If you woke up today feeling a bit out of sorts, chances are that it might be related to the fact that any Windows Server 2003 (WS2K3) installation still running within your company is now officially a security liability that could have serious repercussions for your entire IT infrastructure.
Microsoft's official end-of-life for the popular platform – coming in the wake of a Patch Tuesday filled with fixes including the repair of recently disclosed and rapidly-exploited Hacking Team vulnerabilities – means companies that continue to use the platform are now on their own when it comes to security.
Such companies are still quite common, with one recent survey by solution provider Softchoice reporting that 21 percent of servers the company scanned in the first half of this year were still running WS2K3. That figure represents a “slow” transition away from the platform, the company said, noting that last year's figure of 32 percent suggests chronic intransigence on the part of many companies.
An Australian survey, conducted by Telsyte and released this week by Dell Australia, found similar results, with 1 in 5 ANZ companies still running the platform and 24 percent of businesses still unaware that Microsoft was terminating support for the platform this week.
One in 10 of the companies in Dell's survey suggested there were no security risks in running the old platform, but 70 percent intended to upgrade within 12 months – largely as an opportunity to refresh their server hardware.
Retaining the platform past its end-of-life date could create immediate legal and regulatory issues, Dell data centre and cloud practice lead Dean Gardiner warned.
“When support ends in 2015, bug fixes will be at a cost to the customer and many IT managers will not take action until an issue has been raised,” he said in a statement.
“Not receiving timely bug fixes and patches will put organisations at increased risk of security breaches – especially as attackers will know about the potential security holes. To meet legal and regulatory requirements, many organisations will have to pour resources into monitoring and isolating any servers that run Windows 2003 or older. Moreover, audits of systems running outdated software can often cost more than the licenses for newer software.”
Windows 2008 users will face a similar situation in five years, when extended support is terminated by Microsoft after the company ceased mainstream support for the platform in January.Read more: Ubuntu maker System76 ditches Flash because “security, security, security”
Sasha Pavlovic, director of cloud and data centre security with security firm Trend Micro, also reinforced the need for businesses to be moving away from the now deprecated platform as quickly as possible.
“The safest plan for your business is to migrate from Windows Server 2003, however there are options to help businesses in Australia and New Zealand buy more time and extend their upgrade plans,” he said in a statement, noting the ability of tools such as the company's Virtual Patching to provide a measure of protection while the migration is planned and executed.
The feature “virtually patches system and application vulnerabilities, protecting them from exploit,” he explained. “In cases where legacy operating systems and applications are still being used, other than performing a full system upgrade, it’s the only alternative solution to ensuring your Windows 2003 workloads are kept safe and secure as you plan for your upgrade.”
Customers still using WS2K3 should look to the use of built-in system security capabilities such as integrity monitoring, which will enable the detection of changes to a platform that should not normally be changing anymore. Pavlovic also recommended the use of technologies such as intrusion detection and prevention, which can provide a buffer between vulnerable systems and external attackers.
This article is brought to you by Enex TestLab, content directors for CSO Australia.
- Australians report $136k lost to malware in June, $45m to all scammers this year: ACCC
- Don't take hacks personally; bots don't care who you are
- Google opposes US-Wassenaar export controls on intrusion software
- Patch Tuesday: Adobe fixes 34 Flash bugs, Microsoft fixes Edge browser
- Office bug in September patch Tuesday reportedly under attack