Microsoft is ending support for its Windows Server 2003 in July, and millions of servers still are running the OS. It already is too late for many to plan an orderly migration to a current OS, but some steps should be taken.
Microsoft will end support for its Windows Server 2003 operating system on July 14. This should not come as a surprise. The company published the support lifecycle and announced the effective end-of-life for the OS last year. US-CERT issued a security alert about it in November.
But an estimated 12 million servers still are running the aging OS.
Many people do not like being forced by a vendor to upgrade their software. They feel about it the same way I feel about cars. I’m going to drive mine until it dies. But just as a car becomes more difficult to maintain and less safe to operate over time, software becomes unsafe when it no longer can be maintained.
Mainstream support from Microsoft—the full service version—ended for Server 2003 back in 2010. What ends in July is extended support, which provided continued security updates and access to product data. With the end of extended support, you are essentially on your own.
Running Server 2003 without support could expose you to serious vulnerabilities. Critical updates that have been released regularly for Server 2003 will no longer be available after July. And each month the new updates for Server 2008 and Server 2012 will provide hints to new ’03 vulnerabilities in the form of patches that can be reverse engineered in the hope of finding a similar vulnerability in the older OS.
“People are really underestimating the impact of this,” said Ali Din, senior vice president at cloud provider dinCloud. Operations that are running the old OS probably are running it on outdated hardware, which will have to be replaced along with the software. And then there are the legacy apps that it supports.
Updating your servers and applications can help you be more productive and competitive. But it also can be complicated, expensive and scary. The attitude in many organizations—especially smaller ones with limited IT resources—is, “if it ain’t broke, don’t fix it. I’ve got plenty of broke things on my plate already.”
Din says the average time for migration from Windows Server 2003 is 200 days. That ship sailed back in December. Some organizations with fewer installations might be able to make it in two months, but that is probably pushing it, especially if the migration includes hardware and applications.
So what do you do if you haven’t already begun the upgrade process? If you do nothing, you will be more dependent on your perimeter security and network monitoring to identify and block malicious code and suspicious traffic, and under the best of conditions your risk is going to increase over time. But just because you can’t upgrade before the end-of-life deadline doesn’t mean you can’t upgrade at all. Better late than never. Start planning now and get some professional help to shepherd you through the process of moving to something newer, such as Windows Server 2008 or Server 2012. (Although Server 2008 is getting a little long in the tooth itself. It ended mainstream support in January and has moved to the extended phase.)
And there is always the cloud. Not surprisingly, Mr. Din of dinCloud suggests that the cloud is the most viable migration path for many. Virtual servers in the cloud can provide greater flexibility and scalability without the up-front capital costs of new hardware and software. A reliable cloud service provider probably can offer security that is at least as good as many enterprises can provide for themselves, and can offer a high level of customer control over their assets.
If you still are running Microsoft Windows Server 2003, the choice is up to you. Whatever decision you make, it should be an informed one, and you should be ready to incorporate the risk into your risk management program.