Vale Windows Server 2003. Still using it? It's time to panic.

If you woke up today feeling a bit out of sorts, chances are it is related to the fact that any Windows Server 2003 (WS2K3) installation still running within your company is now officially a security liability that could have serious repercussions for your entire IT infrastructure.

Microsoft's official end-of-life for the popular platform – coming in the wake of a Patch Tuesday filled with fixes including the repair of recently disclosed and rapidly-exploited Hacking Team vulnerabilities – means companies that continue to use the platform are now on their own when it comes to security.

Such companies are still quite common, with one recent survey by solution provider Softchoice reporting that 21 percent of servers the company scanned in the first half of this year were still running WS2K3. That figure represents a “slow” transition away from the platform, the company said, noting that last year's figure of 32 percent suggests chronic intransigence on the part of many companies.

An Australian survey, conducted by Telsyte and released this week by Dell Australia, found similar results, with 1 in 5 ANZ companies still running the platform and 24 percent of businesses still unaware that Microsoft was terminating support for the platform this week.

One in 10 of the companies in Dell's survey suggested there were no security risks in running the old platform, but 70 percent intended to upgrade within 12 months – largely as an opportunity to refresh their server hardware.

Retaining the platform past its end-of-life date could create immediate legal and regulatory issues, Dell data centre and cloud practice lead Dean Gardiner warned.

“When support ends in 2015, bug fixes will be at a cost to the customer and many IT managers will not take action until an issue has been raised,” he said in a statement.

“Not receiving timely bug fixes and patches will put organisations at increased risk of security breaches – especially as attackers will know about the potential security holes. To meet legal and regulatory requirements, many organisations will have to pour resources into monitoring and isolating any servers that run Windows 2003 or older. Moreover, audits of systems running outdated software can often cost more than the licenses for newer software.”

Windows 2008 users will face a similar situation in five years, when Microsoft terminates extended support; the company ceased mainstream support for the platform in January.

Sasha Pavlovic, director of cloud and data centre security with security firm Trend Micro, also reinforced the need for businesses to move away from the now deprecated platform as quickly as possible.

“The safest plan for your business is to migrate from Windows Server 2003, however there are options to help businesses in Australia and New Zealand buy more time and extend their upgrade plans,” he said in a statement, noting the ability of tools such as the company's Virtual Patching to provide a measure of protection while the migration is planned and executed.

The feature “virtually patches system and application vulnerabilities, protecting them from exploit,” he explained. “In cases where legacy operating systems and applications are still being used, other than performing a full system upgrade, it’s the only alternative solution to ensuring your Windows 2003 workloads are kept safe and secure as you plan for your upgrade.”

Customers still using WS2K3 should look to the use of built-in system security capabilities such as integrity monitoring, which will enable the detection of changes to a platform that should not normally be changing anymore. Pavlovic also recommended the use of technologies such as intrusion detection and prevention, which can provide a buffer between vulnerable systems and external attackers.

This article is brought to you by Enex TestLab, content directors for CSO Australia.
