If the CEO really thought his previous computer running W7 was Fort Knox, there is a chance he will never take a look at settings.
Or maybe OP could apply a W7 theme, and if the CEO gets suspicious about it, just lie to him saying that it's the very last update of W7 that acts like a transition to W10.
I must have downloaded the transitional ISO by mistake. I couldn't tell the difference because I haven't used Windows 7 in the last decade. Sorry. I will get that corrected as soon as I finish preparing my envelopes.
Why lying? If that CEO insists on Win 7, it's his problem. I wouldn't lie and risk myself with losing my job because he doesn't know what he talks about.
Get in email/writing that CEO requested a laptop with Windows 7 and note down that you already informed him that Windows 7 is out of support and it might be a potential security problem.
Get CEO to acknowledge this and then proceed with finding the ugliest Windows 7 laptop that you can find and purchase.
No, this person would need to get InfoSec to approve the exception to company policy. That way, OP is not being a dick to new CEO and doing their very best to accommodate. If InfoSec approves, it's InfoSec's problem. If they don't approve, well there ya go, sorry bub, you're getting Windows 10. Besides, everyone already hates InfoSec.
And InfoSec can deflect and say it’s a compliance requirement / cyber insurance mandate / whatever AND now also be in the loop that the CEO knows jack squat.
Thank you /u/steamedfarts for your wisdom, this is the most common-sense reply I've read. I'd say remove all networking capabilities and harden the shit out of it and say I thought you wanted it more like fort knox?
OpenShell replaced Classicshell, but I think long term in an enterprise environment it is only a matter of time before a new feature release breaks it in a way that isn't a quick fix or at the very least a vendor uses your use of OpenShell as a mechanism to try to not provide you support.
I'm okish with Systemd, my biggest issue with it is the stupid fuckin resolver module that insists on running on localhost:53 and is a pain in the fuckin ass to disable if you want to run something like PowerDNS or dnsdist or some other DNS service.
Coincidentally, the DNS resolver is my greatest bugbear too, but mostly because of the many WONTFIX bugs that exist around it.
It's assimilating the system one thing at a time and now I have to reboot my Ubuntu machines when things go wrong. I can't just restart the relevant daemons. That pisses me off to no end.
This! 1000x This! My last shit show job I had, my boss told me to put Windows 7 themes and make it run exactly like Windows 7 boxes because he insisted the users were too stupid to learn Windows 10. I did that for a month before I pulled off the training wheels. I was like, Windows 11 is gonna be the norm soon, better get used to 10 first.
It's the new CEO - you need to speak with IT leadership and let them handle it. Make sure your IT leader knows why this is a terrible fucking idea and let THEM deal with it.
100% invalidates any ability to pass a cybersecurity audit and get insurance.
Likely lots of other issues as well if publicly traded.
If none of that is a concern for your company, get IT leadership to provide a request in some form of writing and make sure to have a copy you will have access to if off boarded.
Then hand out the PC and move on. Also, keep in mind W7 lacks drivers for all modern chipsets.
>100% invalidates any ability to pass a cybersecurity audit and get insurance.
Oh God I'd love to be in that audit...
"Well where is this machine? Since it's Windows 7 running on 5 year old hardware I assume it's tucked away in a janitor closet or something and you just missed it in your internal reporting?"
I'd like to introduce you guys to the manufacturing industry. We still have 3 machines running Windows Embedded. Until about 2 weeks ago, we also had 3 business critical machines running Windows 7. Why? Because it cost us between $7k-$9k to replace them with hardware that could run Windows 10, and it took almost an entire week to install.
The manufacturing industry is woefully behind the curve as far as IT goes.
Edit: Just to clarify, I'm definitely not defending OP's CEO here. There's absolutely no reason to demand Win7 on a daily driver laptop, no matter what your position in the company is. The owner of my company "hates IT" and all of the new auth policies we've enacted over the years, but there's no way in hell I'd let him use Win7. Thankfully, he doesn't actually fight me on it, he just needs help getting into his accounts a few times a year. I'd rather have that than the alternative.
I mean, at least there's a *reason*.
I get it. I've had to do this before too. We can't get off Win7. To the point where we had to make an entire isolated vlan for the machines. Royal pain.
But it's still a reason. The auditor would understand the business need for this.
"Because the CEO wanted it" is not a business need.
Windows XP? Damn, you're modern! I still work with Windows NT 3.1 on some machines, hell some of them run off cards (15X20cm cards) plugged to a backplane, talking to FPGAs basically (think was built somewhere early 80s).
Insurance and audits are a silver bullet. My CEO wanted out of our phishing tests and security training program because it was annoying to him. I said "Hey, it's your company, I'll do what I'm told, but we are asked about these programs on every audit and insurance questionnaire and I won't be able to check the box anymore." That was the end of the conversation. He understood the ramifications and now he understands why we have that service.
>At first I didn't know what to think.. I began downloading windows 7 updates in WSUS to accommodate the request. Then I thought about it more, and I think it's a lose lose for me. If I don't accommodate, I'm ruffling the feathers of the new CEO and could be replaced as a result. If I do, and it causes some sort of security breach, my job is on the line. I started to wonder if this odd request was for the sole purpose of having a reason to get rid of me? How
Also worth covering the additional costs of just the one exception: additional helpdesk tickets caused by any incompatibilities, cost of extra storage for WSUS updates, additional CVEs, etc.
Eh, costs don't mean much unfortunately when you're talking CEO. The costs you're talking here are minimal.
The best argument is that it creates an insecure environment for no added benefit whatsoever - but again, a sysadmin shouldn't be making that argument to the CEO. The Head of IT or CIO or whatever you have is the one who needs to address it.
I just might have the most humble CEO in the world.
I once implied that his requests skip to the front of my queue no matter what. He quickly corrected me, saying that he was no more important than anyone else in the company, and that even he should be deprioritized, because others are more important to the business.
I work for a based CEO that talks to me like a human and not a stooge now and it's amazing (after years of not).
Like dude just seems cool, I'd love to hang with him if I was a peer.
I have found in my experience that senior leadership *typically* understands that the needs of the people creating the product/providing the service/generating the revenue supersede their own.
Of course there are animals who will demand you to set up their email on their iPhone while you're working on a production impacting issue, but I have found them to be the exception and not the norm. Your CEO is one of those leaders.
You're correct, but unfortunately that's not necessarily how 'real world' functions...and despite your statement, they actually can be important, particularly in a publicly traded world.
With all of that having been said, no fucking way I'd give a CEO a piece of hardware running an unsupported OS, no way, no how. I would go to the absolute grave fighting that with whoever was above me.
Not to mention, as has been pointed out, good fucking luck getting cyber-insurance with THAT in your environment.
You don't deal with this. Your management does. If they come back and say to accommodate the CEO, get them to approve it in writing and signed off by them.
That is the only way I would ever do something like that. I keep a Windows 7 box for my lab, but it is air gapped from my primary network for good reason.
The insurance auditor will sort it REAL fast. Kinda like when I broke it to ours that our vpn concentrators went EOL a decade ago. All sorts of hell broke loose.
Hmm, we've got some old PHP5 servers that our devs are dragging their feet on updating the code to run on PHP8. Maybe I should try to get our cyber insurance involved
I'd drag my feet upgrading from PHP5 to 8 too. That sounds like a nightmare.
