Solved

Is Windows XP (without support) OK as a dumb workstation in a VDI environment?

Posted on 2014-01-18
851 Views
Last Modified: 2014-01-23
I previously closed my related question, "What's the best Desktop Virtualization model?" with good answers from Andrew Hancock and Rindi.

Let's say it's a given that users need to use local printers, USB printers, USB devices (iPhones, cameras), handheld scanners, scanners, and USB flash drives for documents ... What does that imply about the choice of OS for the workstation? Does this make it a whole lot easier to recommend Microsoft workstations?

The point is that we already have XP licenses for our existing 20 (old) workstations, and the hardware is still working.

Andrew mentioned that "Windows XP can be dumbed down and locked, so it just becomes a Windows XP dumb terminal running RDP."

Summary of this new question:
1. With MS discontinuing support for XP, is it secure to recommend "dumbed-down XP" for the workstations?
2. Is it just a whole lot easier to have XP rather than Linux, in order to avoid issues about locally-connected hardware?

Thanks
Question by:Dwight Baer
9 Comments
 
LVL 56

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 225 total points
ID: 39790865
You will get differing opinions on this issue. Mine, however, is that security exploits already attempt to break security barriers to get an OS to do what it shouldn't. Like give a non-admin account escalated (admin) privileges. So "locking down" XP won't help if the exploit is bypassing those lockdown measures. Using XP will be a high security risk. Full stop. I'd not do it.
 
LVL 117

Accepted Solution

by:Andrew Hancock (VMware vExpert / EE MVE)
Andrew Hancock (VMware vExpert / EE MVE) earned 200 total points
ID: 39790888
1. With MS discontinuing support for XP, is it secure to recommend "dumbed-down XP" for the workstations?

Yes, because you are only using the OS, you will need to use a Client to access your VDI environment, which will use a username and password to access, so does it really matter what happens to the end PC?

Also when an OS goes out of support, the exploits normally turn to current OS, e.g. Windows 7 and Windows 8.

Where is the security risk and to what? You would have to analyse: Where is the Risk?

Any OS has a security issue, which needs regular patching, even if you were to change the OS to Linux, you would have to regularly patch?

The Best VDI Client is Windows, Windows is the most compatible VDI client. If you require USB support with Windows 2012, you will need to use RemoteFX, and Windows 7 or Windows 8, so you will need to replace ALL your clients with something else, Linux is not supported as a client. Also, I'm not sure your hardware is scaled and suitable for a FULL 20 VM Deployment for VDI.

2. Is it just a whole lot easier to have XP rather than Linux, in order to avoid issues about locally-connected hardware?

It's better suited and compatible, yes you can do RDP via Linux, but that's it. No USB support, because that needs RemoteFX, and RDP (Windows 7 and Windows 8).

Windows XP/7/8 is the Best Thin Client (RDP, RemoteFX), and with the price of PCs, purchasing 20 in one lot, is probably cheaper than the hardware required for a 20 user concurrent VDI deployment, if you needed correctly availability and 2 servers.

Required Memory for Windows 7, 2-4GB per VM, 2vCPU.

So you are looking at a server with at least 40GB - 80GB, so your servers, are going to have at least 40GB minimum.

You have many things to consider, and look at the options, and decide.

Most of our clients use their hardware until it fails, and then replace with thin clients, but these cost as much as a laptop or desktop PC, but have a longer life, so the manufacturers tell us, until the next OS comes out, and they are not supported!

So with a thin client its life is probably 3-6 years, before you have to replace to use newer features in e.g. Windows 2015?/Citrix 10/Horizon View 7
 
LVL 34

Assisted Solution

by:Michael-Best
Michael-Best earned 25 total points
ID: 39790903
XP is a good and stable OS.
The stoppage of support from Microsoft (somewhat) reduces XP security from online hackers.
If not connected online there is zero threat from hackers.
Hackers usually target newer OS PCs.
Continuing to use XP should not pose any problems.
 
