Security – Windows XP PCs in company network


In our small business, we are using about 75 PCs. Servers and desktops/laptops are all up-to-date and are secured using Panda Business Endpoint Protection and Malwarebytes Business Endpoint Security (MBAM + Anti-Exploit).

However, in our production environment we have about 15 Windows XP PCs running. They are connected to the company network, mainly for SQL connectivity and logging purposes. They have limited write access to the servers.

The Windows XP PCs are only used for one dedicated (custom) production application. No office software (email, browsing, office, …).
Furthermore each of these XP-PCs has Panda web access control which does not allow Internet access. The only exceptions are for Windows and Panda Updates.

Is it necessary, from a security point of view, to replace these Windows XP PCs with new PCs?

Best Answer

Is it necessary, from a security point of view, to replace these XP PCs with new PCs?

No, it's not necessary to replace the PCs. But it is necessary to upgrade those operating systems (this may also involve replacing those PCs - we don't know. But if they are running specialized hardware, then it may be possible to keep the PC).

There are so many real-world stories about supposedly "air-gapped" PCs being infected. This can happen regardless of your operating system, but having a super-old non-updated operating system makes it even more at risk.

Especially as it sounds like your computers are protected by a software restriction to block internet access. This is likely easy to bypass. (caveat: I've never heard of this Panda web access control, but it certainly looks like on-host software).

The problem you are likely to face is a lack of vendor cooperation. It is possible that vendors refuse to help, want to charge $100,000 for an upgrade, or have plain outright gone bankrupt and the IP thrown away.

If this is the case, this is something that the company needs to budget for.

If there really is no option but to keep a 16-year-old operating system running unpatched (maybe this is a million dollar CNC lathe or milling machine or MRI), then you need to do some serious hardware-based host isolation. Putting those machines on their own VLAN with extremely restrictive firewall rules would be a good start.


It would appear that you need some hand-holding in this regard, so how's this:

  • Windows XP is a 16 year old operating system. Sixteen years old. Let that sink in. I would think twice before buying a sixteen year old car, and they still make spare parts for 16 year old cars. There are no 'spare parts' for Windows XP.

  • By the sounds of it, you have poor host isolation. Let's say that something gets inside your network already, by some other means. Someone plugs in an infected USB stick. It's going to scan your interior network and propagate to anything that has a vulnerability it can exploit. A lack of internet access is irrelevant here because the phone call is coming from inside the house.

  • This Panda security product looks like it's software-based restrictions. Software can be bypassed, sometimes easily. I bet a decent piece of malware could still get out to the internet if the only thing stopping it is a piece of software running on top of the networking stack. It could just get admin privileges and stop the software or service. So they don't really have "no internet access" at all. This comes back to host isolation - with proper host isolation you could actually get them off the internet and maybe limit the damage they can do to your network.

Honestly though, you shouldn't need to justify replacing these computers and/or operating system. They will be fully depreciated for accounting purposes, they're likely well past the end of any warranty or support from the hardware vendor, they are definitely past any kind of support from Microsoft (even if you wave your titanium American Express in Microsoft's face, they still won't take your money).

Any company that is interested in reducing risk and liability would have replaced those machines years ago. There is little to no excuse for keeping workstations around. I listed some valid excuses above (if it's totally disconnected completely from any and all networks and lives in a closet and runs the elevator music I might - MIGHT - give it a pass). It sounds like you do not have any valid excuse for leaving them around. Especially now that you are aware that they are there, and you have seen the damage that can occur (I assume you were writing this in response to WannaCry/WannaCrypt).
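As an added illustration of the "own VLAN with extremely restrictive firewall rules" approach the answer recommends (this is example code written for this page, not part of the original question or answer, and not a real firewall's configuration syntax), the following Python model expresses such a policy as an ordered, first-match rule list with an implicit deny, and evaluates candidate flows against it. Every address, VLAN name, server role and port number below is a constructed placeholder for the legacy production hosts, the SQL server, an internal WSUS, an internal AV update relay, the user VLAN and a single management host; the point it demonstrates is that, unlike an on-host web filter, a network-layer default-deny policy blocks both the legacy hosts reaching anything but their three named servers and other internal hosts reaching the legacy VLAN.

```python
"""Default-deny firewall policy model for an isolated legacy (Windows XP) VLAN.

Added example, not from the original page: models the VLAN-isolation advice
as an ordered rule list with first-match semantics and an implicit deny.
All addresses, ports and host roles are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port
    comment: str

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


# Constructed addressing plan (placeholders, not real infrastructure).
LEGACY_VLAN = "10.50.0.0/24"   # the XP production hosts, on their own VLAN
SQL_SERVER = "10.10.0.5/32"    # the only server the production app needs
WSUS_SERVER = "10.10.0.6/32"   # internal Windows update source
AV_RELAY = "10.10.0.7/32"      # internal AV signature relay
USER_VLAN = "10.20.0.0/24"     # ordinary desktops/laptops
MGMT_HOST = "10.10.0.100/32"   # the one host allowed to administer the XP boxes
ANY = "0.0.0.0/0"

# First match wins. Allows are deliberately narrow (one host, one port);
# the two trailing denies make the default explicit in both directions.
POLICY: List[Rule] = [
    Rule("allow", LEGACY_VLAN, SQL_SERVER, "tcp", 1433, "SQL for the production app"),
    Rule("allow", LEGACY_VLAN, WSUS_SERVER, "tcp", 8530, "updates from internal WSUS only"),
    Rule("allow", LEGACY_VLAN, AV_RELAY, "tcp", 443, "AV updates via internal relay only"),
    Rule("allow", MGMT_HOST, LEGACY_VLAN, "tcp", 3389, "remote admin from one host only"),
    Rule("deny", LEGACY_VLAN, ANY, "any", None, "nothing else leaves the legacy VLAN"),
    Rule("deny", ANY, LEGACY_VLAN, "any", None, "nothing else reaches the legacy VLAN"),
]


def evaluate(policy: List[Rule], src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return (action, reason) for a flow; no matching rule means deny."""
    for rule in policy:
        if rule.matches(src, dst, proto, dport):
            return rule.action, rule.comment
    return "deny", "implicit deny"


def audit(policy: List[Rule]) -> List[str]:
    """Check the policy against flows that must be blocked for isolation to hold.

    Returns a list of violations (empty list means the policy holds). The flows
    cover the two failure modes discussed above: a legacy host reaching the
    internet or other internal hosts, and an infected internal host reaching
    the legacy VLAN over SMB.
    """
    must_deny = [
        ("10.50.0.10", "203.0.113.10", "tcp", 443, "XP host to internet"),
        ("10.50.0.10", "10.20.0.15", "tcp", 445, "XP host to user desktop, SMB"),
        ("10.20.0.15", "10.50.0.10", "tcp", 445, "user desktop to XP host, SMB"),
        ("10.20.0.15", "10.50.0.10", "tcp", 3389, "user desktop to XP host, RDP"),
        ("10.50.0.10", "10.10.0.5", "tcp", 445, "XP host to SQL server on a non-SQL port"),
    ]
    violations = []
    for src, dst, proto, dport, label in must_deny:
        action, _ = evaluate(policy, src, dst, proto, dport)
        if action != "deny":
            violations.append(f"{label}: expected deny, got {action}")
    return violations


if __name__ == "__main__":
    print(evaluate(POLICY, "10.50.0.10", "10.10.0.5", "tcp", 1433))
    print(evaluate(POLICY, "10.50.0.10", "203.0.113.10", "tcp", 443))
    print("violations:", audit(POLICY) or "none")
```

The `audit` function is the part worth keeping around: whenever a rule is added for a vendor's new requirement, re-running it confirms that the legacy hosts still cannot reach the internet or the user VLAN, and that ordinary desktops still cannot reach the legacy hosts over SMB, which is the lateral-movement path the answer warns about.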