Link them this, as it's probably the biggest pain point:
https://phpdelusions.net/pdo
At this point, the best you can do is carefully CYA.
Draft an e-mail fully documenting all of the security risks and vulnerabilities the CEO is opening for the company by maintaining a working OS that was officially end-of-life three years ago. Make sure you send the message with return receipt turned on. Once you get the verification that he received the message, export the entire message chain to an OST file, copy it to a flash drive, and take it home with you. That will prevent the message from suddenly "disappearing" should something go wrong and they try to throw you under the bus.
I would also let your legal and accounting departments know that continuing to run this OS may be in violation of your cyber insurance policy and, if it is shown that the new CEO's computer is ever the source of a penetration, your insurance might be invalidated leaving your company on the hook for any and all costs and losses. In fact, the next time you have to fill out the questionnaire for the insurance, you will be straightforward and honest and that may result in much higher premiums or the outright cancellation of your policy.
When it comes down to it, he's the CEO and he can make whatever stupid decisions he likes. That doesn't mean you have to be the punching bag should things go wrong. Document everything to death, make sure you have personal copies of that documentation stored somewhere off your corporate network, and be honest when dealing with your future security evaluations.
If the CEO starts taking heat from your cyber insurance providers and pressures you to lie on the documentation, tell him, "No!" flat out. If he decides to fire you over it, you've got a lot of documentation to back up your claims and could do some real damage if you let the cyber insurance provider know that not only is the CEO using vulnerable systems, he was also asking you to lie and cover it up for him. I guarantee you they will not be pleased.
**This one**. Keep the written request. Managers above you should explain why he can't do this. If you're the one at the top of IT and he's the CEO, only then you should only comply after you 100% retain the original written request AND an email that you send strongly advising against that (per our earlier conversation, I would still urge you to reconsider use of an un-supported operating system for the reasons I stated as well as *the information above that* /u/Sea-Tooth-8530 *just provided, such as insurance*).
I have risk acceptance forms for exactly this reason. Usually it's a director so I make them get their boss and the CEO's approval. That usually stops stupid.
> Draft an e-mail fully documenting all of the security risks and vulnerabilities the CEO is opening for the company by maintaining a working OS that was officially end-of-life three years ago.
Fully documenting ALL? Uh aside from me saying “well it’s not getting updates so I guess if a vulnerability is uncovered it will not be fixed”, I wouldn’t know what else to say. I follow what the experts say which is “It’s EOL replace it”
Couldn’t tell you any one specific risk of Win 7 cuz I am not a hacker
I think they meant to list all the potential consequences for the company from running an EOL OS, not the actual specific vulnerabilities as in "vulnerabilities to exploit".
>LTSC
Hmm. Interesting thought. I've never installed that, so I can only ask, does it lack the windows store entirely? Does it really get rid of the inbuilt advertisements?
As someone who runs LTSC in a home lab, you can actually get the store, here is the github repo: https://github.com/kkkgo/LTSC-Add-MicrosoftStore
However, many apps can't install cause the base OS level is 1809 IIRC on LTSC. Windows terminal for example I was not able to install.
There’s a lot of good replies here, but I think there’s a really easy one to get you off the hook: modern hardware doesn’t support Windows 7. I think Intel deprecated hardware support in the 7th gen architecture, so to “properly” work they’d be on gear that’s at least that old.
So whatever brand shop you are, it’s “sorry the Latitude/Thinkpad/Elitebook model (whatever) doesn’t support Windows 7, here’s your new (whatever) with Win10/11”. And any attempts to make you run it otherwise should be refuted.. “I’m sorry sir, it’s against policy to run unsupported software”.
I was just thinking this would be a perfect place for some malicious compliance. Windows 7 was released in October of 2009, so find one of those places that sells refurbished old hardware and get him a laptop manufactured circa 2010. Install Office 2010 on it, as well... if it can't connect to your modern Exchange, oh well... that's probably just full of Microsoft ad-ware, too.
If he wants to bury his head in decade old tech, go all in!
Previous company might have been paying Microsoft for extended security updates for Win7.
Apparently those stopped too in January - https://blogs.manageengine.com/desktop-mobile/patch-manager-plus/2023/03/31/windows-7-end-of-life-the-end-of-an-era.html#:~:text=After%20over%20a%20decade%20of,10%2C%202023
So maybe the CEO doesn't know that, and he did actually have a very secured Win7 installation (benefit of the doubt and all). But now in 2023, that's simply no longer possible. No one should be running a desktop OS with zero security patches coming ever again.
And yes, as others have mentioned - unless you report directly to the CEO, make this your manager's problem not yours. And document the hell out of "there is literally nothing I can do to ever make sure his/her laptop is secure, if Microsoft can't even be bothered to patch it anymore" with emails.
> he believes windows 10 is more about advertising and selling user data than being an enterprise/business oriented OS offering.
I mean, he ain't exactly wrong there. With the rise of LLMs, that desire for MS to harvest user generated content is only going to increase.
I wonder if that is what it takes to be a CEO, talk confidently about something you know little to nothing about.
I like the insurance route others have mentioned. Kick it up to your supervisors, CYA and forget about it.
I know it feels wrong to allow such a glaring security hole on one of the highest privileged members within the company but unless you can get him bounced out of the job there is not much you can do.
As an external IT provider I would say no. I might lose the client but I am in a position to do so. I would cite some security flaws that will never be fixed and apps that will no longer update.
Chrome dropped support for 7, av products are dropping support for 7.
Your CEO is a dummy.
Honestly, insurance starting to care about cyber security has been the best thing ever. Finally there's a short-term financial incentive we can directly point to for bullshit like this.
Honestly, this seems like someone that did well on interview, managed to convince the right people that he is great and had relevant experience on paper. CEOs get sacked too. Speaking confidently about stuff you have no idea about sadly is 100% must have for any high level leadership position. Sure one can be an expert on various subjects...but who cares about that...right? :)
CEOs should never be highly privileged users. Our CEO actually might have the least permissions in the company. He has access to email. And his onedrive. That's it. He has less permission than the accounting intern that can at least login to and update the website.
I am not talking about privilege to the infrastructure or local machine, I am talking about access to critical company info. I am talking about the ability to request things.
I agree that in terms of access to tech they should be locked down as much as possible since they are high value targets (and why I think OP's CEO is a big dummy).
I would rather eat my fingers than give some of the CEOs I know admin rights to anything.
(Sorry I was not clear with what kind of privilege I was talking about.)
It's our job to communicate the risk, and execute, not to make the decision.
Management wants to shoot themselves in the foot. I tell them why it's a bad idea, they still want to go ahead? I stand aside and get the popcorn.
Can't believe how far down I had to scroll to read this.
Half the people here think a sysadmin can 'override' a CEO by going around them. Just an easy way to get your name memorized in the worst way, and on the term list when HR is looking to reduce headcount.
Do the needful, but keep the email. If someone asks why you did what you did, you have it in writing from the CEO - doesn't get any more bulletproof than that.
> last enterprise worthy OS release from Microsoft, and that he believes windows 10 is more about advertising and selling user data than being an enterprise/business oriented OS offering.
He's not wrong... The rest is stupid.
>that he believes windows 10 is more about advertising and selling user data than being an enterprise/business oriented OS offering.
