There are 110 days left until July 14, 2015, the day Microsoft will end support for Windows Server 2003 (WS2K3).
Be honest with me for a second. Did you actually know that date? You’re probably not alone if you didn’t. It appears that many IT professionals do not. It also appears that many organizations—with a total of about 9 million servers—are still running WS2K3. That’s a very big problem.
Servers, including domain controllers and Web servers, are where most organizations’ critical information resides. So, if organizations continue to run Windows Server 2003 after July 14, without implementing appropriate compensating controls, they are putting customer records, trade secrets, and other highly valuable data at risk. Cyber criminals, hacktivists and nation-states prey on unprotected servers, leaving enterprises exposed to potentially catastrophic breaches that can lead to lawsuits, regulatory fines and loss of customer trust.
What happens after July 14? According to Microsoft: “After July 14, Microsoft will no longer issue security updates for any version of Windows Server 2003. If you are still running Windows Server 2003 in your datacenter, you need to take steps now to plan and execute a migration strategy to protect your infrastructure.”
This deadline must be taken seriously. However, based on the results of a recent survey conducted by Bit9 + Carbon Black, many organizations are not.
From the “Windows Server 2003 (WS2K3) End-of-Life Survey,” two key results jumped out at me:
1 – Nearly one in three enterprises (30 percent) plan to continue to run WS2K3 after the July 14 deadline, leaving an estimated 2.7 million servers unprotected
My first thought when I saw that result come in was: “Wow, that’s a lot.”
But why is that important? Continued operation of unsecured WS2K3 systems can leave organizations exposed to “zero-day forever scenarios”—where new zero-day vulnerabilities are discovered and exploited by attackers and no publicly available patch will ever be provided. This is of particular concern with WS2K3, since it lacks many of the more advanced memory protection features found in later Windows operating systems, making the impact of exposed vulnerabilities potentially more dangerous.
2 – More than half of enterprises (57 percent) do not know when the end of life deadline is
In the survey, we asked a multiple-choice question (with 5 options) in which respondents were to identify the month in which WS2K3 end-of-life would occur. Thirty percent of organizations surveyed said “I do not know.” An additional combined 27 percent guessed incorrectly, choosing “May 2015,” “September 2015,” or “October 2015.”
There are 110 days left until the deadline. It takes about 200 days to migrate operating systems for an enterprise. More than half of organizations don’t even know what month support is ending. Do the math. The result is not good.
How does this relate to Windows XP end-of-life?
With the critical role servers play at any enterprise, WS2K3 end-of-life presents an even greater risk than last year’s Windows XP end-of-life. Microsoft cut support for XP in April 2014. That decision affected individual consumers and businesses alike. With WS2K3, consumers are not likely to be impacted directly, but businesses running unsupported operating systems will put customer records, classified company information, and other sensitive data at risk.
What can be done?
With 110 days left until the end-of-life deadline, organizations yet to upgrade must immediately aim to get their WS2K3 systems into a compliant state to eliminate financial, and potential legal, penalties and avoid the brand damage associated with failed audits, data breaches, and noncompliance.
Effective compensating controls for organizations without an upgrade plan include: network isolation, application whitelisting, and continuous server monitoring.