Custom vulnerability signature for identifying Windows XP clients
Effective April 8, 2014, Microsoft formally dropped support for the Windows XP operating system. This support moratorium means Microsoft will no longer provide software updates for Windows XP. These software updates frequently fix security vulnerabilities that could lead to a system compromise if left unaddressed. While most enterprises have standardized on newer versions of Windows, there often remains a sizable installed base of Windows XP. Many enterprises may not be aware of how many remnant Windows XP devices are in their network environment.
This custom signature may be used to identify Windows XP hosts based on their web application activity. It looks in HTTP request headers for a User-Agent field that contains the Windows platform identifier string. The default action of this signature is to alert. However, this can easily be overridden to using the "drop" or "reset-client" action in order to block Windows XP hosts from using web applications through the Palo Alto Networks security platform.
Step 1: Create a custom vulnerability object in Objects > Custom Objects > Vulnerability
Step 2: Add a Standard signature type
Step 3: Choose the Transaction scope and add an And Condition
Step 4: Select the Pattern Match operator, the http-req-headers context, and define the following match pattern:
User-Agent:.+Windows NT 5\.|User-Agent:.+Windows XP
Step 5: Done!
This signature can then be included in a Vulnerability Protection profile and applied to rule in your security policy. If Windows XP hosts initiate any web applications through the firewall, informational alerts will be displayed in the Threat logs. A custom report can then be created that will summarize the unique source addresses that have triggered this vulnerability signature.
Note: Microsoft utilizes the "Windows NT 5.2" platform identifier in the User-Agent header for both Windows XP x64 Edition and Windows Server 2003. There is no way to differentiate between these two platforms using this method of identification. If you wish to exempt both platforms from identification, change the pattern match string to the following:
|User-Agent:.+Windows NT 5\.1|User-Agent:.+Windows XP|
- Support for Windows XP for Enterprise Business is ending
- Microsoft Support Lifecycle Policy FAQ
- Understanding user-agent strings (Internet Explorer)
- Palo Alto Networks Will Continue to Protect Windows XP-based Systems
Credit: Special thanks to Arthur Chilipweli of Solutionary for devising this method of identification and sharing his regex pattern.