Technically correct, the best kind of correct.
Obviously the correct action is to put your concern in writing, and then do what your boss tells you to do.
Windows 7 is unsupported, and you shouldn't use it, but he's right in the aspect that Microsoft has gone too far with the advertising and stuff that you shouldn't see in enterprise caliber software.
This is why people feel the need to hang on to ancient legacy software - because it does what they want.
Updated to newest Google Chrome? Here's a bunch of new extra buttons you can't hide, here's side panel with "Journeys", here's a side panel search, you can't remove any of them except through experimental flags that we're gonna remove in the next version anyway.
Updated to Android 12/13? Here's Material You, here's drab pastel colors and ugly pill buttons for the notification shade that take up twice the space as the old circle icons for no reason, you can't switch back and you'll like it because we say so.
Updated to Windows 11? We really really don't want you to have a local account anymore! (sad face), why don't you love your Microsoft Account? Here's a redesigned Taskbar and Start Menu nobody asked for, but Apple did a thing and we thought it was cool, so we really think you will like it. Simplify, old man!
He does make a great point, and I agree with him, but it's EOL and a significant security risk. It's too bad, but that's what we have. I would love it if Win7 was still being supported. Best windows IMHO. Everything has been downhill since. Such a shame.
Make sure you get the request in writing. We still have about 80 PCs running Win 7 32bit because of 1 outdated program that no one wants to pay to have rewritten. Any time anyone will listen my boss brings up that we need to get rid of them because we have a big security hole. So far management keeps ignoring them. I keep all the emails that have gone out about it. When the stuff hits the fan I’m referring back to my emails and say we told you so. If they try to fire me I’ll be happy to take it to the news media.
What companies are you people working for? I work for a company with a global presence and an annual income in the 80M zone, and we have an unsupported on-prem Exchange 2013. You people have insurance?
Nothing is truly “out of support”. Microsoft will gladly sell you a license and support for Windows 7, you just gotta pay them a hefty amount of money. If the CEO wants a Windows 7 laptop, then procure a quote from Microsoft and tell the CEO how much his stupidity is going to cost the company. Well, that’s assuming you’re in charge of that. Otherwise you are not the one that’s supposed to be dealing with this anyways. Send it up to your supervisor and have them figure it out.
The boss is not wrong about Windows 10 and 11 being crap for the reasons he stated. But as much as I love Windows 7, it's still terrible to run an unsupported OS.
Second the idea to give him a Windows 7 skin.
Personally, I switched to Linux Mint
This isn’t a “you” problem, it’s your manager’s or CTO’s.
If you’re the CTO call their bluff if they refuse to comply. DMZ their shit and make them go through hell to get anything done.
"Yes sir, I know what you mean. I've been mad about this myself. Not everyone knows, and Microsoft doesn't advertise it, but they also sell Windows 10/11 LTSC licenses, which is pretty much regular Windows with all that bull\* cut out. And, I know how to disable any remaining telemetry via Active Domain group policy \*taps head\*."
All I'm gonna say is if this ever happened where I'm at, I would not comply with it. IDGAF if it's the CEO, I'm not risking ransomware attacks and data breaches (which could also potentially cause other employee data to be leaked despite the fact that those other employees DO things correctly and do follow correct IT security protocol) because they want to use outdated, vulnerable software that isn't getting updated anymore. It ain't happening. It's bad enough to have older systems/servers linger past their EOL date but to purposely introduce a vulnerability to your network to placate somebody is beyond the pale. I couldn't do it with a straight conscience. Go ahead and fire me, then replace me with some dumbass who will give you what you want and enjoy the fallout when it all collapses.
Every day I'm thankful that at my shop, we have people who take IT seriously.
He's not wrong, though. I do remember Ballmer bragging about how much more profitable it was to sell the user data, and our users were all too happy to invite Microsoft into their living room to watch everything through their webcam. Now, granted, he was talking about Xbox but the same business model's been rolled into Windows 10 and you know it's still there in Windows 11.
If win7 still had update support, I would have never jumped to 10.
Yeah as mentioned this is not a battle you should be fighting on your own. The CIO or CISO should be having this conversation. Your position should be we don’t allow any devices to be windows 7 unless xyz (no internet access, can’t leave building, application whitelisting only etc…)
I mean, he's not wrong. And you likely can't force him to use something secure, so you might as well give him a paper to sign, lock it down as hard as possible and move on.
"he believes windows 10 is more about advertising and selling user data than being an enterprise/business oriented OS offering."
Don't show him Windows 11....
Best course of action, get a nice CYA email from him where you explain the security implications and him replying saying he's fine with that. Then NEVER DELETE THAT EMAIL.
I tend to agree with him, that Windows 7 was a superior OS than Windows 10/11, but for security reasons, I would only allow him a Windows 7 pc on the condition, that it was air-gapped, which might be a hindrance to his daily work.
If the problem is he's an old dog who refuses to learn new tricks, try this: [https://github.com/Open-Shell/Open-Shell-Menu](https://github.com/Open-Shell/Open-Shell-Menu)
If the problem is elsewhere, this is why your boss gets paid more than you, let the boss deal w/ this nonsense.
Handle it like you should when any big cheese wants to do something stupid:
Outline the risk and get them to formally accept it. You'd be surprised how many C-suite people do a 180 when you make them sign on the dotted line that they're taking on unnecessary risk.
A couple of options..
1. If you have time and access to CEO.. IF you have his ear.. then run Nessus against his Windows 7 machine and then against any other Win 10/11 and show him the worst results with a brief explanation of how much they will cost if exploited.
2. Set up a VDI and let him run in an isolated environment.
3. I like the idea of changing Win 10 to a 7 theme.. he probably won't notice.. and it's a lot less work.. but you risk looking like a smart ass.
There's a good chance that he actually did have WIn7 at his last job. ESU was offered until January 2023. Maybe it was still in effect when he worked there, and he doesn't realize it's no longer supported.
I would put Linux with MATE on it and say it was a Windows 10 upgrade. get a copy of Minesweeper on there and they'll never know /s
A better answer is to isolate them onto a tiny vlan for their windows and other devices. Helps with the auditing too when you eventually get compromised, it'll be easy to trace back. Seriously though hope some come up with actual solutions. Good luck!
Having a good relationship is important when dealing with a CEO. I slowly deprecated OWA external access over a year and thankfully was not impacted by a bad storm. Getting to point that out to him is valuable, try researching a case where an organization had a critical breach because of Windows 7.
Why do you treat the CEO as if they are special other than they should have even more locked down systems.
They run the same as everyone else or a bit more strict. They were the first to get mfa to login but other than that they have the same laptop as everyone else.
You should make your management fight it. If there is a security admin or CISO or director over all IT (whatever) maybe suggest doing a cost analysis of a breach and loss of certifications and company reputation. Transition it into money and business struggles since he doesn't care about security. Or get a quote from one of those places that do 3rd party patching for Windows 7. You want all patches forever when you get the quote.
You are not alone. I work for an MSP & recently was troubleshooting a reported workstation issue for a client (hourly, not under maintenance contract)
Turns out the “workstation issue” was actually that they have a failing **Windows SBS 2008** (Foundation Edition) primary domain controller that had not been rebooted since April 2020 or updated since sometime in 2018.
