Windows Server 2003 (WS2003) is one of the most widely used server platforms in Microsoft’s history, with 27.8 million licenses sold worldwide between 2003 and 2013, and a conservative estimate of nearly 8 million licenses still in active use. When Microsoft ends support for this popular operating system on July 14, 2015, the stakes for enterprises are higher than when support ended for Windows XP last April. According to Microsoft’s Support Policy FAQ, end of extended support for WS2003 means patches, hot fixes, or other support will no longer be available. For an estimated seven-digit figure investment, Microsoft will offer custom support agreements for organizations in the process of active migration (preferably to its Azure cloud). However, the extension is limited and does not include commitment to make fixes or provide other support. Furthermore, the cost of custom support is set to double in the second year, making it a viable option for only a very limited number of organizations.
What's The Risk?
Consensus from US-CERT, IDC, Gartner and other industry analysts is that there are four significant risks businesses need to assess if they choose to run WS2003 without Microsoft’s support. These are noted in US-Cert Alert TA14-310A:
- Cybersecurity Attacks – “Computer systems running unsupported software are exposed to an elevated risk to cybersecurity dangers, such as malicious attacks or electronic data loss.” In other words, systems running business-critical applications could be compromised and subject to data theft, unauthorized transactions, and may be used to host attacks launched against other systems in the environment.
- Migration Difficulties – “Users may also encounter problems with software and hardware compatibility since new software applications and hardware devices may not be built for Windows Server 2003.” Also, applications and other software running WS2003 are not guaranteed to run correctly in the future. As applications are updated, they may be affected by defects in WS2003 that will no longer be corrected, making some features function incorrectly or not at all.
- Regulatory Non-Compliance – “Organizations that are governed by regulatory obligations may find they are no longer able to satisfy compliance requirements while running Windows Server 2003.”
- Business Leadership Unaware of Risks – Although this risk is not specifically cited in US-CERT’s alert, IT teams and leadership, as well as the C-suite and boards of directors, may not be fully aware of the risks to the business. Underestimating the increased attack surface of WS2003 devices can cause disclosure problems if a breach occurs after end of extended support date, particularly if these risks are not well-documented and mitigated.
Document the Decision With Your Executive Leadership
An AppZero survey estimates that 22 percent (1.76 million) of WS2003 systems will not be migrated by July. There are many reasons for this, including complexity of legacy applications, lack of internal skills, costs of upgrading applications from a 16-bit architecture, cost of new hardware to take advantage of Windows Server 2012 capabilities, etc. If your organization is unable to upgrade or migrate its WS2003 systems, IT teams specifically should document this decision and get explicit IT leadership and senior executive acknowledgement that this is the agreed on course of action. This discussion should include a complete outline of the risks, impacts and limits of this decision in a format that can be understood by your business leaders. If you haven’t already done so, this is something to address immediately. This document will serve many purposes, not the least of which is to assure the proper risk posture disclosures have been made internally. Summary There are many factors that may contribute to the decision to run without Microsoft custom support post July 14, 2015. Increasingly, the senior executive teams, as well as some boards of directors, are being held responsible for the organization’s state of IT security and compliance within businesses – whether publicly or privately held. Therefore, the many systems still running WS2003 after the end-of-life deadline could introduce serious cybersecurity, compliance and business risks. Business leadership should understand and acknowledge these decisions, as well as the inherent risks, impacts and limits of this approach. An upcoming post in this three-part series will feature a checklist of practical tips to secure and harden your WS2003 systems. Title image header of Shutterstock.com
