S 4.424 Secure use of older software under Windows 7
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator, Head of IT
Windows 7 has some compatibility issues with some software written for Windows systems. In order to be able to use the software nevertheless, there are three tools:
- compatibility mode for individual executable files
- Application Compatibility Toolkit (ACT)
- Windows XP mode
If software incompatible with Windows 7 is to be used, it is very important to not to relax the security of the entire system for the benefit of being able to execute the software. Therefore, only those settings actually required in order to execute the older software should be adapted. In order to identify and document the required settings, an isolated test environment must be used. The test environment must consist of at least one Windows 7 computer and, if necessary, one Windows XP computer. The person commissioned with this task should have received training as to how to adapt and deploy Windows 7 clients.
However, the support agreements of the software manufacturer should be checked beforehand. If Windows 7 support for software is denied, even if the software could be executed in the Windows 7 compatibility mode, the software can be tested in the VirtualPC XP mode (hereafter called XP mode). The XP mode is available as a free additional pack in Windows 7 Professional and higher. It is implemented by the VirtualPC software imaging a client and a virtual image of the hard disk with a licensed Windows-XP installation.
The XP mode can also be used if the software cannot be executed in Windows 7 despite the adaptations described below. If possible, the software should, however, be operated directly in Windows 7 or it should remain in the existing Windows XP environment. The virtualisation software allows for new attack vectors and does not contain any administration, security, and monitoring tools. The predefined Windows-XP installation requires a separate risk analysis in connection with the used software, as well as the corresponding implementation of S 3.9 Client under Windows XP.
Whether the software can be executed within a user session without administrator authorisation and with active User Account Control (see S 4.340 Use of Windows User Account Control UAC in Windows Vista and higher) must be determined within the test environment. If older hardware is to be used, its drivers require testing. The tests must comprise the executability of the software and drivers, the installation options, and any existing updating mechanisms.
Program Compatibility Assistant (PCA)
If older software is to be executed on the Windows 7 computer, the Program Compatibility Assistant (PCA) must be started initially (in Control Panel | All Control Panel Elements | Troubleshooting | Programs). This assistant obtains information and so-called compatibility fixes from the System Compatibility Database and applies individual compatibility modes to program files already known to the System Compatibility Database. The administrator can have unknown program files analysed and can then assign these to the available predefined compatibility modes. The System Compatibility Database is provided with new information and fixes by the Windows Update function. Updating the information and compatibility fixes may be of a security-relevant nature and should therefore always be performed.
For the analysis and the fixes of the PCA to be functional, the PCA functions must be permitted. By default, this is the case and can be set in the administrative templates in the group policies snap-in: Computer Configuration | Windows Components | Application Compatibility. The following setting is required for the analysis in particular: Computer Configuration | System | Troubleshooting and Diagnostics | Configure Scenario Execution Level | Detection, Troubleshooting.
Application Compatibility Toolkit (ACT)
If the PCA is insufficient, the software must be installed on the Windows XP test computer together with the Application Compatibility Toolkit (ACT). If the Windows license is present, the ACT is available as a free additional pack and contains wizards and tools. The administrator can use the wizards to analyse the system while the software is started. Along with the wizards, the Standard User Analyser tool should also be used. It allows for interactive analysis by means of a graphical interface.
The analysis results of the tested software indicate the system accesses that would result in errors on a Windows 7 computer. There are two approaches for troubleshooting:
- The appropriate settings can be performed on the Windows 7 test computer based on the analysis results or
- the System Compatibility Database of the Windows 7 test computer is expanded with the help of the command line command sdbinst and the Compatibility Administrator tool from the ACT.
The first approach is suitable to remedy a large number of the errors. For example, authorisations can be set, installation paths and work directories can be edited, UAC manifests can be created, system privileges and authorisations and additional user accounts with advanced authorisations can be used.
Authorisations regarding system folders and keys within the registry database must by no means be edited. Authorisations within the program folder should only be edited in a very targeted manner and must be tested for compatibility with the Windows Resource Protection (WRP) and the security zones of Windows 7. Furthermore, no authorisations regarding those folders and registration keys affected by UAC virtualisation (see S 4.338 Use of Windows Vista and Windows 7 File and Registry Virtualization) or diverted by the WoW64 emulation mode (concerns the 64 bit versions of Windows only) should be edited.
The Compatibility Administrator is required for the latter approach. This tool contains a number of delivered compatibility fixes. The exact procedure can be found in the manufacturer's documentation, for instance at http://technet.microsoft.com/de-de/library/dd835539.aspx. Updated compatibility fixes are made available by Microsoft or can also be programmed individually.
