How will Windows 7 End-of-Life affect the data centre? Daniel Goldberg, senior security researcher at Guardicore Labs gives us his insight.
On 14 January, Windows Server 2008, Server 2008 R2 and Windows 7 were announced End-Of-Life (EoL). Put simply, this means that unless your organisation is one of a few exceptions – all the machines running the above-mentioned operating systems have now ceased to receive Microsoft security updates.
The next time an attacker finds a vulnerability affecting these operating systems, no security patch will be provided, and the machines will remain defenceless. Of course, many users will rightly upgrade their systems. But for many data centres, upgrading is not an option they can yet consider. In such cases, mitigating the danger from insecure software is a challenging yet mandatory task they must undertake.
The risks to data centres of continuing to run EoL versions long-term is hard to understate. Despite being more than a decade old, these operating systems are still in wide use. The majority of data centres run these operating systems in their production environments, with many assigned critical roles such as domain controllers. Ned Pyle, a Microsoft principal PM, estimates that Windows Server 2008 and 2008 R2 make up nearly a third of all server machines worldwide.
In the short-term, it is unlikely anything drastic will happen to unsupported Windows Server machines. Most software vulnerabilities are not relevant to servers and existing defences will do the job. But the long tail risk is immense; the next BlueKeep, EternalBlue or other remote code execution vulnerabilities will inevitably be used to cut through data centre networks. All that will be required is a foothold inside an organisation and any vulnerable server will be quickly compromised. Such footholds are easy to acquire, as breaches in the UN (Microsoft Sharepoint), Travelex (PulseSecure VPN) and many others make clear.
If upgrading was easy, everyone would be doing it
It is enough to perform a couple of software upgrade cycles to find out that upgrading is never as simple as we wish. Just listing the reasons why this process is complicated could take longer than this article. Rather than giving up, there are a number of steps that can be taken to minimise the danger from new vulnerabilities. New vulnerabilities will be discovered and publicised, but the vast majority of vulnerabilities use the same few common attack vectors.
To start with, we encourage organisations to follow hardening best practices for Windows Server 2008 R2 and Windows 7. Microsoft regularly publishes such guidelines as part of the Microsoft Baseline Security Analyser.
First, wherever possible, disable SMBv1 and enable SMBv2 message signing. This will prevent many lateral movement attacks, including all attacks which use the EternalBlue family of vulnerabilities and many other attack techniques abusing NTLM relaying.
Second, change network authentication settings to block usage of obsolete and weak authentication methods such as NTLMv1 and LanMan. This will eliminate many token stealing attacks employed by popular offensive security tools such as Mimikatz.
Last, to help investigations of any future security incidents and reduce the risk of tampered logs, we recommend forwarding all event logs to a centralised and hardened server. These steps are not complicated to implement in most data centres and will significantly reduce your attack surface from many known attack vectors.
Assume breach and segment
An attacker having a foothold in your network is practically a given, so defences should not only be strong walls but also chokepoints, compartments and other defensive tactics. The strongest and simplest tool is segmentation, separating the network into logical pieces. Applying segmentation, organisations can reduce their network attack surface and lower their risk of being breached.
The classic example of segmentation is a DeMilitarized Zone (DMZ), although this is mostly obsolete in today’s connected networks. A more practical example is blocking cross SMB traffic. While servers often communicate with each other, they typically do not use the SMB protocol for this purpose. Blocking it using endpoint firewalls eliminates the attack vector used by the NotPetya worm which nearly brought down Maersk as well as many other organisations.
Another good application of segmentation is limiting legacy systems’ access to the internet. Most legacy system behaviour is well understood and whitelists for their network activity can be created. In such cases, alerting on deviations from whitelisted behaviour is an effective tool to detect compromise of legacy machines. The last point is worth emphasising: early detection of breaches and compromises is one of the primary advantages of segmentation.
Not just Windows
It’s not just older Microsoft products within a data centre that present EoL risks. While the transition to web-based software has simplified the life of IT departments in endpoint systems, servers are just as problematic as they were in the past if not more so.
Oracle Database is a frequent culprit of compromise in many organisations, along with Red Hat Enterprise Linux and other old platforms. Routers, considered by many to be supported as long as they work, are frequent targets of high-end attackers and rarely receive software patches.
Get a shovel, dig defences
We cannot afford to get rid of all vulnerable legacy software, no matter how hard we try. Our only hope is creating moats around vulnerable systems and monitoring them for breaches. The latest end-of-life announcements from Microsoft will hopefully help spotlight such systems and help security professionals prioritise these systems for protection.