Time to migrate
by Mary Branscombe
Microsoft is no longer supporting Windows XP, Office 2003 or its 2003 servers. Mary Branscombe plans your escape route.
HardCopy Issue: 62 | Published: February 25, 2014
Windows XP was the first consumer operating system to use the Windows NT kernel. It fixed DLL Hell, by allowing ‘side by side’ multiple versions of libraries so each application could get the version it needed. In its day, it was an excellent OS. But that was 13 years ago. It was designed before 3G, Blu-ray players or Facebook. It was also designed before Trojans and malware and botnets became endemic, and it can’t cope with the security threats your business now faces; in fact Microsoft had to do major security re-engineering in the first two service packs for XP to cope with the viruses we faced a decade ago. In 2013, according to Microsoft’s own Security Intelligence Report, Windows XP systems were six times more likely to be infected with malware than Windows 8.
Official support for Windows XP (including Internet Explorer 6) ends on 8 April 2014, along with support for Office 2003, Exchange 2003, SharePoint Portal Server 2003 and Project Server 2003. Extended support for Live Communication Server 2003 finished on 14 January 2014. The embedded version of Windows XP gets support for a little longer, into early 2016. Windows Server 2003 reaches end of life on 14 July 2015.
That means there will be no patches or fixes for any problems found in Windows XP, Windows Server 2003 or the other products. There won’t be any new knowledge base articles or other technical content. You won’t be able to phone up for support, even if you have a standard support contract. More importantly there will be no security updates, unless you’re paying for custom support directly from Microsoft – a support plan that’s likely to cost at least as much as buying new PCs or upgrading your existing systems.
All software has vulnerabilities, and even after 13 years, Microsoft is still finding security flaws in Windows XP. After April, even security flaws that are found and fixed in newer versions of Windows will live on in XP, which will make it a very soft target for malicious software. Hackers may be able to use information about new exploits that have been fixed in Windows 7 to target the unpatched Windows XP, and it’s already been suggested that some attackers have exploits stockpiled to use after April.
Many new programs don’t run on Windows XP already, and no new versions of Microsoft software will be available for XP. The same is true on the hardware side; there will be no new drivers for any Microsoft devices for XP, and if a device maker creates a new driver it won’t be distributed through Windows Update. It’s also unlikely that new hardware from other manufacturers will come with XP drivers either. But again it’s security software that will be the hardest hit by the end of support.
Microsoft Security Essentials for Windows XP will no longer be available for download after the end of support in April. However if you already have System Center Endpoint Protection, Forefront Client Security, Forefront Endpoint Protection, Windows Intune or Microsoft Security Essentials, then you will be able to get new virus definitions until July 14 2015, and some anti-virus companies will continue to offer updated definitions until April 2016 or longer (the AV-TEST website has a list). But these products only protect you against known viruses that exploit security vulnerabilities in XP. You won’t be getting patches to deal with the underlying vulnerability.
Server app migrations
When it comes time to move off Server 2003, you’ll also need to migrate the applications that you’re running on your server. The most urgent of these will be Exchange Server 2003, SharePoint Server 2003 and Project Server 2003, which go out of support at the same time as Office 2003 and Windows XP.
You can’t perform an in-place upgrade from Exchange 2003 to Exchange 2010 or 2013, and you’re almost certainly going to want to install a new server to run Windows Server 2012 and a new version of Exchange (unless you’re moving to Office 365 instead). That means installing the new server and the new version of Exchange, and then migrating your Exchange data. You can do that with the Exchange Server Deployment Assistant, which is a free Web-based tool, or with third-party tools like Dell’s Quest Migration Manager and Metalogix Email Migrator which will also handle migrating to Office 365. The free MAP Toolkit will also scan your systems and generate reports to help you plan a migration to Office 365.
Third-party tools can also handle migrations from earlier versions of Exchange, or even from Outlook PST files, which saves you from having to do a more complex IMAP migration; and they will help you check which users need new versions of Office client applications, and deploy them. There are also tools to move from other mail systems, so Dell’s GroupWise Migrator will move you from GroupWise to Exchange 2013 or Office 365. Dell also has Migrator tools to move from Notes and Sametime to Exchange, SharePoint and Lync, including Office 365.
