Joni de Szendeffy is a realist. The director of information technology for the Payson Unified School District knows that on April 8, Microsoft will cease extended product support for its Windows XP operating system, leaving roughly 1,200 PCs in the central Arizona district of 2,500 students to face the world unpatched and potentially vulnerable.
But de Szendeffy also is an optimist. Her department is flush with its first-ever, board-approved IT budget and has a five-year plan to upgrade much of the district's infrastructure. Just last year, she replaced PUSD's 20-year-old network router. And frankly, upgrading the district's server farm, where systems range in age from 9 to 16 years, is just as big a priority as migrating PCs to a modern — and supported — OS.
"Between the filtering we do and the anti-virus systems we run, I think we'll be OK running XP for a while," de Szendeffy says. "We don't want to do it for years, but we should be OK long enough to get a virtual desktop infrastructure in place."
Make no mistake: Replacing all XP systems is part of the district's $2.5 million infrastructure modernization plan. For starters, de Szendeffy will replace PUSD's existing server farm with leased HP blade servers. As the new servers come online, her staff will virtualize most of the district's desktop environment on Windows 7, repurposing the newest PCs to function as dumb terminals and replacing the oldest computers (some of which are 18 years old) with thin clients.
"There's no way I can have everything replaced by that April date," she says. "If it becomes a problem, we'll have to fast-track the desktop virtualization, starting with our labs and moving to the classrooms."
PUSD has experienced the same budgetary constraints that many K–12 districts have faced. Arizona recently slashed education funding by 26 percent and eliminated capital funding for four years. When it comes to acquiring computing resources — whether for administration or classroom learning — PUSD and many districts like it have purchased refurbished PCs.
"We'd buy about 1,200 refurbished computers each year because it's all we could afford," says Bob Walton, information technology officer for Worcester Public Schools, a district of 50 sites serving 25,000 students in Worcester, Mass. "The problem is they come with Windows XP."
That's a problem because, according to the Microsoft Support Lifecycle program, which the company introduced in 2002 to provide at least 10 years of support for its major OS and productivity products, Windows XP won't receive any support — including security updates — past April 8.
This was news to the school board when de Szendeffy outlined the situation in March 2013. At that point, PUSD had been buying refurbished XP machines for five years. "They knew we were behind the times," she says, "but they had no idea how bad it was."
31% The share of desktop PCs still running Windows XP as of December 2013
The board eventually approved de Szendeffy's plan, triggering a formal request for proposals in November. Deployment may not begin until early 2014, putting PUSD in the position of temporarily living with Windows XP beyond the cutoff date.
Walton didn't want to risk that possibility, however, and began his funding push two years ago. His district owns 7,400 PCs, 80 percent of which still run Windows XP. "This is a huge problem — not on the scale of Y2K, but there should be some concern on that level," he says.
To emphasize the point to his board, Walton convened a committee of IT professionals from local businesses and higher education to examine the district's needs. Its top concern: the end of Windows XP support. "We realized we needed to address the issue this fiscal year," Walton continues. "If we didn't get the school committee to approve the extra funds by May 2013, we would be behind the eight ball come April 2014."
It helped that Worcester had experienced XP vulnerabilities firsthand. The district had installed an XP-based appliance on its network solely to stream its educational channel. It turned off Microsoft Windows Update to keep the appliance functioning 24/7.
So there it sat — unpatched — until the appliance stopped working because it had been infected by a worm. "I told the school committee that if we don't address our XP problem, we could come in on April 9 and have almost 7,000 nonfunctional computers," Walton says.
Like PUSD, Worcester will lease its new systems, turning desktop computing into an operational expense rather than a capital one. Its board approved a five-year, $5.9 million plan covering new PCs, installation and Microsoft software licensing. The district will receive about 1,500 Windows 7–based PCs per month through March 2014. Walton says that while Windows 7 is a proven technology, Windows 8 is "too much of a leap."
"At the end of the lease, we'll either enter a new lease or look at different technology," he explains. "Technology changes quickly. We may be looking at tablets or laptops or something that hasn't been invented yet."
Meanwhile, as PUSD plans to virtualize its desktops, it's also rolling out tablets to students in grades K–5 and Chromebooks in grades 6–12. "Ultimately, most of the classroom PCs will be eliminated," de Szendeffy says.
As part of the process, PUSD is reviewing and testing all of the software running on its PCs. The IT department already has discovered high-performance lab computers that can't be virtualized. Plus, the review helps determine capacity and map applications to server blades. For example, blades serving desktop users who require video-based curricula will likely handle half the users that other blades will, according to de Szendeffy.
"Careful planning is critical," says Kurt Gazow, manager of information technology for Evergreen Public Schools in Vancouver, Wash., which has 6,000 PCs at more than 30 sites running Windows XP. "We'll be utilizing a diverse test group to ensure we keep the impact of any configuration problems small."
Gazow says his group is gathering feedback from across the district in order to test and tweak its software image, general settings, group policies, logins and more. "Once the core solution set has been tested and documented, we will begin the deployment process," he says. He acknowledges, however, that it might take them until after April 8 to complete the job.
PUSD's de Szendeffy is in the same boat. She says her district completely left Windows 98 in the rearview mirror just a couple of years ago and didn't experience major problems. With so much on her plate, she must constantly assess risk. For example, implementing Gigabit Ethernet to support the virtual desktop infrastructure also is part of the modernization plan.
"I have to concentrate on where I feel the most vulnerability, and right now it's at the server level," she explains. "I'm keeping my fingers crossed that XP will remain stable the way 98 was stable."
Why the rush to replace Windows XP systems with something more modern? Because hackers might be waiting in the wings.
"There's a concern that hackers are holding back on vulnerabilities they've found in Windows XP until support ends," says Michael Silver, research vice president for Gartner's client and mobile computing group. "Every time Microsoft fixes something in Windows Vista, 7 or 8 after support ends for XP, it could provide a potential roadmap for what's still wrong with Windows XP."
Bob Walton, information technology officer for Worcester (Mass.) Public Schools, is similarly concerned. "People have become complacent about viruses, spam and malware," he says. "We haven't seen any huge attacks lately. Hackers are holding back on exploits for XP because if you release an exploit now, Microsoft will still patch it. So why waste it?"
Silver estimates that on April 9, the day after Microsoft ends support for Windows XP, as many as 25 percent of enterprise PCs will still be running Windows XP. "That figure will decline sharply by the end of 2014," he says.
He advises organizations not only to anticipate application compatibility issues,
but also to approach migrating to a new OS as an opportunity to clean out unused or unnecessary software, which could leave open holes for hackers to exploit.
"Keep in mind that just because a program is unauthorized doesn't mean it's not important or business-related to some user," Silver warns.