Eighteen percent of businesses are still running Windows Sever 2003, the server operating system for which Microsoft ended support one year ago last week, according to a new survey. And more than half are still operating at least one instance of the antiquated platform.
The further removed we are from end-of-life, the more vulnerable your business becomes to attacks that take advantage of outdated servers no longer receiving security updates (and the applications and software that run on them). With Windows Server 2016 on the horizon - and Windows Server 2012 now well broken in - there is no time like the present to upgrade.
Information security typically boils down to a company's appetite and management of risk. One of the key considerations to establishing a risk profile is to understand your vulnerability status.
But if you're willing to bite the bullet and accept the risk posed by running unsupported servers - or if you remain paralyzed by the cost and complexity of transitioning to a newer version - you should ensure you are taking the precautions below.
This will not only help with the inventory and identification of Server 2003 systems, but as vulnerabilities are discovered and go unpatched, it can enumerate them so you can set up specific external protections to help that "virtual patching" plan.
Anti-malware gateways can filter exploits before they even reach your servers. By blocking an exploit with a gateway device like a web application firewall or a web or email security gateway, you're not as dependent on the physical patches that Server 2003 will be missing.
Network monitoring is also an important security step. By not upgrading Server 2003, your organization will be taking on more risk with every vulnerability that goes unpatched. Monitoring your network for anomalous or strange traffic with the help of a SIEM solution can be a crucial tool for identifying and containing a breach.
Dan Kaplan is manager of online content at Trustwave and a former IT security reporter and editor.