LVL 27

Assisted Solution

by:Jason Watkins
Jason Watkins earned 25 total points
ID: 39790987
Running XP after the end of support, maybe even now, is a liability. Windows 7/8 isn't perfect, but it is hardened through continual updates and support. As a VDI terminal, XP is subject to the same exploits as if it were a regular desktop O.S. It just will not be as noticeable in its "dumbed-down" condition. That could be even worse as a compromised machine may exist on the network and not be found through regular activity. It would be best to upgrade any existing XP computers to Windows 7 at the very least.

 
LVL 15

Assisted Solution

by:Perarduaadastra
Perarduaadastra earned 25 total points
ID: 39791199
Put simply, if the XP computers have any exposure to the internet, then continuing to use it is a bad idea. The idea that hackers will turn away from it in pursuit of exploits for later versions is, in my view, unsustainable. Hackers are always looking for the easiest method of gaining access to computer systems and obsolete OSes simply facilitate that, as any weaknesses discovered after support for them has ended will not be fixed, ever.

However, I have a client who runs a small office on a Windows Server 2003 network that was installed in mid-2004 and has had no patches or updates since that time because he took a decision at the outset to have no internet access to or from his LAN. Email and internet is handled by a single modern PC that has all the latest updates, anti-virus, etc., so if anything bad happens he is concerned with only one computer and not his entire system. The drawback is that eventually new hardware such as printers won't have driver support for the OS he's using; that and inevitable hardware failure will force him into upgrading if nothing else does. Still, using the same computer system ten years on and counting is no mean feat in this day and age...

I grant you that for most companies this approach is unworkable, but it's the only safe one if you intend to continue using XP past its EOL date.
 

Assisted Solution

by:Dwight Baer
Dwight Baer earned 0 total points
ID: 39791204
I am indeed hearing a variety of opinions.

I think Andrew has a point:  What is the worst that can happen to a "dumbed-down" XP machine functioning as a workstation offering Remote Desktop Service?  The data is stored elsewhere.  If the machine stops functioning, it can be easily swapped out.

The only drawback to using XP seems to be USB support.

I'm guessing that I'll propose using the XP machines as workstations wherever USB support isn't an issue.

But where it IS an issue ... then do I have to buy a Windows 8 license for both the workstation and the instance of that user's desktop on the server?  

I've read the following but I don't really understand the licensing question:

http://www.virtualizationpractice.com/microsofts-new-client-access-license-snubs-desktop-virtualization-10001/

and

http://www.virtualizationpractice.com/microsoft-relaxes-licensing-rules-to-elevate-its-customers-the-cloud-11035/

I understand that both the above articles are quite old. But I'm not finding anything newer.

Thanks
 
LVL 117

Assisted Solution

by:Andrew Hancock (VMware vExpert / EE MVE)
Andrew Hancock (VMware vExpert / EE MVE) earned 200 total points
ID: 39791249
Yes, you do, you need a license for the Workstation, and a License for the VDI (Workstation).

So in effect you would need 40 x Windows 8 Licenses.

And also ensure your Server has support for SLAT (Extended Page Tables), and a supported graphics card (GPU) that supports RemoteFX (DirectX 11),

and enough memory to run all the VDI workstations concurrently.
 
LVL 56

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 225 total points
ID: 39791514
To my mind, the worst thing that can happen is the XP client can itself be used to capture credentials (including to your RDS machine), send spam, be used as a launchpad for other blended-threat attacks...

Yeah. I still think it is a terrible idea and would never do it.
 

Author Closing Comment

by:Dwight Baer
ID: 39802542
I haven't decided yet.  Thankfully I have a colleague (more senior than myself) who will also have an opinion.  
I am honored to have 5 experts weigh in with your carefully-thought-out suggestions ... including the top two gurus in the list that I see to the right of my screen.  Thanks very much, all.
The only reason I gave Andrew Hancock the "best solution" designation is because he has stuck with me since I posted a similar question yesterday, and because of the volume of his words.  :)  Truthfully, Cliff, the majority of the posts are in agreement with you.  But my guess is if the customer decides to try to get some more service from his old XP machines, he will not be alone amongst XP users who are willing to take a chance when MS support ceases in a few months.
Thanks again.