With Microsoft ceasing support for Windows Server 2003 as of July 14, security experts are warning organizations to migrate to a new operating system as quickly as possible and, in the meantime, lock down any servers that continue to use the aging operating system.
Beginning in August, Microsoft will begin releasing Windows updates that attackers can potentially reverse-engineer to design exploits that will compromise every Windows Server 2003 system that remains in use.
"After July 14, Microsoft will no longer issue security updates for any version of Windows Server 2003," according to a Microsoft announcement. "If you are still running Windows Server 2003 in your data center, you need to take steps now to plan and execute a migration strategy to protect your infrastructure."
The company recommends current users upgrade to Windows Server 2012 R2, as well as Microsoft Azure and Office 365 where applicable.
"Computers running the Windows Server 2003 operating system will continue to work after support ends," US-CERT warned in a November 2014 alert. "However, using unsupported software may increase the risks of viruses and other security threats. Negative consequences could include loss of confidentiality, integrity and/or availability of data, system resources and business assets."
To mitigate those risks, organizations that continue to use Windows Server 2003 can pay Microsoft for an extended support contract for the operating system.
Microsoft declined to comment on how much it charges for Windows 2003 extended support contracts, but by some accounts, base pricing starts at $600 per server, per year, with the price doubling every year.
"If you have deep pockets, you could easily follow up with Microsoft and pay for that extended support, though it's not indefinite," says Karl Sigler, threat intelligence manager at security firm Trustwave, tells Information Security Media Group. "Frankly, depending on your architecture, it would probably be far more inexpensive and beneficial to [simply] upgrade."
Still, paying for extended support was the route chosen by some organizations after Microsoft ceased support for Windows XP. Microsoft stopped supporting that operating system in January 2014, although it did subsequently release a security update for a zero-day flaw. Microsoft's Malware Protection Center also promised to continue releasing new signatures and updates for XP's built-in anti-virus software engine until July 14.
Even so, market researcher NetMarketShare reports that Windows XP still accounts for 12 percent of all laptop and desktop operating systems. The U.S. Navy reportedly signed a $9.1 million contract with Microsoft in June to continue support for 100,000 Windows XP devices.12 Million Servers
Official usage statistics for Windows Server 2003 are difficult to come by, although US-CERT reports that as of July 2014, "there were 12 million physical servers worldwide still running Windows Server 2003."
According to a survey of 1,400 IT professionals released in March by IT firm Spiceworks, 15 percent of firms that used Windows 2003 reported that they had fully migrated away from it, while half of all firms had partially migrated, 28 percent said they were planning to migrate, and 8 percent said they had no plans to migrate.
Sigler says that numerous organizations that are still using Windows Server 2003 are likewise running older versions of SharePoint, the Internet Information Services platform, or Exchange. "Organizations - especially IT - tend to be change-averse," he says. "They're basically under the premise that if it's still working, it isn't broken, so why fix it?"
Some organizations remain stuck on Windows Server 2003 and older software due to tight IT budgets in recent years, says information security expert Brian Honan, who heads Dublin-based BH Consulting and also serves as a cybersecurity adviser to Europol, the European law enforcement agency. "I am aware of a number of organizations that are still running Windows Server 2003 and indeed will be for the foreseeable future," Honan tells ISMG. "This is due, in part, to a lack of investment in IT infrastructure over the past number of years - due to the recession - resulting in systems and hardware not being capable of or suitable to run modern operating systems."
Honan says beyond the cost of the new hardware, organizations are also faced with the cost of new software and training, as well as the challenge of having to test and potentially re-engineer numerous applications and processes that currently work on Windows Server 2003 devices. "Some legacy applications may not yet be tested - or indeed supported - on more modern platforms, therefore forcing organizations to remain on outdated platforms," he says.Gambling with Critical Flaws
But the dangers of continuing to use unsupported operating systems have been well documented. Since Microsoft ceased supporting Windows XP, for example, the operating system has been vulnerable - and remains vulnerable - to numerous flaws that have been patched via updates to more modern Windows operating systems. And every time Microsoft patches a more modern version of Windows with a flaw that also affected Windows XP, it gives attackers the option of reverse-engineering the fix, and then creating malware that can target the flaw to exploit XP systems en masse.
The same goes for Microsoft's server software, Honan warns. "Organizations that will remain on Windows Server 2003 ... should look at additional security controls to reduce their attack profile, such as employing anti-virus software, change monitoring and file integrity monitoring software; ensuring firewalls and [intrusion prevention] systems are updated and operating as expected; restricting traffic to those [servers] by users or by certain IP addresses; implementing additional security monitoring of these systems and also of associated network traffic; and finally ensuring that their incident response plans are up to date," he says.
Trustwave's Sigler says the security risks facing organizations might not be immediately severe once Microsoft stops releasing patches for Windows Server 2003 and starts releasing updates for only more modern versions of its server software. "If it's a public server facing the Internet, then it's going to be a higher risk than if it's a server just facing a small internal team," he says.
Still, the security risks will only increase, going forward. "How risky it's going to be is really dependent on what happens in August, and the months following that," he says.