The clock is ticking on the Windows Server 2003 end-of-life (EOL) timeline, and the risk only grows from here. This EOL was inevitable and long known: Microsoft ended mainstream support, and with it non-security fixes, in July 2010, yet many organizations still have not completed the upgrades needed to get off the platform.
There are no firm numbers regarding how many systems or organizations still run Server 2003. The general statistics are not comforting but are, at least, moving in the right direction. In March 2015, endpoint security firm Bit9 ran a survey and found that 30% of enterprises planned to continue running Server 2003 after the EOL deadline of July 14, which ends extended support for the platform. Even more troubling in that survey was that 57% of respondents didn't know when the EOL deadline was.
In June, Softchoice analyzed more than 900,000 servers at 200 enterprises to find that 21% of servers still ran Windows Server 2003. This marked an 11% decrease year-over-year.
Data center analytics company CloudPhysics found similar numbers in its own analysis, with 18% of servers still running Server 2003, but it is unclear how far these figures extrapolate and what they mean overall. In May 2015, IDC estimated that 1.5 million licensed installations of Windows Server 2003 still existed globally.
Analysts believe this amounts to only a few machines per organization, with very few businesses running large numbers of Windows Server 2003 machines. Karl Sigler, threat intelligence manager for Trustwave, cited a recent Microsoft-sponsored survey by Spiceworks that found 61% of businesses were still running at least one instance of Windows Server 2003 on their networks.
The danger of the impending deadline is real, said Sigler, but doesn't necessarily mean an organization will automatically be at risk on July 15.
"If you're running Server 2003 and can't upgrade for some reason -- and there are a lot of reasons people aren't able to upgrade -- there's not going to be any immediate effect," Sigler said. "It's going to be sort of a slow draw. As critical patches are released in the Patch Tuesday cycle moving forward, the security gap is going to get greater and greater."
According to Sigler, the real risk lies in cases where the system admin does not know that a Server 2003 machine is on the network at all, because the administrators who set up the system are no longer with the company.
"One of the first things that a vulnerability scan will do is bring up those systems," Sigler said, "and knowing what you have is the first step in securing what you have. Organizations need to begin with running vulnerability scans and performing risk assessments on a month-to-month or quarter-to-quarter basis."
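The inventory step Sigler describes can be started from the directory before any network scan runs. The following PowerShell is an added example, not code from the article or from Trustwave; it assumes the RSAT ActiveDirectory module is installed on the admin workstation and that the account running it can read computer objects. The 30-day staleness threshold and the output file name are arbitrary choices for illustration.

```powershell
# Added example (not from the article): enumerate Windows Server 2003 hosts
# still joined to Active Directory so they can be tracked, isolated or upgraded.
# Assumes the RSAT ActiveDirectory module and a domain account with read access.
Import-Module ActiveDirectory

# Any computer object whose OS string mentions Server 2003; the wildcard also
# catches "Windows Server 2003 R2" and the Standard/Enterprise/Web editions.
$eolHosts = Get-ADComputer -Filter { OperatingSystem -like "*Server 2003*" } `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate, IPv4Address, Enabled

$report = foreach ($h in $eolHosts) {
    # Separate live machines from stale objects left behind by former admins:
    # no logon in the last 30 days (arbitrary threshold) suggests the box is gone
    # or powered off, but it must still be verified before the object is removed.
    $stale = (-not $h.LastLogonDate) -or ($h.LastLogonDate -lt (Get-Date).AddDays(-30))
    [pscustomobject]@{
        Name        = $h.Name
        IPv4Address = $h.IPv4Address
        OS          = $h.OperatingSystem
        ServicePack = $h.OperatingSystemServicePack
        LastLogon   = $h.LastLogonDate
        Enabled     = $h.Enabled
        Status      = if ($stale) { 'Stale object - verify, then remove' } else { 'ACTIVE - upgrade or isolate' }
    }
}

$report | Sort-Object Status, Name | Format-Table -AutoSize

# Keep a dated copy for the risk assessment so the list can be diffed month to month.
$report | Export-Csv -Path ("Server2003-inventory-{0:yyyy-MM-dd}.csv" -f (Get-Date)) -NoTypeInformation
```

This only finds domain-joined machines whose OS attribute was populated when they joined. Standalone boxes, appliances built on Server 2003 and hosts in forgotten workgroups do not appear here, which is why the directory query complements rather than replaces the credentialed vulnerability scan Sigler recommends.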
Once the admin knows the risk posture associated with any end-of-life machines on the network, there are a number of ways to mitigate the risk, including upgrading, migrating to the cloud or isolating the machine, but each machine will take time to secure.
"Initial testing and planning for downtime will give a clear estimate of the length of the actual upgrade process," Sigler said. "It could take as little as a day or two, but depending on complexity, could take weeks. Many people will underestimate the time needed, but in general, it should take less than one month per machine."
Upgrading or securing unsupported systems is a necessity, said experts, despite the cost of doing so. JK Lialias, director of data center security at Intel Security, noted that companies may delay upgrading because it would necessitate a new compliance audit for those under regulatory scrutiny.
"As you're upgrading to a new environment and you're under compliance regulation, then you're going to have to do the documentation over again," Lialias said. "Costs for upgrading or migrating will vary from scenario to scenario, because not only will there be the hardware investment, but costs for new applications being upgraded from a 32-bit to a 64-bit environment."
On the other side, organizations need to understand the cost of keeping a Windows Server 2003 system on the network. That can mean purchasing extended support from Microsoft, which is expensive and not a full solution, or proving there are "compensating controls in place," according to Lialias.
"What many people are doing to maintain compliance in that Windows Server 2003 environment is deploying application control and whitelisting as a compensation control to antivirus," Lialias said. "Or they can show they have integrity management to show how you keep track of the changes made in the environment. But maintaining compliance doesn't necessarily mean you're maintaining the best security for that environment."
There is no way to know how many critical fixes will be coming on Patch Tuesdays from Microsoft, Sigler said, and risk will depend on the placement of the machine on the network. But, while there is no way to know how quickly Server 2003 machines will be put at risk, it will only get worse from here.
"There have been two critical vulnerabilities in Server 2003 in just the past three months," Sigler said. "If that trend continues, that's a serious issue. Those are remote code execution vulnerabilities, and if there's an exploit to that, it's about 10 seconds to a breach if the server is publicly accessible."