To migrate content from SharePoint Server 2003 to Office 365 – or to a recent version of SharePoint without doing the multiple upgrades required to get to SharePoint 2013 – you need a third-party tool like Dell Software Migration Manager for SharePoint, Metalogix Content Matrix for SharePoint or MetaVis Migration Suite. This last can also migrate Project Server 2003 content, Outlook PST files and public folders, or move files from Google Docs to the SkyDrive Pro cloud storage that users get with Office 365.
You can also migrate manually from Project Server 2003 to Project Online, either by opening and saving projects or using VBA scripts.
If you still have Live Communications Server 2003, you can move the users manually to Live Communications Server 2005 using the admin snap-in, and then migrate to a newer version of Lync. However it may be simpler to uninstall Live Communications Server and recreate the users. Similarly, if you’re moving to Office 365, you can import users from Active Directory rather than migrating them.
When it comes to custom applications, Flexera AdminStudio Application Compatibility Pack can also be used to check and fix installation packages and application code against Windows Server 2012 R2.
If you’re in a regulated industry, covered by standards such as HIPAA or PCI DSS, it’s unlikely that you’ll be in compliance if you continue using Windows XP after April, because the regulations state that your systems have to be up to date with security patches. If no patches are being issued, you can’t be up to date.
Planning your migration
If you don’t already have a migration plan for getting off Windows XP, now is the time to make one. For a larger business, a full migration can take at least six months, so you’ll need to prioritise your most important systems. Look at locking down the machines you can’t migrate. Turn off Java and Flash, or block email and web browsing altogether, as this is how most attacks happen. Turn off administrator access and stop users making configuration changes; with no official updates to apply, you can freeze the system, apart from anti-malware updates.
But you can also make this an opportunity to change the way you work. Instead of upgrading from Office 2003, and moving your servers from Windows Server 2003 to Windows Server 2012, you might choose to subscribe to Office 365 and get Exchange, SharePoint, Lync and Yammer online, plus the desktop Office 2013 programs with SkyDrive Pro cloud storage (shortly to be renamed OneDrive). If you’re not getting a new server to run Exchange, you might migrate some or all of your workloads onto Azure as well. It’s also an opportunity to introduce full-disk encryption by turning on BitLocker when you set up or migrate.
Given that you have to address XP, take the time to look at what you actually need your IT to do, and whether switching some or all of your activities to the cloud is a good fit for your business.
The first step is to find out whether you can upgrade your existing PCs or whether you need to buy new hardware. You can use the Windows Upgrade Assistant to check individual PCs, but if you have a lot of systems you might want to use an asset inventory tool, such as the migration planning reports available in the Microsoft Assessment and Planning Toolkit (MAP), to find out which PCs are ready to upgrade.
You also need to decide between Windows 7 and Windows 8. Migration tools cover both and software compatibility is broadly similar, but if you’re planning to introduce tablets you should pick Windows 8 for its better touch support.
If you want to keep an elderly PC then you may not be able to upgrade to a 64-bit version of Windows 7 or 8. The 64-bit versions of Windows offer better security because more protection can be enforced at the hardware level. Some older PCs will not run Windows 8 at all, because they don’t have specific CPU security hardware that stops malicious code being placed into memory for later execution. You can still upgrade such PCs to Windows 7 though, and a 32-bit version of Windows 7 will give you far better protection than Windows XP.
If you want to get users onto Windows 8 quickly, and you’re planning to replace your PCs but you’re not ready to buy new hardware immediately, you could also consider Windows To Go. This allows you to run Windows 8 directly from a USB 3 stick, including installing applications, getting updates and connecting to Active Directory.
Similarly, although a Windows Server 2003 Virtual Machine (VM) will run on Azure, as long as you install Windows Core Management Package to give you PowerShell 2, this is not a supported guest OS and hasn’t been tested. As a result, Microsoft is unlikely to give you much support if you run into problems.
The next major issue after hardware support is application compatibility. Use your inventory and planning tools to compile a list of all the applications in use and contact the vendors to find out if your current version will run on Windows 7 or 8, or if you need to budget to upgrade the software or even replace it. If the issue is Windows version checking, DLL or registry redirection or user permission requirements then you may be able to use the compatibility settings in Windows 7 and 8 to trick the application into thinking it’s running on an older OS.
