Please allow adequate time (minimum two weeks) to complete these steps by November 1, 2020 or your Windows 7 computer will be blocked from the Lab's network.

For a Windows 7 system to remain online on the Lab's intranet, users must complete the following Compensating Controls defined by Cyber Security. If you have any questions about security policy, send an email to [email protected].

For your convenience, we have created a checklist of tasks to complete by the deadline. Please note that step 4 requires notifying the Help Desk for support. Allow adequate time to complete these steps, as computers without these controls will be blocked on November 1, 2020. If you require help, submit a ticket well before the deadline by sending an email to [email protected] and requesting support.

Windows 7 Compensating Controls Checklist:

  1. Complete the Windows 7 Exception Request

    1. Enter a Windows 7 Exception Request (no longer accepted). This will allow your Windows 7 system to remain online while you complete the compensating controls.

  2. Windows 7 computers must have a static IP address

    1. Computers must be configured with a static IP address. A static IP address can be requested via iprequest.lbl.gov. Once assigned, computers may not change their IP address. This prevents Windows 7 computers from accidentally being exposed to the Internet. For help with configuring your static IP address, send an email to Help Desk.

  3. Windows 7 computers must install the LBL Enterprise BigFix client
    BigFix is used to deploy the Windows 7 ESU license and provides the ability to make changes if needed to react to new threats in the environment.

    1. Determine which BigFix mode to use: Active or Passive.

    2. Download and install LBL BigFix from the software download page.

  4. Windows 7 Extended Service Updates (ESU) deployment

    1. Ensure you have a backup of your system before proceeding with the installation of the Windows 7 ESU license.

    2. If you are not already working with an IT Support Services engineer, you will need to submit a ticket by sending an email to Help Desk to request a Windows 7 ESU license. There is a cost for the license, and additional configuration is required. A project-activity ID will be required. The cost of the license for the first year is $53 per computer and will increase in years two and three. After that point Windows 7 will no longer be updated and the computer will be required to come off the network.

    3. Once a help ticket is created, Endpoint Management will send Windows 7 ESU license information and request the following:

      1. DOE number. If no DOE number is available, provide a serial number.

      2. Hostname of the computer

      3. Schedule a date and time to deploy the Windows 7 ESU software using BigFix. Windows 7 ESU prerequisites will be installed as part of the software deployment.

    4. The computer may reboot between 2 and 8 times at the scheduled date and time. Please allow adequate time for this work.

    5. Verify the ESU license is installed by running the following command from a Command Prompt opened as an administrator: slmgr /dli. Successful installation will report back:

    6. Run Check for Updates to ensure all updates are installed.

  5. Windows 7 Computers Security Posture
    Windows 7 computers must be configured in one of two ways: Zero Access or Limited Access. (Either way, your Windows 7 system will not be used "as usual".)

    1. Zero Access

      1. The firewall must be configured to block all incoming traffic. Windows 7 computers are not allowed to offer services on the network. This includes, but is not limited to, file sharing (UDP 137/138, TCP 139/445) and any remote desktop access (RDP, VNC, TeamViewer, or any other remote desktop software). A Windows 7 system in Zero Access configuration is only accessed from the local console and can only connect out to sites and services inside LBLNet address space. No Internet access will be allowed.

    2. Limited Access

      1. A Windows 7 system in Limited Access configuration must be on a private network, established behind a gateway computer. This allows Remote Desktop access via a hop into the gateway system and another RDP hop into the Windows 7 system(s) on the private network. If file sharing is needed, the gateway system may have a file share configured and secured with either local or domain credentials; files may then be transferred out of the Windows 7 system to the gateway share and accessed on the gateway from LBLNet. If a gateway computer is needed, please Request a Computer.

      2. IT Support Services can provide consulting services for the gateway computer setup, i.e. configuring the private network, firewall, file shares, gateway remote desktop, use of LastPass, etc. To request these services, send an email to Help Desk.

  6. Windows 7 Computers must be removed from the LBL Active Directory (AD)

    1. If the computer is taken out of the domain, ensure the following:

      1. Create a local account and migrate the profile from the domain account to the local account to ensure all installed software can run and tasks can be performed. If your local account is shared by multiple people, the password must be stored in LastPass Password Manager.

      2. Determine all domain resources needed and ensure connectivity to those resources after removal from AD. For example, can you mount network shares? A service account should be used to mount a network share. The service provider may already have a service account established with IDM; check for an existing service account with the service provider. If no service account is available, one must be requested from IDM by sending an email to Help Desk. Please include the AD resource information and service provider. Also note that the service account password will expire after 365 days and will require a reset. Service account passwords must be stored in LastPass Password Manager.

    2. IT Support Services can provide the services necessary to make this possible. To request this service, please send an email to Help Desk.
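
The Zero Access firewall posture from step 5, written out as an added example; this is not a script from the Lab's page or from IT Support Services. It uses the `netsh advfirewall` commands built into Windows 7, run from an elevated PowerShell prompt on the Windows 7 computer. The page does not list LBLNet's address space, so `$LblNet` is a placeholder holding constructed documentation ranges; the rule name is also assumed.

```powershell
# Added example (not the Lab's own script): enforce the step 5 "Zero Access"
# posture with the firewall built into Windows 7, driven through netsh advfirewall.
# Run from an elevated PowerShell prompt on the Windows 7 computer.

# PLACEHOLDER: the page does not list LBLNet's address space; substitute the real
# ranges. The values below are RFC 5737 documentation ranges, constructed for
# illustration only.
$LblNet = '192.0.2.0/24,198.51.100.0/24'

# 1. Firewall on for every profile (domain, private, public).
netsh advfirewall set allprofiles state on

# 2. Default-deny in both directions. Blocking inbound is what stops the host from
#    offering any service (file sharing on UDP 137/138 and TCP 139/445, RDP, VNC,
#    TeamViewer, ...) without having to enumerate ports; blocking outbound is what
#    keeps it off the Internet. The comma is quoted so PowerShell passes one argument.
netsh advfirewall set allprofiles firewallpolicy "blockinbound,blockoutbound"

# 3. Also disable the stock inbound rule groups for the services the page names,
#    so a later switch back to allowinbound does not silently re-expose them.
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=no
netsh advfirewall firewall set rule group="Remote Desktop" new enable=no

# 4. The one outbound exception: LBLNet only. Everything else falls through to the
#    default block. The static IP from step 2 means no DHCP traffic is required.
$ruleName = 'Zero Access - outbound to LBLNet'   # assumed name
netsh advfirewall firewall delete rule name="$ruleName" | Out-Null   # idempotent re-run
netsh advfirewall firewall add rule name="$ruleName" dir=out action=allow `
    profile=any remoteip=$LblNet

# 5. Verify: every profile should show "BlockInbound,BlockOutbound", and each enabled
#    inbound rule that still reads "Action: Allow" should be reviewed and disabled if
#    not needed (Core Networking DHCP entries, for instance, are unneeded on a static IP).
netsh advfirewall show allprofiles | Select-String 'Firewall Policy'
netsh advfirewall firewall show rule name=all dir=in status=enabled |
    Select-String -Pattern '^(Rule Name|Action):'
```

Because the inbound default is block, the host offers nothing on the network regardless of which inbound rules exist, but the verification listing in step 5 is still worth reading: an enabled inbound allow rule is a latent exposure if the policy is ever relaxed. A Limited Access system would differ only in allowing inbound RDP from the gateway's private-network address, as described in step 5.2.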
