Agree with some of the comments above, but just to contribute to keeping the thread on track for Phantom, it depends on what you're trying to achieve. The original post was regarding moving from XP in the business environment, so I hope the following is taken constructively and not as a scare story - I'm just trying to share what I do on a daily basis within the security field at work.
In our business environment, we are mandated to have systems that are sustainable and that are currently supported by developers/manufacturers. Therefore maintaining an old OS, no matter whether that be a desktop OS, router/switch OS or firewall OS, is not an option for us. We would fail annual penetration tests and lose accreditation status with various partners if we allowed those old OSes to exist. Since testing is also done internally, not just externally inbound, it takes into account that a lot of threats come from social engineering and internally driven exploitation. If an exploit is found, it is recommended that it be 'plugged' or the risk mitigated, and 9 times out of 10 the vulnerability is due to an inefficient software patching/equipment hardening policy within the organisation, or a lapse in training staff in security awareness. Therefore it goes without saying in my above scenario that if the recommendation was to patch/harden, and no patches or extra hardening can be performed because of support issues, then there's little option but to change the whole system - or face the consequences.
Also, the comment regarding the threat lessening once an OS is dead is only really valid for use within the home, and even then I wouldn't trust that situation fully (since more scams are being issued every week to millions of users around the world).
Any company has data worth stealing, or a reason to be exploited, be it for financial gain or just reputational damage. With this in mind, even small companies have something to lose. Larger companies and government agencies are much more targetable, and with the news at the moment being rampant regarding the number of companies who have a large amount of Win XP in their estate, it would be best to assume that in this particular instance any ICT administrators (Networks/Servers/Security/Desktops) would want to be on alert. It's always after an exploit has hit that people think of the damage and the work involved in preventing another attack.
Of course we all know that in a home environment, if you're half clever, you can mitigate a lot of the risk by how you use the system. It's also fair to say that you could go on indefinitely and not have an attack, by chance or because your perimeter is secured to a decent level and you trust the users of the computers. But it's also fair to say that, usually, people only appreciate security issues after the fact. Since a business is also about making money and staying in business, you also want to give your customers good assurance that you are keeping their data safe. Therefore it's not a great image to run on out-of-date systems, since it's an easy reason for customers to take their money elsewhere.
So my recommendation for an enterprise environment would be: unless the unit is completely locked down and kept in a locked environment (used as a dumb terminal with no direct internet access/port forwarding and with only some sort of VNC/RDP access over a VPN, for example), move to at least Win7 rather than trying to keep an old XP system going. If the business is a one-man band with 2 desktops and a server, then this isn't going to be much of a problem anyway. If it's a larger organisation like my own, then moving away is a necessity.
If using it at home, of course, the world's your oyster. I still have a full big-box XP Pro install that I stopped using in 2009 because of moving to Win 7 Ultimate when it came out. If I ever need XP on a physical desktop for some reason, I wouldn't think twice about installing and using my spare licence, because the risk is low to me individually.
I hope this is helpful.