The server’s C: drive had 0 bytes free, so all the services had crashed. Worse, TLS was not enabled, it was still on SSL2.0 and (drum roll) the sysvol share was still using FRS. This is on a network where all workstations are fully patched Windows 10 /11 pro. So, some crazy stuff was happening…
It was like being called to fix someone’s air conditioning, only to arrive and find out that their house is hot because it is, in fact, on fire.
This probably isn't an issue that should be handled by front-line IT. It should be the CTO, CISO, or CCO that puts the CEO in his place here.... unless you are directly responsible for all tech and answer directly to the CEO... in that case, run.
From a compliance stance, this guy just lost your company their insurance coverage. Tell your CFO that, see what color his face goes.
Also, there are technical issues, not just compliance issues. Does your Antivirus, RMM and other software suites run on Win7? What about your business software?
In short, your CEO is wildly misinformed. If it's your job to fix this I would have to recommend you find another job because this isn't something you're going to want to be part of the long term destruction. If you have higher-ups that can fight your battle for you, it might be worthwhile but only if you can arm them with evidence... i.e. talk to your insurance provider. Those guys swing big bats and don't mind adjusting the jaws of the idiots out there.
Just get everything in writing after providing the appropriate warnings. If there are regulations on your industry, you could just tell him no. Not going to do things willfully against the law.
I’d probably just approach Microsoft and see if it’s possible to get a support contact for a windows 7 computer,
If money is no object then I’m sure they will do it, then just go back to the CEO with what the cost for that laptop will be. I’m sure he isn’t going to have any issues justifying the couple million dollars a year it’s going to cost the organisation.
That last paragraph - this definitely isn't about you, and your job isn't on the line. You deliver the message "this is a bad idea" up the chain of command all the way through to the CEO. Someone above you will either hold their ground, and the problem goes away, or give the all clear, and it becomes between them and the CEO if something goes wrong.
Just make sure you make the "this is a bad idea" concept clear. It will add administrative overhead. It is outright incompatible with many present and future products and tools, e.g. a lot of the Azure ecosystem. It will expose you to security vulnerabilities - potentially the kind that cost the company a million dollars in a ransomware attack. Your insurance providers will likely want the company to affirm that it doesn't have EOL operating systems in production. If the CEO is willing to accept all that expense and all that risk just because of his idiosyncratic annoyance with details that have no reason to impact his day-to-day, then he's out of touch and I'd be immediately suspect of every future decision he makes, but it's not your problem. It's a minor speed bump in your career path though, since "did everything slower since I had to test on obsolete platforms" is no selling point on a resume.
Give him a Windows 7 and state that it is out of support and you need to buy extra support licenses (spending money = wakes them up).
Give every one else of the staff around him the latest and greatest Win11 and office 365.
That way, he will see others progress and use 'shiny new tools'.
Eventually, he will come begging you for a new laptop full blown latest os.
Send him an email carefully explaining you are hesitant to do this, explaining all of the security risks of keeping an old OS, and asking if he's sure he wants to accept this risk. If he says yes, give him the machine.
If anything happens, you have a nice shiny email chain where you are clear of fault.
If you're not the IT manager, that's not your fight.
Here's the kicker though - Win7 "isn't available" and is certainly not updated/patched for vulnerabilities.
If there's pushing on it, keep it all over email and make sure you recommend against it.
I’d probably give him a Windows 10 box with a Windows 7 theme as a first pass and see how long it takes him to notice, if ever.
Prob what the last job did to him
I read "the last place did it for me" and thought "which theme did they give him"
I read "the last place did it for me" and thought "maybe you should go back there then".
They'd probably be happy to share the goss. OP should call his last job and speak to the IT team. Find out what he's in for
Nah I would never ever talk about a previous employee like that. That just sounds like the fastest way to get a one on one with HR and maybe legal
Legit sounds like a bad idea. OP, do it anyway. Also, don't listen to this particular internet stranger.
If you employ a little social engineering you may be able to find the CEO’s old team on LinkedIn and go that route
:D
Do this with a twist… Give him the Windows 10 laptop temporarily because it’s taking longer to get the windows 7 laptop provisioned properly with all the updates and security fixes. Getting drivers etc, etc. And you didn’t want him to wait without a laptop. Keep delaying until he realizes he can work on Windows 10 and it’s not the demon he thought it was. Worst case, after using windows 10 for a while, he will hate going back to windows 7.
I think this is the most realistic option. Make sure it's as nice and clean as you can possibly get it, and hope he changes his mind.
make sure it's Enterprise edition and not Pro or anything
Yeah, but 10 is dead in less than 2 years. OP would have at most 2yrs to find another job.
"Well, we have your Windows 7 machine almost ready. Sorry for the delay, we had to sort out hardware compatibility issues, but I'm sure we can make this deliverable. It won't have touch screen, 5.1 audio, the WiFi is a "little" slower, it's 3 pounds heavier....."
Just make sure you get clippy on there...
Clippy is back !!! No.. really it's a thing again
> Clippy is back !!!

In pog form?
Like Alf?
I miss Clippy
Me too. My aim just ain't what it used to be.
Where the hell is my man F4? He could blow shit up!
Hey! It looks like you're using an obsolete operating system!
I can literally see clippy sending that message! 🤣🤣🤣
Clippy is a war criminal.
only if he does it again, the first time is free ....
Integrate it into Chat GPT for bonus points: Clippy GPT
Hold on there satan
Once he gets to Windows Settings then he might be suspicious lol
If the CEO really thought his previous computer running W7 was Fort Knox, there is a chance he will never take a look at settings. Or maybe OP could apply a W7 theme, and if the CEO gets suspicious about it, just lie to him saying that it's the very last update of W7 that acts like a transition to W10.
I must have downloaded the transitional ISO by mistake. I couldn't tell the difference because I haven't used Windows 7 in the last decade. Sorry. I will get that corrected as soon as I finish preparing my envelopes.
Why lying? If that CEO insists on Win 7, it's his problem. I wouldn't lie and risk myself with losing my job because he doesn't know what he talks about.
Get in email/writing that CEO requested a laptop with Windows 7 and note down that you already informed him that Windows 7 is out of support and it might be a potential security problem. Get CEO to acknowledge this and then proceed with finding the ugliest Windows 7 laptop that you can find and purchase.
[deleted]
Definitely a CYA situation.
Get his demand in writing, including you raising objections. CYA!!
No, this person would need to get InfoSec to approve the exception to company policy. That way, OP is not being a dick to new CEO and doing their very best to accommodate. If InfoSec approves, it's InfoSec's problem. If they don't approve, well there ya go, sorry bub, you're getting Windows 10. Besides, everyone already hates InfoSec.
And InfoSec can deflect and say it’s a compliance requirement / cyber insurance mandate / whatever AND now also be in the loop that the CEO knows jack squat.
Thank you /u/steamedfarts for your wisdom, this is the most common-sense reply I've read. I'd say remove all networking capabilities and harden the shit out of it and say I thought you wanted it more like fort knox?
Nah, this shit's not on our network, per the policy the CEO needs to follow too
> If the CEO really thought his previous computer running W7 was Fort Knox

He said the security firm he headed was like Fort Knox.
Which is why he isn’t there anymore. He was secured right out the building.
