Compensating Controls for Unsupported or End of Life Operating Systems

As technology evolves, versions of operating systems inevitably reach the end of their supported life. End of Life (EOL) is the point at which a manufacturer no longer supports a piece of hardware, operating system, application, service, and/or subscription.

Running unsupported versions poses a significant security risk, as these systems no longer receive security updates, leaving them vulnerable to exploits and threats. The University of Minnesota Information Security Policy requires that devices run supported operating systems and all devices used to access University data be patched/updated within 30 days of release from the vendor/open source community.

Why does End of Life (EOL) matter?

When technology reaches end of life, it often means that firmware, security patches, updates, or accessibility features are no longer provided and supported by the manufacturer.

  • Security - Without the latest security patches, IT resources and data that is processed and/or stored by EOL systems and hardware are at risk.
  • Cost - Costs may increase because of the time and resources required to maintain a device or piece of hardware.
  • Compatibility - Systems, hardware, and technology that have reached EOL are often not compatible with other modern software and systems.
  • Reliability - Technology reaching EOL often becomes less reliable over time as manufacturers discontinue support and stop providing necessary security upgrades. Increased downtime and hands-on fixes are often needed when running an EOL product.
  • Support - Technologists' training and the resources available to provide support/assistance with issues in EOL products decrease over time.

If departments are unable to upgrade or retire an EOL device due to security, compatibility, or reliability issues, an IT professional will need to request an Exception to the University Information Security Policy. Departments are highly encouraged to upgrade to a supported operating system, and will need to provide significant justification during the exception process.

EOL Compensating Controls for IT Professionals

The following compensating controls must be implemented to mitigate risks until a full upgrade or decommissioning can be completed. In the event a system becomes highly vulnerable to an unpatchable security risk or a compromise has been detected, the device will be disconnected from the network. An upgrade will be required regardless of exception status.

Windows Server & Desktop Compensating Controls

  1. Network Segmentation
    • Isolate the unsupported systems from the rest of the network, allowing communication only with essential services. Desktops can simply be completely disconnected from the network.
    • Use Windows firewall rules to restrict inbound and outbound traffic to a minimum.
    • Implement VLANs and/or DMZs to further segregate these systems.
  2. Strict Access Controls
    • Limit access to only essential personnel.
      1. Communicate with impacted users to ensure they are aware they are using an EOL system and could experience reduced functionality.
    • Regularly review, update, and document access controls to ensure they reflect the current operational needs.
  3. Patching and Updates
    • Apply any available security patches and updates that were released before support ends.
    • Regularly apply security patches to any applications running on or interacting with these systems.
    • Apply out-of-band patches from vendors as soon as possible.
  4. Backup and Recovery
  5. Application Allow Listing
    • Implement application allow lists to control which applications are allowed to run on the unsupported systems.
    • Prevent unauthorized software from executing on these systems to reduce the risk of malware infections. Examples: Google Chrome or Microsoft Outlook.
  6. Endpoint Protection
    • Use University approved endpoint protection tools that are still supported and updated to monitor and protect the system.
  7. Data Encryption
    • Ensure that all sensitive data on these systems are encrypted at rest and in transit to comply with the Encryption Standard.
  8. Contact Application Vendor
    • If the reason for running an EOL operating system is due to a required legacy application, departments should contact the vendor to see if a newer version of the application is available. Departments should obtain a cost estimate from the vendor and have a documented business requirement for running an out of date application.

Linux Compensating Controls

  1. Network Segmentation
    • Isolate the unsupported systems from the rest of the network, allowing communication only with essential services.
    • Use iptables, nftables, or firewalld rules to restrict inbound and outbound traffic to a minimum.
    • Implement VLANs and/or DMZs to further segregate these systems.
  2. Strict Access Controls
    • Limit access to only essential personnel.
      1. Communicate with impacted users to ensure they are aware they are using an EOL system and could experience reduced functionality.
    • Regularly review and update access controls to ensure they reflect the current operational needs.
    • Disable root login over SSH and require key-based authentication.
    • Implement monitoring utilities like fail2ban or pam_tally2.
  3. Patching and Updates
    • Apply any available security patches and updates that were released before support ends.
    • Explore community-supported patches or backports if they exist.
    • Regularly apply security patches to any applications running on or interacting with these systems.
    • Apply out-of-band patches from vendors as soon as possible.
  4. Service and Kernel Hardening
    • Remove or disable unnecessary packages and services, especially compilers and development tools, to reduce the system's exposure.
    • Regularly audit installed packages with tools like rpm or apt.
    • Utilize Linux kernel security enhancements such as namespaces, cgroups, or kernel parameter hardening (sysctl).
  5. Backup and Recovery
  6. Application Allow Listing
    • Utilize utilities like AppArmor or SELinux to restrict applications and enforce mandatory access control (MAC) policies.
  7. Endpoint Protection
    • Use University approved endpoint protection tools that are still supported and updated to monitor and protect the system.
  8. Data Encryption
    • Ensure that all sensitive data on these systems is encrypted at rest and in transit to comply with the Encryption Standard.
  9. Contact Application Vendor
    • If the reason for running an EOL operating system is due to a required legacy application, departments should contact the vendor to see if a newer version of the application is available. Departments should obtain a cost estimate from the vendor.
    • Investigate containerization (e.g., using Docker or Kubernetes) to run legacy applications on more secure, updated hosts.
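
An audit for the SSH items in the Linux access controls above (root login disabled, key-based authentication required). This is an added example, not University-provided code; the function names, the sample configuration, and the assumed defaults for unset keywords are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not University code): audit sshd_config for the SSH controls
# above. Assumes plain "Keyword value" lines.

# Print the effective global value of KEYWORD, lowercased. sshd uses the FIRST
# occurrence of a keyword, keywords are case-insensitive, and anything after a
# "Match" line is conditional rather than global.
sshd_effective() {  # usage: sshd_effective FILE KEYWORD
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/ { next }         # blank lines and comments
        tolower($1) == "match" { exit }       # end of the global section
        tolower($1) == want { print tolower($2); exit }
    ' "$1"
}

# An unset keyword falls back to DEFAULT. PermitRootLogin is assumed to default
# to "yes", as in OpenSSH releases before 7.0 that EOL hosts often still run.
check() {  # usage: check FILE KEYWORD REQUIRED DEFAULT
    got=$(sshd_effective "$1" "$2")
    got=${got:-$4}
    [ "$got" = "$3" ] && return 0
    echo "FAIL $2: required '$3', effective '$got'"
    return 1
}

audit_sshd() {  # prints findings; exit status is the number of failed checks
    fails=0
    check "$1" PermitRootLogin no yes        || fails=$((fails + 1))
    check "$1" PasswordAuthentication no yes || fails=$((fails + 1))
    check "$1" PubkeyAuthentication yes yes  || fails=$((fails + 1))
    return "$fails"
}

# Constructed sample: the later "permitrootlogin no" is ignored (first wins),
# and the only uncommented PasswordAuthentication sits inside a Match block.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication no
permitrootlogin no
Match User backup
    PasswordAuthentication no
EOF
audit_sshd "$sample" || echo "$? check(s) failed"
rm -f "$sample"
```

Run audit_sshd against a copy of the host's sshd_config; on hosts where it is available, `sshd -T` prints the configuration the daemon actually resolves and can be used to confirm the result.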

Support Status for Operating Systems and Lifecycle Management

Key for Support Status for Operating Systems and Lifecycle Management table:

  • Testing - This platform is not yet supported by UMN OIT.
  • Active - This platform is currently supported by UMN OIT. New machines will be built with this platform unless otherwise requested.
  • Containment / “Phasing Out” - This platform is currently supported by UMN OIT but no new machines will be built with this platform. Platforms in containment will receive security updates and patches for the UMN OIT supported software components. UMN OIT will not provide new software or major revisions to existing software for these platforms. UMN OIT is actively working to migrate assets away from this platform. Platforms go into this status automatically 6 months before the UMN OIT End of Support Date. Platforms may be placed in this status before that time.
  • EOL - This platform is no longer supported by UMN OIT. Software support will be dropped from any asset running this platform. Other levels of support may be dropped as circumstances warrant. A valid reason is required to maintain an asset running this platform past the End of UMN OIT date. All exceptions must be logged and periodically reviewed.

Windows

Support Status for Windows Operating Systems and Lifecycle Management

The below table provides key information for support of Windows operating systems and lifecycle management.

| System | UMN Support Status | Vendor Release Date | Latest UMN EOL Date | Latest Vendor EOL Date |
|---|---|---|---|---|
| Windows 11 | Active | 20-Sep-2022 | 23H2: 10-Nov-2026; 22H2: 8-Oct-2024 | 23H2: 10-Nov-2026; 22H2: 8-Oct-2024 |
| Windows 10 | Active | 18-Oct-2022 | 14-Oct-2025 | 22H2: 14-Oct-2025 |
| Windows 8 | EOL | 26-Oct-2012 | 10-Jan-2023 | 10-Jan-2023 |
| Windows 7 | EOL | 22-Oct-2009 | 14-Jan-2020 | 14-Jan-2020 |

Windows Server

Support Status for Windows Server Operating Systems and Lifecycle Management

The below table provides key information for support of Windows Server systems and lifecycle management.

| System | UMN Support Status | Vendor Release Date | Latest UMN EOL Date | Latest Vendor EOL Date |
|---|---|---|---|---|
| Windows Server 2025 | Active | 01-Nov-2024 | 10-Oct-2034 | 10-Oct-2034 |
| Windows Server 2022 | Active | 18-Aug-2021 | 14-Oct-2031 | 14-Oct-2031 |
| Windows Server 2019 | Active | 13-Nov-2018 | 9-Jan-2029 | 9-Jan-2029 |
| Windows Server 2016 | Containment | 26-Sep-2016 | 11-Jan-2027 | 11-Jan-2027 |
| Windows Server 2012 | EOL | 4-Sep-2012 | 10-Oct-2023 | 10-Oct-2023 |

RHEL (Red Hat Enterprise Linux)

Support Status for RHEL Operating Systems and Lifecycle Management

The below table provides key information for support of RHEL systems and lifecycle management.

| System | UMN Support Status | Vendor Release Date | Latest UMN EOL Date | Latest Vendor EOL Date |
|---|---|---|---|---|
| RHEL 9 | Active | 18-May-2022 | 31-May-2027 | 31-May-2027 |
| RHEL 7 | EOL (End Of Life) | 10-Jun-2014 | 30-Jun-2025 | 30-Jun-2024 |

Debian

Support Status for Debian Operating Systems and Lifecycle Management

The below table provides key information for support of Debian operating systems and lifecycle management.

| System | UMN Support Status | Vendor Release Date | Latest UMN EOL Date | Latest Vendor EOL Date |
|---|---|---|---|---|
| Debian 12 | Active | 6-Oct-2023 | LTS: 30-Jun-2028 | LTS: 30-Jun-2028 |
| Debian 11 | Containment | 14-Aug-2021 | LTS: 31-Aug-2026 | LTS: 31-Aug-2026 |
| Debian 10 | Containment | 6-Jul-2019 | ELTS: 30-Jun-2027 | LTS: 30-Jun-2024 |
| Debian 8 | EOL | 25-Apr-2015 | ELTS: 30-Jun-2025 | LTS: 30-Jun-2020 |

MacOS

Support Status for Mac Operating Systems and Lifecycle Management

The below table provides key information for support of Mac operating systems and lifecycle management.

| System | UMN Support Status | Vendor Release Date | Latest UMN EOL Date | Latest Vendor EOL Date |
|---|---|---|---|---|
| MacOS Sequoia (15) | Active | N/A | N/A | N/A |
| MacOS Sonoma (14) | Active | N/A | N/A | N/A |
| MacOS Ventura (13) | Containment | N/A | N/A | N/A |

Additional Resources


More information regarding operating system and software status can be found at: