The warnings have been issued; the time is at hand. As of July 14, 2015, Microsoft ceased support of Windows Server 2003 and Small Business Server 2003 operating systems. That means no more technical support, no more content updates, no more protection from any new security threats and, for many organizations, no way to pass compliance audits.
“If you are still running Windows Server 2003 in your datacenter after today, you could face security risks and potential compliance violations,” the company has warned.
Yet despite the alerts, such as the one issued last year by US-CERT, and a full year to prepare since Microsoft’s initial end of support (EOS) announcement, there are still several million servers around the world running Windows Server 2003, “including some large companies with very familiar names,” said Ali Din, senior vice president and chief marketing officer for dinCloud.
Perhaps that’s not so surprising. Considering the number of devices and applications that run on today’s networks, a full migration project can be a lot to stomach. IT departments at many small to mid-market enterprises are consumed with day-to-day operations, keeping up with competition, staying on top of emerging and “bring-your-own” technologies, and putting out fires; it’s no wonder a major migration project never seems to move far up the “to-do” list.
“They just don’t have the 200 days on average that it takes to do a migration,” said Din.
Unless, of course, something catches fire. Well, if the official EOS represents the embers, the kindling could be upcoming Windows Server security patches, warned Din.
As Windows Server 2012 gets adopted, followed by Server 2016, there are likely to be numerous security patches released, said Din. “If we look historically at prior versions being rolled out, such as Server 2008, there was a critical patch every two weeks,” he said. And as each patch is released, bad guys start working to reverse engineer those patches to figure out what type of gaps and holes exist in a system.
“It’s very likely some of those gaps and holes they find will also exist in 2003 or in Small Business Server,” warned Din, and it won’t take long to find those gaps in a now-unprotected operating system. In other words, even if an organization has upgraded major applications and workloads, while leaving as few as one server running Windows 2003, an attacker armed with information from a reverse-engineered patch still can infiltrate that network through this weakest link.
“All someone with mal-intention needs is one door to go through,” said Din.
Not that organizations are faced with an “all or nothing” scenario: full OS migration or susceptible network. There is a way to mitigate some of the risk while deferring some of the cost, complexity, and decision-making of a full move. Companies without the time or stomach for the big change, or those that hope to hold out for Windows Server 2016, can choose to place their entire server infrastructure on a provider’s virtual private data center, such as dinCloud’s dinServer service.
“So now at least someone’s monitoring and keeping an eye out if anything does try to penetrate through these security holes,” Din explained, citing the company’s partnership with ThreatSTOP, a provider of threat detection and monitoring. “You’re also likely moving to a bit more of a secure infrastructure.”
Indeed, for organizations considering a move to the cloud, Server 2003 EOS is a chance to rethink their IT strategies. After all, despite the apparent denial, with EOS, a move must be made. Companies that choose to transition their Windows 2003 systems to the cloud – along with the added security mechanisms and borrowed time – also stand to reap some of the other benefits typically associated with cloud computing, such as cost savings, increased flexibility, and protection against future EOS directives. When a firm is ready to make the leap to an updated server infrastructure – be it 2008, 2012, or 2016 – that business emerges with a network that is more agile, scalable, easier to manage, future-proof, and likely better protected.
Martin Vilaboy is editor-in-chief of ChannelVision magazine, a printed and online source for resellers and brokers of communications and IT products and services.