In many cases, application compatibility is what has delayed migration off XP this long – along with the belief that if a PC is still working it’s still fit to use, and the security issues should put paid to that fallacy.
If it’s a particular piece of software that’s keeping you on Windows XP, you can look into virtualising the program you need using Windows XP Mode or MED-V for Windows 7, or with third-party virtualisation tools like VirtualBox or VMware. But bear in mind you will still be more vulnerable than if you remove XP completely, because the virtual copy of Windows XP is still running and still needs servicing.
A better solution is to virtualise the app using tools like Citrix XenApp and AppDNA, App-V application virtualization or Remote Desktop Services, because then you’re not running XP on user desktops where it can get compromised. This should work for nearly all XP-specific applications, unless they’re controlling a hardware peripheral that needs a direct connection. For larger businesses with a lot of applications, Dell’s ChangeBASE is an automation tool that includes compatibility testing for applications and websites and tools to remediate, package and virtualise applications.
But any software that’s so old it only runs on Windows XP is unlikely to have all the features you’d get in a newer program, so you may want to consider upgrading to a new version or a different tool.
Again, use the migration as an opportunity to evaluate what software is in use in your business, and how much of it you want to keep. You’ll probably need to budget for training and support as you move users to a new version of Windows, so you can cover the move to any new applications at the same time. If you don’t have time to run a pilot project, start making training material available to users as soon as possible and pick users to get extra training so they can provide ‘buddy support’ to their colleagues. Remember, you’re not just migrating hardware and software; you’re also moving users to a new way of working.
Key migration tools
There is no direct upgrade path from Windows XP to either Windows 7 or 8 so, unless you have a very small number of PCs, you’ll want to use deployment tools to standardise and simplify the process. The User State Migration Tool helps ensure that a clean deployment from a standardised image will give users access to their files – but not their applications, so look for a deployment tool that helps you create an image with applications installed.
Use the Microsoft Application Compatibility Toolkit (ACT), which is available on its own or as part of the Windows Assessment and Deployment Kit (ADK), to compile an inventory of the software running on user machines which you can check for compatibility with Windows 7 and 8, and to check websites and web applications to see if they work with Internet Explorer 10 and 11. You can also see what applications other ACT users have tested and reported on, which could save you time on testing (helpful if you’re starting so late), as well as looking at the list of consumer and big-name applications on the Compatibility Center for Windows 8.
The ADK includes a full set of preparation and deployment tools, including the Windows Performance Toolkit and the Windows Assessment Toolkit which let you test how your applications will perform on the new operating system; the User State Migration Tool for migrating user settings, as an alternative to the Windows Easy Transfer utility in Windows 8; DISM and other deployment tools for actually putting the new Windows images on the PCs that you’re upgrading; and the Volume Activation Management Tool for handling Windows licences.
If you have a more complex setup, and more than a couple of hundred PCs to deal with, the Microsoft Deployment Toolkit will be more suitable. A set of wizards walks you through importing installation files for Windows or Windows Server from a DVD or ISO, preloading volume activation keys, installing applications, preloading drivers and then creating a boot image that you can put on a share, burn to DVD, distribute on a bootable USB stick or deliver via System Center Configuration Manager (SCCM). If the machines you are using to run Windows XP are as old as XP itself then they will probably not be able to boot from USB, so you’ll need to use a deployment tool or take DVDs from PC to PC. If you have more recent PCs that you’ve downgraded to XP, then USB boot will be available.
When it comes to custom applications, Flexera AdminStudio Suite includes the Application Compatibility Pack which can perform thousands of automated tests to evaluate the compatibility of both an application’s installation package and its code with Windows 7, Windows 8 and Windows 8.1, and with up-to-date versions of Internet Explorer. It also claims to fix the “vast majority” of installation package issues.
You can also manage Windows 7 and 8 deployment directly from System Center Configuration Manager, but to deploy Windows 8 fully you need SCCM 2012 SP1. This also lets you manage group policy for everything from blocking the Windows Store to setting Windows 8.1 PCs to boot straight to the desktop rather than to the full-screen Start menu, which can help staff with the transition to the new interface.