CISOs have learned to resist the siren call of vendors when they issue new versions of software, understanding that added capabilities have to be needed to justify the expense.
However, there’s a point when venerable applications have to be cast aside. Yet it appears that organizations are still taking chances by running servers on Windows Server 2003, although Microsoft will stop issuing security patches next week.
In April, integration firm Avanade — which is partly owned by Microsoft — issued a study showing that half of Canadian firms still had at least one server running the OS, and there’s no reason to believe that number is in single digits now.
That doesn’t mean they are running critical systems in production, but it’s still a risk.
So here’s a reminder: The last critical security patches will be issued July 14. Do something, because every day after that the odds increase an attacker will take advantage of vulnerabilities — as they did when support ended for Windows XP.
“There’s not going to be an immediate risk,” Karl Sigler, threat intelligence manager, Trustwave said in an interview Wednesday. But, he added, “it’s going to be a slow crawl towards insecurity. Every month that goes by where critical vulnerabilities are discovered they are going to go unpatched.”
Microsoft [Nasdaq: MSFT] will continue support for the OS — for a fee: US$600 per server in the first year.
There are at least three things CISOs should do, Sigler advises, if there are still WinServer 2003 systems in their environments:
–upgrade to Windows Server 2012 R2;
–upgrade to WinServer 2008 — remembering that support ends in five years;
–segregate WinServer 2003 machines onto their own network, and make sure traffic going to those systems is being monitored and filtered by an IPS or gateway.
Other options include shifting workloads to virtualized environments running a newer server OS or to a cloud/hosted provider, or dropping older applications in favour of a SaaS app.
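Before any of those options can be weighed, the remaining Windows Server 2003 hosts have to be found. The following is an added example, not from the article or from Trustwave, Avanade or IDC; it assumes a domain-joined environment with the RSAT ActiveDirectory module and read access to computer objects, and produces an inventory that separates live machines from stale accounts:

```powershell
# Added example (not from the article): inventory domain-joined Windows Server 2003
# hosts through Active Directory so none are "lost in the shuffle". Assumes the RSAT
# ActiveDirectory module is installed and the caller can read computer objects.
Import-Module ActiveDirectory

# Windows Server 2003 (including R2) registers OS version 5.2 (3790) in its computer object;
# the wildcard on the name catches both editions and any service-pack suffix.
$legacy = Get-ADComputer -Filter 'OperatingSystem -like "Windows Server 2003*"' `
    -Properties OperatingSystem, OperatingSystemVersion, OperatingSystemServicePack, LastLogonDate, Enabled

# Hosts that authenticated to the domain in the last 30 days are live and should be
# segmented or migrated first; the rest are candidates for decommissioning.
$cutoff = (Get-Date).AddDays(-30)
$report = $legacy | ForEach-Object {
    [PSCustomObject]@{
        Name         = $_.Name
        OS           = "$($_.OperatingSystem) $($_.OperatingSystemServicePack)".Trim()
        Version      = $_.OperatingSystemVersion
        Enabled      = $_.Enabled
        LastLogon    = $_.LastLogonDate
        ActiveLast30 = ($_.LastLogonDate -gt $cutoff)
    }
}

# Live systems first, then alphabetical; export the same list for the risk register.
$report | Sort-Object -Property @{Expression = 'ActiveLast30'; Descending = $true}, Name |
    Format-Table -AutoSize
$report | Export-Csv -Path .\winserver2003-inventory.csv -NoTypeInformation
```

LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which can lag real activity by up to two weeks, so treat a recent value as proof of life but an old one only as a lead to verify before decommissioning.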
In a report sponsored by Microsoft, research firm IDC noted that moving to a more recent version of Windows Server will allow IT to take advantage of IPv6, modern virtualization software with Hyper-V, comprehensive management with System Center 2012 R2, and improved product SKU options that help make it easier to deploy and manage Windows Server. In addition, customers can take advantage of newer Windows licensing terms, including gaining access to datacenter SKUs, which give customers per-socket licensing terms/costs in exchange for unlimited virtualization rights.
Interestingly, Sigler believes a WinServer 2003 installation is more likely to still be online at larger firms than at smaller ones, because “server sprawl gets out of hand … a lot of systems get lost in the shuffle.”
It’s true that smaller firms have tighter IT budgets and might want to keep systems going as long as possible. But Sigler believes these organizations have a better handle on their systems, and so are less likely to be running an older OS.