Next week, Microsoft will bid adieu to Windows Server 2003 when the software giant ceases support and halts security updates for all versions of the 12-year-old operating system. But many businesses have been slow to migrate away from the platform, which still resides on millions of machines and in data centers despite having multiple successors.
But as Trustwave Threat Intelligence Manager Karl Sigler explains, it's time to retire Server 2003. We sat down with Karl to ask him why companies have been slow to dispose of the operating system, what risks they face if they continue running the software and how they should strategize the upgrade process.
Q: Last year Microsoft retired Windows XP after more than a decade, and now Windows Server 2003 is heading out to pasture. What gives?
Well, just like Windows XP, Windows Server 2003 is now more than a decade old, and the software is feeling its age. It lacks a lot of the new features and protections built in to newer operating systems like Windows Server 2012. No vendor supports software forever, and at 12 years old, it's definitely time to for Server 2003 to be retired.
Q: Even though the end-of-support deadline is nearing - and there are newer options - have businesses been slow to scrap the software?
Upgrading and migrating is a very complex and often costly task. Large organizations may have dozens of these servers. Each one needs to be looked at carefully to make sure that both the existing hardware and software can support an upgrade. Some organizations don't even realize that they have these systems on their network. There's a chance that the admins that installed those systems (perhaps a decade ago) are no longer even with the organization. Sometimes there are also regulatory obligations that can prevent or hamper change or migration. All of these complexities are the reason why many organizations have put off the upgrade. The general feeling is "If it's still running, it's not broke and if it's not broke, why fix it?"
Q: Why is a platform like Windows Server 2003 so important to companies?
Windows Server 2003 is a robust server platform that can provide a number of network services from mail server to web server. With so many years on the market, it is also a well-known entity with which many IT professionals are comfortable.
Q: Is migrating from Windows Server 2003 going to be more challenging for businesses than it was to move away from XP?
In some ways yes - and in some ways no. Since XP is a client operating system like you'd find on a laptop or workstation, there are typically more of them in any organization than a server operating system like Server 2003. This generally means fewer machines that need migrating away from Server 2003 compared to XP.
However, servers are put in place to provide vital network services like a web or mail server. If a client workstation goes out for maintenance, it affects one user. If a server goes down for maintenance, it affects the entire network, possibly even an organization's entire customer base. This makes migration a very touchy and sensitive operation that doesn't allow for many errors.
Q: With Microsoft ending security updates on July 14, what risks do organizations face if they don't upgrade?
After Tuesday, Microsoft will stop issuing patches for Windows Server 2003. This won't have any immediate impact, but as new critical vulnerabilities are discovered after, Server 2003 won't receive those patches. As time moves forward, Server 2003 will start becoming more and more vulnerable to breaches.
Q: What must businesses do now to ensure their servers are protected?
Acquiring an up-to-date inventory of your network through a comprehensive scan is an important step so businesses will know exactly how many systems they have running Server 2003. I'll make a quick plug: Platforms such as Trustwave Managed Security Testing not only help with the inventory and identification of Server 2003 systems, but as vulnerabilities are discovered and go unpatched, it can enumerate them so you can set up specific external protections to help that "virtual patching" plan.
After identification, the best thing businesses can do is migrate away from Server 2003. If their current hardware doesn't support Server 2012, they may want to take a half-step to Server 2008 instead or even consider an alternate operating system like Linux as a replacement.
Q: If they just can't bear to bid farewell to Windows Server 2003, are there any options?
There are many reasons why businesses won't or can't upgrade. If your business falls into this category, there are a couple of things you can do aside from burying your head in the sand.
Make a plan now for segmentation. As more "critical" vulnerabilities are discovered and go unpatched, those servers will become more of a risk. Putting them on their own network segment can help limit the damage done by a breach. It's also important to shore up your preventive security controls with solutions like anti-malware filters and intrusion prevention systems. Anti-malware gateways can filter exploits before they even reach your servers. By blocking an exploit with a gateway device like a web application firewall or an email security gateway, you're not as dependent on the physical patches that Server 2003 will be missing. Network monitoring is also an important security step. By not upgrading Server 2003, your organization will be taking on more risk with every vulnerability that goes unpatched. Monitoring your network for anomalous or strange traffic with the help of a SIEM solution can be a crucial tool for identifying and containing a breach.
Q: Finally, what about a company's use of third-party providers, contractors and suppliers? They could be running Server 2003, and does that mean businesses need to nudge their partners to upgrade?
100 percent correct. Third-party vendors and cloud service providers could all be running Server 2003, potentially placing your own organization at risk even if you've migrated away from the platform. Security should always be a concern when outsourcing any IT service.