Many companies not migrating off of Windows Server 2003 cite cost as the reason; either they can't afford it or they haven't got the budget this year but will later in the year or next year. Whatever the reason, firms that will not make the move by July must protect and harden their servers themselves, especially if they are in a heavily regulated sector governed by rules like SOX, HIPAA, PCI, NERC and others.
If your organization is among those not making the move but looking to limit potential exposure, there are some steps you can take. Mind you, there will eventually come a tipping point where you are spending more money to shore up your antiquated WS2003 servers than it would cost to migrate, so keep that in mind when considering the following:
Restricting and monitoring access to Server 2003 servers: Lock down services and limit access to the physical server, and make sure all logging is turned on to monitor for unusual activity or unauthorized access. "Lock it down and update what you can. Make sure permissions and user access are as limited as possible," said Peter Tsai, content marketing manager with Spiceworks, maker of IT management software.
Be aggressive with backups: You should be very active and aggressive in backing up your data for many reasons, not just because of potential compromise but because WS2003 won't be fixed in any way, and an unpatched bug could cause data loss or corruption. So make sure the server is regularly and thoroughly backed up if it is not already.
"If you have a customer staying on Server 2003 beyond the expiration date, there's no amount of calls to Microsoft you can make to get your problem fixed. So if you don't have a plan for failed hardware or failed OS, you're up a creek. At least a backup solution will allow you to restore from a device in case your others fail," said Jeff Denworth, senior vice president of marketing for CTERA, a cloud storage platform provider that is working with Server 2003 customers to migrate their backup solutions.
Also, be careful with your backup solutions because they may end up costing more than a Server 2003 migration. Denworth notes that Microsoft has a very nice storage appliance called StorSimple, but it costs $40,000. That's a cabinet's worth of servers.
Network isolation: Consider isolating your Server 2003 servers from central services. "Lock down everything as much as possible. Segment those machines from the rest of the network. Cut off any connection to the Internet unless it's absolutely necessary," said Tsai.
The caveat is that isolation will only work in cases where the organization's applications do not need Internet access and/or access to other systems outside of an isolated network. So it will work for isolated departments or teams, but for email, domain, Web and other typical solutions, this method won't work very well.
Application whitelisting: Application whitelisting is a security model that says what apps may run, rather than the blacklisting method that says what apps are not allowed to run. Blacklisting is the method used in antivirus programs, and since blacklisting relies on knowing what the badware is in the first place, it's why your antivirus program updates two or three times a day and is still often behind the bad guys.
Application whitelisting is a very effective method for application control because only the permitted apps can run. By ensuring only trusted software is allowed to run on the server, application whitelisting will lock out zero-day exploits and other malware. However, McMullin notes it can be a problem if the app whitelisting is done by IP addresses and you have a mobile force, since IP addresses will change as they move.
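The difference between the two models shows up when a binary nobody has catalogued tries to run. The following sketch is an added example, not code from the article or from any vendor quoted in it: it models rule precedence in simplified form after Windows Software Restriction Policies (hash rule, then most specific path rule, then default level). The SHA-256 hashing, the D:\LOB directory and all sample binaries are constructed assumptions.

```python
import hashlib
import ntpath

ALLOW, DENY = "Unrestricted", "Disallowed"

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def norm(path):
    # Windows paths are case-insensitive; normpath also collapses "..".
    return ntpath.normcase(ntpath.normpath(path))

class Policy:
    """Simplified model: hash rule > most specific path rule > default level."""
    def __init__(self, default, hash_rules=None, path_rules=None):
        self.default = default
        self.hash_rules = dict(hash_rules or {})
        self.path_rules = {norm(p): lvl for p, lvl in (path_rules or {}).items()}

    def decide(self, path, content):
        digest = sha256(content)
        if digest in self.hash_rules:
            return self.hash_rules[digest], "hash rule"
        target = norm(path)
        hits = [p for p in self.path_rules
                if target == p or target.startswith(p + "\\")]
        if hits:
            best = max(hits, key=len)  # longest prefix = most specific rule
            return self.path_rules[best], "path rule " + best
        return self.default, "default level"

# Constructed sample data: byte strings stand in for executable contents,
# and D:\LOB is a hypothetical line-of-business application directory.
BACKUP_AGENT = b"constructed: approved backup agent"
KNOWN_BAD = b"constructed: sample already on a signature list"
UNKNOWN = b"constructed: binary nobody has catalogued yet"

whitelist = Policy(DENY,
                   hash_rules={sha256(BACKUP_AGENT): ALLOW},
                   path_rules={r"D:\LOB": ALLOW, r"D:\LOB\incoming": DENY})
blacklist = Policy(ALLOW, hash_rules={sha256(KNOWN_BAD): DENY})

def compare(path, content):
    """Return (whitelist verdict, blacklist verdict) for one launch attempt."""
    return whitelist.decide(path, content)[0], blacklist.decide(path, content)[0]

if __name__ == "__main__":
    for name, path, blob in [("unknown", r"C:\Temp\new.exe", UNKNOWN),
                             ("known bad", r"C:\Temp\bad.exe", KNOWN_BAD),
                             ("approved", r"E:\tools\agent.exe", BACKUP_AGENT)]:
        print(name, compare(path, blob))
```

A path rule trusts anything written into that directory, so an allowed directory should not be writable by ordinary users; hash rules avoid that but must be refreshed whenever the approved binary changes.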
Consider cloud backup: A cloud backup service requires no hardware to deploy. You can sign up with a provider and start uploading in five minutes, and you have a sizable number to choose from. But you'd better shop around. Microsoft's Azure Backup Services just changed its pricing and now costs $20 for 1TB per month. Amazon S3 backup costs just three cents for 1TB per month.
Multi-layer security: Back in its day, Windows Server 2003 handled security issues, but security has since moved out of the OS layer and into discrete appliances, said Maurice McMullin, product marketing manager with KEMP Technologies, which does WS2003 migrations. "It would be good practice to have a network firewall and then a network application firewall. So that would mean the security workload is divorced from the server. The server would still have security functions to perform but the heavy lifting would be done by an external device," he said.
Companies such as Check Point, Fortinet and Palo Alto Networks offer complete, unified threat management systems. But Denworth notes that these are high-end systems, and "the cost there is arguably in excess of adequate security wrapped around an up-to-date Microsoft environment."
Get a veteran: At this point, there should be plenty of experienced consultants who can help with the migration, but make sure to check their experience with it. "Find someone who has done it before because you don't want to be a guinea pig for something like this," said McMullin.
Make a plan anyway
Even if you don't have a timeline for migrating off of WS2003, you should still begin preparing for the eventual move and not wait until you have the money to begin planning. That way you have a plan ready for execution when the funds are there. Endpoint security firm Bit9 recommends several steps in the process:
Don't do it alone: A smooth transition to a new platform will require full buy-in and agreement from any and all impacted stakeholders. That means not just the IT department, but the business units impacted and the budgeting finance team.
Dedicate time for project scoping: The average migration project will take over 200 days to implement, from assessment, to migration, to debugging. You're not just copying files; there is much more to the migration. So find the potential pitfalls early on and don't get tripped up during the migration.
Work within your budget: If you are not making the move for financial reasons, then you likely already have a good idea of your finances. You will need a clear picture of potential project risks, costs and buy-in for the necessary human resource requirements.
Set a realistic timeline: As said above, a migration takes on average 200 days. Some can be worse, others easier. Rushing will only make a mess. It will lead to mistakes, cost overruns and resource misallocation.