Body
Windows 7 has been out of support since January 2020. Leaving devices running an out-of-date operating system on our network increases the risk not only to the security of your personal, corporate, or research data but also to that of all other users’ data on the University network. Undocumented Windows 7 workstations will be blocked from accessing the University network starting Monday, July 5, 2021. Once blocked, devices located on campus will no longer be able to access the Internet and any systems on the University network that are protected by the firewall. This means that if you are using an undocumented Windows 7 workstation, you will not be able to remote-desktop to your device from home, or access the Internet, OneDrive files, or other Internet-dependent cloud applications on that device.
A documented workstation is one that has been added to our central computer inventory by installing Lansweeper Agent (LsAgent) on it. This allows us to securely retrieve information about this computer such as hardware specs, a list of software installed on this device, network configuration data, etc. This software does not give us the ability to remotely access your computer, does not interfere with any software already installed on your computer, and does not impact its performance. Please note that LsAgent should not be installed on personal computers that you use for work/school activities.
The block of undocumented devices with unsupported operating systems is implemented at the firewall and is not specific to any particular computer but rather applied across the board to all devices passing through the firewall that have unpatched known vulnerabilities associated with Windows XP, 7 and 8. These exemptions are implemented via device’s IP address.
Exemptions
We will be exempting all documented devices in a short term until they can either be upgraded, or have been determined to qualify for a long term exemption. Devices that cannot be upgraded to Windows 10 for valid reasons can be granted a long term exemption but are subject to these considerations and conditions:
- Device will have to be fully documented, meaning LsAgent must be running on and it will have an asset record in TeamDynamix CMDB.
- IP reservation will have to be created on DHCP server to ensure device’s IP address will not change in the future.
- Extended Windows 7 support will have to be purchased from Microsoft to ensure that device will be receiving critical security patches. If this is not possible, then device will not be allowed to have Internet connection and will be placed on an isolated network segment or disconnected from the network.
Additional measures may be implemented as required to maintain a sufficient level of security, such as but not limited to:
- Moving the device to a special network for at-risk computers.
- Assigning the device a non-routable IP address to prevent Internet-based attacks.
- Installation of a firewall certificate to improve detection of risks and threats.
- Authentication to the firewall in order to access the network or connect to the Internet.
- Use of up-to-date, licensed commercial anti-virus for protection from malware.