plus69free - Fotolia

Still running Windows Server 2003? Don’t panic

Many organisations are facing the prospect of running Windows 2003 server unsupported. Where do you go from here?

The 14 July 2015 end of support date for Microsoft Windows Server 2003 sounds terminal, and if you believe the warnings emanating from certain quarters of the industry, for some firms it could be just that.

With the end of support for the ageing -- but still widely used -- operating system (OS), those that have failed to prepare risk falling prey to damaging security and compliance breaches. As vulnerabilities are uncovered, made public and remain unpatched, hackers will have increasing opportunities to infiltrate networks running Windows Server 2003 undetected.

The extent of the problem isn't fully known, but a survey by Spiceworks of more than 1,000 companies worldwide shows six out of 10 organisations are still running at least one instance of Windows Server 2003. And it's not just smaller businesses that are affected.

"It's everybody. Lots of organisations have these platforms in place and either don't have the time to upgrade them or simply haven't yet found the political will or budget to do so," says Tony Lock, distinguished analyst at Freeform Dynamics. 

"That applies as much to large enterprises with dedicated IT departments as it does to smaller firms. Sometimes you might only have half a dozen people using the OS for some application, when thousands are using a newer system that does the same thing. Nonetheless, the political issues involved in getting that half dozen to move can still be very tricky," he adds.

To compound matters, many don't even know they're running the out-of-date OS. 

"A lot of organisations simply don't have up-to-date inventory data. The first thing everybody should be doing is some very quick and dirty discovery to find out what Server 2003 machines they have running. There are plenty of inventory discovery tools that will let you do that," says Lock.

Organisations cannot expect their hardware supplier to carry on supporting Windows 2003-based systems. 

"My concern is as Windows Server 2003 goes end of life there is a significant number of customers that have done nothing. We are very concerned they don't understand the threat of a breach," Angela Cross, Hewlett-Packard's UK and Ireland country manager for industry standard servers and software, told Computer Weekly's sister title MicroScope.

"Even HP will not be able to help them," she added.

Independent security consultant and commentator Graham Cluley has little sympathy for those organisations running unsupported Windows 2003 systems. 

"Sticking your head under the carpet and ignoring the problem didn't make it go away," he says. "You've had years of notice, you should have switched to a more up-to-date, or alternative, OS by now. Anything else is just foolhardy, inexcusable and likely to cost you more."

If you want to move to a new platform reliably and securely, it's going to take time, particularly if you use Server 2003 for any of your critical infrastructure, rather than just for isolated applications. 

"Organisations have to put in the time to carry out all the background work necessary to ensure everything works flawlessly," says Lock. "Obviously, if you get it wrong when you're migrating parts of your infrastructure everybody notices because they can no longer access anything."

Migration options

The good news is you still have several options to avoid putting your company in jeopardy in the interim, but, as Cluley says, they don't come cheap, and the longer you try to avoid the hassle of upgrading then the pricier it will become to maintain and secure these ageing servers.

The easiest "quick fix" is to cough up for extended support from Microsoft, but the company will charge you heavily for the privilege and you'll still need to migrate at some point. 

Trend Micro's director of datacentre security Mike Smith blogged in March 2015: "Customised support from Microsoft for ongoing patches is possible, but it's also expensive and unsustainable in the long term. It's also not a good idea to run software for which patches will never again be made available. If you think Windows Server 2003 gets a lot of attention from malware writers at the moment, imagine what it'll be like post-July."

Trend Micro and other IT security firms are touting various services and software to keep Server 2003 systems running, secure, compliant and effectively isolated from the open internet. 

If you have critical components of your infrastructure or customised applications running on the system, and really don't want to upgrade yet, investigating what the security suppliers can offer is probably a better and more economical medium-term answer than opting for extended Microsoft support. It really depends on what you have running on these machines and how quickly you think you'll be able to move off them.

"There are no clear patterns based on sector or size of business that might suggest the best route for a particular organisation," says Lock. 

"It all comes down to individual circumstances -- what workloads you're running, how exposed these systems are and how comfortable your organisation is with risk," he adds.

Read more about Windows Server 2003 migration

Ultimately, though, the majority of firms will ditch the system entirely -- at which point they'll need to decide whether to upgrade to Windows Server 2008, Server 2012 or some other OS -- or to migrate workloads into the cloud.

Server 2008 is probably only a sensible option if you're already using it elsewhere in the organisation. 

"If you're in a larger company, you might have some Server 2008 systems already in place. In that case, it might be easier to move to a unified platform using 2008," says Lock. 

However, if you're starting from scratch -- and want to stick with an on-premise or hybrid Microsoft system -- then Server 2012 is clearly the way to go. 

"The upgrade path to 2008 is just as complex as moving to 2012, so it makes sense to go for the newer platform. In particular, it offers considerable improvements when it comes to working in virtualised or part-virtualised environments and offers far better integration with System Center 2012," says Lock.

Windows Server 2012 also has a longer shelf life, meaning you can avoid having to replace the same issue facing Server 2003 for about a decade. 

"Support for Windows Server 2008 will end in 2020, so if you go for that rather than Server 2012 it will only be a few years before you face end of life of Windows Server 2008," says Lock. 

So what of the cloud? While firms might decide to use Microsoft Azure or Amazon Web Services for certain applications, Lock says he's still not seeing any evidence of a wholesale cloudward shift. 

"Public cloud is generally still only being used for very specific workload cases, such as testbed applications. For long-term production applications which typically have a lifespan of three to six years, most companies still prefer to run those in-house, or at least -- in the case of some smaller companies -- with a managed service provider," says Lock.

Of course, while organisations must clearly ensure they don't ignore the end-of-life issue and leave Server 2003 systems exposed, it's also worth remembering many of the industry voices warning of widespread system meltdown and armies of hackers infiltrating our networks have a vested interest in encouraging firms to take up more of their products and services. 

As Ian Cohen, group CIO of financial services firm Jardine Lloyd Thompson, says: "There'll be loads of claims of impending conflagration, but in reality people will migrate at their own pace based on the risk profile of the services they have running. I think we're all past falling for the old scare stories and engaging in panic migrations."

Read more on Microsoft Windows software

Data Center
Data Management