Windows Server 2003: No Support, No Security?
What are your options, if any, for mitigating security risks of continuing to run Windows Server 2003 after Microsoft ends extended support in July?
July 14, 2015 is a date that should be at the forefront of your mind if your organization is one of the many still running applications on Microsoft Windows Server 2003.
That is when extended support for the operation system ends. After then there will be no security fixes or patches, and no updates to support new hardware. From July 15, you'll be on your own.
That's not strictly true, of course, because in theory there's the option to buy custom support from Microsoft. But that won't be practical for the vast majority of organizations because Microsoft has made it clear that such support is likely to cost companies hundreds of thousands of dollars, according to Richard Fichera, an analyst at Forrester Research.
"Microsoft is pricing this type of support to say that they don't want the business," he said. "For Microsoft it is an immense drain on resources, and in any case I would question where they will find the people to provide this type of support. One thing's for sure: It's not going to be the 'A team' supporting it."
Windows Server 2003 Vulnerabilities
So is it feasible to go it alone and stick with the venerable old operating system for the long term? There are a number of problems with doing so. Aside from the small matters of regulatory compliance and legal liability, the major issue is security.
Every time Microsoft issues a security update that fixes a vulnerability in later operating systems, hackers are sure to be checking to see if the same vulnerability exists in Windows Server 2003. If so they will be able to exploit it at their leisure, secure in the knowledge that Microsoft won't ever fix the problem.
So you should only consider continuing running Windows Server 2003 after very thoroughly assessing the risks, legal implications and possible consequences of doing so.
"Many people will be saying that they haven't had a breach in 12 years, so why should there be in the near future - so I think a substantial fraction of companies will keep running it," Fichera said. "But (Server) 2003 is not nearly as secure as 2008 or 2012, and I think the extinction point will be some time in the next couple of years."
Isolate Windows Server 2003 Risk
What precautions can companies who want to stick with Windows Server 2003 take? The answer is to adopt proven security practices for this type of situation - insofar as they exist at all. One tactic might be to isolate servers running 2003 on their own network segments as well as ensuring that they are protected by effective and well maintained firewalls and intrusion detection systems, Fichera said.
This may be practical if the application is truly a standalone system that is not connected to a separate database or other server and is only used by local users, but network isolation doesn't guarantee security. That's because it's still possible for machines to be infected by malware even when air-gapped - as the Iranians discovered to their cost with Stuxnet.
It's worth remembering that because of the extra security and network configuration measures that need to be taken, the cost of running a Windows Server 2003 machine are likely to increase. Last year Gartner estimated that the cost of supporting Windows Server 2003 would be in the region of $1,500 per server annually.
Another alternative is to run the application on a virtual machine, Fichera said. "There are definitely minor security benefits to virtualizing as it is easier to configure VLANs, but most of the security flaws are still there," he said.
Running the application in a Docker container isn't possible because Docker doesn't support Windows 2003, he added.
Another practical problem is one of hardware support. Physical servers have a finite lifespan, and it's likely to become increasingly difficult to find hardware which is supported by Windows Server 2003 to run the operating system. Virtualization provides a solution to this problem too, but smaller companies may lack the skillsets required to run a virtualized infrastructure.
Hard to Say Goodbye
Given that the end of support is just a few months away, why have so many companies not migrated away from Windows Server 2003 to a newer operating system already? The number of companies that are yet to do so is uncertain, but estimates of the number of instances of Windows Server 2003 either on physical or virtual machines range from around 9 million to as many as 24 million.
One reason may be that they didn't think that Microsoft was serious about ending support, but following the end-of-life of Windows XP few can still maintain that position.
A common problem that many companies face is finding the budget to migrate, Fichera said. "This is a big budget hit for someone who didn't have a migration built in to their budget."
There's also the common problem of a company identifying that they are running line-of-business applications on Windows Server 2003, but not knowing who inside the organization "owns" it or quite what it does. Often the person responsible for implementing the application no longer works for the organization, and the original ISV may no longer be in business.
"That means that the organization may not know the impact of taking the server down, and it may be that no one has the (administrator) rights to the application," Fichera said.
A final problem is getting the application to run on a newer operating system. In many cases the source code will not be available to inspect or modify, although in most cases Fichera said compatibility is unlikely to be an issue. "I would guess that most application code can be moved, but there are other problems. For example, PowerShell didn't exist in 2003, so the runbook will have to be changed."
The good news is that there are still a few months to go before support for Windows Server 2003 ends. And there are plenty of vendors who would be only too happy to sell you some new hardware and help you with your migration – if you have money to spend.
Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.