Information Security Statement on End-of-Life Operating Systems

January 9, 2020
 

Operating systems (OS) for computing devices follow the software lifecycle, and a vendor will declare an OS end-of-life (EOL) when it no longer provides security updates, software updates, and/or technical support. This applies to desktop computers, laptops, servers, and mobile devices such as tablets and smartphones.

For example, Microsoft Windows 7 will become EOL on January 14, 2020, Windows XP was EOL as of April 8, 2014, and RedHat Linux 5 was EOL as of March 31, 2018.

More information on EOL dates for various operating systems can be found via the links included below:

  • Microsoft Windows EOL dates
  • Apple macOS 
    • Apple does not officially release information on OS version releases and lifecycles; however, they generally provide support for the three most recent major macOS releases. This link provides update information for most Apple products.
  • RedHat Enterprise Linux
  • EOL information for CCS Managed Servers 
    • Found under the Self-Help tab
  • Mobile Devices - For tablets, phones, and other mobile devices, visit the website for the manufacturer for update information. 

 

Risks

Information Security requires that all devices connected to the campus network run vendor-supported operating systems for which security patches are available. Running an OS which is outdated substantially increases the risk to the University, including the campus network and University systems and data. These risks include: 

  1. Security Risk - An end-of-life operating system is no longer supported by the vendor and will not receive security updates to protect against newly discovered vulnerabilities. Without these updates, systems may be vulnerable to exploit and will be targeted by hackers and malware.

  2. Compliance Risk - Running end-of-life software constitutes a compliance violation under various regulatory and compliance standards.

  3. Incompatibility - As changes are introduced to our computing environment, the focus of testing is on current operating systems. When running an outdated OS there is no guarantee that new applications will function as expected.

  4. Higher Support Costs - Running end-of-life systems may lead to higher support costs as staff attempt to keep these systems secure. These legacy systems may also represent a barrier to innovation, e.g. they could delay forward progress on changes in the environment which could provide a substantial benefit to the campus community.

 

Enforcement

Information Security requires that systems running end-of-life operating systems be disconnected from the campus network entirely, or at minimum, blocked from internet access. 

Information Security constantly monitors the campus network for unauthorized access and regularly reviews vulnerability and threat reports, including systems running outdated operating systems. Information Security also regularly reports on system compliance to the Board of Governor’s Audit and Risk Committee.  

At present Information Security does not prevent systems running EOL operating systems from connecting to the University network. However, we will remove systems running outdated operating systems in the event that there is: 

  • a security incident involving a system running an outdated OS; 
  • a critical vulnerability disclosed against an EOL operating system that is actively being targeted; or 
  • any other security event that occurs which puts the University systems or network at increased risk.  


Available Options

As the end-of-life date approaches for your operating system, there are several options available to ensure your system remains secure and does not put the University at unnecessary risk. These options include: 

  1. Operating system upgrade

    • For personally-owned computers, purchase and download a newer operating system and follow the instructions for installation. Students are entitled to receive Windows for Education at no charge; it can be obtained from the Software Distribution site (https://guelph.onthehub.com/).
    • If your computer is managed by CCS, you will be contacted to have your system upgraded.
    • If your computer is managed by departmental IT staff, contact your departmental IT administrator.
    • If you aren't sure which operating system you are running or how to get support for upgrading, contact the CCS Help Centre (IThelp@uoguelph.ca or Ext.58888) or contact your departmental IT administrator.

  2. Purchase a new computer

    • If you wish to purchase a new University-owned machine with an updated operating system, contact CCS Managed Desktops (IThelp@uoguelph.ca or Ext.58888) or your departmental IT administrator.

  3. Pay for extended support

    • In some cases, vendors offer extended support and security updates for a period of time past the EOL date for an additional cost. Contact the CCS Help Centre (IThelp@uoguelph.ca or Ext.58888) or your departmental IT administrator.

  4. Remove it completely from the network

    • In the case of specialized equipment, it may be acceptable to simply remove the system from the network and run it completely in stand-alone mode. In these cases, contact the Information Security team to ensure this will protect the system and the network adequately.

  5. Mitigate the risk and request a security exception

    • There may be valid business reasons why an upgrade is not possible or may be cost-prohibitive for the University. Contact the Information Security team to review potential risk mitigation strategies.

 

Training

Migrating to a new operating system can be challenging and training can help smooth the transition. The University of Guelph provides access to LinkedIn Learning which offers a number of foundational training sessions for the most popular operating systems that may prove beneficial in the upgrade process. LinkedIn Learning is available at no cost for all students, staff, and faculty. More information on how to access LinkedIn Learning can be found on the CCS LinkedIn Learning service page.

Users with questions or requiring assistance should contact the Information Security team via email (infosec@uoguelph.ca) or via phone at 519-824-4120 Ext. 58006.  

 

 

CCS Information Security 
https://infosec.uoguelph.ca