The end has finally arrived for Windows Server 2003 and Windows Server 2003 R2 (W2K3) as extended support ends...
on July 14, 2015.
Despite the Microsoft Windows Server 2003 end-of-life date being heavily flagged by Microsoft, many enterprises will still be running mission critical W2K3 servers well past this date. According to a recent survey from cybersecurity firm Bit9, there are 9 million W2K3 systems still in use and nearly 3 million of them are expected to miss the deadline this summer. The economic crisis has made many organizations delay IT investments, with under-resourced IT departments struggling just to manage day-to-day operations, let alone plan for a major migration.
But after July 15, Microsoft will no longer offer security updates, non-security hotfixes, free or paid assisted support options or online technical content updates for servers running Windows Server 2003. And though they won't suddenly stop working, new security issues won't be fixed by Microsoft, leaving machines vulnerable to attack. A zero-day, every day situation is not only a huge security risk, but also a compliance nightmare as running end-of-life software is seen as a control failure by most compliance and regulatory standards. This is a powerful argument to convince senior management to migrate away from the software before Windows Server 2003 end of life becomes official.
After Microsoft Windows Server 2003 end of life: First steps
The task of phasing out your Windows Server 2003 needs to begin as soon as possible as the protracted retirement of Windows XP has proven that planning is king. So conduct an inventory of all current W2K3 environments and the workloads they support using the free Microsoft Assessment and Planning Toolkit.
Next, appraise the level of work involved in migrating each application. Some applications can either be migrated to the cloud or to software as a service-based applications; for example, moving from Exchange to Office 365. While it may be necessary to use virtualization as a transitional tool for applications needing to be completely rebuilt, the rewriting of these applications needs to start now so inevitable problems and errors can be sorted out; a daunting task, but a great opportunity to improve security and stability, as well as add much needed new features.
Windows Server 2003 upgrade options
Other upgrade options need careful consideration too, such as a complete change of operating system to Linux or UNIX; a move to Windows Server 2008; an upgrade of hardware and software to run Windows Server 2012; or migrating systems to Microsoft Azure.
Changing from Windows to a Unix-based OS won't likely be an option for many as key applications will probably only run on a Windows machine and IT staff would require retraining.
Windows Server 2008 is already out of mainstream support and extended support ends in less than five years, so this upgrade route will just postpone aging hardware and software problems until a later date.
Windows Server 2012 is the latest Microsoft server OS, but it can't run 16-bit Windows-based applications, and 32-bit applications must be run in an emulator. Also, applications operating in kernel mode rather than user mode -- such as security applications, and some system utilities like backup and management agents -- would need to be upgraded.
Organizations opting for cloud services will have no choice but to update legacy software. For example, a Windows Server 2003 installation can't be re-hosted in a Microsoft Azure environment unless it's a 64-bit image, of which the vast majority aren't.
Security controls to use after Windows Server 2003 end of life
Microsoft calculates it takes at least a year for most companies to fully migrate mission critical software. Those who cannot accomplish this easily need to prioritize quickly and decide which mitigation strategy best suits their environment.
Security on W2K3 machines can be improved by deploying Microsoft's Enhanced Mitigation Experience Toolkit 5.2 (EMET), which allows administrators to retroactively apply various security mitigation technologies to selected applications to block attacks that exploit common attack vectors, such as buffer overflows and memory corruption. (Technologies making it more difficult for an attacker to exploit vulnerabilities in a software application are known as mitigation technologies.)
However, the security mitigation technologies EMET uses come with an application compatibility risk. Some applications rely on exactly the same behavior mitigations block, so it's important to thoroughly test EMET on all target computers before deploying it in a production environment. A graphical user interface is used to configure and observe the status of different running processes. This is useful when a process within a suite of applications is not compatible with a particular mitigation technology; simply turn that mitigation off for that process. One the advantages of using EMET is that proprietary in-house software doesn't need to be recompiled in setting various flags to enable both Data Execution Prevention and Mandatory Address Space Layout Randomization -- two important technologies in the battle against zero-day exploits.
Privilege management technology can help prevent new or unwanted programs or code from executing on W2K3 servers, while virtual patching and, if appropriate, a Web application firewall will provide additional layers of defense. Also, have plans in place on how to isolate W2K3 servers in the event of an attack. If you suspect a system has been compromised and want to take an in-depth look at exactly what is running on it, check out ESET's free SysInspector utility.
Migrating legacy software and applications is a time and resource consuming undertaking, but running unsupported software is a big risk as it's an attractive target for hackers; any vulnerabilities they find will remain exploitable.
The move from Windows Server 2003 is an opportunity for enterprises to upgrade servers and software, take advantage of hybrid or public cloud technology, and to benefit from next-generation technologies. Plenty of administrators have already moved on from Windows Server 2003, so profit from their experiences by reading about the challenges, pitfalls and inevitable problems they faced -- and how they solved them -- on the many support forums.
Doing nothing is no longer an option.
About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with over 20 years of experience in the IT industry. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. He was also formerly a Microsoft Certified Database Manager and a registered consultant with the CESG Listed Advisor Scheme (CLAS). Mike has a passion for making IT security best practices easier to understand and achievable. His website offers free security posters to raise employee awareness of the importance of safeguarding company and client data and of following good practices.
Learn about the growing security risk of end-of-life software