Despite warnings, majority of firms still run some Windows Server 2003

Enterprises are still heavily dependent on Windows Server 2003 even though there were plenty of warnings that support is coming to an end on July 14 -- and this opens them up to security, compliance and operational risks.

A June report from Softchoice, a technology services company, covering 200 enterprise data centers totaling more than 90,000 servers, found that only 7 percent of enterprises were completely free of Windows Server 2003.

During the first half of 2015, 21 percent of servers scanned were still running on that operating system, down from 32 percent in 2014 and 43 percent the year before that.

Data center analytics company CloudPhysics reported similar results a week ago, finding that 18 percent of all Windows server virtual machines are still running on Windows Server 2003. The company looked at thousands of virtualized data centers around the globe.

At this rate, CloudPhysics predicted it will be 2018 before the number of these servers is down to a statistically insignificant level.

According to IDC analyst Al Gillen, virtualization allowed companies to stick with older operating systems for longer because they no longer had to upgrade each time they replaced their hardware.

Virtualized servers don't require updated network or display drivers -- the hypervisor abstracts the physical servers and everything connected to them.

"This has been a boon for customers who previously had to face continuous updates to keep current on both servers and system software," he said. But it also helped contribute to an estimated 3 million new Windows Server 2003 installations in 2014.

In May, another IDC brief estimated that there were 1.5 million licensed installations of Windows Server 2003 around the world.

Another survey of more than 1,300 IT managers at companies of all sizes by Spiceworks showed that only 14 percent of IT managers who had Windows Server 2003 have completed the migration. The majority, 76 percent, have either migrated partially or were still in the planning stages as of January of this year, when the survey was conducted.

And 8 percent said they don't have any plans to upgrade, even though 85 percent of those sticking with the old operating system said they had concerns with security vulnerabilities, 72 percent were worried about software compatibility, and 66 percent said they had concerns with compliance risks.

Of those who said they hadn't yet migrated, 51 percent said that the old systems were still working, 48 percent said that they didn't have time, 37 percent pointed to budget constraints, and 31 percent said that software compatibility was a factor.

According to Sean Curran, director of the technology infrastructure and operations practice at West Monroe Partners, manufacturing is one example of an industry with extremely expensive custom-built software that cannot be taken offline -- but which also cannot be moved to newer hardware.

"It can cost as much as the business initially invested, if not more, to upgrade," he said.

And that's if the vendor or employees who created the original applications are still even around.

"Organizations tend to be risk averse," said Karl Sigler, threat intelligence manager at Trustwave Holdings. "As long as it's still running, there's no need to fix it. Upgrading can be costly and complex for a lot of organizations."

For regulated industries, that can include compliance audits for each system affected.

"A lot of organizations put it off until the last minute," he said.

He added that some organizations might not even know that they have Windows Server 2003 machines still hanging around.

"A lot of these systems go unidentified, adding risk to a network that's unknown to the IT staff," he said.
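The first step in addressing that unknown risk is finding the machines. The following PowerShell script is an added example, not code from the article or from any of the companies quoted in it; it assumes a domain-joined environment, the ActiveDirectory module (from RSAT), and an account with rights to read computer objects. It queries Active Directory for computer objects whose OperatingSystem attribute reports Windows Server 2003, and uses the last logon timestamp to separate live hosts from stale objects that merely need cleaning up.

```powershell
# Added example (not from the article): enumerate domain computer objects that
# report Windows Server 2003 and classify them by whether they still appear alive.
# Assumes the ActiveDirectory module (RSAT) and read access to computer objects.
Import-Module ActiveDirectory

# Assumption: a computer that has not authenticated in this many days is treated
# as probably retired; tune for your environment.
$staleDays = 30
$cutoff = (Get-Date).AddDays(-$staleDays)

# OperatingSystem is populated by the host itself when it joins or updates its
# account, so this catches any edition (Standard, Enterprise, R2, 32/64-bit).
$legacy = Get-ADComputer -Filter 'OperatingSystem -like "*Server 2003*"' `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate

$report = $legacy | ForEach-Object {
    [pscustomobject]@{
        Name          = $_.Name
        OS            = $_.OperatingSystem
        ServicePack   = $_.OperatingSystemServicePack
        LastLogonDate = $_.LastLogonDate
        Enabled       = $_.Enabled
        Status        = if ($_.Enabled -and $_.LastLogonDate -gt $cutoff) { 'ACTIVE - migrate' }
                        elseif ($_.Enabled) { 'Enabled but quiet - verify' }
                        else { 'Disabled - retire object' }
        # Parent container, so the result can be handed to the team that owns the OU
        OU            = ($_.DistinguishedName -split ',', 2)[1]
    }
}

$report | Sort-Object Status, Name | Format-Table -AutoSize

# Assumption: output path is a placeholder; change it for your environment.
$report | Export-Csv -Path '.\ws2003-inventory.csv' -NoTypeInformation

$active = @($report | Where-Object Status -like 'ACTIVE*').Count
"Windows Server 2003 objects: $($report.Count); still active: $active"
```

Two caveats worth knowing when reading the output. LastLogonDate is derived from the lastLogonTimestamp attribute, which replicates only about every 14 days by default, so "quiet" means "verify", not "off". And Active Directory only sees domain-joined hosts; the workgroup or appliance-style boxes that Curran describes on manufacturing floors will not show up here and need a network scan or vulnerability-scanner inventory to find.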

Security risks

Unsupported software doesn't get security patches, and it lacks many of the security features added in newer releases of the operating system.

"Later operating systems have user rights management and memory protection features," said Sigler.

Even if the old system is running on a completely private network, it doesn't mean a company can ignore these risks, he added.

"If the server is not publicly exposed to the Internet, the risk the server presents to the organization is far less," he said. "But perimeter security is not enough anymore. We really need security in depth, layers of security that offer protection regardless of what the entry point turns out to be."

Compliance risks

According to West Monroe's Curran, most regulatory clauses require that reasonable security measures be in place to protect data.

"Choosing to do nothing and remain on an unsupported platform may not pass the 'reasonableness' test in the event of a security breach," he said.

That would result in fines, as well as in bad press and lost customers.

Operational risks

Companies that stick with Windows Server 2003 after June 14 may find themselves having to pay hefty support fees to Microsoft.

"Organizations should not expect a reprieve from Microsoft's end of support plans, as Microsoft has been true to its word regarding the end of support for Windows XP," Curran said.

And, in addition to security risks, compliance, and support fees, there are other reasons to want to get rid of Windows Server 2003, said Trustwave's Sigler.

Newer releases are more efficient, he said. They are easier to manage, and they have more functionality.

According to IDC's Gillen, for some companies the best solution may be not to upgrade, but to rip out the old system altogether and switch to a cloud-based, software-as-a-service solution.

"This is particularly true of small and medium-sized businesses," he said. Running Office, Exchange or other Microsoft applications in the cloud could be a better solution for many customers.