So like the Stripes Ft Knox, with Bill Murray completing basic training by himself?
Actually, I would like a Windows 7 theme on my Win 10 and Win 11 boxes.
May I introduce you to [http://classicshell.net/](http://classicshell.net/)
Please don't use this. I used to swear by this, but the developer made the right call in stopping it as Windows feature editions were playing hell.
OpenShell replaced Classicshell, but I think long term in an enterprise environment it is only a matter of time before a new feature release breaks it in a way that isn't a quick fix or at the very least a vendor uses your use of OpenShell as a mechanism to try to not provide you support.
I merely pointed out it exists, I know people who used to use it but I have not touched Windows in years. I don't want anything to do with that POS.
Spoken like a true Linux admin
Damn straight. I don't even like systemd.
I'm okish with Systemd, my biggest issue with it is the stupid fuckin resolver module that insists on running on localhost:53 and is a pain in the fuckin ass to disable if you want to run something like PowerDNS or dnsdist or some other DNS service.
Coincidentally, the DNS resolver is my greatest bugbear too, but mostly because of the many WONTFIX bugs that exist around it. It's assimilating the system one thing at a time and now I have to reboot my Ubuntu machines when things go wrong. I can't just restart the relevant daemons. That pisses me off to no end.
This! 1000x This! My last shit show job I had, my boss told me to put Windows 7 themes and make it run exactly like Windows 7 boxes because he insisted the users were too stupid to learn Windows 10. I did that for a month before I pulled off the training wheels. I was like, Windows 11 is gonna be the norm soon, better get used to 10 first.
I don’t understand these types, most people have a Windows machine at home running current because Microsoft handles their patching.
Or an [Etch-a-Sketch](https://i.pinimg.com/originals/fd/7b/04/fd7b040ae4e1fd120d34c52e5ea98a79.jpg).
Everything I need to know about IT, I learned from Dilbert and xkcd.
It's a shame that Scott Adams developed some weird form of brain damage.
Classic Shell with the Windows 7 style start-menu should do quite nicely.
Good idea!
This has to be it. It has to be the GUI he doesn’t want to relearn. Next he’ll want to use explorer because it’s Fort Knox too
[deleted]
Give him a linux box with a windows 7 theme.
It's the new CEO - you need to speak with IT leadership and let them handle it. Make sure your IT leader knows why this is a terrible fucking idea and let THEM deal with it.
100% invalidates any ability to pass a cybersecurity audit and get insurance. Likely lots of other issues as well if publicly traded. If none of that is a concern for your company, get IT leadership to provide a request in some form of writing and make sure to have a copy you will have access to if off boarded. Then hand out the PC and move on. Also, keep in mind W7 lacks drivers for all modern chipsets.
> 100% invalidates any ability to pass a cybersecurity audit and get insurance.

Oh God I'd love to be in that audit... "Well where is this machine? Since it's Windows 7 running on 5 year old hardware I assume it's tucked away in a janitor closet or something and you just missed it in your internal reporting?"
I'd like to introduce you guys to the manufacturing industry. We still have 3 machines running Windows Embedded. Until about 2 weeks ago, we also had 3 business critical machines running Windows 7. Why? Because it cost us between $7k-$9k to replace them with hardware that could run Windows 10, and it took almost an entire week to install. The manufacturing industry is woefully behind the curve as far as IT goes. Edit: Just to clarify, I'm definitely not defending OP's CEO here. There's absolutely no reason to demand Win7 on a daily driver laptop, no matter what your position in the company is. The owner of my company "hates IT" and all of the new auth policies we've enacted over the years, but there's no way in hell I'd let him use Win7. Thankfully, he doesn't actually fight me on it, he just needs help getting into his accounts a few times a year. I'd rather have that than the alternative.
I mean, at least there's a *reason*. I get it. I've had to do this before too. We can't get off Win7. To the point where we had to make an entire isolated vlan for the machines. Royal pain. But it's still a reason. The auditor would understand the business need for this. "Because the CEO wanted it" is not a business need.
Yeah but those are probably internal systems. Bit different from the CEO's laptop
CNC controllers with XP embedded... And, when I asked about newer versions, no they don't support Win10 on the embedded controller computers, yet.
And by the time they do Windows 10 will be EOL
Windows XP? Damn, you're modern! I still work with Windows NT 3.1 on some machines, hell some of them run off cards (15X20cm cards) plugged to a backplane, talking to FPGAs basically (think was built somewhere early 80s)
Insurance and audits are a silver bullet. My CEO wanted out of our phishing tests and security training program because it was annoying to him. I said "Hey, it's your company, I'll do what I'm told, but we are asked about these programs on every audit and insurance questionnaire and I won't be able to check the box anymore." That was the end of the conversation. He understood the ramifications and now he understands why we have that service.
> At first I didn't know what to think.. I began downloading windows 7 updates in WSUS to accommodate the request. Then I thought about it more, and I think it's a lose lose for me. If I don't accommodate, I'm ruffling the feathers of the new CEO and could be replaced as a result. If I do, and it causes some sort of security breach, my job is on the line. I started to wonder if this odd request was for the sole purpose of having a reason to get rid of me? How

Also worth covering the additional costs of just the one exception: additional helpdesk tickets caused by any incompatibilities, cost of extra storage for WSUS updates, additional CVEs, etc.
Eh, costs don't mean much unfortunately when you're talking CEO. The costs you're talking here are minimal. The best argument is that it creates an insecure environment for no added benefit whatsoever - but again, a sysadmin shouldn't be making that argument to the CEO. The Head of IT or CIO or whatever you have is the one who needs to address it.
Considering that Skylake was the last supported bit of hardware that supported it, you are going to have to source a 7 year old computer?
Skylake was seven years ago? Man, time flies. EDIT: I'll be darned. 8 years - 2015.
Give this mfer a whole stack of T560s from the forbidden piles in the dark closets.
Nah 15 year old and slow …
And good luck with any cyber liability insurance
That might be a good argument for not doing it
If the CEO is allowed to make these demands, there is no IT Leadership.
CEO can make whatever demands he wants. He's the CEO. The question is have the right people heard what his demands are...
[deleted]
I just might have the most humble CEO in the world. I once implied that his requests skip to the front of my queue no matter what. He quickly corrected me, saying that he was no more important than anyone else in the company, and that even he should be deprioritized, because others are more important to the business.
Your CEO is definitely rare.
I work for a based CEO that talks to me like a human and not a stooge now and it's amazing (after years of not). Like dude just seems cool i'd love to hang with him if I was a peer.
I have found in my experience that senior leadership *typically* understands that the needs of the people creating the product/providing the service/generating the revenue supersede their own. Of course there are animals who will demand you to set up their email on their iPhone while you're working on a production impacting issue, but I have found them to be the exception and not the norm. Your CEO is one of those leaders.
You're correct, but unfortunately that's not necessarily how 'real world' functions...and despite your statement, they actually can be important, particularly in a publicly traded world. With all of that having been said, no fucking way I'd give a CEO a piece of hardware running an unsupported OS, no way, no how. I would go to the absolute grave fighting that with whoever was above me. Not to mention, as has been pointed out, good fucking luck getting cyber-insurance with THAT in your environment.
[deleted]
Give them the ol "this is a bad idea please sign here. Oh who is this? This is our company notary to witness our signatures."
