Before I left Tanium, I was working on some content around Operating System EOL Lifecycle. What does this mean exactly though? When an operating system is RTM'd or released to manufacturing (aka, downloadable and installable, in today's day and age), it usually has a set timeframe from the company that created it to support it during its "lifetime". Resources are needed to keep the published operating system (OS) secure and reliable over time, so keeping people on something that's ten years old, for example, can be a strain on the company. To avoid this, a lifetime for a product is decided, according to how fast the company can publish a new version.

Let's take Microsoft Windows 10 as an example. For the last few years, major updates to the Windows 10 OS typically come out in March and September, so in 2019 the two major updates were 1903 and 1909. These have a specific timeframe for supporting security updates and features on these specific builds. Here is more information about what is supported and when those life cycles go "out of support": https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet

When an OS is within its support window, major and minor updates to the OS are provided freely, as long as they are activated appropriately. These can include new features, visual updates, and hopefully lots of fixes to previously known issues and bugs. Security updates sometimes have an extended time window, depending on how critical the threat is. When an OS is outside of this support window, the charges to have Microsoft support these systems become very expensive. Why though? Because Microsoft must spend resources that have likely moved on to newer or other projects throughout the company on something that is not making them money anymore. Newer versions have come out, and support for older versions has mostly ceased, other than critical security patches. Microsoft is a publicly traded company; it has to make money to survive, hence the expense to support these older systems.

What's the solution when someone has older OSes, or out of date ones? Well, that's a tricky question to answer. Home users, who only have their personal data and machine(s) to work on, can hit Windows Update to update their systems. Sometimes this causes issues with software that may be installed, but usually those get fixed pretty quickly. On a grander scale at a worldwide corporation though, the apps that are used for business run on the operating systems that are installed, so an OS patch could affect their ability to do business. For this reason, large scale patching of OSes needs a more tightly controlled mechanism and process in order to update their company's systems. But I want to update my system now! Hahaha, not so fast buddy. If you update, and that update causes apps on your system to misbehave or interrupt business workflow, that can cost the company money in outages. Can you imagine a bad patch being pushed out to thousands of systems running the company's public facing website? An outage like that could cost hundreds of thousands of dollars PER MINUTE. I've seen it happen, and it's quite a scary sight.

Ok, so how do I update my company's systems safely? TEST TEST TEST. Grab a few machines that represent the majority of the systems in your company, and install the necessary patches for OS and apps on these systems first, away from the rest of the systems that are making your company money. Once those have been tested for stability and continuity, then a phased approach to update those systems across the enterprise can be performed. Whether this is a small patch, or a larger bi-annual Windows 10 or Server OS patch, the workflow would be the same. Test the updates with the software you normally use, then deploy at a larger scale once verified.
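The test-first, phased workflow above can be planned straight from an inventory export. This is an added example, not code from the original post: the host names, the fields and the `plan_rollout` helper are all hypothetical. It picks one non-critical test host per OS/app configuration until the pilot represents a majority of the fleet, leaves revenue-facing systems for last, and reports configurations that have no safe test machine.

```python
from collections import defaultdict

# Constructed inventory: hypothetical hosts; "critical" marks revenue-facing systems.
INVENTORY = [
    {"host": "ws-001", "os": "Win10 1903", "app": "office", "critical": False},
    {"host": "ws-002", "os": "Win10 1903", "app": "office", "critical": False},
    {"host": "ws-003", "os": "Win10 1903", "app": "office", "critical": False},
    {"host": "ws-004", "os": "Win10 1909", "app": "office", "critical": False},
    {"host": "ws-005", "os": "Win10 1909", "app": "office", "critical": False},
    {"host": "web-01", "os": "Server 2016", "app": "web", "critical": True},
    {"host": "web-02", "os": "Server 2016", "app": "web", "critical": True},
    {"host": "web-03", "os": "Server 2016", "app": "web", "critical": False},
    {"host": "db-01", "os": "Server 2016", "app": "sql", "critical": True},
]

def plan_rollout(inventory, coverage=0.5):
    """Pick pilot hosts, then order the rest so critical systems patch last."""
    total = len(inventory) or 1  # avoid dividing by zero on an empty export
    groups = defaultdict(list)
    for h in inventory:
        groups[(h["os"], h["app"])].append(h)

    pilot, gaps, covered = [], [], 0
    # Largest configurations first; ties broken by name for a stable result.
    for key, hosts in sorted(groups.items(), key=lambda kv: (-len(kv[1]), kv[0])):
        safe = sorted(h["host"] for h in hosts if not h["critical"])
        if not safe:
            gaps.append(key)  # no test host that is safe to break
        elif covered / total < coverage:
            pilot.append(safe[0])
            covered += len(hosts)

    rest = [h for h in inventory if h["host"] not in pilot]
    return {
        "pilot": pilot,
        "broad": sorted(h["host"] for h in rest if not h["critical"]),
        "critical_last": sorted(h["host"] for h in rest if h["critical"]),
        "gaps": gaps,
        "pilot_coverage": round(covered / total, 2),
    }

if __name__ == "__main__":
    for phase, value in plan_rollout(INVENTORY).items():
        print(phase, value)
```

A configuration listed under `gaps` needs a dedicated test copy before its production hosts are patched.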

But I'm using Windows Server 2003 and it runs really old software that isn't supported anymore, since the company that created it no longer exists. That's really tough, and I feel for you. I've seen situations where this is more common than you'd think. But still the same issue, though you aren't getting patches anymore at this point. If you can't upgrade to a newer OS, because you can't lose the app that is running on it, this would be a good time to isolate that system, and possibly move it to a secure space in the cloud. At least once it's virtualized, the old hardware can be decommissioned. The old app and OS virtual machine could be in your data center or public clouds like Azure or AWS. Easier to manage, even though it still won't be updated anymore, but at least still can be used.

Some important takeaways to key in on:

  • It's important to know what's no longer supported and when (no upgrades, no updates, no security fixes after the support window closes)
  • Why track this over time?
      • Not paying thousands to hundreds of thousands of dollars, just for security updates
      • Get ahead of OS upgrades
      • Gain better security visibility
      • Already paying for latest Windows through Microsoft Agreements, why not upgrade?
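Tracking support windows over time comes down to a recurring check of the inventory against a lifecycle table. The sketch below is an added example, not from the original post: host names are constructed, `support_status` and `eol_report` are hypothetical helpers, and the dates are sample entries to confirm against the vendor's lifecycle page. A build missing from the table is reported as unknown and never assumed to be supported.

```python
from datetime import date

# Sample lifecycle table; confirm each date against the vendor's lifecycle page.
END_OF_SUPPORT = {
    "Windows 10 1903": date(2020, 12, 8),
    "Windows 10 1909": date(2021, 5, 11),
    "Windows Server 2003": date(2015, 7, 14),
}

# Constructed inventory (hypothetical host names).
HOSTS = [
    ("ws-001", "Windows 10 1903"),
    ("ws-004", "Windows 10 1909"),
    ("leg-01", "Windows Server 2003"),
    ("lab-07", "Windows 10 2004"),  # deliberately missing from the table
]

def support_status(os_name, today, lead_days=180):
    """Return (status, days_left) for one OS build on a given day."""
    end = END_OF_SUPPORT.get(os_name)
    if end is None:
        return ("unknown", None)  # untracked build: treat as a finding
    days_left = (end - today).days
    if days_left < 0:
        return ("out_of_support", days_left)
    if days_left <= lead_days:
        return ("upgrade_due", days_left)  # inside the planning window
    return ("supported", days_left)

def eol_report(hosts, today, lead_days=180):
    """Rows of (host, os, status, days_left), most urgent first."""
    rank = {"out_of_support": 0, "unknown": 1, "upgrade_due": 2, "supported": 3}
    rows = [(h, os_name, *support_status(os_name, today, lead_days))
            for h, os_name in hosts]
    return sorted(rows, key=lambda r: (rank[r[2]], r[3] if r[3] is not None else 0))

if __name__ == "__main__":
    for row in eol_report(HOSTS, today=date(2020, 9, 1)):
        print(row)
```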