


Contributing Writer

How to isolate a Windows 7 machine from your network

May 22, 2019 | 3 mins
Network Security | Security | Small and Medium Business

If you have a business reason to keep a Windows 7 system active past its 2020 end-of-life date, here's how to keep it from being a security liability on your network.


We’re coming up to the Windows 7 end-of-life date. January 2020 will be the last time Windows 7 receives a security update, although customers with a premier support contract can purchase Extended Security Updates (ESU) for Windows 7 Professional and Enterprise through January 2023.

Alternatively, when Windows Azure virtual desktop is released, you can purchase virtual desktop and ESU will be provided free of charge to allow you to transition to Windows 10. However, some might find neither option feasible or have a reason (as I do) to keep Windows 7 around to access older line-of-business applications. In my case, we need it to run older versions of specialized software to prepare historical calculations.

Clearly, we do not want to expose our network and our systems to the undue risk that Windows 7 presents. What can you do to isolate these potentially vulnerable Windows 7 systems so that they don’t introduce risk into your network? Plenty. Here are your options:

  1. Block the machines from being able to browse the internet. Use the proxy trick from the XP era to keep older systems from the web. Enable proxy settings and use the same proxy server for all addresses. Select “Do not use proxy server for local (intranet) addresses”. Then enter into “Address of proxy” and 80 into the “Port” setting. You can also apply these settings via Group Policy to block browsing for certain users.
  2. Isolate the machine on a private network that isn’t able to access the internet.
  3. Virtualize Windows 7 and narrow the scope of the use of the system so that it’s only used when absolutely necessary. You will need to license the machine using software assurance to transfer it to a virtual machine.
  4. Install Microsoft’s Enhanced Mitigation Experience Toolkit on Windows 7. While it, too, is no longer supported, you can import the settings to protect popular software.
  5. Don’t log into the system with administrator credentials and use only limited user rights. If you have issues running a line-of-business application without administrator rights, use LUA Buglight to determine what registry keys or file locations need elevated rights.
  6. Disable autorun functionality.
  7. Review your Data Execution Prevention Protection settings and ensure they are enabled.
  8. Ensure you update to the latest version of Office and don’t use older versions of Office.
  9. Don’t open email on Windows 7 (and especially don’t follow HTML links).
  10. Ensure all final updates are installed as Windows 7 starts its final days. Ensure you manually scan for updates and review what optional updates you may not have installed in the past.
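
A read-only way to check items 1, 5, 6 and 7 on a given machine, as an added example that is not from the original article. The function names `New-Finding` and `Test-Win7Isolation` are hypothetical; the script only reads the registry and WMI and does not judge which proxy address is configured.

```powershell
# Added example: read-only audit of checklist items 1, 5, 6 and 7.
# Written for the PowerShell 2.0 that ships with Windows 7; it changes nothing.

function New-Finding($Item, $Ok, $Detail) {
    New-Object PSObject -Property @{ Item = $Item; Ok = $Ok; Detail = $Detail }
}

function Test-Win7Isolation {
    # Item 1: per-user proxy settings (Internet Options > Connections > LAN settings)
    $inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
    New-Finding 'Proxy enabled' ($inet.ProxyEnable -eq 1) "ProxyServer = '$($inet.ProxyServer)'"
    # '<local>' in ProxyOverride is how the local-address exemption checkbox is stored
    $localBypass = ("$($inet.ProxyOverride)" -like '*<local>*')
    New-Finding 'Local addresses skip the proxy' $localBypass "ProxyOverride = '$($inet.ProxyOverride)'"

    # Item 5: is this session running with administrator rights?
    # With UAC on, a non-elevated session of an administrator account reports False.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $isAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    New-Finding 'Session lacks admin rights' (-not $isAdmin) $id.Name

    # Item 6: machine-wide autorun policy; 0xFF (255) disables it for every drive type
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
    New-Finding 'Autorun disabled for all drives' ($pol.NoDriveTypeAutoRun -eq 255) "NoDriveTypeAutoRun = '$($pol.NoDriveTypeAutoRun)'"

    # Item 7: DEP policy; 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut
    $os = Get-WmiObject Win32_OperatingSystem
    $names = @('AlwaysOff', 'AlwaysOn', 'OptIn', 'OptOut')
    $dep = [int]$os.DataExecutionPrevention_SupportPolicy
    New-Finding 'DEP enabled' ($dep -ne 0) "Policy = $($names[$dep])"
}

Test-Win7Isolation | Select-Object Item, Ok, Detail | Format-Table -AutoSize
```

Run it as the account that normally uses the machine, since the proxy values are read from that user's registry hive.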

All these steps won’t protect you from all unpatched vulnerabilities, so it’s crucial that you understand the risks you are taking by running unpatched software. If there is a need to keep an older operating system, do the best you can to isolate it from the rest of your production network. Then plan on retiring these systems as soon as you can.


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for, is a moderator on the listserve, and writes a column of Windows security tips for In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
