10. January 2023 / PL / reading time: 6 min

Underestimated Risk: Management of End-of-Life Systems in Production Environments

The challenges and the effort required to update current and manufacturer-supported systems can be very high for many industrial IT managers already. Dealing with “expired systems”, or more accurately end-of-life systems, on the other hand, is a completely different issue. In this article, you will learn why the management of these systems should nevertheless be an important part of the security strategy.

 

What does End-of-Life (EoL) mean?

When end-of-life is mentioned, different terms are often mixed up. Therefore, we will first clarify the three most important types.

End-of-Support
The producer no longer offers updates after a certain date. This concerns both function and security updates. Using the MS Windows 7 operating system as an example, the end date was 14.01.2020.1

End-of-License
The product can no longer be licensed and may no longer be distributed by OEMs, for example. This date is often several years after the end of support. This mainly affects embedded licenses, such as Windows 7 Embedded on 27.07.2025

End-of-Life
End-of-life is usually defined as “end-of-license”. This means that the discontinued software product is no longer available from this point on. In addition to the security-related challenges, there is the additional problem that the producer may no longer be able to supply a replacement, depending on the type of license. Taking Windows 8.1 as an example, the end date will be 10.01.2023.2

 

What happens after an operating system is discontinued?

If, for example, Microsoft discontinues an operating system or other software, no more bug fixes or even function updates are provided after the support period.

History of Microsoft Patch Management

How did the patches, updates and upgrades we know today actually come up? Learn more in this article.

geschichte-des-patchens-ondeso

One exception is the ESU program (Extended Security Update) for certain transition periods and only for security-relevant updates. Microsoft states the following in the section “Frequently asked questions about the lifecycle policy”:

“… It contains critical* and/or important* security updates for a maximum period of three years after the end date of extended support for the product. ESUs do not include new features, customer-requested non-security updates, or design change requests.

All Windows 7 and Windows Server 2008/R2 customers received an update on January 14, 2020, as the operating system was supported until then. Updates for these operating systems after January 14, 2020 will only be provided to ESU customers. … “3

(translated from the german version by ondeso)

For Enterprise customers, this means that further security updates can be provided for a transitional period of up to three years. However, this is subject to certain requirements being met, such as operating system edition, licensing and additional contracts.4

For Windows 7, this means the final end of security updates on Jan. 10, 2023.5 In the case of the RDP weak point “BlueKeep”, patches were even provided up to Windows XP, respectively Server 2003, independently of the ESU program due to the potential scope.

Windows 7 support end

After more than 10 years, Microsoft finally stopped providing technical support and updates on January 14, 2020. We show you what to do now.

windows7-support-ende

No available updates = end of systems?

Not exactly, at least not in production environments. Microsoft System Center Configuration Manager and many other office patch and configuration management solutions currently only support operating systems from Windows 8.1 onwards, and attempts to get the client to work in any way seem unsuccessful.6

This means on the other hand, that systems may still be kept alive and officially get provided with security-relevant updates via WSUS by the ESU program, but that these devices are otherwise no longer managed. In the “Guidance for Core Infrastructure”, Microsoft therefore makes the following recommendation:

” … Products that are beyond their support lifecycle are not supported for use with Configuration Manager. This includes all products that are covered by the ESU program. Security updates released under the ESU program are released in Windows Server Update Services (WSUS). These updates are displayed in the Configuration Manager console. While products covered by the ESU program are no longer supported for use with Configuration Manager, the latest published version of Configuration Manager Current Branch can be used to deploy security updates published to Windows in the program.

Client management features that do not relate to Windows software update management or operating system deployment are no longer tested on the operating systems covered by the ESU program, and we cannot guarantee that they will continue to work. It is strongly recommended that you upgrade to a current version of the operating system as soon as possible to maintain support for client management. … “7

(translated from the german version by ondeso)

This means that third-party updates, for example for the Log4J weak spot8 at the end of 2021, would have to be distributed manually or, at best, scripted. Replacing endpoint protection, remote maintenance software or AV scanners on these systems is therefore no longer possible without great effort.

 

Special challenges in the industrial environment

 

Since operating systems cannot always be easily updated or replaced, especially in the industrial environment, it is not uncommon for even MS Windows XP or even older operating system versions to be in use.

 

Example:

In a fictional but not exceptional production environment containing 300 Windows devices, of which 15 are Windows XP, 135 Windows 7 (Embedded and Professional) and 150 Windows 10 (LTSB and LTSC), this would mean that 50% of the devices can no longer be actively managed and would generate a very high manual effort in an emergency.

Often these devices are segmented and separated from the rest of the network as much as possible using firewalls or edge devices.

However, current malware such as Raspberry Robin already shows attempts that, after spreading and infecting the initial device via a USB stick, the malware can continue to spread via open vulnerabilities in the connected segment.10

 

Here’s what you should consider when managing end-of-life systems

Even if updates for these outdated operating systems are either not provided at all or only in rare exceptional cases, there are still some actions and measures that need to be performed regularly as part of daily work or security guidelines.

 

These include:

  • Inventory of hardware and software
    License management, vulnerability management
  • Hardening by uninstalling and switching off unnecessary programs and services
  • Replacement of deployed software components
    e.g. remote maintenance, AV, endpoint protection
  • Update of individual software components or configuration adjustments
    e.g. runtime environments in the case of Log4J
  • (Temporary) deactivation of not needed protocols or configuration of the client firewall
    e.g. BlueKeep
  • User management
    Default users, passwords, employee changes
  • Creation of backups for disaster recovery scenarios
    e.g. ransomware attacks

 

What tools and options are available for this?

You can use the ondeso SR software solution to implement all of these tasks. ondeso SR was developed specifically for these environments and all tasks related to the lifecycle management of industrial IT from Windows XP onwards and can not only provide support for the measures listed, but also fully automate the processes and thus make a significant contribution to minimizing errors, increasing efficiency and scaling.

 

Our recommendation: Test ondeso SR free of charge for 30 days.
You can find more info here.

 

 

Conclusion:

A machine that once represented a seven-figure investment still functions technically, even if the underlying operating system for the control PC is outdated. Since the software used was very special and, if necessary, individually adapted and configured, it cannot be replaced without considerable effort or, in some cases, not at all. It follows that the underlying operating system and other software and configuration components must also continue to be operated – but safely.

Endpoint management solutions from office environments completely discontinue support for managing such devices with end-of-support or end-of-life at the latest, which is why many tasks that still need to be performed on these devices can only be done manually. In order to save time and costs and to be able to maintain the security across the perimeter at the highest possible level on the end devices as well, special solutions for these environments such as ondeso SR are a must-have. Compared to manual solutions, the investment pays off after only a short time and with a small number of end devices to manage.

Contact us now and tell us about your challenges. Together we will develop suitable solutions for your OT systems so that you can concentrate on the essential things again.

How can I help you?

Do not hesitate to contact me – I will be happy to help you.
Lars Pachur, Account Manager

_SSC9133-1 Kopie 4
ondeso-sr-small-new

More about ondeso SR

Click here for more information about our OT administration software designed for industrial PCs.

referenzen-projekte-ondeso-industrial-it

References & Success Stories

Which companies rely on ondeso for their industrial IT management? Discover the answer here.

flur-ueber-ondeso

About ondeso

Learn more about our company and our comprehensive expertise as a pioneer and market leader.