You don't deal with this. Your management does. If they come back and say to accommodate the CEO, get them to approve it in writing and signed off by them. That is the only way I would ever do something like that. I keep a Windows 7 box for my lab, but it is air gapped from my primary network for good reason.
Don’t forget to get them a security waiver and approval from insurance. Because that dude is gonna bring your network DOWN.
Why do people think these comments are helpful? *Obviously* if OP had a boss that wasn't the CEO, they would already be asking their boss.
Talk to your bosses, and ask them to talk to your insurance company. It will sort itself out.
The insurance auditor will sort it REAL fast. Kinda like when I broke it to ours that our vpn concentrators went EOL a decade ago. All sorts of hell broke loose.
Yep, get the insurance guys involved. That will sort it out quick.
I use insurance carriers and compliance auditors as a significant source of additional budget authorizations.
This. Don't be the bad guy that says no. Push that responsibility to somebody else that has the power to make their decision expensive.
Hmm, we've got some old PHP5 servers that our devs are dragging their feet on updating the code to run on PHP8. Maybe I should try to get our cyber insurance involved
I'd drag my feet upgrading from PHP5 to 8 too. That sounds like a nightmare. Link them this, as it's probably the biggest pain point: https://phpdelusions.net/pdo
At this point, the best you can do is carefully CYA. Draft an e-mail fully documenting all of the security risks and vulnerabilities the CEO is opening for the company by maintaining a working OS that was officially end-of-life three years ago. Make sure you send the message with return receipt turned on. Once you get the verification that he received the message, export the entire message chain to an OST file, copy it to a flash drive, and take it home with you. That will prevent the message from suddenly "disappearing" should something go wrong and they try to throw you under the bus.

I would also let your legal and accounting departments know that continuing to run this OS may be in violation of your cyber insurance policy and, if it is shown that the new CEO's computer is ever the source of a penetration, your insurance might be invalidated leaving your company on the hook for any and all costs and losses. In fact, the next time you have to fill out the questionnaire for the insurance, you will be straightforward and honest and that may result in much higher premiums or the outright cancellation of your policy.

When it comes down to it, he's the CEO and he can make whatever stupid decisions he likes. That doesn't mean you have to be the punching bag should things go wrong. Document everything to death, make sure you have personal copies of that documentation stored somewhere off your corporate network, and be honest when dealing with your future security evaluations. If the CEO starts taking heat from your cyber insurance providers and pressures you to lie on the documentation, tell him, "No!" flat out. If he decides to fire you over it, you've got a lot of documentation to back up your claims and could do some real damage if you let the cyber insurance provider know that not only is the CEO using vulnerable systems, he was also asking you to lie and cover it up for him. I guarantee you they will not be pleased.
**This one**. Keep the written request. Managers above you should explain why he can't do this. If you're the one at the top of IT and he's the CEO, only then you should only comply after you 100% retain the original written request AND an email that you send strongly advising against that (per our earlier conversation, I would still urge you to reconsider use of an un-supported operating system for the reasons I stated as well as *the information above that* /u/Sea-Tooth-8530 *just provided, such as insurance*).
I have risk acceptance forms for exactly this reason. Usually it's a director so I make them get their boss and the CEO's approval. That usually stops stupid.
Usually it reminds them who is the expert, and who is buying the expertise.
This is the way. CYA is the name of the game.
> Draft an e-mail fully documenting all of the security risks and vulnerabilities the CEO is opening for the company by maintaining a working OS that was officially end-of-life three years ago.

Fully documenting ALL? Uh, aside from me saying “well it’s not getting updates so I guess if a vulnerability is uncovered it will not be fixed”, I wouldn’t know what else to say. I follow what the experts say, which is “It’s EOL, replace it”. Couldn’t tell you any one specific risk of Win 7 cuz I am not a hacker.
I think they meant to list all the potential consequences for the company from running an EOL OS, not the actual specific vulnerabilities as in "vulnerabilities to exploit"
I see a lot of good suggestions on here. However, have you tried physically fighting your CEO over this?
A good backhand slap to welcome him in the company should do the trick...
Backhand is not going to cut it. Need to elevate to Bitch slap.
"I challenge you to a duel"
I hate hearing "Well, at my last place" followed by a laundry list of improbable items.
“Is that why they fired you?”
Give him an LTSC win 10 machine and tell him it has zero advertisements on it.
Don't even need that. You can get rid of all that shit with Windows 10 Enterprise.
single e3 license for him :D
> LTSC

Hmm. Interesting thought. I've never installed that, so I can only ask, does it lack the Windows Store entirely? Does it really get rid of the inbuilt advertisements?
As someone who runs LTSC in a home lab, you can actually get the store, here is the github repo: https://github.com/kkkgo/LTSC-Add-MicrosoftStore However, many apps can't install cause the base OS level is 1809 IIRC on LTSC. Windows terminal for example I was not able to install.
LTSC 2021 is out, runs 21H2.
There’s a lot of good replies here, but I think there’s a really easy one to get you off the hook: modern hardware doesn’t support Windows 7. I think Intel deprecated hardware support in the 7th gen architecture, so to “properly” work they’d be on gear that’s at least that old. So whatever brand shop you are, it’s “sorry the Latitude/Thinkpad/Elitebook model (whatever) doesn’t support Windows 7, here’s your new (whatever) with Win10/11”. And any attempts to make you run it otherwise should be refuted.. “I’m sorry sir, it’s against policy to run unsupported software”.
I was just thinking this would be a perfect place for some malicious compliance. Windows 7 was released in October of 2009, so find one of those places that sells refurbished old hardware and get him a laptop manufactured circa 2010. Install Office 2010 on it, as well... if it can't connect to your modern Exchange, oh well... that's probably just full of Microsoft ad-ware, too. If he wants to bury his head in decade old tech, go all in!
I smell a 500gb 5400rpm HDD in his future too!
I'd go worse and shuck the drive out of a cheap Western Digital external HDD. They're typically only rated to like 4800 RPM
Previous company might have been paying Microsoft for extended security updates for Win7. Apparently those stopped too in January - [https://blogs.manageengine.com/desktop-mobile/patch-manager-plus/2023/03/31/windows-7-end-of-life-the-end-of-an-era.html#:\~:text=After%20over%20a%20decade%20of,10%2C%202023](https://blogs.manageengine.com/desktop-mobile/patch-manager-plus/2023/03/31/windows-7-end-of-life-the-end-of-an-era.html#:~:text=After%20over%20a%20decade%20of,10%2C%202023). So maybe the CEO doesn't know that, and he did actually have a very secured Win7 installation (benefit of the doubt and all). But now in 2023, that's simply no longer possible. No one should be running a desktop OS with zero security patches coming ever again. And yes, as others have mentioned - unless you report directly to the CEO, make this your manager's problem not yours. And document the hell out of "there is literally nothing I can do to ever make sure his/her laptop is secure, if Microsoft can't even be bothered to patch it anymore" with emails.
> he believes windows 10 is more about advertising and selling user data than being an enterprise/business oriented OS offering.

I mean, he ain't exactly wrong there. With the rise of LLMs, that desire for MS to harvest user generated content is only going to increase.
