Windows Server 2003 support: the last 100 days
There are now just over 100 days left until 14 July 2015, when Microsoft ends support for Windows Server 2003. That means no more security patches at all, just as happened with Windows XP last year.
And a lot of people still do not seem to know.
After 14 July, “Microsoft will no longer issue security updates for any version of Windows Server 2003. If you are still running Windows Server 2003 in your data centre, you need to take steps now to plan and execute a migration strategy to protect your infrastructure.” That comes right from the company.
Bit9, an endpoint security firm, recently posted the results of its “Windows Server 2003 (WS2K3) End-of-Life Survey,” and the findings were not pretty. There were two glaring results from the survey:
- Nearly one in three enterprises (30%) plan to continue to run Server 2003 after the 14 July deadline, leaving an estimated 2.7 million servers unprotected.
- More than half of enterprises surveyed (57%) do not know when the end-of-life deadline is. In the survey, Bit9 gave respondents a multiple choice question asking the month when Server 2003 end-of-life would occur. Thirty percent of organisations surveyed said “I do not know,” and another 27% guessed wrong.
Now, we all remember the predictions of Armageddon when Windows XP hit its end of life. I contributed a little to that hysteria. It turns out it never happened. XP has been in rapid decline, and the end of life accelerated that process. The bad guys go where the numbers are, and Windows 7 has the numbers.
But with Server 2003, migrations are nowhere near as quick as they are with desktops. At this point, even if you started a migration today you probably would not complete it in time. Bit9 says a migration would take at least 200 days, while other experts give a wider range, depending on the number and complexity of the applications involved.
This means that millions of Windows servers holding sensitive data will be unpatched. Bit9’s mission is security, so it was most concerned about this.
“Servers, including domain controllers and Web servers, are where most organisations’ critical information resides. So, if organisations continue to run Windows Server 2003 after 14 July, without implementing appropriate compensating controls, they are putting customer records, trade secrets, and other highly valuable data at risk. Cybercriminals, hacktivists, and nation-states prey on unprotected servers, leaving enterprises exposed to potentially catastrophic breaches that can lead to lawsuits, regulatory fines, and loss of customer trust,” the company wrote on its blog post.
A bit alarmist? Perhaps, but it is their job to sound the alarms.
With 100 days left, Bit9 says organisations yet to upgrade must immediately aim to get their Server 2003 systems into a compliant state, both to avoid financial and legal penalties and to avoid the brand damage associated with failed audits, data breaches, and noncompliance. Effective compensating controls for organisations without an upgrade plan include network isolation, application whitelisting, and continuous server monitoring.
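Before any of those compensating controls can be applied, an organisation has to know which Server 2003 hosts it still has and which of them are actually live. The following PowerShell script is an added example, not part of the article or of Bit9's material: it pulls the remaining Server 2003 computer accounts out of Active Directory and sorts them into active, stale and disabled so that isolation, whitelisting and monitoring can be targeted at the live ones first. It assumes the ActiveDirectory module from RSAT is installed, that it runs on a domain-joined machine with read access to computer objects, and that the hosts report an OperatingSystem attribute containing "Server 2003"; the 30-day activity window and the output file name are arbitrary choices.

```powershell
# Added example (not from the article): inventory the Windows Server 2003 hosts
# still registered in Active Directory and classify them by activity, so the
# compensating controls (isolation, whitelisting, monitoring) go on the live ones.
#
# Assumptions: ActiveDirectory module (RSAT) present, domain-joined host with
# read access to computer objects, OperatingSystem attribute containing "Server 2003".
Import-Module ActiveDirectory

function Get-Server2003Inventory {
    param(
        # Hosts that logged on within this many days are treated as live (arbitrary cut-off).
        [int]$ActiveWithinDays = 30
    )
    $cutoff = (Get-Date).AddDays(-$ActiveWithinDays)

    Get-ADComputer -Filter 'OperatingSystem -like "*Server 2003*"' `
        -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate, Enabled |
    ForEach-Object {
        # LastLogonDate is replicated only every ~14 days, so it is a coarse signal;
        # a $null value compares as "not recent" and the host lands in STALE.
        if ($_.Enabled -and $_.LastLogonDate -gt $cutoff) { $status = 'ACTIVE' }
        elseif ($_.Enabled)                                { $status = 'STALE' }
        else                                               { $status = 'DISABLED' }

        [pscustomobject]@{
            Name        = $_.Name
            DNSHostName = $_.DNSHostName
            OS          = $_.OperatingSystem
            ServicePack = $_.OperatingSystemServicePack
            LastLogon   = $_.LastLogonDate
            Enabled     = $_.Enabled
            Status      = $status
        }
    }
}

$inventory = Get-Server2003Inventory

# ACTIVE hosts need compensating controls (or migration) now; STALE ones should be
# verified and, if genuinely dead, disabled so they cannot be quietly brought back.
$inventory | Sort-Object Status, Name | Format-Table -AutoSize

# Headline numbers for the migration and compliance owners, plus a working list.
$inventory | Group-Object Status | Select-Object Name, Count
$inventory | Export-Csv -Path .\server2003-inventory.csv -NoTypeInformation
```

The AD query only sees domain-joined machines, so standalone or workgroup Server 2003 boxes (often the forgotten ones) still have to be found by network scanning or asset records; the script is a starting point for scoping the problem, not a complete census.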
Andy Patrizio, IDG News Service