Threats and solutions to the end of Windows Server 2003 support


Generally, you haven’t moved away from Windows Server 2003 because a critical and extremely complex piece of internal software relies on it, or due to budget constraints. There are a few other reasons, but chances are that you are simply being negligent and putting your business at risk for the sake of saving a few £s. If you are ignoring the end-of-support warning due to financial concerns, then you are playing a dangerous game. In fact, if you are unfortunate, a savage enough attack could cripple your business or even put it under – and that’s not scare-mongering.

You will notice a few security vendors stating that they can protect you whilst you still run Windows Server 2003, but generally, this isn’t really the case as the weak link often comes in a process or a person. Also, if they were all so good we wouldn’t have any viruses or exploits, would we?

So, if you are in a difficult situation, where do the real threats lie?

  • The server faces the Internet directly, e.g. many hosting companies give a customer a server with a live Internet address (IP) on it. The customer then installs a software firewall on top of the Windows 2003 operating system.
  • The server indirectly faces the Internet, i.e. it is connected through some sort of physical/virtual firewall, e.g. the server is acting as a web server, client portal, FTP server, etc. Even if the firewall has advanced intrusion prevention, the risk is significant.
  • The server is not accessed from the outside world but initiates communications, e.g. it is a Terminal Server/Citrix server, proxy server, etc. The threat comes from the server visiting a website hosting malicious code that fires an exploit, compromising that server and the LAN/WAN it sits on.
  • The server sits on an open LAN with other network devices, such as PCs, laptops and other servers. Although these other machines may not be infectable themselves, they can still potentially pass on ‘an infection’ to an unprotected Windows 2003 server.
  • The server has other devices plugged into it at times, e.g. USB storage devices. The risks are lower here but still real.

There are other risks but these are the main ones and the most significant. Over the coming months, the risks to Windows Server 2003 are going to be pretty large as hackers and the like hold back exploits until the support ends. The flames will burn brightly for say 6-9 months and then slowly taper off as the easy prey has been picked off and the bandits look for new pickings.

If you have left it too late to switch from Windows Server 2003 then what are the key things you can do to protect your environment?

  • Don’t connect it to the Internet directly or indirectly.
  • Segregate it from the normal LAN via a VLAN and/or a firewall device.
  • Ensure any connections to it from the internal network pass through an intrusion prevention firewall.
  • Don’t plug any external devices into it.
  • Plan to migrate services from Windows Server 2003.

The important thing is to plan to protect these services as soon as possible, and then get your migration plan ready. Depending on the size of your environment, it’s unlikely to be a straightforward task, so you should probably start planning now or bring in a consultant quickly. You need to take a number of factors into account as a bare minimum. Here are a few generic ones to get you thinking about the implications.

The implications

  • Will your existing hardware support new operating systems and/or software?
  • Do your IT staff need training to roll-out and manage the new operating systems and/or software?
  • How will you overcome any compatibility issues?
  • Will your other applications work on the new operating systems and/or software?
  • Will your 3rd party application vendors support their applications on a new platform?
  • How long will it take to test everything?
  • Will you need to train other employees to use the new operating systems and/or software?
  • What resource will you need to roll out the new operating systems and/or software?
  • How long will it take to roll the new software out?
  • What are your other options? Could you go thin-client? Could you go to the cloud?
  • What do you need to budget for?

If you’ve been avoiding a move due to expense then remember that everything can be turned into an OpEx. This does help financing and budgeting immensely. You can go for a fully managed cloud, your own private cloud, or simply replace servers and software in-house. You can also finance development work and consultancy and wrap it into a monthly payment.

Running Windows Server 2003 past the end of support will likely leave you open to regulatory issues. It will also leave you open to a lot of issues from an insurance perspective should a breach happen. Also, how about the embarrassment of your breach in the press? I know I’ve been quite strong in my views here, but this has been on the radar for years; there is no excuse.

Not taking action now is simply like knowing the spare bedroom window won’t close properly. Chances are at some point someone’s coming through it.

Robert Rutherford – CEO of QuoStar


What is the cost of cloud computing?


One of the most commonly cited benefits of the cloud is its potential to reduce and optimise IT spend. With your data being stored in the provider’s data centre, you no longer require costly server equipment in-house, nor the cooling equipment, electricity bills and maintenance costs that come with it.

There are also no hardware or software upgrades to unexpectedly deal with and it’s commonly run on a per-user, per-month model – providing long-term cost savings too.

With cloud service providers regularly promoting all these benefits, and more, it can seem like a complete no-brainer. Surely every type of business should be adopting cloud!

Unfortunately, it’s not always the best fit for everyone, and one of the things you should be considering right now is the costs, and whether your IT budget can cope with them.

What are the operating costs of cloud computing?

Cloud computing is a paradigm shift from using in-house infrastructure. With in-house infrastructure, you pay for the hardware and then can do whatever you want with it. With cloud infrastructure though, you get access to the hardware for ‘free’ but have to pay for anything and everything you do with it.

This includes paying for things you usually take for granted such as:

  • Data storage space
  • Disk read operations
  • Disk write operations
  • Sending data outside the server
  • Running applications on the server

This means cloud can end up as a service which snowballs in price as you use it for more and more functions.

The good news is that these prices only get out of hand if you choose the wrong provider or service. The bad news is that choosing the wrong provider is very easy if you don’t know exactly what you’re doing.

If the proper analysis is performed before a vendor or solution is chosen, the operating costs should typically be less, or at worst case the same as delivering a service internally. But even if direct cost savings are minimal, you still gain access to top-class infrastructure and systems without the associated capital expenditure, and without needing to hire, train and retain staff to manage such a system.

How to choose the right cloud vendor?

It’s a bit of a wild-west out there at the moment and unfortunately, the cloud gold rush means you have cowboys looking to make a quick buck or amateurs putting their customers at risk. If you know what you are doing and fully understand your requirements it’s easy to assess the market… but most people don’t have that knowledge and need a bit of help.

The most common issue we see when helping turn around cloud projects is that the business didn’t have sufficient in-house IT knowledge and bought a cloud service on the word of a sales guy.

Lots of vendors in the market are trying to make businesses believe adopting the cloud is as simple as buying a new server or replacing desktop PCs. Not only is this a lie but it opens the door to a host of hidden costs down the line.

Where are the hidden costs likely to spring from?

Hidden and unnecessary costs come from a variety of places in a cloud project:

  • Misjudging the complexity and time involved in migration.
  • Overlooking the correct levels of security and resilience when deciding on a vendor or solution.
  • Believing that by choosing a cloud service, risk and management just vanish.
  • Service or relationships falling apart.
  • Pulling data from systems and keeping cloud systems talking to other solutions.
  • Massively over-specifying cloud solutions and forgetting you can scale your operations to only what you use.

How can CIOs guard against the hidden costs?

As always, if you are undertaking any project of size, it’s all about the planning. If you don’t feel 100% comfortable then pick up the phone and get an expert in, even if it’s just for a day to sanity check everything. Too many CIOs are too proud to have their judgement double-checked, and this can prove costly – in many ways.