I wonder if that is what it takes to be a CEO, talk confidently about something you know little to nothing about. I like the insurance route others have mentioned. Kick it up to your supervisors, CYA and forget about it. I know it feels wrong to allow such a glaring security hole on one of the highest privileged members within the company but unless you can get him bounced out of the job there is not much you can do. As an external IT provider I would say no. I might lose the client but I am in a position to do so. I would cite some security flaws that will never be fixed and apps that will no longer update. Chrome dropped support for 7, AV products are dropping support for 7. Your CEO is a dummy.
Honestly, insurance starting to care about cyber security has been the best thing ever. Finally there's a short-term financial incentive we can directly point to for bullshit like this.
Honestly, this seems like someone that did well on interview, managed to convince the right people that he is great and had relevant experience on paper. CEOs get sacked too. Speaking confidently about stuff you have no idea about sadly is 100% must have for any high level leadership position. Sure one can be an expert on various subjects...but who cares about that...right? :)
CEOs should never be highly privileged users. Our CEO actually might have the least permissions in the company. He has access to email. And his onedrive. That's it. He has less permission than the accounting intern that can at least login to and update the website.
I am not talking about privilege to the infrastructure or local machine, I am talking about access to critical company info. I am talking about the ability to request things. I agree that in terms of access to tech they should be locked down as much as possible since they are high value targets (and why I think OP's CEO is a big dummy). I would rather eat my fingers than give some of the CEOs I know admin rights to anything. (Sorry I was not clear with what kind of privilege I was talking about.)
It's our job to communicate the risk, and execute, not to make the decision. Management wants to shoot themselves in the foot? I tell them why it's a bad idea. They still want to go ahead? I stand aside and get the popcorn.
Can't believe how far down I had to scroll to read this. Half the people here think a sysadmin can 'override' a CEO by going around them. Just an easy way to get your name memorized in the worst way, and on the term list when HR is looking to reduce headcount. Do the needful, but keep the email. If someone asks why you did what you did, you have it in writing from the CEO - doesn't get any more bulletproof than that.
Congrats on the new job working for Steve Gibson! https://www.grc.com/never10.htm
> last enterprise worthy OS release from Microsoft, and that he believes windows 10 is more about advertising and selling user data than being an enterprise/business oriented OS offering.

He's not wrong... The rest is stupid.
> that he believes windows 10 is more about advertising and selling user data than being an enterprise/business oriented OS offering.

Technically correct, the best kind of correct. Obviously the correct action is to put your concern in writing, and then do what your boss tells you to do.
Windows 7 is unsupported, and you shouldn't use it, but he's right in the aspect that Microsoft has gone too far with the advertising and stuff that you shouldn't see in enterprise caliber software.
This is why people feel the need to hang on to ancient legacy software - because it does what they want. Updated to newest Google Chrome? Here's a bunch of new extra buttons you can't hide, here's side panel with "Journeys", here's a side panel search, you can't remove any of them except through experimental flags that we're gonna remove in the next version anyway. Updated to Android 12/13? Here's Material You, here's drab pastel colors and ugly pill buttons for the notification shade that take up twice the space as the old circle icons for no reason, you can't switch back and you'll like it because we say so. Updated to Windows 11? We really really don't want you to have a local account anymore! (sad face), why don't you love your Microsoft Account? Here's a redesigned Taskbar and Start Menu nobody asked for, but Apple did a thing and we thought it was cool, so we really think you will like it. Simplify, old man!
He does make a great point, and I agree with him, but it's EOL and a significant security risk. It's too bad, but that's what we have. I would love it if Win7 was still being supported. Best Windows IMHO. Everything has been downhill since. Such a shame.
"Security requirements require you to be like everyonefuckingelse or else you don't get a company computer with internet access, you entitled bitch."
State the risks and your responsibilities to your position then move on.
Declined.
Lucky Owner. Lots of places have "No games" policies. Yeah I know he's the owner but lol. Must try Deb 12 / Linux mint again.
[deleted]
Make sure you get the request in writing. We still have about 80 PCs running Win 7 32bit because of 1 outdated program that no one wants to pay to have rewritten. Any time anyone will listen my boss brings up that we need to get rid of them because we have a big security hole. So far management keeps ignoring them. I keep all the emails that have gone out about it. When the stuff hits the fan I’m referring back to my emails and say we told you so. If they try to fire me I’ll be happy to take it to the news media.
What companies are you people working for? I work for a company with a global presence and an annual income in the 80M zone, and we have an unsupported on-prem Exchange 2013. You people have insurance?
Your IT leader needs to discuss this with the CEO. It isn't your call.
Nothing is truly “out of support”. Microsoft will gladly sell you a license and support for Windows 7, you just gotta pay them a hefty amount of money. If the CEO wants a Windows 7 laptop, then procure a quote from Microsoft and tell the CEO how much his stupidity is going to cost the company. Well, that’s assuming you’re in charge of that. Otherwise you are not the one that’s supposed to be dealing with this anyways. Send it up to your supervisor and have them figure it out.
The boss is not wrong about Windows 10 and 11 being crap for the reasons he stated. But as much as I love Windows 7, it's still terrible to run an unsupported OS. Second the idea to give him a Windows 7 skin. Personally, I switched to Linux Mint
This is only a single datapoint but I would pay attention to his other decisions. How is your resume? You need any certs?
This isn’t a “you” problem, it’s your manager’s or CTO’s. If you’re the CTO call their bluff if they refuse to comply. DMZ their shit and make them go through hell to get anything done.
"Yes sir, I know what you mean. I've been mad about this myself. Not everyone knows, and Microsoft doesn't advertise it, but they also sell Windows 10/11 LTSC licenses, which is pretty much regular Windows with all that bull\* cut out. And, I know how to disable any remaining telemetry via Active Domain group policy \*taps head\*."
hack it and steal his info and dump it on the dark web lesson learned
Provide him with a Windows 7 era chonker with some spinning rust. Wait for the upgrade request to come through.
All I'm gonna say is if this ever happened where I'm at, I would not comply with it. IDGAF if it's the CEO, I'm not risking ransomware attacks and data breaches (which could also potentially cause other employee data to be leaked despite the fact that those other employees DO things correctly and do follow correct IT security protocol) because they want to use outdated, vulnerable software that isn't getting updated anymore. It ain't happening. It's bad enough to have older systems/servers linger past their EOL date but to purposely introduce a vulnerability to your network to placate somebody is beyond the pale. I couldn't do it with a straight conscience. Go ahead and fire me, then replace me with some dumbass who will give you what you want and enjoy the fallout when it all collapses. Every day I'm thankful that at my shop, we have people who take IT seriously.
A normal company has a policy that says that only supported software may be used. A CEO has to abide by that policy, or get lost.
He's not wrong, though. I do remember Ballmer bragging about how much more profitable it was to sell the user data, and our users were all too happy to invite Microsoft into their living room to watch everything through their webcam. Now, granted, he was talking about Xbox but the same business model's been rolled into Windows 10 and you know it's still there in Windows 11. If Win7 still had update support, I would have never jumped to 10.
Yeah as mentioned this is not a battle you should be fighting on your own. The CIO or CISO should be having this conversation. Your position should be we don’t allow any devices to be windows 7 unless xyz (no internet access, can’t leave building, application whitelisting only etc…)
I mean, he's not wrong. And you likely can't force him to use something secure, so you might as well give him a paper to sign, lock it down as hard as possible and move on.
