It’s the end of Windows Server 2003 as we know it. Do you feel fine? asks Johna Till Johnson
Unless you’ve been living under a server rack for the past three years, you’ll be aware that on 14 July Windows Server 2003 reaches its end-of-life. Microsoft will no longer provide general support, bug fixes, or security patches for the OS. The company will no longer even report on security flaws in WS 2003, and will cease to update or support the endpoint security tools offered for it.If you’re among the estimated near two-thirds of organizations (according to App Zero) that still have WS 2003 in your enterprise, it’s not too late to take action. You have more options than you may realize, but it’s imperative to tackle the problem now.There are three main issues that will hit on 15 July. First is security; unsupported WS 2003 machines will create a huge vulnerability in your enterprise. As of early June, there have been 25 documented WS 2003 vulnerabilities in 2015, compared with 26 in total in 2014. These range from denial of service (DoS) vulnerabilities to buffer overflow to code-execution issues. So far, they’ve been patched, but that’s not going to happen going forward.And hackers know it: they’re already going into high gear locating vulnerable servers.
“We’ve seen an uptick in scans, of hackers trying to take inventory to find out who’s running these systems,” says Chris Strand, senior director of compliance and governance at endpoint and server security firm Bit9 + Carbon Black. So the chances are extremely high that your systems will be hit in the 30 days immediately post end-of-life.
But it gets worse. The second major issue is compliance. Virtually every organization is subject to regulation – such as PCI, HIPAA, or Dodd-Frank – and most regulations require vulnerabilities to be patched within 30 days of discovery, something that’s not possible if patch updates aren’t happening.
“We’ve seen an uptick in scans, of hackers trying to take inventory to find out who’s running these systems”Chris Strand, Bit9 + Carbon Black
Moreover, if an organization is running outdated or unsupported software, it can be subject to additional fines and penalties. So regardless of whether your systems are actually compromised, you’ll fail your next compliance audit.
Finally, there’s the issue of cost. The cost of supporting an obsolete OS is high and will keep on rising, based on everything from the extra work required to keep the system running to the outmoded hardware it’s likely running on. And for enterprises large enough to negotiate a custom support agreement (CSA) with Microsoft, fees can be exorbitant, starting at $1500 per server per year, and compounding annually. (And note that CSAs are only available to organizations that already have a remediation plan in place).
Supporting the WS 2003 operating environment will continue to be a slow drain on your resources, consuming time and effort you could have devoted to something else. The bottom line is that inaction is both dangerous and expensive. This is one deadline you can’t afford to ignore.
What’s The Plan, Stan?
There are several remediation strategies for the WS 2003 end-of-life issues. The most obvious fix is to migrate applications off it. But to where? One option, of course, is to migrate to later OSs, most likely WS 2012.
read the suggested solutions and other further copy here.