Endpoint security firm Bit9 estimates that there are currently nine million Windows Server 2003 installations worldwide, and about 2.7 million of them will still be deployed on July 14 when Microsoft officially ends support, meaning there will be 2.7 million unprotected servers on July 15 vulnerable to zero-day exploits.
Moreover, companies surveyed by Spiceworks that weren't fully migrated yet plan to finish their migration in the next six to 12 months (12%), beyond the next 12 months (3%), or don't know if or when they will be done (10%).
Microsoft is not just ending Windows Server 2003 support; it is also ending support for System Center Endpoint Protection or Forefront Endpoint Protection on Windows Server 2003. Microsoft intends to stop sending updates to anti-malware definitions and the engine for Windows Server 2003. Microsoft said "we have found in our research that the effectiveness of anti-malware solutions on out-of-support operating systems is limited."
For firms that will not make the move by July, it falls on them to protect and harden their servers, especially if they are in a heavily regulated sector governed by rules like SOX, HIPAA, PCI, NERC and others. Then they face even greater challenges, because they will be on the hook for security breaches and data losses, and the government is likely to take a dim view of a company that didn't upgrade an obsolete server operating system because it couldn't afford it.
The risk is not limited to the OS itself. With so much infrastructure built on Windows Server, databases, middleware, applications and other sensitive data can all be compromised by a single unpatched vulnerability. Windows Server 2003 doesn't have the compartmentalization of the later versions, so once an intruder gains access to the OS, they will pretty much have free rein to move around the system unrestricted.
And the apps running on the server are just as much at risk. Maurice McMullin, product marketing manager with KEMP Technologies, which does WS2003 migrations, said there are two major risks to apps: the app may no longer be maintained by its developer, and the company may or may not have the resources in house to maintain it.
"That creates a risk in and of itself. If the app falls over, who's there to support it? The implications are if they don't migrate, they are exposed on the app side and may not have the resources to fix it. The other thing is from external risks that may be discovered after support ends," he said.