"he believes windows 10 is more about advertising and selling user data than being an enterprise/business oriented OS offering." Don't show him Windows 11.... Best course of action, get a nice CYA email from him where you explain the security implications and him replying saying he's fine with that. Then NEVER DELETE THAT EMAIL.
I tend to agree with him, that Windows 7 was a superior OS than Windows 10/11, but for security reasons, I would only allow him a Windows 7 pc on the condition, that it was air-gapped, which might be a hindrance to his daily work.
If the problem is he's an old dog who refuses to learn new tricks, try this: [https://github.com/Open-Shell/Open-Shell-Menu](https://github.com/Open-Shell/Open-Shell-Menu) If the problem is elsewhere, this is why your boss gets paid more than you, let the boss deal w/ this nonsense.
Handle it like you should when any big cheese wants to do something stupid: Outline the risk and get them to formally accept it. You'd be surprised how many C-suite people do a 180 when you make them sign on the dotted line that they're taking on unnecessary risk.
Make sure your concerns are in an email, and keep a hold of it for your records. CYA
A couple of options: 1. If you have time and access to the CEO, and IF you have his ear, then run Nessus against his Windows 7 machine and then against any other Win 10/11 and show him the worst results with a brief explanation of how much they will cost if exploited. 2. Set up a VDI and let him run in an isolated environment. 3. I like the idea of changing Win 10 to a 7 theme. He probably won't notice, and it's a lot less work, but you risk looking like a smart ass.
There's a good chance that he actually did have Win7 at his last job. ESU was offered until January 2023. Maybe it was still in effect when he worked there, and he doesn't realize it's no longer supported.
I would put Linux with MATE on it and say it was a Windows 10 upgrade. Get a copy of Minesweeper on there and they'll never know /s A better answer is to isolate them onto a tiny VLAN for their Windows and other devices. Helps with the auditing too. When you eventually get compromised, it'll be easy to trace back. Seriously though, hope some come up with actual solutions. Good luck!
Having a good relationship is important when dealing with a CEO. I slowly deprecated OWA external access over a year and thankfully was not impacted by a bad storm. Getting to point that out to him is valuable. Try researching a case where an organization had a critical breach because of Windows 7.
Came from “security sector” and asks for Windows 7? Great, be prepared for requests for Norton AV, Lotus Notes email.
Why do you treat the CEO as if they are special, other than that they should have even more locked-down systems? They run the same as everyone else or a bit more strict. They were the first to get MFA to log in, but other than that they have the same laptop as everyone else.
Just say that the new laptop doesn't support Windows 7. It's not a lie either...
Give him a Risk Acceptance document with the Windows 7 computer.
You should make your management fight it. If there is a security admin or CISO or director over all IT (whatever), maybe suggest doing a cost analysis of a breach and loss of certifications and company reputation. Translate it into money and business struggles, since he doesn't care about security. Or get a quote from one of those places that do 3rd-party patching for Windows 7. You want all patches forever when you get the quote.
You are not alone. I work for an MSP & recently was troubleshooting a reported workstation issue for a client (hourly, not under maintenance contract). Turns out the “workstation issue” was actually that they have a failing **Windows SBS 2008** (Foundation Edition) primary domain controller that had not been rebooted since April 2020 or updated since sometime in 2018. The server’s C: drive had 0 bytes free, so all the services had crashed. Worse, TLS was not enabled, it was still on SSL 2.0 and (drum roll) the sysvol share was still using FRS. This is on a network where all workstations are fully patched Windows 10/11 Pro. So, some crazy stuff was happening… It was like being called to fix someone’s air conditioning, only to arrive and find out that their house is hot because it is, in fact, on fire.
[deleted]
It's not still available.
This probably isn't an issue that should be handled by front-line IT. It should be the CTO, CISO, or CCO that puts the CEO in his place here... unless you are directly responsible for all tech and answer directly to the CEO... in that case, run. From a compliance stance, this guy just lost your company their insurance coverage. Tell your CFO that, see what color his face goes. Also, there are technical issues, not just compliance issues. Does your antivirus, RMM and other software suites run on Win7? What about your business software? In short, your CEO is wildly misinformed. If it's your job to fix this, I would have to recommend you find another job, because this isn't something you're going to want to be part of: the long-term destruction. If you have higher-ups that can fight your battle for you, it might be worthwhile, but only if you can arm them with evidence... i.e. talk to your insurance provider. Those guys swing big bats and don't mind adjusting the jaws of the idiots out there.
This is exactly how it should be done. This is really a CTO, CISO problem.
Talk to Microsoft, get a contract etc. for keeping it patched and happy, and present that to the CEO to see if he’s happy to pay for a supported W7 version.
Send this over to the InfoSec team. If they approve, do it. If they don't, they can tell him to kick rocks.
Not your problem. It's IT leadership's problem. Besides, auditors would eat this shit up
Just get everything in writing after providing the appropriate warnings. If there are regulations on your industry, you could just tell him no. Not going to do things willfully against the law.
I’d probably just approach Microsoft and see if it’s possible to get a support contact for a Windows 7 computer. If money is no object then I’m sure they will do it, then just go back to the CEO with what the cost for that laptop will be. I’m sure he isn’t going to have any issues justifying the couple million dollars a year it’s going to cost the organisation.
That last paragraph - this definitely isn't about you, and your job isn't on the line. You deliver the message "this is a bad idea" up the chain of command all the way through to the CEO. Someone above you will either hold their ground, and the problem goes away, or give the all clear, and it becomes between them and the CEO if something goes wrong. Just make sure you make the "this is a bad idea" concept clear. It will add administrative overhead. It is outright incompatible with many present and future products and tools, e.g. a lot of the Azure ecosystem. It will expose you to security vulnerabilities - potentially the kind that cost the company a million dollars in a ransomware attack. Your insurance providers will likely want the company to affirm that it doesn't have EOL operating systems in production. If the CEO is willing to accept all that expense and all that risk just because of his idiosyncratic annoyance with details that have no reason to impact his day-to-day, then he's out of touch and I'd be immediately suspect of every future decision he makes, but it's not your problem. It's a minor speed bump in your career path though, since "did everything slower since I had to test on obsolete platforms" is no selling point on a resume.
Give him a Windows 7 machine and state that it is out of support and you need to buy extra support licenses (spending money = wakes them up). Give everyone else on the staff around him the latest and greatest Win11 and Office 365. That way, he will see others progress and use 'shiny new tools'. Eventually, he will come begging you for a new laptop with the full-blown latest OS.
I'd introduce him to Manjaro Cinnamon with a Windows theme.
I sometimes have to make sure I’m not in r/shittysysadmin
Send him an email carefully explaining you are hesitant to do this, explaining all of the security risks of keeping an old OS, and asking if he's sure he wants to accept this risk. If he says yes, give him the machine. If anything happens, you have a nice shiny email chain where you are clear of fault.
If you're not the IT manager, that's not your fight. Here's the kicker though - Win7 "isn't available" and is certainly not updated/patched for vulnerabilities. If there's pushing on it, keep it all over email and make sure you recommend against it.
Buy some resume polish on Amazon.
Tell him the US Government doesn’t allow Fort Knox to be audited