of every device, status, upgrading capability, and other factors. He also advises applying all available patches as soon as possible.
With the operating system not being updated past tomorrow, deploy all the patches, he says. Lets close that window of attack and minimize the attack surface as much possible … thats going to probably be the easiest way to get there.
In addition to relying on endpoint protection software to detect known threats, Narang advises taking the time to train employees on phishing scams that could arrive in their inboxes after support ends.
Microsoft will likely continue releasing patches for major vulnerabilities that affect Windows 7 and Server 2008, Narang points out. When the
BlueKeep
vulnerability was disclosed, for example, the company released fixes not only for Windows 7 and Windows Server 2008, but also Windows XP and Windows 2000, both of which were no longer supported at the time.
Related Content:
Assessing Cybersecurity Risk in Todays Enterprise
Will This Be the Year of the Branded Cybercriminal?
6 Unique InfoSec Metrics CISOs Should Track in 2020
5 Tips on How to Build a Strong Security Metrics Framework
Check out
The Edge
, Dark Readings new section for features, threat data, and in-depth perspectives. Todays top story:
6 Unique InfoSec Metrics CISOs Should Track in 2020
.

Last News
▸ Security pros top concern: Rogue employees, study finds. ◂ Discovered: 26/12/2024 Category: security	▸ Obama supports NSA Prism program, Google denies access point ◂ Discovered: 26/12/2024 Category: security	▸ Glasgow Council fined for weak security. ◂ Discovered: 26/12/2024 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Microsoft to Officially End Support for Windows 7, Server 2008