If certain manual adaptations contradict the security policy for Windows 7, using the Compatibility Administrator tool and/or the VirtualPC XP mode should be tested. Should there be any doubt, exceptions must be considered and documented or different options for isolating the incompatible software must be taken into consideration.
The compatibility adaptations must be documented for each software. The following table shows an example.
| Analysed fields | Severity | Adaptation | Compatibility fix |
|---|---|---|---|
| Denies start due to incorrect Windows version | High | - | Compatibility mode of the PCA |
| .ini file cannot be written | High | Adaptation of the UAC virtualisation by the PCA | - |
| Program module "Invoice" does not start | is of no use | - | - |
VirtualPC XP mode
If PCA and ACT are insufficient, the XP mode can be installed on the Windows 7 test computer. Then, the incompatible software is installed to the virtual Windows XP system. In Microsoft VirtualPC | Windows XP Mode Applications, the Windows 7 start menu automatically displays a start icon for the software once it was installed for all users in the XP mode. When the software is started, the XP mode executes the program in a virtual Windows XP environment in the background and shows the program window on the Windows 7 interface. Alternatively, the user can also have an entire Windows XP window displayed by selecting Windows XP-Mode. Once started, the virtual Windows XP environment remains loaded until Windows 7 is shut down. The connection to the virtual system is established by the Remote Desktop service also connecting the clipboard, sound output, printer drivers, smartcards, etc. Network communication and access to data storage media and ports are performed by the VirtualPC software in the background. Devices without USB or serial port cannot be used.
Within the test environment, software and drivers should be checked for their compatibility regarding network communication, hardware support, data storage media access, and remote desktop support. Installation and updating mechanisms must be checked as well. Furthermore, the boot time and the execution speed of the software must be tested, as well as the availability of the remaining Windows applications. A suitable shut down method for the XP mode must be selected and tested particularly carefully. If the XP mode is shut down inappropriately, the software installation or the data of the current session may be damaged.
If a data backup solution is used for the Windows 7 client, this solution must be tested using VirtualPC and it must be able to backup changes to the virtual instance.
After having installed the XP mode on the computer, the settings for the virtual environment can be opened at Start | Microsoft VirtualPC | selecting the icon for Windows Virtual PC | in the context menu of Windows XP-Mode and the entry Settings.
Restrictions for the XP mode
When using VirtualPC, the modules S 3.4 Virtualisation and S 3.9 Client under Windows XP must be applied. Furthermore, the Windows 7 safeguards are still applicable, if relevant, for instance using complex passwords, securing the network communication, or using BitLocker.
The XP mode must be isolated as far as possible from the superior Windows 7 system. The following basic principles must be taken into consideration:
- The XP mode should not be used as an alternative desktop system in production. Users should not use any components or software of the XP system that do not belong to the application scenario of the older software.
- Data isolation: do not store any user data within the virtual Windows XP system.
- Network isolation: do not allow for any unlimited network communication of the virtual Windows XP system.
Regarding the first item, a ban on using virtualised software without approval should be defined and S 2.32 Establishment of a restricted user environment should be taken into consideration for the virtual Windows XP system, if necessary.
In order to save user data, the drives of the host computer connected to VirtualPC should be used. The drives of the virtual operating system should not be used. If the software generates session data and log files requiring protection, these must be saved outside of the virtual Windows XP system on a daily basis, for instance by a shut-down script within the Windows XP system or with the help of data backup software compatible with VirtualPC.
Due to the network isolation, no direct access to the network adapters of the computer must be set (at Windows XP-Mode | Settings | Network). Only the access types Offline, Internal Network and Jointly Used Network (NAT) are admissible. Furthermore, an incoming and an outgoing rule should be created for the program file %SystemRoot%\System32\vpc.exe in the Windows firewall blocking network traffic. Exceptions must be configured for the rules in order to enable communication for the required applications within the virtual XP system in a targeted manner.
Provision of the compatibility settings on productive clients
The test result should be documented and incorporated into a provisioning concept for the use of older software. (see also S 2.324 Planning the introduction of Windows XP, Vista and Windows 7).
Using the manufacturer's documentation
The manufacturer's documentation for PCA and ACT is available from Microsoft Technet distribution or on the internet at:
http://technet.microsoft.com/de-de/library/dd835539.aspx
The documentation of the test results should contain the corresponding parts of the manufacturer's documentation.
Review questions:
- Did a clarification of warranty and manufacturer support for using old applications in Windows 7 take place?
- Were the compatibility adaptations of old applications to Windows 7 documented completely?
- Is the XP mode isolated from the superior Windows 7 system?
- Is the data of the application executed in XP mode stored outside of the virtual XP system in Windows 7?