This means we need to choose: bite the bullet and migrate those Apps to current platforms (x64, UAC etc) or replace them with well written Apps.

In an ideal world we would push Vendors hard enough to fix their CRAPplications or convince the customer to replace them. This depends on the Vendor’s cooperation though and IT should be in control to enforce it. Sadly this isn’t always the reality. The difficulty is often that the business sees the App from a functional point of view where it might work brilliantly.

I guess we’ll always have some legacy applications around for whatever reasons…
We need to make a choice: do we deliver those Apps from non-supported platforms? Or do we apply mitigations, shims or even patches so we can deliver them from supported platforms?

Either way we’ll be on our own because we don’t have vendor support for the Apps or no Vendor support for the OS. As IT, do you really want to be responsible for an OS that no longer gets security updates?? That’s a big risk for your whole environment! I’d rather run an App no longer supported by the Vendor but on a secured and supported OS.

As an extra argument for that choice: I am assuming that if we did have proper vendor support, they would fix the App in the first place. If they didn’t, what’s their support actually worth?

So my personal choice is to run the App on a supported platform, even if this means we need to apply (serious) mitigations.