In the time of COVID-19, with so many people working from home, it’s inevitable that many will be using Windows 7 devices. And that’s a big security problem for IT. As of January 2020, Windows 7 is no longer supported by Microsoft. That means no security patches — particularly dangerous at a time when many people are connecting to enterprise networks from their Windows 7 PCs.
It adds up to one of the biggest security risks many companies have seen for some time. Unpatched systems can be more easily hacked than ones that regularly receive security patches. Hackers go after low-hanging fruit — and right now Windows 7 is the lowest fruit there is. As the FBI stated in an August 2020 warning to businesses:
"Continuing to use Windows 7 within an enterprise may provide cyber criminals access into computer systems. As time passes, Windows 7 becomes more vulnerable to exploitation due to lack of security updates and new vulnerabilities discovered."
So if you have remote workers using Windows 7, you should assume that your business is being targeted. Keep in mind that when a hacker gets access to a remote worker’s Windows 7 system, it’s not just that worker who’s vulnerable. So is your entire corporate network, and by extension everyone in your company.
And it’s not just today that you’ll have this problem. This pandemic may last years. Other pandemics may hit. Because of global warming, there will be more frequent storms, more powerful storms, and higher sea levels, disrupting infrastructure in many locations. Remote work, either from home or from satellite offices, has become the new normal. Many companies, including tech giants Facebook, Twitter and Slack, have already announced that they’ll allow remote work permanently for some or most of their workforce.
The suddenness with which the COVID-19 pandemic hit meant that many companies had little choice but to allow employees to use their home computers for work. According to a June 2020 survey by IBM Security and Morning Consult, 53% of employees newly working from home are using their own personal laptops and desktop computers to conduct work at least part of the time. And some portion of those devices are running Windows 7. Other businesses may have had Windows 7-to-10 migration plans that were interrupted by the pandemic. Either way, Windows 7 PCs are accessing corporate networks and apps.
Protecting those devices can no longer wait. Here’s what you need to know to keep them as safe as possible.
Tackle the RDP threat
Windows’ Remote Desktop Protocol (RDP) is one of Windows 7’s biggest security holes. It lets you connect to a Windows server or PC remotely, and its use has skyrocketed during the pandemic. So have attacks against the notoriously insecure protocol — particularly against Windows 7 devices, which are more vulnerable to attacks than Windows 10 systems.
Attackers can break into a PC connecting remotely and endanger not just that computer but the rest of the network and enterprise as well. RDP is particularly dangerous when the TCP port it uses (3389) is “exposed” on the internet — in other words, reachable directly from the internet rather than only through a VPN or gateway.
Even before the pandemic hit, RDP was a hacker’s best friend. The notorious BlueKeep vulnerability in RDP, discovered in 2019, exposed Windows XP, Windows Vista, Windows 7, Windows Server 2003, and Windows Server 2008 to attack by self-propagating worms. Related vulnerabilities, collectively known as DejaBlue, exposed Windows 7 and later devices to such attacks. The security company Radware warned in the early days of the pandemic, “RDP has been for the most part of 2019, and continues to be, by a fair margin, the most important attack vector for ransomware.”
The pandemic only made things worse. Between January and March 2020, as the pandemic took root around the world, the number of exposed RDP ports skyrocketed from around 3 million to more than 4.5 million, according to security software vendor McAfee. More than 20% of those exposed ports were on Windows 7 PCs. And Atlas VPN reports that attacks on RDP more than tripled in the U.S. between March and May 2020 as remote work surged due to coronavirus lockdowns.
Given all that, what can IT do to keep Windows 7 PCs that use RDP secure? Follow this advice:
- First, make sure that Windows 7 is patched with its final set of security updates. Even though no security patches have been issued since January, the older security patches provide some RDP protection.
- Don’t allow RDP connections over the open internet — only use it with a secure VPN, or a zero-trust remote access gateway.
- Enable Network Level Authentication (NLA). This requires users to authenticate with valid credentials before a remote desktop session is set up, rather than after, so unauthenticated connections never reach the login screen.
- Require complex passwords and multi-factor authentication for RDP use.
- Use an RDP gateway.
- If you have remote tools that allow for internal audits, check who is using RDP on Windows 7 in your company, and then make sure they’re following the security practices detailed above. If you don’t have the remote tools, perform the audit in another way, for example with an email questionnaire.
- Don’t allow system developers and IT administrators to use RDP on Windows 7 to manage cloud and on-premises systems and applications. These people typically have high levels of access to infrastructure and systems, and if they’re attacked, hackers can get that access as well.
- Finally, if people aren’t using RDP, IT should disable RDP on all machines and also block TCP port 3389, the port RDP uses, on the enterprise side.
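As an added example (not from the article or from Microsoft), the PowerShell script below audits a single Windows 7 host against the checklist above: whether RDP is on, whether NLA and TLS are enforced, whether the host firewall exposes TCP 3389, and what the most recent installed hotfix is, with an optional remediation switch. It assumes an elevated prompt, the standard Terminal Server registry keys, and the default Windows 7 inbound firewall rule name “Remote Desktop (TCP-In)”.

```powershell
# Added example: audit (and optionally harden) RDP on a Windows 7 host.
# Run elevated. -Remediate enforces NLA + TLS; -DisableRdp also turns RDP off.
param([switch]$Remediate, [switch]$DisableRdp)

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"
$findings = @()

# 1. Is Remote Desktop enabled? fDenyTSConnections = 1 means it is off.
$rdpOn = (Get-ItemProperty $ts).fDenyTSConnections -eq 0
if ($rdpOn) { $findings += 'RDP is enabled on this host' }

# 2. Network Level Authentication: UserAuthentication = 1 requires credentials
#    before a session is created, shrinking the pre-auth attack surface.
$nla = (Get-ItemProperty $tcp).UserAuthentication -eq 1
if ($rdpOn -and -not $nla) { $findings += 'NLA is not required' }

# 3. SecurityLayer = 2 forces TLS for the transport instead of legacy RDP security.
$tls = (Get-ItemProperty $tcp).SecurityLayer -eq 2
if ($rdpOn -and -not $tls) { $findings += 'TLS security layer is not enforced' }

# 4. Host firewall: Windows 7 lacks the NetSecurity cmdlets, so parse netsh output
#    for the built-in inbound rule (rule name assumed to be the Windows 7 default).
$rule = 'Remote Desktop (TCP-In)'
$fw = netsh advfirewall firewall show rule name="$rule" 2>$null
$portOpen = [bool]($fw | Where-Object { $_ -match '^Enabled:\s+Yes' })
if ($portOpen) { $findings += 'Inbound firewall rule for TCP 3389 is enabled' }

# 5. Most recent hotfix: a quick hint whether the final January 2020 updates landed.
$last = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
$findings += "Most recent hotfix: $($last.HotFixID) installed $($last.InstalledOn)"

$findings | ForEach-Object { Write-Output "[RDP-AUDIT] $env:COMPUTERNAME $_" }

if ($Remediate) {
    # Require NLA and TLS; RDP should still only be reachable via VPN or a gateway.
    Set-ItemProperty $tcp -Name UserAuthentication -Value 1
    Set-ItemProperty $tcp -Name SecurityLayer -Value 2
    if ($DisableRdp) {
        # Host does not need RDP at all: turn it off and close the firewall rule.
        Set-ItemProperty $ts -Name fDenyTSConnections -Value 1
        netsh advfirewall firewall set rule name="$rule" new enable=no | Out-Null
    }
    Write-Output '[RDP-AUDIT] remediation applied; re-run without -Remediate to verify'
}
```

Run it through whatever remote management tooling you have (or ask users to run it and return the `[RDP-AUDIT]` lines) to build the inventory the audit step above calls for.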
For more details about protecting RDP on all machines, not just those that use Windows 7, see Microsoft’s “Security guidance for remote desktop adoption.”
Patch all your software
It’s not just Windows 7 itself that’s vulnerable to remote and other kinds of attacks. The applications that run on Windows 7 are often more vulnerable to attacks than the same software running on more modern versions of Windows.
For example, Zoom running on Windows 7 and older devices was found to have an exploitable security hole that Zoom running on Windows 10 doesn’t have. The vulnerability lets remote attackers execute arbitrary code on Windows 7 PCs that have the Zoom client for Windows installed. That’s a particularly problematic vulnerability during a time when so many people use Zoom for work and to keep in touch with friends and family.
Zoom released a new version of its Windows 7 client after the vulnerability was found. But machines that don’t install that new version are still vulnerable to the hack — which is why it’s so vital for anyone with Windows 7 PCs to constantly patch all their software.
Even worse, because Windows 7 PCs are so old, many can be running old, unsupported software — applications that no longer get security patches and updates. IT should make sure that people uninstall any unsupported software on Windows 7 PCs. Also, old versions of browser plug-ins like Java, Adobe Flash, Adobe Reader, and QuickTime are all potentially vulnerable to attack. All of them should be uninstalled.
Beware of Internet Explorer
Speaking of old software, Internet Explorer is the default web browser for Windows 7. There’s a long list of IE vulnerabilities. No one anywhere should be using it. So IT should make sure that people switch from Internet Explorer to a modern, safer browser like Chrome, Firefox, or the Chromium-based version of Edge.
Download up-to-date malware protection
Another problem with Windows 7 and old software: Microsoft Security Essentials, Windows 7’s built-in malware protection, isn’t being updated by Microsoft any more except for new virus definitions. The software itself isn’t built to handle current threats. So IT should make sure that every Windows 7 device has more up-to-date malware protection.
Check your remote management tools
IT can advise people to follow all these rules, but it can be difficult for IT staff to make sure people follow the advice, because the machines are remote. However, there are a wide variety of enterprise management tools that IT can use to manage remote machines, including installing and uninstalling software, making sure machines adhere to security policies, and so on.
An analysis of all those tools is beyond the scope of this article. But if you have a contract with a service provider, check what remote tools the provider has to offer and use those. And keep in mind that IT won’t be able to manage remote devices using Microsoft’s Intune service, because when Windows 7 went out of service in January 2020, Microsoft dropped Intune support for it.
Pay for Windows 7 security patches
There’s one significant thing IT can do if it’s willing to fork over the money — pay for Windows 7 Extended Security Updates (ESUs). ESUs offer security patches, which will help keep Windows 7 PCs safe. These ESUs are available to businesses of all sizes, but only for PCs running Windows 7 Professional and Windows 7 Enterprise; they’ll be available until January 2023.
Costs vary according to company size and number of Windows 7 devices. Typically ESUs for Windows 7 Enterprise cost $25 per machine for 2020, $50 per machine for 2021 and $100 per machine for 2022. ESUs for Windows 7 Professional typically cost $50 per machine for 2020, $100 per machine for 2021 and $200 per machine for 2022. Windows 7 Home machines can’t get ESUs.
Note, though, that it’s not necessarily easy to buy ESUs for Windows 7 for your company. The largest enterprises shouldn’t have a problem buying them by contacting Microsoft. But smaller companies will have to buy them from a Microsoft cloud solution provider (CSP), and it can be hard to find a CSP willing to sell them. For details and help, see “Just because Microsoft sells Windows 7 support doesn't mean you can buy it.”
Obviously, all that can be expensive. But keep in mind that you won’t need it for everyone in your company, so it may well be worth the cost — especially compared to the financial damage a serious breach can cause.
Upgrade, upgrade, upgrade
The ultimate solution to all these woes, of course, is to upgrade all Windows 7 devices to Windows 10. That’ll reduce remote vulnerabilities significantly and make IT’s life far easier. So make the pitch for upgrades for people working remotely and hope your business buys into it.