Windows Server 2003 and Windows Server 2003 R2 reach the end of their extended support on July 14, 2015. Windows Server 2003 is the equivalent of Windows XP in the server world; industry experts estimate that there are more than 10 million machines still running Windows Server 2003, with many of them using mission-critical services. Although the date has been heavily flagged by Microsoft, many organizations have no plans in place to prepare for Windows Server 2003 end of life. If something doesn't change, it will be déjà vu, the last minute scramble to migrate from XP repeating itself all over again.
In this tip, I will discuss the security issues that are likely to ensue after Windows Server 2003's end-of-life date, as well as the upgrade options enterprises have and why the time to start the transition is now.
Windows Server 2003 security: A problem waiting to happen
Once extended support for Windows Server 2003 ends, new security issues won't be fixed by Microsoft. This will leave machines vulnerable to attack; there are already several known serious vulnerabilities in Windows XP that will never be patched. This situation presents not only a huge security risk, but also a compliance nightmare as running end-of-life software is seen as a control failure by most compliance and regulatory standards.
To avoid such a scenario, IT administrators must begin the task of phasing out Windows Server 2003 now. However, it will be a more complicated process than it was for Windows XP, and there are choices that must be made that will affect infrastructure strategies for the foreseeable future.
It is also critical to note that organizations using hosted services will have no choice but to update their legacy software by next year, as providers will ultimately force them to upgrade from Windows Server 2003 so that they can continue to provide the support and security promised in their service-level agreements.
Upgrading Windows Server 2003: What's next?
Enterprises have a couple of upgrade options when it comes to retiring Windows Server 2003. They could completely change their operating systems to Linux or Unix, upgrade to Windows Server 2008 or upgrade their hardware and software to run Windows Server 2012.
Changing from Windows to a Unix-based OS won't realistically be an option for many enterprises, as their key applications will only run on a Windows machine. If all things were equal, Unix would be a preferable selection as it eliminates expensive Windows license fees and most versions are considered more secure than Windows platforms. But since application compatibility and a lack of in-house skills are likely the overriding issues, Unix won't be an option for most companies.
While Windows Server 2012 is the latest Microsoft server OS, it can't run 16-bit Windows-based applications, and 32-bit applications must be run in an emulator, making this option also unattractive because of compatibility issues. Enterprises already running 64-bit applications on Windows Server 2003 x64 Edition should consider upgrading their hardware and moving straight to Windows Server 2012.
This leaves Windows Server 2008 as the obvious choice for most enterprises. But, since Windows Server 2003 servers are likely to be running on old hardware, this upgrade route -- while cheaper short-term -- will probably just delay legacy hardware and software issues to a later date as both will need replacing prior to 2020 when Windows Server 2008 reaches the end of its extended support period.
Starting points: Preparing for the upgrade
Many Windows Server 2003 servers contain a complex bespoke build that run applications originally developed for a 32-bit operating system, so the migration tools used for the XP upgrade will be of less use for the Windows Server 2003 upgrade. So what should organizations do to prepare?
First, the rewriting of old applications needs to start now so the inevitable problems and errors can be sorted out. While it's a daunting task, it is also a great opportunity to not only improve security and stability, but also add much-needed new features to enterprise systems. Organizations should also contact vendors now regarding 64-bit versions of key application software. If vendors have no plans to offer application upgrades, it's time to start searching for replacements. Legacy software is always an attractive target for hackers, particularly if it is no longer supported by the original vendor. Rewriting applications and upgrading licenses and hardware may be complex, time-consuming and costly, but vulnerable systems and data could ultimately be even more expensive.
Those enterprises that cannot migrate before Windows Server 2003 end of life need to prioritize quickly and make a decision on which mitigation strategy best suits their environment. Security on Windows Server 2003 machines can be improved by deploying Microsoft's Enhanced Mitigation Experience Toolkit 4.0 (EMET), which allows administrators to apply a variety of mitigation technologies to applications and processes that don't use them natively. Additionally, enterprises should always use a network or host-based intrusion prevention system andmove services off to newer servers wherever possible.
As July 2015 approaches and there are still Windows Server 2003 servers running on the network, organizations must have plans ready to isolate them in the event of an attack. In most instances, administrators will be on their own when it comes to solving any problems. Microsoft will offer extended support, but it's an expense most enterprises won't want to incur. A privilege management product could help prevent new or unwanted programs or code from executing while virtual patching. A Web application firewall will also provide extra layers of defense when needed.
Running a secure IT infrastructure and meeting both legal and regulatory requirements will cost time and money. Enterprises can avoid wasting precious resources trying to protect old hardware and software by investing instead on planning server migration and upgrades. With enough lead time, migration can be done with the minimum of disruption to the business. This avoids the risk of a last-minute, frantic and problem-riddled migration, and will ensure continuity of service, support and security.
Don't let the fear of upgrading paralyze you; it's unlikely that your problem will be entirely unique. Plenty of administrators have already moved on from Windows Server 2003, so benefit from their experiences by reading about their challenges, pitfalls and inevitable problems -- and how they solved them -- on the many support forums out there.
Doing nothing is not an option. Enterprises must start planning their migration strategies now so as to avoid making hasty decisions once the reality of unsupported software has already disrupted operations.
About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with over 20 years of experience in the IT industry. He has a passion for making IT security best practices easier to understand and achievable. His website http://www.hairyitdog.com offers free security posters to raise employee awareness of the importance of safeguarding company and client data and of following good practices. He co-authored the book IIS Security and has written many technical articles for leading IT publications. Mike has also been a Microsoft Certified Database Manager and registered consultant with the CESG Listed Advisor Scheme (CLAS).