Best security options to keep using Windows 7 Professional?

Chevy-SS

What are your 'best' security options suggestions to safely keep using Windows 7 Professional? This system (yeah, I know it's old) is on my primary computer. I've been using it for years and simply love the computer and Win 7 Pro. I have other computers running Win 10, but my Win 7 computer is my go-to computer for most all daily tasks. Plus, I have some software (fully licensed and legally purchased Adobe Suite, for instance) that would not survive an upgrade to Win 10.

I have ZERO problem paying an annual fee for a good product that will allow me to keep truckin' with Win 7. Is there anything out there??

Thanks 👍
 
Remove its internet access, seriously. You have other computers to go online with that will get security patches etc. Keep it for its uses, Adobe etc. I have a Windows 7 VM for exactly the same reason.
 
There's a lot of options, some of them free, like Reboot Restore Rx and Time Freeze. I use both of these on my win7 machines and while not bulletproof, they do a mighty fine job.

The other option is to move to win7p embedded. The embedded write filter is pretty much bulletproof (like the write filter is on previous versions of embedded). The write filter helps to keep your win7 install at a 'known state' until you tell it you want it to change.

The third option is to use a virtual machine with a 'template' (or whatever the heck it's called in whatever hypervisor you choose) for essentially the same situation as the previous two--a known state that will only change if you want it to.

The key to running older OSs that have the Internet as an attack vector is that automatic rollback to a 'known state' at every reboot, blowing away any bugs that are picked up when frolicking on the Internet. Microsoft introduced this concept with the 'steadystate' addon for xp, which eventually became windows embedded and then win iot. And the steadystate and embedded versions of these are quite bulletproof as they were/are used on corporate thin clients. I used steadystate to build some 'unbreakable' PCs for my elderly mom and dad who could 'gunk up the works' on any computer handed to them, and both the xp steadystate p4 machines outlived both of them (sadly). And I'm posting this post from a windows 7 embedded thin client connected to a win 10 iot thin client connected to an xp steadystate machine that's an old Dell 755 USFF. And with any reboot of any of these, they are restored to the same configuration when I initially set them up years ago (or at all as I pretty much leave the win 7 thin clients stock--iot is a bit funny as it still tries to do stuff even when locked down so it's not as bulletproof, but 7 and xp are). All in all, 'it just works' which is what I want, and it sounds like this could work for you too.

Feel free to ask me any questions. :)
 
Why can you not install your software on Win10? Is the paid version you have not supported?

As noted above, a virtual machine may be an option if you need specific software to work. I use VMware Workstation myself (Linux as primary OS) and I get almost bare-metal performance for anything I need Windows for.
 
Remove its internet access, seriously. You have other computers to go online with that will get security patches etc.
Considering that the most targeted OSes are always current ones, I don't think 'newer is always better'. No one is currently writing exploits for win9x and yet people are crying foul when one connects one of these machines straight to the Internet without a firewall. :rolleyes: If no one is looking for a square egg, I doubt there's any fear in leaving one unguarded.

While win7 does still have some exposure due to the extended security updates that kept some of these machines operating in environments where they are good targets (point of sale machines, atms, etc), that support ended earlier this year and many of the environments migrated to win10 iot well before the support ran out, so the juicy targets are now on win 10 and no longer win 7, removing the incentive to develop exploits for 7. And because of this I think win7 is about to start the journey that xp and 9x are already on--a journey to becoming an orphaned OS that runs well and has few enemies.

When you think of the whole 'security patch' lifecycle, that's just a 'best practice' that's a bandaid solution for a problem that doesn't exist when there is a lack of a payout. NAS units by Synology and QNAP are targeted all day long and have a regular patching framework because they are being targeted all day long. Meanwhile, older NAS units that worked primarily as just a NAS (hence their lack of popularity), have become completely overlooked even though they probably have a payload worth ransoming--but because these aren't 'popular' the 'shotgun approach' is not going to yield as many targets, hence less revenue. It's the same with the OS game.

If you want real security, the only way to do it is by using something like the old Lightweight Portable Security or TENS live cds to get online, do your work, and then disappear. Anything less is a target no matter how new (or old) it is.
 
There's a lot of options, some of them free, like Reboot Restore Rx and Time Freeze. I use both of these on my win7 machines and while not bulletproof, they do a mighty fine job.

The other option is to move to win7p embedded. The embedded write filter is pretty much bulletproof (like the write filter is on previous versions of embedded). The write filter helps to ........

Feel free to ask me any questions. :)

Thanks for this, very helpful. Three questions:

1) If I was to do the 'win7p embedded', is that something I can just add on to my existing system, or does this require a complete re-install of everything?

2) As I mentioned above, I have no problem paying for a really good service, it doesn't have to be free. Are there any high-quality, paid services that you can recommend?

3) And finally, would it be of any advantage to utilize VPN for browsing online?

Again, many thanks, Dave
 
Why can you not install your software on Win10? Is the paid version you have not supported?

As noted above, a virtual machine may be an option if you need specific software to work. I use VMware Workstation myself (Linux as primary OS) and I get almost bare-metal performance for anything I need Windows for.

Well, just the Adobe Suite cost me over $1,000, but I own it. They have since discontinued that business model. Now all of their software is subscription based. And I can pretty much guarantee that if I upgrade my Win7 to Win10, my old Adobe license will no longer work, they will want to get me signed onto the subscription. I don't use Adobe enough to justify paying the monthly fee, but I do occasionally use it.

And I generally prefer Win7 over Win10. On the Win7 comp I'm not getting continuous updates, with many seeming to include annoying programs automatically installed, which I don't want to be bothered removing/disabling. I just like to be left alone........ ;)
 
Which Adobe Suite version? I have CS6 running on some Win 10 PCs. Originally installed on Win 7 and upgraded to Win 10 later on.

I would use Malwarebytes Premium for some good Active Protection on it though.
 
Well, just the Adobe Suite cost me over $1,000, but I own it. They have since discontinued that business model. Now all of their software is subscription based. And I can pretty much guarantee that if I upgrade my Win7 to Win10, my old Adobe license will no longer work, they will want to get me signed onto the subscription. I don't use Adobe enough to justify paying the monthly fee, but I do occasionally use it.

And I generally prefer Win7 over Win10. On the Win7 comp I'm not getting continuous updates, with many seeming to include annoying programs automatically installed, which I don't want to be bothered removing/disabling. I just like to be left alone........ ;)
Upgrading your OS does not force your Adobe to switch to a subscription service at all. It is just a matter of if Adobe products from your suite work under Windows 10 is all.

You could fire up a VirtualBox VM with a Windows 10 ISO from MS and install it to confirm if it works or not.

Also, if you did go the Windows 10 route, do a clean install, not an upgrade.
 
Upgrading your OS does not force your Adobe to switch to a subscription service at all. It is just a matter of if Adobe products from your suite work under Windows 10 is all.....

Thus you've identified two possible deal-killing issues. I would not be surprised if my licensing agreement (about 12 years old, CS5) would not work as you say. And then there's the whole compatibility issue with Win10..... not taking the chances, it's too much headache. But thanks anyway.
 
Yeah, well, the powers-that-be said I wouldn't catch COVID if I got the vaccine. And they said I couldn't spread it if I got the vaccine. And they said masks worked....... wrong on all points. You catch my drift.

I'm a stubborn old codger, and I live by: "if it ain't broke, don't fix it".

I actually just ordered a spare 2TB SSD, onto which I will clone my existing SSD, to have a complete spare on hand, just in case. Plus I am really good at regularly backing up all my important files.

Again, many thanks
 
Yeah, well, the powers-that-be said I wouldn't catch COVID if I got the vaccine. And they said I couldn't spread it if I got the vaccine. And they said masks worked....... wrong on all points. You catch my drift.
🙄

Your best bet - remove it from networked abilities. Isolate the box or put it all in a VM.
 
You can always spring for a yearly Pro subscription to 0patch for the ESU for W7, but that is ending if it hasn't already.

Just clone your existing drive to VM and upgrade it to W10 to test. Just make sure Adobe CC isn't installed and doesn't get installed by CS5 somehow.
 
Thanks for this, very helpful. Three questions:

1) If I was to do the 'win7p embedded', is that something I can just add on to my existing system, or does this require a complete re-install of everything?

2) As I mentioned above, I have no problem paying for a really good service, it doesn't have to be free. Are there any high-quality, paid services that you can recommend?

3) And finally, would it be of any advantage to utilize VPN for browsing online?

Again, many thanks, Dave
You're welcome. :) Some answers:
  • No, it would need to be a complete reinstall.
  • The same companies that make those free solutions have paid ones. Another paid-only one is deep freeze.
  • Absolutely not. The idea that a VPN is somehow going to help security is one of the biggest snake oil scams this century. You are basically only redirecting the end of the 'pipe' that's your Internet, so it's completely useless against today's phishing and deep fake scams which are the hardest to detect, and pretty much useless against anything else too since I don't know of a single scam that's just using someone's location.

For safe browsing online, regardless of browser or OS, you need a couple of things:
  • A browser that doesn't try to take advantage of you, which all the current versions of every browser fail in this regard since they are 'free'. Firefox by default wants to crypto-mine on your system, chrome wants to make sure it has access to your data, etc, etc. Now, you can turn this stuff off if you go through every setting almost every time, and you'll need to do this every time there's a force-fed 'update' too so it's an endless game of whack a mole. I've found older versions of browsers are much better at not being so scammy (like ff52 esr which I'm using on this xp steadystate system), and unless you're trying to do something insane like banking online (I think any access to large sums of money online is totally insane in this wild wild west internet climate), ff52 does well enough for access to almost anything else. You can also do what I did for my dad as he could even mess up ffesr--have a known good working version of a browser and have it copied to a working copy at each boot. It only took 30 seconds on his p4, so it shouldn't even take a second on today's nvme ssd systems.
  • An os that is 'clean'. If you are accessing anything critical--banking, nuclear plant operating panels, etc--you need a known 'clean' state in your OS as well. This was the point of the Air Force's Lightweight Portable Security and TENS live cds, and while dated, they are still pretty good at this. Their browsers are a bit dated, but they are also a known 'clean' starting point.
  • Air gap to any real data. The whole way the bad people work is they want access to the data. Well, if your OS and browser don't have access to any data, a compromise won't get very far. Again, this was a big premise in Lightweight Portable Security where local and network drives could not even be mounted. No access, no breach.
Now, this level of safety isn't very practical if you're having to do this all the time, so if you concentrate on the first and use something like LPS or TENS for critical stuff, you can get by with some inconvenience while arguably a better chance at safety than a VPN or a modern OS.
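
One way to do the "known good browser copied to a working copy at each boot" step described above, as an added example that is not from any poster in this thread. It assumes a portable browser whose program and profile live in one folder, hypothetical paths under C:\Golden and C:\Apps, and PowerShell 2.0 as shipped with Windows 7; it also checks the known-good copy against a recorded hash manifest before mirroring it, which goes beyond what the post describes.

```powershell
# Added example. All paths are assumptions. Run from a startup scheduled task
# under an administrative account so the browsing user cannot write to $Golden.
param([switch]$Record)   # -Record: build the manifest once, while the copy is known clean

$Golden   = 'C:\Golden\Browser'         # known-good portable browser folder
$Working  = 'C:\Apps\Browser'           # copy the desktop shortcut launches
$Manifest = 'C:\Golden\browser.sha256'  # lines of "<sha256>  <relative path>"
$Log      = 'C:\Golden\restore.log'

function Get-Sha256Hex([string]$Path) {
    # Get-FileHash needs PowerShell 4.0; Windows 7 ships 2.0, so call .NET directly.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
        return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
    } finally {
        $stream.Close()
    }
}

function Get-TreeHashes([string]$Root) {
    # Map "relative\path" -> sha256 for every file under $Root.
    $table = @{}
    $rootFull = (Resolve-Path $Root).Path.TrimEnd('\')
    Get-ChildItem -Path $rootFull -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $rel = $_.FullName.Substring($rootFull.Length + 1)
            $table[$rel] = Get-Sha256Hex $_.FullName
        }
    return $table
}

if ($Record) {
    (Get-TreeHashes $Golden).GetEnumerator() | Sort-Object Name |
        ForEach-Object { '{0}  {1}' -f $_.Value, $_.Key } |
        Set-Content -Path $Manifest -Encoding UTF8
    exit 0
}

# Load the manifest recorded when the golden copy was made.
$expected = @{}
Get-Content -Path $Manifest | Where-Object { $_ } | ForEach-Object {
    $hash, $rel = $_ -split '  ', 2
    $expected[$rel] = $hash
}

# Refuse to restore from a golden copy that no longer matches its manifest.
$actual = Get-TreeHashes $Golden
$problems = @()
foreach ($rel in $expected.Keys) {
    if (-not $actual.ContainsKey($rel)) { $problems += "missing: $rel" }
    elseif ($actual[$rel] -ne $expected[$rel]) { $problems += "changed: $rel" }
}
foreach ($rel in $actual.Keys) {
    if (-not $expected.ContainsKey($rel)) { $problems += "unexpected: $rel" }
}
if ($problems.Count -gt 0) {
    $problems | Add-Content -Path $Log
    exit 1
}

# /MIR makes the working copy identical to the golden one, deleting anything
# that was added to it since the last boot.
robocopy $Golden $Working /MIR /R:1 /W:1 /NP "/LOG+:$Log"
if ($LASTEXITCODE -ge 8) { exit 1 }   # robocopy codes below 8 mean success
exit 0
```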
 
I'm a stubborn old codger, and I live by: "if it ain't broke, don't fix it".

I actually just ordered a spare 2TB SSD, onto which I will clone my existing SSD, to have a complete spare on hand, just in case.
I guess I'm getting into that category as well since I'm a very big proponent of not trying to fix stuff that isn't broken. :D

One solution for sure is cloning. I actually have a cloned image of the initial setup of the xp steadystates as well as all the others. If I suspect anything funny, I simply reimage the system and blow away any bad stuff. If you did this more frequently, say daily or weekly, that will keep you in good shape as well. The only caution would be to not make new images regularly and use those for restoration with a much older and known 'safe' image as you could image the baddies and then they're stuck in your image that you're using for restoration.

But all this is simply related to online work. If you have newer systems, you can also just rdp into them when you need something on your win7 and then copy the file/etc to the win7 system. This is what I do when I need drivers when setting up my systems pre-image--they don't touch the network until they are configured and imaged--then they can touch the network.
 
You're welcome. :) Some answers:
  • No, it would need to be a complete reinstall.
  • The same companies that make those free solutions have paid ones. Another paid-only one is deep freeze.
  • Absolutely not. The idea that a VPN is somehow going to help security is one of the biggest snake oil scams this century. You are basically only redirecting the end of the 'pipe' that's your Internet, so it's completely useless against today's phishing and deep fake scams which are the hardest to detect, and pretty much useless against anything else too since I don't know of a single scam that's just using someone's location.
...................

Samir, many thanks, great info. 👍👍👍 I am definitely gonna look deeper into those companies you mention for the paid security.

My backup SSD will be here tomorrow, so cloning will be the first step in my march to Win7 security.

I would even attempt some of the other things you mention, but honestly, quite a bit of it is over my head, and I'm afraid I'd make things worse rather than better!

Again, much appreciated for your time and thoughtful answers..................... ☺️
 
You're welcome! I'd love to hear your experiences with them too as I still do like win7 for several situations and have seen Reboot Restore and Time Freeze get messed up at times.

For cloning, I love the Clonezilla live cd for making and restoring images. Just boot it and you're ready to go.

Virtual machines are something I haven't personally messed with either so I know how you feel. Yet, I think they can end up being the ultimate solution since you can have a win7 machine exactly how you want it each time on the fly. It's actually what I want to migrate all our physical hardware to since we have the server hardware--I just have to play with proxmox and make vhds of all our existing systems so that we can just launch the same 'on the fly' on proxmox. And then because they're virtualized and we have a ton of ram, we can run so many more instances than what we currently do on baremetal. If I had the time to play with it all, I will probably realize I should have taken the time years ago to set it all up.
 
In fact, there are tools that can take the current machine and convert it to a VM. Plenty of free tools to do this.
 
I am a believer that the fear mongering on using Windows 7 is overblown.

(but let's put it to the test... I'll fire up a Windows 7 VM and see if it will become compromised... the way people talk about Windows 7 now... it should blow up as soon as I turned it on and connect it to the internet) 🤣
 
Microsoft has one I've used...

https://learn.microsoft.com/en-us/sysinternals/downloads/disk2vhd

Plus some backup softwares have some sort of backup to VM thingy...Paragon does I know. Had to do this recently for an old W2K Server that had legacy software installed to a VirtualBox VM lol

Thank you both for the links! Learned a lot from them both!
 
I am a believer that the fear mongering on using Windows 7 is overblown.

(but let's put it to the test... I'll fire up a Windows 7 VM and see if it will become compromised... the way people talk about Windows 7 now... it should blow up as soon as I turned it on and connect it to the internet) 🤣
I thought it was at the level of xp in terms of exploits but when looking at cvedetails on it and comparing it to 8 and 10 and xp, it's still got a fairly good number of people aiming for it. Nevertheless, the payload they're looking for is critical infrastructure, banking, government, or a nuclear plant. :eek: Still, the exploits come the same way, so there is a risk. Hence why I have moved to a 'toaster' OS workflow years ago. My OSes are designed to just erase themselves at each reboot anyways.

As far as the challenge, also add xp and 98se while you're at it!! I'd love to see what gets hit first out of the 3. :D
 
Yep, but it's generally just a NAT just like a router is so I think it's a fair test. :)

assuming a VM is just like a stand alone computer running Windows 7... except for the protection in place of running on a type-1 hypervisor


I just set up a VM on my vSphere cluster, running on ESXi 7.03..
Windows 7 Professional... fully patched with all important updates.. no optional updates...
Turn off firewall.. no Defender, or antivirus...
Installed last version of Brave that would install on Win7 ..

It's fired up! Let's roll lol
 
Now use it for web browsing too! :p
 
You guys are talking Greek to me now, haha.......... "....VM on my vsphere cluster, running on ESXi 7.03.."

Anyway, one more question for you tech-heads: I now have two spare SSDs that I am using as backup only. These are clones of my original Win7 Pro setup, which I will be refreshing every month or so. I back up my personal files every few days. It's actually quite comforting to have these SSD clones sitting on my shelf. ☺️

My question is: if and when I actually do update to Win 10 (or newer) for my main computer, can I plug in one of these clones as an extra drive, and would I be able to run the programs installed on it?

Thanks gents
 
You can upgrade to win10 from 7 without losing your programs and files. Since you already have full backups, say try it and see for yourself. Running programs from a full backup drive on another system usually will not work since licenses are tied to the install, and the way most programs work, they depend on data in certain folders written to the os drive (like appdata and other hidden folders).
 
Thank you, good idea about trying the Win10 upgrade. ;)
Any idea on the best place to get Win10?
If you were in my shoes, would you bother? I'm a tad reticent to upgrade, being as Win7 Pro works perfect for me.
Plus, I worry that Microsoft would automatically disable my Win7 Pro, so if I tried to revert back to Win7 after trying out the Win10 upgrade, I might not be able to. Microsoft is pretty darned sneaky, haha.

Depends on the program. If it needs registry entries or files in a system folder, probably not.
Gracias!
 
This is an interesting thread. I'm glad I found it. I wish they never replaced windows 7.
 
IMO ignore the FUD and continue to use your Windows 7 without much fuss. Make sure you have an up to date browser and email client, good firewall, regular data and system backups, and a good antivirus (like Eset NOD32, Kaspersky...). Basically the same stuff you should do anyway.

Ideally, move to Linux and use Windows in a VM for programs that absolutely can't run on Linux with any method.
 