Threats and solutions to the end of Windows Server 2003 support

June 22nd, 2015


Generally, you haven’t moved away from Windows Server 2003 because a critical and extremely complex piece of internal software relies on it, or due to budget constraints. There are a few other reasons, but chances are that you are simply being negligent and putting your business at risk for the sake of saving a few £s. If you are ignoring the end-of-support warning due to financial concerns, then you are playing a dangerous game. In fact, if you are unfortunate, a savage enough attack could cripple your business or even put it under – and that’s not scare-mongering.

You will notice a few security vendors stating that they can protect you whilst you still run Windows Server 2003, but generally, this isn’t really the case as the weak link often comes in a process or a person. Also, if they were all so good we wouldn’t have any viruses or exploits, would we?

So, if you are in a difficult situation, where do the real threats lie?

  • The server faces the Internet directly, e.g. many hosting companies give a customer a server with a live Internet address (IP) on it. The customer then installs a software firewall on top of the Windows 2003 operating system.
  • The server indirectly faces the Internet, i.e. it’s connected through some sort of physical/virtual firewall, e.g. the server is acting as a web server, client portal, FTP server, etc. Even if the firewall has advanced intrusion prevention, the risk is significant.
  • The server is not accessed from the outside world but initiates communications, e.g. it is a Terminal Server/Citrix server, proxy server, etc. The threat comes from the server hitting a website with malicious code that fires an exploit, compromising that server and the LAN/WAN it sits on.
  • The server sits on an open LAN with other network devices, such as PCs, laptops and other servers. Although these other machines may not be infectable themselves, they can still potentially pass on ‘an infection’ to an unprotected Windows 2003 server.
  • The server has other devices plugged into it at times, e.g. USB storage devices. The risks are lower here but still real.

There are other risks but these are the main ones and the most significant. Over the coming months, the risks to Windows Server 2003 are going to be pretty large as hackers and the like hold back exploits until the support ends. The flames will burn brightly for say 6-9 months and then slowly taper off as the easy prey has been picked off and the bandits look for new pickings.

If you have left it too late to switch from Windows Server 2003 then what are the key things you can do to protect your environment?

  • Don’t connect it to the Internet directly or indirectly.
  • Segregate it from the normal LAN via a VLAN and/or a firewall device.
  • Ensure any connections to it from the internal network pass through an intrusion-prevention firewall.
  • Don’t plug any external devices into it.
  • Plan to migrate services off Windows Server 2003.

The important thing is to protect the services as soon as possible, then get your migration plan ready. Depending on the size of your environment, it’s unlikely to be a straightforward task, so you should probably start planning now or bring in a consultant quickly. You need to take a number of factors into account as a bare minimum. Here are a few generic ones to get you thinking about the implications.

The implications

  • Will your existing hardware support new operating systems and/or software?
  • Do your IT staff need training to roll-out and manage the new operating systems and/or software?
  • How will you overcome any compatibility issues?
  • Will your other applications work on the new operating systems and/or software?
  • Will your 3rd party application vendors support their applications on a new platform?
  • How long will it take to test everything?
  • Will you need to train other employees to use the new operating systems and/or software?
  • What resource will you need to roll out the new operating systems and/or software?
  • How long will it take to roll the new software out?
  • What are your other options? Could you go thin-client? Could you go to the cloud?
  • What do you need to budget for?

If you’ve been avoiding a move due to expense then remember that everything can be turned into an OpEx. This does help financing and budgeting immensely. You can go for a fully managed cloud, your own private cloud, or simply replace servers and software in-house. You can also finance development work and consultancy and wrap it into a monthly payment.

Running Windows Server 2003 past the end of support will likely leave you open to regulatory issues. It will also leave you open to a lot of issues from an insurance perspective should a breach happen. Also, how about the embarrassment of your breach in the press? I know I’ve been quite strong in my views here, but this has been on the radar for years; there is no excuse.

Not taking action now is simply like knowing the spare bedroom window won’t close properly. Chances are at some point someone’s coming through it.

Robert Rutherford – CEO of QuoStar
