The Green Sheet

Tuesday, July 14, 2015

Last call to upgrade Windows Server 2003

Security analysts and information technology leaders are warning the business community to migrate servers before Microsoft Corp. ends its support of the Windows Server 2003 platform. After July 14, 2015, Microsoft will no longer issue security patches for the platform, leaving businesses without convenient, timely remedies for security vulnerabilities.

"Vendor-supported operating systems and devices are a crucial part of any environment that aims to maintain a high level of security and compliance," said Steve Robb, Senior Vice President at ControlScan Inc., an Atlanta-based provider of data security and compliance solutions for small and midsized businesses. "The bad guys won't stop writing malicious code or looking for flaws, so when a vendor stops fixing those flaws within a given operating system, any instance of that system within an environment immediately introduces risk."

Unlike client operating systems such as Windows XP, Vista, 7, 8 and 10, most servers are uniquely configured according to organizational requirements, making maintenance more time-consuming and complex. Servers generally store personal data and operation-critical information that make them attractive targets for cyber criminals. Additionally, many of these server platforms have public-facing views that could potentially expose them to backdoor attacks.

Four-step migration process

The Windows Server 2003 Migration Planning Assistant on the Microsoft website is designed to simplify and expedite the server upgrade process, which Microsoft summarizes in the following four steps:

  1. Discover: Microsoft recommends initiating a company-wide discovery process involving "each and every person on point for migration off of Windows Server 2003" to identify every application and workload associated with Windows Server 2003.

  2. Assess: Defining a path forward for the new server environment may require companies to ask some hard questions, such as: "What new capabilities are business decision makers looking for? How much does your organization want to expand? Where does the business plan to grow geographically?"

  3. Target: Microsoft suggests that some organizations will need to implement more than the minimum hardware required to run Windows Server 2012 R2. Evaluating the server's load, responsiveness and hosted services will help each organization identify the necessary hardware to support its network, disk input/output, processor and memory resource infrastructure.

  4. Migrate: For companies that require assistance in choosing an appropriate migration path, Microsoft and its certified partners offer consulting services. A variety of third-party services are available, including do-it-yourself tools.

New server platforms available

A majority of large organizations have already planned and executed enterprise-wide migration of their server platforms far in advance of the July deadline. Microsoft is encouraging small to midsized businesses to follow suit by migrating to Windows Server 2012 R2, Microsoft Azure or Office 365.

Microsoft warned that failure to upgrade existing Windows Server 2003 may result in the following four outcomes:

  1. No updates or patches: Microsoft released 37 critical updates to Windows Server 2003/R2 in 2013 alone. When it ends support of that platform, no further updates or patches will be available.

  2. No savings: Without a maintenance plan or manufacturer support, costs associated with maintaining, segmenting and monitoring legacy servers can add up quickly. "Staying put will likely cost more in the end," Microsoft stated.

  3. No compliance: Organizations that remain on the outdated Windows 2003 platform may fail to meet industry-wide compliance standards and regulations. Noncompliance may result in a company being downgraded to a high-risk category, which would likely mean lost business and increased overhead.

  4. No safe haven: "Without continued support from Microsoft, your virtualized and physical instances of Windows Server 2003/R2 will not pass a compliance audit," Microsoft warned, adding that Microsoft Small Business Server 2003 will also be affected.

It's not too late

"When client servers and operating systems have been around for 12 years, it eventually becomes too burdensome to keep them up to date," said Karl Sigler, Threat Intelligence Manager at Trustwave Holdings Inc. "Organizations that are still running Windows Server 2003 need to look at a migration plan."

Sigler has observed a variety of migration strategies among Trustwave's diversified global clientele, ranging from straight adoption of Windows Server 2012 to a "half-step to Windows 2008," to a wholesale swap-out from Windows to Linux operating systems.

Microsoft's decision to end the product life of Windows 2003 has been widely publicized for several years. However, Sigler said, "If you're just thinking about it this week, the good news is that there's still time to migrate and put up additional protections to mitigate risk."

If organizations are not able to upgrade their systems in the near term, Sigler recommended segmentation to keep Windows 2003 on its own network. Segmentation, combined with continuous network monitoring and filtering, will help to identify and contain any potential data security breaches.
