Information Security Statement on End-of-Life Operating Systems

Executive Summary

Running operating systems that are no longer supported and unable to receive security updates represents a significant cyber security risk to the University. Starting in 2024, Information Security will restrict network access for non-compliant systems to maintain a strong security posture. The following information provides guidance and support to mitigate this risk.

Introduction

Information Security requires that all devices connected to the University network, or accessing sensitive University data or services, must run vendor-supported operating systems (OS) for which security patches are available and installed as specified in the University Acceptable Use Policy and Vulnerability Management Policy.

The Information Security team is committed to protecting the University from cyber threats and enforcing security best practices on our network. To reduce risk, enhance our overall security posture, and ensure compliance with regulatory requirements and industry standards, starting in 2024 we will begin the process of restricting network access for systems running end-of-life (EOL) operating systems.

Operating systems for computing devices follow the software lifecycle, and vendors will declare an OS end-of-life when it no longer provides security updates or technical support. This applies to desktop computers, laptops, servers, and mobile devices, such as tablets and smartphones. Operating systems that have reached EOL are highly vulnerable to emerging threats, including malware, exploits, and other security vulnerabilities. Operating an EOL operating system on the University network exposes systems to an increased risk of unauthorized access, data breach, and service disruption for our students, staff, and faculty.

Risks

Running an EOL operating system substantially increases the risk to the University, including the campus network and University systems and data.

These risks include:

1. Security Risk - An end-of-life operating system is no longer supported by the vendor and will not receive security updates to protect against newly discovered vulnerabilities. Without these updates, systems are vulnerable to exploitation and can be targets for attackers and malware. If exploited, an affected system may be used to gain unauthorized access to other systems, data or accounts. This could potentially lead to a wider scale security incident causing significant service disruptions and financial ramifications for the University.
2. Compliance Risk - Running end-of-life software constitutes a compliance violation under various regulatory and compliance standards which could impact the University’s ability to conduct teaching, learning, research, and business operations. It could also have a significant impact on cyber insurance eligibility and premiums.
3. Incompatibility - As changes are introduced to our computing environment, the focus of testing is on current operating systems. When running an outdated operating system there is no guarantee that new applications will function as expected. This puts additional strain on already stretched IT resources to investigate issues which would be resolved by using a current OS. 
4. Higher Support Costs - Running end-of-life systems may lead to higher support costs as staff attempt to keep these systems secure. Legacy systems may also represent a barrier to innovation, leading to delays in forward progress on changes in our environment which could provide a substantial benefit to the broader campus community.

End of Life Dates

CCS (Computing and Communications Services) will monitor and communicate key end of life dates to the University IT community; however system owners are responsible for monitoring their systems and ensuring they are supported and current.

Key upcoming EOL dates include, but are not limited to:

• Windows 10 will reach end of support on October 14, 2025
• RedHat Enterprise Linux (RHEL) 7 will reach end of support June 30, 2024
• Windows Server 2016 – January 12, 2027

Previous EOL dates include:

• Windows Server 2012 – October 10, 2023
• Windows 7 - January 14, 2020
• Windows XP - April 8, 2014
• RHEL 6 November 30, 2020
• RHEL 5 - March 31, 2018

More information on EOL dates for various operating systems can be found at https://endoflife.date and via the links included below:

• Microsoft Windows EOL dates
• Apple macOS Update Information – Please note that Apple does not officially release information on OS version releases and lifecycles. However, they generally provide support for the three most recent major macOS releases. The above link provides important update information for most Apple products.
• RedHat Enterprise Linux
• EOL information for CCS Managed Servers (found under the Self-Help tab)
• Android OS
• Mobile Devices - For tablets, phones, and other mobile devices, visit the website of the manufacturer for support information.

Enforcement

Information Security constantly monitors the University network for vulnerabilities and security threats, including the detection of systems running outdated operating systems. Information Security also regularly reports on system compliance to the Board of Governor’s Audit and Risk Committee.

To proactively address the risks listed above, starting in 2024, CCS Information Security will begin restricting network access for devices running end-of-life operating systems in order to better secure the University from cyber threats. Network access may be suspended with little or to no notice based upon the potential risk associated with any device connecting to the University network, regardless of ownership or department responsibility. Efforts will be made to contact impacted system owners in a timely manner. System owners are responsible for proactively monitoring the systems they are responsible for and planning and budget refresh efforts appropriately.  

Available Options and Mitigating Security Controls

We understand that upgrading operating systems is not a trivial task and there may be circumstances where continued use is necessary to maintain business operations of the University. However, the risk associated with end-of-life operating systems and potential impact on the University must not be underestimated.

As the end-of-life date approaches for your operating system, CCS and Information Security can work with you to understand the available options and mitigating security controls available to ensure your system remains secure and does not put the University at unnecessary risk.

These options include:

1. Operating system upgrade

• For personally owned computers, purchase and download a newer operating system and follow the instructions for installation. Students are entitled to receive Windows for Education at no charge and can be obtained from the Software Distribution website.
• If your computer is managed by CCS, you will be contacted to have your system upgraded.
• If your computer is managed by departmental IT staff, contact your departmental IT administrator. 
• If you are not sure which operating system, you are running or how to get support for upgrading, contact the CCS Help Centre IThelp@uoguelph.ca or Ext.58888) or contact your departmental IT administrator.

2. Purchase a new computer
   If your current hardware does not support an updated operating system, or if you wish to purchase a new University-owned machine with an updated operating system, contact CCS Managed Desktops IThelp@uoguelph.ca or Ext.58888) or your departmental IT administrator.

3. Purchase extended support from the vendor
   In some cases, operating system vendors (Microsoft and Red Hat) offer temporary extended support and security updates past the EOL date for an additional cost. While this is a potential temporary solution, it should only be considered after all other mitigation options have been exhausted as it comes with operational and financial challenges. Contact the CCS Help Centre (IThelp@uoguelph.ca or Ext.58888) or your departmental IT administrator.

4. Remove it completely from the network
   In the case of specialized equipment, it may be acceptable to simply remove the system from the network and run it completely in stand-alone mode. In these cases, contact the Information Security team to ensure this will protect the system and the network adequately.

5. Mitigate the risk and request a security exception 
   There may be valid business reasons why an upgrade is not possible or may be cost-prohibitive for the University. Contact the Information Security team to review potential risk mitigation strategies. The exception process detailed in the Vulnerability Management Policy will be used for all exception requests.

Maintaining the security of the University is a shared responsibility, and the Information Security team appreciates your cooperation and understanding as we work collectively to improve our security posture.

Users with questions or requiring assistance should contact the Information Security team via email (infosec@uoguelph.ca) or the CCS Help Centre (IThelp@uoguelph.ca or Ext.58888). 

CCS Information Security
https://infosec.uoguelph.ca