Microsoft will officially end support for Windows Server 2003 on July 14, 2015. While many firms are working to migrate their applications and data off aging servers as quickly as possible, a fair number are not migrating for a variety of reasons including the financial cost.
Microsoft is not just ending Windows Server 2003 support, it is also ending support for System Center Endpoint Protection or Forefront Endpoint Protection on Windows Server 2003. Microsoft intends to stop sending updates to anti-malware definitions and the engine for Windows Server 2003. Microsoft said "we have found in our research that the effectiveness of anti-malware solutions on out-of-support operating systems is limited."
Just how many companies will this affect? Bit9, an endpoint security firm, estimates that there are currently nine million Windows Server 2003 installations worldwide, and about 2.7 million of them will still be deployed come July 14, meaning there will be 2.7 million unprotected servers on July 15 vulnerable to zero-day exploits.
Moreover, of the companies surveyed by Spiceworks that hadn't fully migrated yet, some plan to finish their migration in the next six to 12 months (12%), some beyond the next 12 months (3%), and some don't know if or when they will be done (10%).
"One of the top barriers to migration is the fact there is no immediate need, because if it's not broken don't fix it. There is some complacency there and people aren't paying attention to the risk. Some assume that they are behind a firewall and think since no one can get into their network they have a false sense of security," said Peter Tsai, content marketing manager with Spiceworks.
For firms that will not make the move by July, it falls on them to protect and harden their servers, especially if they are in a heavily regulated sector governed by rules like SOX, HIPAA, PCI, NERC and others. Then they face even greater challenges, because they will be on the hook for security breaches and data losses, and the government is likely to take a dim view of a company that didn't upgrade an obsolete server operating system because it couldn't afford it.
Microsoft won't completely ignore WS2003; it will still offer extended support for a hefty fee, much more than your current service contracts. Extended support is priced at $600 per server for the first year and increases after that. With dozens or hundreds of servers in a company, that can run up into the six figures, at which point it would be cheaper to buy new servers with Server 2012 R2 on them. For that reason, Microsoft is actively encouraging migration and offering tools to help with the task.
The risk is not limited to the OS itself. With so much infrastructure built on Windows Server, databases, middleware, applications and other sensitive information can all be compromised by a single unpatched vulnerability. Windows Server 2003 doesn't have the compartmentalization of the later versions, so once an intruder gains access to the OS, they will pretty much have free rein to move around the system unrestricted.
Implications of not migrating off of Windows Server 2003
Failure to upgrade your systems can have a variety of consequences:
Hardware ills: If you are running Windows Server 2003, chances are very good that hardware is a decade old or older, which means it is long out of support from the vendor and also well past its recommended operational life. You run the risk of high failure rate, which could mean lost data, and good luck getting replacement parts. "A lot of people we know buy parts off eBay," said Tsai.
Operational costs: If you are running an eight- to 12-year-old server, then it's an old 32-bit server with barely any power management at all. Server vendors didn't get the power management religion until a few years later. Those old servers are inefficient and likely unvirtualized, and running at very low utilization. So in addition to being vulnerable they are also highly undesirable.
No compliance: Once support ends, your organization will likely fail to meet industry compliance standards such as HIPAA, PCI, SOX and Dodd-Frank, just to name a few. People in fields impacted by this regulation will likely shut you out and refuse interconnections.
Software compatibility issues: As mentioned previously, Windows Server 2003 is a 32-bit OS, and virtually everything is 64-bit now, from device drivers to apps. Companies are abandoning 32-bit apps for 64-bit apps. So don't expect to update your old apps.
Data breaches: All one needs to do is look at what the Home Depot and Target breaches did to those companies. That should be motivation enough to migrate. But those firms were big enough to recover. A smaller company might not be.
Apps are also affected
Microsoft is ending support for Windows Server, but the apps running on the server are just as much at risk. Maurice McMullin, product marketing manager with KEMP Technologies, which does WS2003 migrations, said there are two major risks to apps: the app may no longer be maintained by its developer, and the company may or may not have the resources in house to maintain it.
"That creates a risk in and of itself. If the app falls over, who's there to support it? The implications are if they don't migrate, they are exposed on the app side and may not have the resources to fix it. The other thing is from external risks that may be discovered after support ends," he said.
Develop a plan anyway
Many companies not making the migration cite cost as the reason; either they can't afford it or they haven't got the budget this year but will later in the year or next year. If you are in such a scenario, you should still begin preparing for the eventual move and not wait until you have the money to begin planning. That way you have a plan ready for execution when the funds are there. Bit9 recommends several steps in the process:
Don't do it alone: A smooth transition to a new platform will require full buy-in and agreement from any and all impacted stakeholders. That means not just the IT department, but the business units impacted and the budgeting finance team.
Dedicate time for project scoping: The average migration project will take over 200 days to implement, from assessment, to migration, to debugging. You're not just copying files; there is much more to the migration. So find the potential pitfalls early on so you don't get tripped up during the migration.
Work within your budget: If you are not making the move for financial reasons, then you likely already have a good idea of your finances. You will need a clear picture of potential project risks, costs and buy-in for the necessary human resource requirements.
Set a realistic timeline: As said above, a migration takes on average 200 days. Some can be worse, others easier. Rushing will only make a mess. It will lead to mistakes, cost overruns and resource misallocation.
For organizations not making the move but cognizant of the potential exposure, there are some steps you can take. Mind you, there will eventually come a tipping point where you are spending more money to shore up your antiquated WS2003 servers than it would cost to migrate, so keep that in mind when considering the following:
Restricting and monitoring access to Server 2003 servers
Lock down services and limit access to the physical server, and make sure all logging is turned on to monitor for unusual activity or unauthorized access. "Lock it down and update what you can. Make sure permissions and user access is as limited as possible," said Tsai.
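The monitoring advice above is only useful if someone actually reads the logs. The following is an added example, not code from the article or from any vendor quoted in it: it walks a constructed export of Windows Server 2003 security events (the pre-Vista event IDs 529 for a failed logon, 528/540 for a successful logon and 636 for a member added to a security-enabled global group are assumed here) and flags a burst of failed logons followed by a success or a group change from the same account and workstation.

```python
"""Added example (not from the article): flag suspicious logon activity in a
Windows Server 2003 security log export. Event IDs are the pre-Vista ones
(529 = failed logon, 528/540 = successful logon, 636 = member added to a
security-enabled global group); the log lines below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: timestamp, event ID, account, source workstation
SAMPLE_LOG = """\
2015-07-15 02:10:01,529,administrator,WS-LOBBY
2015-07-15 02:10:03,529,administrator,WS-LOBBY
2015-07-15 02:10:05,529,administrator,WS-LOBBY
2015-07-15 02:10:07,529,administrator,WS-LOBBY
2015-07-15 02:10:09,529,administrator,WS-LOBBY
2015-07-15 02:10:12,540,administrator,WS-LOBBY
2015-07-15 02:11:30,636,administrator,WS-LOBBY
2015-07-15 09:00:00,529,jsmith,WS-ACCT01
2015-07-15 09:00:20,528,jsmith,WS-ACCT01
"""

FAILED_LOGON = "529"
SUCCESS_LOGON = {"528", "540"}
GROUP_CHANGE = "636"
THRESHOLD = 5                   # failures within WINDOW that trigger an alert
WINDOW = timedelta(minutes=5)

def parse(text):
    """Yield (timestamp, event_id, account, source) for each export line."""
    for line in text.splitlines():
        ts, event_id, account, source = line.split(",")
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event_id, account.lower(), source

def find_suspicious(text):
    """Return alert strings. A burst of failures from one (account, source)
    pair is reported once; a later success or group change from that pair
    is escalated because it may mean the guessing worked."""
    alerts, failures, bursts = [], defaultdict(list), set()
    for ts, event_id, account, source in parse(text):
        key = (account, source)
        if event_id == FAILED_LOGON:
            recent = [t for t in failures[key] if ts - t <= WINDOW] + [ts]
            failures[key] = recent
            if len(recent) >= THRESHOLD and key not in bursts:
                bursts.add(key)
                alerts.append(f"burst: {len(recent)} failed logons for {account} from {source}")
        elif event_id in SUCCESS_LOGON and key in bursts:
            alerts.append(f"success after burst: {account} from {source} at {ts:%H:%M:%S}")
        elif event_id == GROUP_CHANGE and key in bursts:
            alerts.append(f"group change after burst: {account} from {source}")
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(alert)
```

A single failed logon for jsmith followed by a success is ordinary user behaviour and produces no alert; the administrator sequence produces three.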
Be aggressive with backups
You should be very active and aggressive in backing up your data for many reasons, not just because of potential compromise, but simply the fact that WS2003 won't be fixed in any way, and an unpatched bug could cause data loss or corruption. So make sure the server is regularly and thoroughly backed up if it is not already.
"If you have a customer staying on Server 2003 beyond the expiration date, there's no amount of calls to Microsoft you can make to get your problem fixed. So if you don't have a plan for failed hardware or failed OS, you're up a creek. At least a backup solution will allow you to restore from a device in case your others fail," said Jeff Denworth, senior vice president of marketing for CTERA, a cloud storage platform provider that is working with Server 2003 customers to migrate their backup solutions.
Also, be careful with your backup solutions because they may end up costing more than a Server 2003 migration. Denworth notes that Microsoft has a very nice storage appliance called StorSimple, but it costs $40,000. That's a cabinet's worth of servers.
Consider isolating your Server 2003 servers from central services. "Lock down everything as much as possible. Segment those machines from the rest of the network. Cut off any connection to the Internet unless it's absolutely necessary," said Tsai.
The caveat is that this approach only works where the organization's applications do not need Internet access or access to other systems outside the isolated network. So it will work for isolated departments or teams, but for email, domain, Web and other typical workloads, this method won't work very well.
Application whitelisting is a security model that says which apps may run, rather than the blacklisting method that says which apps are not allowed to run. Blacklisting is the method used in antivirus programs, and since blacklisting relies on knowing what the badware is in the first place, that is why your antivirus program updates two or three times a day and is still often behind the bad guys.
Application whitelisting is a very effective method for application control because only the permitted apps can run. By ensuring only trusted software is allowed to run on the server, application whitelisting will lock out zero-day exploits and other malware. However, McMullin notes that whitelisting can be a problem if it is done by IP address and you have a mobile workforce, since IP addresses will change as people move.
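The difference between the two models is easiest to see side by side. This is an added example, not code from the article or from any product it mentions: a hash allow-list built from the server's known-good binaries next to a signature block-list, run over constructed in-memory "files" so the never-before-seen payload and the tampered copy of an approved binary show where each model decides differently.

```python
"""Added example (not from the article): why a hash allow-list blocks an
unknown or tampered binary that a signature block-list lets through.
All file contents and names below are constructed for illustration."""
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed "binaries" representing the approved software on the server.
KNOWN_GOOD = {
    "inetinfo.exe": b"IIS worker, approved build",
    "sqlservr.exe": b"SQL Server, approved build",
}
# Allow-list: hashes of the approved binaries, taken when the server was baselined.
ALLOW_LIST = {sha256(data) for data in KNOWN_GOOD.values()}
# Block-list: hashes of malware the AV vendor already has a signature for.
BLOCK_LIST = {sha256(b"old worm, signature shipped last year")}

def whitelist_allows(data: bytes) -> bool:
    """Whitelisting: run only if the hash matches an approved binary."""
    return sha256(data) in ALLOW_LIST

def blacklist_allows(data: bytes) -> bool:
    """Blacklisting: run unless the hash matches a known-bad signature."""
    return sha256(data) not in BLOCK_LIST

def compare(candidates: dict) -> dict:
    """Return {name: (whitelist decision, blacklist decision)} for each file."""
    return {name: (whitelist_allows(d), blacklist_allows(d)) for name, d in candidates.items()}

# Constructed candidates, including the two cases the article is about:
# a payload with no signature yet (zero-day) and a modified approved binary.
CANDIDATES = {
    **KNOWN_GOOD,
    "old_worm.exe": b"old worm, signature shipped last year",
    "dropper.exe": b"brand-new payload, no signature yet",
    "inetinfo.exe (tampered)": b"IIS worker, approved build" + b"\x90",
}

if __name__ == "__main__":
    for name, (wl, bl) in compare(CANDIDATES).items():
        print(f"{name:28} whitelist={'run' if wl else 'BLOCK':5} blacklist={'run' if bl else 'BLOCK'}")
```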
Consider cloud backup
A cloud backup service requires no hardware to deploy. You can sign up with a provider and start uploading in five minutes and you have a sizable number to choose from. But you better shop around. Microsoft's Azure Backup Services just changed its pricing and now costs $20 for 1TB per month. Amazon S3 backup costs just three cents for 1TB per month.
Back in its day, Windows Server 2003 handled security issues, but security has since moved out of the OS layer and into discrete appliances, said McMullin. "It would be good practice to have a network firewall and then a network application firewall. So that would mean the security workload is divorced from the server. The server would still have security functions to perform but the heavy lifting would be done by an external device," he said.
Companies such as Check Point, Fortinet and Palo Alto Networks offer complete, unified threat management systems. But Denworth notes that these are high-end systems, and "the cost there is arguably in excess of adequate security wrapped around an up-to-date Microsoft environment."
Get a veteran
At this point, there should be plenty of experienced consultants who can help with the migration, but make sure to check their experience at this. "Find someone who has done it before because you don't want to be a guinea pig for something like this," said McMullin.
Microsoft is abandoning the OS but not the people who use it. It has prepared an entire site for Windows Server 2003 End of Service, all of which is dedicated to helping you plan your migration. Microsoft lays this out in a four-step migration process, which involves:
Discover: Discover and catalogue all the software and workloads that are running on Windows Server 2003/R2 at present. The site has a Microsoft Assessment and Planning toolkit you can download, which works with System Center to examine your infrastructure and identify all of the servers and apps running on them.
Assess: Now that you have a list of servers and apps, it's time to categorize your apps and workloads by type, importance and complexity. This could mean having to rearchitect your infrastructure around Windows Server 2012 and System Center 2012, which have changed radically since Server 2003. It also means reimaging your Active Directory, network infrastructure and file server/storage options.
Target: This is where you choose the destination for each application and workload. Because of the variety of apps and workloads, Microsoft offers a number of free software trials to test out your apps and workloads. They include:
Windows Server 2012 R2
System Center 2012 R2
Microsoft Azure
SQL Server 2014
Office 365
All come with 30-day free trials. "Those trials are really important. Use those 30 days to work on compatibility with all the apps, and make sure that when it's in your test environment that everything is stable and meets your needs," said Tsai.
Migrate: This is where you build a migration plan, either to do on your own or with a partner. AppZero is probably the best-known of the Server 2003 migration consultancies and has a working agreement with Microsoft. There are other companies and services firms, like HP's services group, formerly EDS. Microsoft offers a Migration Planning Assistant which covers all four steps and has official training courses to help you with the migration.
Other Microsoft resources
Microsoft Virtual Academy: A massive collection of free study resources from Microsoft MVPs and other experts, including videos, slide decks and self-assessments. There are whole sections on migrating to Windows Server 2012 and Azure.
Windows Server 2003 Roles Migration Process: This is a very large printable poster that you can stick on a wall and use it to visualize and track the whole process.
Microsoft Deployment Toolkit: This is a collection of processes and practices, assistance tools and guidance for automating new desktop and server deployments.