Threats and solutions to the end of Windows Server 2003 support
June 22nd, 2015
Generally, you haven’t moved away from Windows Server 2003 because a critical and extremely complex piece of internal software relies on it, or due to budget constraints. There are a few other reasons, but chances are that you are simply being negligent and putting your business at risk for the sake of saving a few £s. If you are ignoring the end-of-support warning due to financial concerns, then you are playing a dangerous game. In fact, if you are unfortunate, a savage enough attack could cripple your business or even put it under – and that’s not scare-mongering.
You will notice a few security vendors stating that they can protect you whilst you still run Windows Server 2003, but generally, this isn’t really the case as the weak link often comes in a process or a person. Also, if they were all so good we wouldn’t have any viruses or exploits, would we?
So, if you are in a difficult situation, where do the real threats lie?
- The server faces the Internet directly, e.g. many hosting companies give a customer a server with a live (public) Internet IP address on it, and the customer then installs a software firewall on top of the Windows Server 2003 operating system.
- The server indirectly faces the Internet, i.e. it’s connected through some sort of physical/virtual firewall and is acting as a web server, client portal, FTP server, etc. Even if the firewall has advanced intrusion prevention, the risk is significant.
- The server is not accessed from the outside world but initiates communications, e.g. it is a Terminal Server/Citrix server, proxy server, etc. The threat comes from the server hitting a website carrying malicious code, which fires an exploit that compromises the server and the LAN/WAN it sits on.
- The server sits on an open LAN with other network devices, such as PCs, laptops and other servers. Although these other machines may not be infectable themselves, they can still potentially pass on ‘an infection’ to an unprotected Windows Server 2003 server.
- The server has other devices plugged into it at times, e.g. USB storage devices. The risks are lower here but still real.
There are other risks but these are the main ones and the most significant. Over the coming months, the risks to Windows Server 2003 are going to be pretty large as hackers and the like hold back exploits until the support ends. The flames will burn brightly for say 6-9 months and then slowly taper off as the easy prey has been picked off and the bandits look for new pickings.
If you have left it too late to switch from Windows Server 2003 then what are the key things you can do to protect your environment?
- Don’t connect it to the Internet directly or indirectly.
- Segregate it from the normal LAN via a VLAN and/or a firewall device.
- Make sure any connections to it from the internal network pass through an intrusion prevention firewall.
- Don’t plug any external devices into it.
- Plan to migrate services from Windows Server 2003.
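As an added example (not part of the original post), the isolation checklist above expressed as a small flow-log audit: given a capture of connections involving the legacy server, it flags the exposures from the earlier threat list (direct Internet exposure, server-initiated Internet traffic, same-segment peers that bypass the IPS firewall, unapproved ports). The addresses, the allowed ports, and the assumption that the IPS firewall is the only route into the server’s VLAN are constructed for the example.

```python
"""Classify captured flows involving a legacy Windows Server 2003 host against
the isolation policy: no Internet in either direction, no same-segment peers
(everything else must reach it through the IPS firewall), only approved ports.
All addresses below are constructed for the example."""
import ipaddress
from dataclasses import dataclass

LEGACY_SERVER = ipaddress.ip_address("10.20.3.10")   # the isolated Server 2003 host
LEGACY_VLAN = ipaddress.ip_network("10.20.3.0/24")   # its dedicated VLAN
IPS_GATEWAY = ipaddress.ip_address("10.20.3.1")      # the IPS firewall's leg in that VLAN
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
ALLOWED_INBOUND_PORTS = {3389, 445}                  # e.g. RDP and file shares only

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def is_internal(addr):
    return any(addr in net for net in INTERNAL)

def classify(flow: Flow) -> str:
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if src == LEGACY_SERVER:                         # server-initiated traffic
        if not is_internal(dst):
            return "violation: server initiated Internet connection"
        return "review: server-initiated internal connection"
    if dst == LEGACY_SERVER:                         # inbound traffic
        if not is_internal(src):
            return "violation: direct Internet exposure"
        if src in LEGACY_VLAN and src != IPS_GATEWAY:
            return "violation: same-segment peer bypasses IPS"
        if flow.dport not in ALLOWED_INBOUND_PORTS:
            return f"violation: port {flow.dport} not on allow-list"
        return "allowed: internal via IPS firewall"
    return "unrelated"

def audit(flows):
    """Return only the flows that break the isolation policy."""
    return [(f, v) for f in flows if (v := classify(f)).startswith("violation")]

# Constructed sample flows, as they might appear in a firewall or NetFlow export.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "10.20.3.10", 3389),   # inbound from the Internet
    Flow("10.20.3.10", "198.51.100.20", 80),   # server browsing out to the Internet
    Flow("10.20.3.55", "10.20.3.10", 445),     # a PC left on the legacy VLAN
    Flow("10.1.8.23", "10.20.3.10", 3389),     # office PC via the IPS firewall
    Flow("10.1.8.23", "10.20.3.10", 23),       # telnet, not on the allow-list
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {verdict}")
```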
The important thing is to plan to protect these services as soon as possible, then get your migration plan ready. Depending on the size of your environment, it’s unlikely to be a straightforward task, so you should probably start planning now or bring in a consultant quickly. You need to take a number of factors into account as a bare minimum. Here are a few generic ones to get you thinking about the implications.
The implications
- Will your existing hardware support new operating systems and/or software?
- Do your IT staff need training to roll-out and manage the new operating systems and/or software?
- How will you overcome any compatibility issues?
- Will your other applications work on the new operating systems and/or software?
- Will your 3rd party application vendors support their applications on a new platform?
- How long will it take to test everything?
- Will you need to train other employees to use the new operating systems and/or software?
- What resource will you need to roll out the new operating systems and/or software?
- How long will it take to roll the new software out?
- What are your other options? Could you go thin-client? Could you go to the cloud?
- What do you need to budget for?
If you’ve been avoiding a move due to expense then remember that everything can be turned into an OpEx. This does help financing and budgeting immensely. You can go for a fully managed cloud, your own private cloud, or simply replace servers and software in-house. You can also finance development work and consultancy and wrap it into a monthly payment.
Running Windows Server 2003 past the end of support will likely leave you open to regulatory issues. It will also leave you open to a lot of issues from an insurance perspective should a breach happen. Also, how about the embarrassment of your breach in the press? I know I’ve been quite strong in my views here, but this has been on the radar for years; there is no excuse.
Not taking action now is simply like knowing the spare bedroom window won’t close properly. Chances are at some point someone’s coming through it.
Robert Rutherford – CEO of QuoStar