
Platform Security · Credibility 86/100 · 5 min read

Platform Security Briefing — Windows 7 and Windows Server 2008 reach end of support

Windows 7, Windows Server 2008, and 2008 R2 exited support on 14 January 2020; enterprises must migrate, enroll in ESU where required, and isolate legacy hosts to mitigate rising exploit risk.

Executive briefing: Microsoft ended support for Windows 7, Windows Server 2008, and Windows Server 2008 R2 on 14 January 2020, ending free security updates and most support options. Organizations that retain these systems must purchase Extended Security Updates (ESU), migrate to supported platforms, or isolate legacy assets to reduce exposure to unpatched vulnerabilities.

Control mappings

  • CIS Controls v8 7.4 & 12.4: Require replacement of unsupported assets and network segmentation for systems that cannot be upgraded immediately.
  • NIST SP 800-53 Rev.5 CM-8 & PL-2: Maintain accurate inventories with lifecycle plans and document exceptions for legacy systems with compensating controls.
  • ISO/IEC 27001:2022 Annex A.5.36 & A.8.9: Demand lifecycle management and secure configuration for obsolete platforms, including change approvals for temporary ESU usage.

Implementation checklist

  • Catalog all Windows 7 and Server 2008 hosts, owners, and business functions; classify them for migration, ESU enrollment, or retirement.
  • Apply ESU keys and validate monthly patches on systems slated for temporary retention; monitor patch success and reboots via centralized tooling.
  • Segment legacy systems with firewall rules and application allowlists; remove internet access where possible and enforce strict RDP controls.
  • Plan migrations to Windows 10/11 or supported Server versions, including application compatibility testing and data migration steps.
  • Create decommissioning runbooks for assets scheduled for retirement and ensure data sanitization meets organizational policy.
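The first three checklist items (catalog and classify, validate retained hosts, segment what stays) are one procedure; the script below is an added example for this briefing, not Microsoft's tooling or the briefing author's code. It pulls the Windows 7 / Server 2008 hosts from Active Directory, merges the owner-agreed lifecycle decisions, flags hosts with no decision or a passed exit date (the assurance point about tracking exception end dates), and writes per-host isolation commands for the hosts that remain. It assumes the RSAT ActiveDirectory module on the admin workstation; the decision table, the 10.0.0.5 jump-host address and the C:\LegacyReview evidence folder are constructed placeholders.

```powershell
# Added example (not the briefing's or Microsoft's code): legacy-host
# inventory, classification and isolation-script generation.
# Assumptions: RSAT ActiveDirectory module present; decision table below is
# a constructed sample; jump host address and evidence folder are placeholders.

Import-Module ActiveDirectory

$evidenceDir = 'C:\LegacyReview'   # assumed evidence location
$jumpHostIp  = '10.0.0.5'          # placeholder jump host address
New-Item -ItemType Directory -Path $evidenceDir -Force | Out-Null

# Constructed sample of the lifecycle decisions agreed with asset owners.
$decisions = @'
Name,Owner,Function,Decision,ExitDate
FILESRV01,Finance,Year-end file share,ESU,2020-12-31
LABPC07,R&D,Instrument control,Isolate,2021-06-30
OLDWEB01,IT,Retired intranet site,Retire,2020-03-31
'@ | ConvertFrom-Csv

$decisionByName = @{}
foreach ($d in $decisions) { $decisionByName[$d.Name.ToUpper()] = $d }

# Windows 7 and Server 2008 R2 report OS version 6.1; Server 2008 reports 6.0.
$legacy = Get-ADComputer `
    -Filter 'OperatingSystem -like "*Windows 7*" -or OperatingSystem -like "*Server 2008*"' `
    -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate

$today  = Get-Date
$report = foreach ($computer in $legacy) {
    $d = $decisionByName[$computer.Name.ToUpper()]
    # A host with no owner decision is the key finding: it has neither an
    # ESU plan nor an isolation or retirement date.
    $decision = if ($d) { $d.Decision } else { 'Unclassified' }
    $exitDate = if ($d -and $d.ExitDate) { [datetime]$d.ExitDate } else { $null }
    [pscustomobject]@{
        Name          = $computer.Name
        OS            = $computer.OperatingSystem
        OSVersion     = $computer.OperatingSystemVersion
        LastLogonDate = $computer.LastLogonDate
        Owner         = if ($d) { $d.Owner } else { '' }
        Function      = if ($d) { $d.Function } else { '' }
        Decision      = $decision
        ExitDate      = $exitDate
        # An exception end date only helps if someone notices it has passed.
        Overdue       = ($null -ne $exitDate -and $exitDate -lt $today)
    }
}

# Evidence for the CMDB update and the quarterly exception review.
$report | Sort-Object Decision, Name |
    Export-Csv -NoTypeInformation -Path (Join-Path $evidenceDir 'legacy-hosts.csv')

# Items that need an owner decision or a renewed approval right now.
$report | Where-Object { $_.Decision -eq 'Unclassified' -or $_.Overdue } |
    Format-Table Name, OS, Decision, ExitDate, Overdue -AutoSize

# Host-side isolation for hosts that stay on the network. Windows 7 and
# Server 2008 lack the NetSecurity PowerShell module, so the generated script
# uses netsh, which exists on those releases: default-deny inbound, RDP
# allowed only from the jump host.
$isolate = $report | Where-Object { $_.Decision -in 'Isolate', 'ESU' }
foreach ($h in $isolate) {
    $script = @(
        'netsh advfirewall set allprofiles state on',
        'netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound',
        ("netsh advfirewall firewall add rule name=`"RDP from jump host only`" dir=in action=allow protocol=TCP localport=3389 remoteip={0}" -f $jumpHostIp)
    )
    # Deploy through the existing management tooling; the file stays with
    # the inventory as evidence of the compensating control applied.
    Set-Content -Path (Join-Path $evidenceDir "isolate-$($h.Name).cmd") -Value $script
}
```

Run it from a supported administrative host, not from a legacy machine. The CSV is the artefact to attach to the executive approval record; the generated `.cmd` files are deliberately minimal so that any additional inbound allowances (backup agents, monitoring) are added as explicit, reviewed rules rather than by loosening the default policy.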

Compensating controls and governance

  • Require executive approval for any system remaining on ESU; document business justification, compensating controls, and target exit dates.
  • Deploy strict network segmentation, deny-all inbound policies, and application allowlisting on legacy systems; log and review any policy overrides.
  • Use jump hosts with MFA for administrative access and capture full session recordings for legacy environments.
  • Conduct quarterly vulnerability scans and penetration tests focused on legacy segments; keep remediation plans with accountable owners.

Assurance notes

  • Track exception end dates and review compensating controls quarterly to avoid indefinite reliance on ESU or isolated legacy hosts.
  • Maintain evidence of lifecycle decisions and security reviews in case of regulatory scrutiny after an incident on unsupported systems.
  • Ensure configuration management databases reflect retirement or migration milestones so inventory metrics remain accurate.