This article was previously published at EagleConsultingPartners.com.
Microsoft is ending support for Windows 7, Server 2008, and Server 2008 R2 operating systems in January 2020. Upgrade this year to avoid security vulnerabilities.
All software products have a life-cycle. After January 14, 2020, Microsoft will no longer provide security updates or support for PCs running the Windows 7 operating system. After this date, this product will no longer receive free:
- Technical support for any issues
- Software updates
- Security updates or fixes
Computers running the Windows 7 operating system will continue to work even after support ends. However, using unsupported software may increase the risks from viruses and other security threats.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to upgrade to a currently supported operating system.
-- US Cybersecurity and Infrastructure Security Agency announcement, March 19, 2019 (emphasis added)
Why Should You Upgrade?
Why should you upgrade your systems before this end-of-life, instead of just using them for as long as they work? The biggest reason is that outdated and unsupported operating systems are a security risk that only gets worse over time. After the end-of-life in January 2020, "Microsoft will stop delivering security updates automatically, and by then most third-party vendors will have dropped support as well".
As Takeshi Numoto of Microsoft describes it, "End of support means the end of regular security updates. With cyberattacks becoming more sophisticated and frequent, running apps and data on unsupported versions can create significant security and compliance risks". Microsoft issues security updates every month for vulnerabilities of varying severity. So far in 2019, Microsoft security updates have addressed 94 "Critical" or "Important" severity vulnerabilities in each of these operating systems. In January 2020, these updates will stop. Vulnerabilities discovered after that point – and there will be plenty – will not be fixed for the general public. Microsoft does sell Extended Security Updates for these releases for up to three years past that date (and includes them at no extra charge for Server 2008 / 2008 R2 workloads moved to Azure), but that is a paid bridge for organizations that cannot finish migrating in time, not a substitute for upgrading.
The history of Windows XP provides a cautionary example. Within months of the Windows XP end-of-life in April 2014, exploitation of unpatched XP systems was routine. Of particular note, the WannaCry ransomware worm of May 2017 spread through an SMBv1 flaw that Microsoft had patched for supported Windows versions two months earlier (MS17-010); out-of-support Windows XP and Server 2003 received no fix until Microsoft issued an emergency out-of-band patch during the outbreak itself. By then WannaCry had crippled hundreds of thousands of computers and caused billions of dollars in damages [6,7]. That is what "unsupported" means in practice: the fix arrives late, if at all.
This isn't a hypothetical risk.
A Decade of New Technology
Windows Server 2008 came out in… you guessed it, 2008. Windows 7 first reached consumers in 2009. Both of these operating systems are a decade old, which is an eternity in technology terms.
"It’s incredible how much and how rapidly technology evolves. Microsoft’s server technology is no exception. We entered the 2008 release cycle with a shift from 32-bit to 64-bit computing, the early days of server virtualization and advanced analytics. Fast forward a decade, and we find ourselves in a full-blown era of hybrid cloud computing with exciting innovation in data, artificial intelligence, and more," explains Microsoft's Numoto. 
Meanwhile Windows 7 was followed by Windows 8, 8.1, and now Windows 10. Modern operating systems, such as Windows 10 or Server 2019, and cloud infrastructure such as Azure have been built with security, capabilities, and features that weren't imaginable ten years ago.
Modern systems are faster and more powerful, which has direct productivity impacts.
Upgrading from Windows 7
A few factors to consider when planning to upgrade your Windows 7 machines:
- If you don't have an IT managed services provider (MSP) or professional in-house IT team, now is the time to get one. Rely on professionals when upgrading PCs in an office environment, particularly for systems with access to Protected Health Information.
- Consider compatibility issues with legacy applications. Older applications, for instance older locally-hosted EHRs or billing applications, may have compatibility issues with Windows 10 or other modern operating systems. Your MSP can help you navigate these challenges. Or this may be the final straw for transitioning away from that legacy system.
- Assess your hardware. Depending on when you bought your PCs, the machines may not be able to handle an operating system upgrade. Look into buying new computers.
- Review your operating system options. Windows 10 Pro is the default answer here. The "Pro" level comes with BitLocker disk encryption included, which the "Home" version does not. Also consider Microsoft 365, a relatively new offering from Microsoft for small and medium businesses that includes subscriptions to Windows 10 Pro, Office 365, and a number of additional security features. Finally, if you need limited computing capabilities and do most of your work on the internet, such as through a web-based EHR, take a look at something like Chrome OS, which runs on inexpensive PCs and offers a variety of security and management features.
- Finally, take this opportunity to implement security best practices when upgrading your systems. At a minimum, activate full-disk encryption and strong workstation password policies. Even better, implement an industry-vetted security guide such as the Microsoft Security Baselines or CIS Benchmarks.
Upgrading from Windows Server 2008 / 2008 R2
Some further considerations for server upgrades:
- IT Professionals. Ditto my comments above. Whether in-house or outsourced, get good IT professionals and let them run this process.
- Compatibility issues may be the one reason you can't upgrade your server(s) right away. Consider this the right time to start – or push forward – management discussions about moving to a modern EHR, billing software, or whatever other key application is holding you back.
- This is also the time to question whether you want to keep servers in-house or move to cloud-based infrastructure such as Azure, AWS, Google Cloud, etc. Both local and cloud-based servers have benefits and risks. Our security risk assessment and risk management consulting can help you weigh your options and determine what is right for your organization.
- And as with the workstations, new server implementation is a perfect time to build in some extra security hardening best practices, such as the CIS Benchmarks.
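Before any of the workstation or server steps above can be scheduled, you need an accurate list of which machines are still on the affected releases. The following is an added example, not code from the original article: a PowerShell script that pulls every enabled Windows 7 / Server 2008 / Server 2008 R2 computer account from Active Directory and flags which ones need an upgrade (or isolation) versus which are probably already retired. It assumes a domain-joined admin workstation with the RSAT ActiveDirectory module; the 90-day logon cutoff and the output file name are arbitrary choices for this example.

```powershell
# Added example, not part of the original article. Assumes a domain-joined
# workstation with the RSAT ActiveDirectory module; the 90-day logon cutoff and
# the CSV file name are arbitrary choices for this example.

Import-Module ActiveDirectory

# Operating system names as Active Directory stores them for the affected releases.
# 'Windows Server 2008*' matches both Server 2008 and Server 2008 R2.
$EndOfLifePatterns = 'Windows 7*', 'Windows Server 2008*'

# Build one PowerShell AD filter expression:
#   OperatingSystem -like 'Windows 7*' -or OperatingSystem -like 'Windows Server 2008*'
$Filter = ($EndOfLifePatterns | ForEach-Object { "OperatingSystem -like '$_'" }) -join ' -or '

$Cutoff = (Get-Date).AddDays(-90)

$Report = Get-ADComputer -Filter $Filter -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate |
    Where-Object { $_.Enabled } |
    ForEach-Object {
        [pscustomobject]@{
            Name      = $_.Name
            OS        = $_.OperatingSystem
            Build     = $_.OperatingSystemVersion
            LastLogon = $_.LastLogonDate
            # No logon in 90 days (or no logon recorded at all, which also compares
            # as older than the cutoff) usually means the machine is already gone;
            # confirm that and delete the account. Anything else is live and must
            # be upgraded or isolated before January 14, 2020.
            Action    = if ($_.LastLogonDate -lt $Cutoff) { 'Verify retired' } else { 'Upgrade or isolate' }
        }
    }

$Report | Sort-Object Action, LastLogon | Format-Table -AutoSize
$Report | Export-Csv -Path .\eol-windows-hosts.csv -NoTypeInformation
"$(@($Report).Count) enabled computer accounts still on Windows 7 / Server 2008 / 2008 R2"
```

Run it from an account with read access to the domain. The CSV is the working list for the upgrade project: every row should end up either upgraded, replaced, isolated under the legacy-system guidance below, or confirmed retired and removed from the directory.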
What if You are Stuck with Legacy Systems?
We understand that maintaining legacy systems is sometimes unavoidable. We run into $100,000 medical devices that run Windows XP, old billing software that has to be maintained for data retention, and even HVAC systems that only use Windows XP and that would require half a million dollars to replace. In cases like these:
- Harden the systems as much as possible using CIS Benchmarks or another industry security standard.
- Isolate these legacy systems from everything else. Keep them off the internet, put them on a separate network segment from sensitive databases and critical applications, and allow only the specific connections they actually need (for example, a single management workstation). A legacy host that cannot be patched should at least be one that an attacker cannot reach, and one that cannot reach anything that matters.
- Continue looking for ways to mitigate the risks to your organization from these legacy and unsupported systems until such time that you can upgrade or replace them.
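Network segmentation (a separate VLAN and firewall ACLs) is the primary control for the isolation advice above. As an added example that is not part of the original article, the PowerShell below adds a host-based backstop on each modern Windows server that holds sensitive data, so that if the network-level segmentation is ever misconfigured, traffic to and from the legacy segment is still dropped at the host. The legacy subnet 10.99.0.0/24 is an assumed value for this example; it requires Windows 8 / Server 2012 or later, where the NetSecurity cmdlets exist.

```powershell
# Added example, not part of the original article. Run on each modern Windows
# server (Server 2012 or later) that holds sensitive data. The legacy subnet is
# an assumed value; substitute the segment your unsupported systems live on.

$LegacySubnet = '10.99.0.0/24'

# Inbound: sensitive servers never accept connections from the legacy segment.
# Block rules take precedence over allow rules in Windows Firewall, so this holds
# even if a broad allow rule (e.g. for SMB or RDP) exists.
New-NetFirewallRule -DisplayName 'Block inbound from legacy segment' `
    -Direction Inbound -RemoteAddress $LegacySubnet -Action Block -Profile Any

# Outbound: sensitive servers do not initiate connections to it either, so a
# compromised legacy host cannot be used as a pivot target from this side.
New-NetFirewallRule -DisplayName 'Block outbound to legacy segment' `
    -Direction Outbound -RemoteAddress $LegacySubnet -Action Block -Profile Any

# Verify that both rules exist and are enabled.
Get-NetFirewallRule -DisplayName '*legacy segment*' |
    Select-Object DisplayName, Direction, Action, Enabled
```

Deploy the same two rules through Group Policy rather than by hand once they have been tested on one server; a rule that exists only where someone remembered to add it is not isolation. The legacy hosts themselves (Windows XP in the cases mentioned above) cannot run these cmdlets, which is exactly why the enforcement has to live on the network and on the modern systems around them.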
Protect your organization and the people you serve. Prevent a significant risk to your information systems. Save yourself from some ongoing headaches. Upgrade your Windows 7 and Windows Server 2008 machines before the end of the year.
Resources and Further Reading
- Microsoft Ending Support for Windows 7 | US-CERT
- Windows Server 2008 and 2008 R2 End of Support | Microsoft
- Get answers to "Now what?" for Windows Server 2008 end of support | Microsoft
- Announcing new options for SQL Server 2008 and Windows Server 2008 End of Support | Microsoft
- Windows 7: What is your company's exit strategy?
- Windows 7 migration warning: Plan now to avoid security worries later
- Windows 7 is Nearing the End of its Life, and It's Time to Say Goodbye
- Windows 7 versus Windows 10: Here comes the final showdown
- Microsoft will stop supporting Windows 7 one year from today
- Three Dangers of Running an Unsupported Operating System