Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

6/6/2017
10:30 AM
Kenny Covington
Kenny Covington
Commentary
50%
50%

Advice for Windows Migrations: Automate as Much as Possible

The security lessons Riverside Health System learned when moving to Windows 7 will help it quickly move to Windows 10.

The recent news that the WannaCry virus had impaired the UK's National Health Service's ability to provide care for its tens of millions of patients was scary for all of us working in IT. As a systems administrator for more than 20 years at nonprofit US healthcare provider Riverside Health System, I felt sympathetic.

When reports emerged suggesting that the vulnerability exploited by the hackers was caused by the NHS running Windows XP, I identified in a whole new way. Although Riverside migrated from Windows XP some time ago, it was a challenging process and had a steep learning curve. Riverside isn't on the scale of the NHS (we have about 9,500 machines now, mostly Windows), but all healthcare providers will face similar challenges.

Fortunately for us, and unlike many other healthcare providers, we could take solace in knowing that 90% of our environment was already protected through our normal monthly patch cycle, because we've automated that process. The remaining 10% for which we had to take special measures are those "problem children" unable to receive a patch because of their own technical faults. This is something we're hoping we can remedy as we move to Windows 10.

Riverside completed its Windows 7 migration a couple of years ago. However, if there's a lesson in last month's unfortunate events, it's that none of us should rest on our laurels. The more up-to-date your software, patches, and operating system are, the better. WannaCry is a loud wake-up call reminding us that we all need to stay current. As a result, we're planning to accelerate our move to Windows 10.

Key Lesson
When we started our Windows 7 migration, we did it the old-fashioned, manual way, running a master image (also known as a golden image) for Windows 7 that we provided to our techs. It was a very hands-on approach — each tech had time to build one, maybe two per day, if he or she was lucky — and we had about 4,800 devices to update. We had tons of different makes and models of hardware that hadn't been standardized. It quickly became clear to managers that they were going to have to hire more than $600,000 worth of labor to come in and do the process if we wanted it done within two to three years.

Check out the all-star panels at the 'Understanding Cyber Attackers & Cyber Threats' event June 21 and get an in-depth look at your cyber adversaries. Click here to register. 

The other option was automation. We thought we could leverage Microsoft's Configuration Manager, but it would not allow us to propagate such a large image across the T1 network. Then we decided to research third-party vendors that offer automation. In the end, we went with 1E, whose peer-to-peer technology suited our needs. Automation proved key for ensuring that machines could be migrated quickly but consistently to Windows 7: each individual machine has a lot of unique data on it, so it was great to use the migration tools, back up the data on a local machine on the subnet, capture everything, and then restore it cleanly. In the end, 1E's tools helped us compress our Windows 7 upgrade from the two to three years we expected down to one year.

The Road to Windows 10
As we ready ourselves for Windows 10, we face a similarly challenging environment: lots of unique data on the machine, the question of where and how you store it, and how you get these packages across the network quickly. We still have our automation infrastructure in place to deal with these problems. But there are other lessons we're looking to carry over, too, as well as some new challenges we will face.

One difference with Windows 10 concerns its high-speed release cadence. As the WannaCry attack reminds us, from a security point of view, you want to not only be using the latest OS but the latest version of it, and patched as much as possible. In addition, we're planning to migrate swiftly, to avoid having several different flavors of Windows 10 at the same time. Automation will help.

Another challenge for us is that we're looking to go to a 64-bit operating system across the board. With the last migration, to simplify the migration process we stayed with the same OS processor architecture type on each device for compatibility reasons. If the PC was a 64-bit XP machine, then it got 64-bit Windows 7, and if it had a 32-bit system, it got 32-bit Windows 7. We've had vendor applications that absolutely will not run in one version or another. Without an operating systems deployment migration process that allows us to quickly rebuild those machines, that, too, would be a very big undertaking.

We begin our Windows 10 migration very soon. Despite all the challenges and changes,  although consultants told us Windows migrations typically take several years, we believe we can do it in one (or even faster) with automation. Accelerating the move not only improves our security posture but also helps us continue to give our end users and medical professionals a consistent experience — something they've come to value from our IT team.

Related Content:

Kenny Covington, System Administrator for Riverside Health System, based in Newport News, Virginia, has been a member of the information system staff for over 21 years. He originally was hired as a PC technician at age 16 and has been involved with the endpoint side of the IT ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Alicialynch
50%
50%
Alicialynch,
User Rank: Apprentice
6/7/2017 | 7:32:10 PM
Other migration tools
There are a number of alternatives to crappy free tools. Ive worked for places that used the free tool from MS, which was a disaster. Ive heard good reports from other techs about the tool from Tranxition. Heat software also has one as part of their DSM tool..
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
The State of Email Security and Protection
Mike Flouton, Vice President of Email Security at Barracuda Networks,  11/5/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprise
Assessing Cybersecurity Risk in Today's Enterprise
Security leaders are struggling to understand their organizations risk exposure. While many are confident in their security strategies and processes, theyre also more concerned than ever about getting breached. Download this report today and get insights on how today's enterprises assess and perceive the risks they face in 2019!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18881
PUBLISHED: 2019-11-12
WSO2 IS as Key Manager 5.7.0 allows unauthenticated reflected XSS in the dashboard user profile.
CVE-2019-18882
PUBLISHED: 2019-11-12
WSO2 IS as Key Manager 5.7.0 allows stored XSS in download-userinfo.jag because Content-Type is mishandled.
CVE-2019-18873
PUBLISHED: 2019-11-12
FUDForum 3.0.9 is vulnerable to Stored XSS via the User-Agent HTTP header. This may result in remote code execution. An attacker can use a user account to fully compromise the system via a GET request. When the admin visits user information under "User Manager" in the control panel, the pa...
CVE-2019-18874
PUBLISHED: 2019-11-12
psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object.
CVE-2019-18862
PUBLISHED: 2019-11-11
maidag in GNU Mailutils before 3.8 is installed setuid and allows local privilege escalation in the url mode.