EHR and Health IT Consulting
Technical Doctor's insights and information collated from various sources on EHR selection, EHR implementation, EMR relevance for providers and decision makers

Windows Server 2003: Mitigating Risks


With Microsoft ceasing support for Windows Server 2003 as of July 14, security experts are warning organizations to migrate to a new operating system as quickly as possible and, in the meantime, lock down any servers that continue to use the aging operating system.


Beginning in August, Microsoft will release Windows updates that attackers can potentially reverse-engineer to design exploits that will compromise every Windows Server 2003 system that remains in use.


"After July 14, Microsoft will no longer issue security updates for any version of Windows Server 2003," according to a Microsoft announcement. "If you are still running Windows Server 2003 in your data center, you need to take steps now to plan and execute a migration strategy to protect your infrastructure."


The company recommends current users upgrade to Windows Server 2012 R2, as well as Microsoft Azure and Office 365 where applicable.

"Computers running the Windows Server 2003 operating system will continue to work after support ends," US-CERT warned in a November 2014 alert. "However, using unsupported software may increase the risks of viruses and other security threats. Negative consequences could include loss of confidentiality, integrity and/or availability of data, system resources and business assets."


To mitigate those risks, organizations that continue to use Windows Server 2003 can pay Microsoft for an extended support contract for the operating system.


Microsoft declined to comment on how much it charges for Windows 2003 extended support contracts, but by some accounts, base pricing starts at $600 per server, per year, with the price doubling every year.

"If you have deep pockets, you could easily follow up with Microsoft and pay for that extended support, though it's not indefinite," Karl Sigler, threat intelligence manager at security firm Trustwave, tells Information Security Media Group. "Frankly, depending on your architecture, it would probably be far more inexpensive and beneficial to [simply] upgrade."


Still, paying for extended support was the route chosen by some organizations after Microsoft ceased support for Windows XP. Microsoft stopped supporting that operating system in January 2014, although it did subsequently release a security update for a zero-day flaw. Microsoft's Malware Protection Center also promised to continue releasing new signatures and updates for XP's built-in anti-virus software engine until July 14.


Even so, market researcher NetMarketShare reports that Windows XP still accounts for 12 percent of all laptop and desktop operating systems. The U.S. Navy reportedly signed a $9.1 million contract with Microsoft in June to continue support for 100,000 Windows XP devices.

12 Million Servers

Official usage statistics for Windows Server 2003 are difficult to come by, although US-CERT reports that as of July 2014, "there were 12 million physical servers worldwide still running Windows Server 2003."

According to a survey of 1,400 IT professionals released in March by IT firm Spiceworks, 15 percent of firms that used Windows 2003 reported that they had fully migrated away from it, while half of all firms had partially migrated, 28 percent said they were planning to migrate, and 8 percent said they had no plans to migrate.


Sigler says that numerous organizations that are still using Windows Server 2003 are likewise running older versions of SharePoint, the Internet Information Services platform, or Exchange. "Organizations - especially IT - tend to be change-averse," he says. "They're basically under the premise that if it's still working, it isn't broken, so why fix it?"

Some organizations remain stuck on Windows Server 2003 and older software due to tight IT budgets in recent years, says information security expert Brian Honan, who heads Dublin-based BH Consulting and also serves as a cybersecurity adviser to Europol, the European law enforcement agency. "I am aware of a number of organizations that are still running Windows Server 2003 and indeed will be for the foreseeable future," Honan tells ISMG. "This is due, in part, to a lack of investment in IT infrastructure over the past number of years - due to the recession - resulting in systems and hardware not being capable of or suitable to run modern operating systems."


Honan says beyond the cost of the new hardware, organizations are also faced with the cost of new software and training, as well as the challenge of having to test and potentially re-engineer numerous applications and processes that currently work on Windows Server 2003 devices. "Some legacy applications may not yet be tested - or indeed supported - on more modern platforms, therefore forcing organizations to remain on outdated platforms," he says.

Gambling with Critical Flaws

But the dangers of continuing to use unsupported operating systems have been well documented. Since Microsoft ceased supporting Windows XP, for example, the operating system has been vulnerable - and remains vulnerable - to numerous flaws that have been patched via updates to more modern Windows operating systems. And every time Microsoft patches a flaw in a more modern version of Windows that also affected Windows XP, it gives attackers the option of reverse-engineering the fix and then creating malware that targets the flaw to exploit XP systems en masse.


The same goes for Microsoft's server software, Honan warns. "Organizations that will remain on Windows Server 2003 ... should look at additional security controls to reduce their attack profile, such as employing anti-virus software, change monitoring and file integrity monitoring software; ensuring firewalls and [intrusion prevention] systems are updated and operating as expected; restricting traffic to those [servers] by users or by certain IP addresses; implementing additional security monitoring of these systems and also of associated network traffic; and finally ensuring that their incident response plans are up to date," he says.


Trustwave's Sigler says the security risks facing organizations might not be immediately severe once Microsoft stops releasing patches for Windows Server 2003 and starts releasing updates for only more modern versions of its server software. "If it's a public server facing the Internet, then it's going to be a higher risk than if it's a server just facing a small internal team," he says.


Still, the security risks will only increase, going forward. "How risky it's going to be is really dependent on what happens in August, and the months following that," he says.


Keeping Up With Technology: A Must for Medical Practices | Physicians Practice

Still carrying around that BlackBerry you've had for the last five years? Still using Microsoft 2003 on that XP machine of yours? Still think the "cloud" is a fad? You might be doing yourself and your business a disservice if you answered "yes" to one or more of those questions.

Keeping up with the ever-changing world of technology is tough. Change can be hard. It's much easier to keep the status quo and ignore all the technological advances happening around you. The problem is, if you don't adapt and keep up with technology, you'll miss out on all the advancements and benefits it has to offer.

That trusty BlackBerry took too long to embrace touch-screen technology and missed out on creating a robust app store. The result is you can't check into your American Airlines flight on your phone, you can't use Hailo to get a cab, you can't access your Google Drive documents, and you can forget about looking up restaurant reviews on Yelp. Basically, even though switching to an Android or iOS device may be inconvenient in the short run, the long-term benefits are well worth it. You'll have to learn how to use a new tool, but that tool has far more uses.

Technology in the workplace can mean the difference between a successful business and a failing business. Capable hardware and efficient software will keep your office running in tip-top condition and will allow your employees to focus on their jobs instead of troubleshooting their computers.

Look into Web-based programs that can be accessed remotely and that have export features that allow you to easily extract the data you need. Productivity suites like Google Documents are free and offer a comparable experience to the costly Microsoft Office standard (Google documents are compatible with MS Word). If you have to use Microsoft Office, don't skip more than one major update. The difference between Word 2007 and Word 2010 is probably greater than you think.

The anxiety in introducing new technology to your office staff lies in the assumption that each employee has a different adoption threshold; some will "get it" and others will struggle. That's not as big of a hurdle as it's been in the past, as technology has become more uniform. Most people have a smartphone of some design, and many have households with smart TVs, multiple computers, and other universal technologies. Like all things, it may take a day or two for your staff to become comfortable with the new work flow, but your bottom line...and talent pool...will appreciate it.

In summary, don't be afraid to try new technology. If there's a hot new device or productivity program, there's probably a reason for it being so popular. Don't turn your practice into a technological ghost-town. Think about what your competition is doing.

With regard to technology, it’s good to be a leader and it’s also good to be a follower ... just make sure you’re one of them versus neither of them.