How to isolate a Windows 7 machine from your network

We’re coming up to the Windows 7 end of life date. January 2020 will be the last time Windows 7 will receive a security update, although customers with a premier support contract can purchase Extended Security Updates (ESU) for Windows 7 Professional and Enterprise through January 2023.

Alternatively, when Windows Azure virtual desktop is released, you can purchase virtual desktop and ESU will be provided free of charge to allow you to transition to Windows 10. However, some might find neither option feasible or have a reason (as I do) to keep Windows 7 around to access older line-of-business applications. In my case, we need it to run older versions of specialized software to prepare historical calculations.

Clearly, we do not want to expose our network and our systems to undue risk that Windows 7 presents. What can you do to isolate these potentially vulnerable and risky Windows 7 systems so that they don’t introduce risk into your network? Plenty. Here are your options:

1. Block the machines from being able to browse the internet. Use the proxy trick from the XP era to keep older systems from the web. Enable proxy settings and use the same proxy server for all addresses. Select ”Do not use proxy server for local (intranet) addresses”. Then enter 127.0.0.1 into “Address of proxy” and 80 into the “Port” setting. You can also use these settings via Group policy to block it for certain users.
2. Isolate the machine on a private network that isn’t able to access the internet.
3. Virtualize Windows 7 and narrow the scope of the use of the system so that it’s only used when absolutely necessary. You will need to license the machine using software assurance to transfer it to a virtual machine.
4. Install Microsoft’s Enhanced Mitigation Experience Toolkit on Windows 7. While it, too, is no longer supported, you can import the settings to protect popular software.
5. Don’t log into the system with administrator credentials and use only limited user rights. If you have issues running a line-of-business application without administrator rights, use LUA Buglight to determine what registry keys or file locations need elevated rights.
6. Disable autorun functionality.
7. Review your Data Execution Prevention Protection settings and ensure they are enabled.
8. Ensure you update to the latest version of Office and don’t use older versions of Office.
9. Don’t open email on Windows 7 (and especially don’t follow HTML links).
10. Ensure all final updates are installed as Windows 7 starts its final days. Ensure you manually scan for updates and review what optional updates you may not have installed in the past.

All these steps won’t protect you from all unpatched vulnerabilities, so it’s crucial that you understand the risks you are taking by running unpatched software. If there is a need to keep an older operating system, do the best you can to isolate it from the rest of your production network. Then plan on retiring these systems as soon as you can.