
Anyone still running Windows Server 2003 is now at risk

Businesses still running Windows Server 2003 are vulnerable to attack from hackers looking to exploit security holes

IT departments now face the prospect of supporting the Windows Server 2003 operating system, knowing that Microsoft will no longer issue security patches.

Approximately 11 million machines are still running Windows Server 2003 around the world and 400,000 UK businesses still use the outdated Server 2003 operating system (OS), according to application migration specialist Camwood.

Without security updates, Windows Server 2003 machines could be vulnerable to zero-day attacks. There is also the issue of regulatory compliance.

In a report published in February 2015, IT research firm IDC noted: "Failure to have a current, supported operating system raises significant concerns about an organisation’s ability to meet regulatory compliance requirements, as well as the needs of business units, partners and customers."

For instance, those organisations that take credit card payments may find they are no longer compliant with PCI DSS 3.0.

While IT departments have had years to migrate to newer platforms, the challenge has been one of identifying where Windows Server 2003 is being used, according to Tony Lock, principal analyst at Freeform Dynamics. 

"A lot of organisations simply don’t have up-to-date inventory data. The first thing everybody should be doing now is some very quick and dirty discovery to find out what Server 2003 machines they have running. There are plenty of inventory discovery tools that will let you do that," he said.
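One way to do the "quick and dirty discovery" described above is to ask Active Directory which computer accounts still report a Windows Server 2003 operating system. The script below is an added example, not something from the article, Camwood or Freeform Dynamics; it assumes the ActiveDirectory PowerShell module (RSAT) on an administrator's workstation with read access to the domain, and the 90-day "probably retired" threshold is an assumption you should tune to your environment.

```powershell
# Added example: Active Directory discovery of machines still reporting Windows Server 2003.
# Assumes the ActiveDirectory module (RSAT) and domain read access; the 90-day
# threshold for "possibly retired" accounts is an assumed value.
Import-Module ActiveDirectory

$stale = (Get-Date).AddDays(-90)

Get-ADComputer -Filter { OperatingSystem -like "*Server 2003*" } `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate, IPv4Address |
  Select-Object Name, OperatingSystem, OperatingSystemServicePack, IPv4Address, LastLogonDate,
    @{ Name = 'Status'
       Expression = { if ($_.LastLogonDate -gt $stale) { 'ACTIVE' } else { 'possibly retired' } } } |
  Sort-Object LastLogonDate -Descending |
  Tee-Object -Variable inventory |
  Export-Csv -Path .\server2003-inventory.csv -NoTypeInformation

# Summary for the status meeting: how many are still logging on, how many look abandoned.
$inventory | Group-Object Status | ForEach-Object { "{0,-18} {1}" -f $_.Name, $_.Count }
```

Active Directory only knows about domain-joined machines and reports the OS the computer account last registered, so treat the CSV as a starting list: workgroup hosts, appliances built on Server 2003 and machines whose accounts were never updated need a network-side inventory tool as well, as the quote above suggests.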

Many IT security companies have developed tools to secure the unsupported operating system, given the high fees Microsoft will charge for a custom support contract.

Tripwire, for instance, has released a free tool to identify security weaknesses in the unsupported OS. SecureCheq for Windows Server 2003 scans for the 20 most common and dangerous Windows Server 2003 misconfigurations.

How to secure unsupported Windows Server 2003

  1. Microsoft custom support agreement
  2. Isolate Windows Server 2003 servers on separate virtual LANs
  3. Harden Windows Server 2003 by limiting access rights, whitelisting applications and reducing the number of services running
  4. Run gateway security to protect vulnerable Windows Server 2003 systems
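Steps 2 to 4 above all start from knowing what a given Server 2003 host exposes: who can administer it, which services run at boot and under what account, and which TCP ports listen. The following read-only snapshot script is an added example, not from the article or from Tripwire's SecureCheq; it assumes PowerShell 2.0 on the Server 2003 host (available for SP2 through Windows Management Framework Core) and local administrator rights, and it uses only WMI, ADSI and netstat because the newer networking and local-account cmdlets do not exist on that platform.

```powershell
# Added example: read-only snapshot of the items the hardening steps target, run on the
# Windows Server 2003 host. Assumes PowerShell 2.0 and local administrator rights.
# Nothing here changes the system; review the output before deciding what to remove.

# Step 3 (limit access rights): who currently holds local administrator rights.
$admins = [ADSI]"WinNT://./Administrators,group"
$admins.psbase.Invoke("Members") | ForEach-Object {
    $name = $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
    "ADMIN  $name"
}

# Step 3 (reduce services): services that are running AND start automatically,
# with the account each runs as. Anything not needed by the workload is a candidate to disable.
Get-WmiObject Win32_Service -Filter "State='Running' AND StartMode='Auto'" |
  Sort-Object Name |
  ForEach-Object { "SVC    {0,-28} {1,-24} {2}" -f $_.Name, $_.StartName, $_.PathName }

# Steps 2 and 4 (VLAN isolation, gateway filtering): the listening TCP ports that the
# network controls must actually cover, mapped back to the owning process.
# netstat -ano columns on Server 2003: Proto, Local Address, Foreign Address, State, PID
netstat -ano | Select-String "LISTENING" | ForEach-Object {
    $f = ($_ -replace '\s+', ' ').Trim().Split(' ')
    $proc = Get-Process -Id $f[4] -ErrorAction SilentlyContinue
    "PORT   {0,-24} pid={1,-6} {2}" -f $f[1], $f[4], $proc.ProcessName
}
```

The ADMIN lines feed the access-rights review, the SVC lines the service reduction, and the PORT lines give the firewall and VLAN rule set something concrete to allow and deny. For the application whitelisting in step 3, Server 2003 ships Software Restriction Policies under Group Policy, which can be switched to a default-deny rule once the allowed binaries are known.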

"Practical steps can be taken today to harden these systems and reduce their attack surface," said Ken Westin, senior security analyst for Tripwire. "These steps will make it harder for attackers to compromise devices running Windows Server 2003, even in the face of the inevitable onslaught of new zero-day vulnerabilities."

Isolating and securing Windows 2003 servers

After tackling misconfigured software, organisations should also consider ringfencing the Windows Server 2003 system so it is isolated from the internet. Additionally, they should limit the servers to a whitelist of applications. 

Avecto vice-president Andrew Avanessian said application whitelisting will enable systems administrators to maintain business continuity throughout the process of rewriting and refactoring apps. 

"Meanwhile, limiting administrator rights will ensure sys-admins are empowered to perform only the task at hand, while still obtaining the privileges they need to respond to urgent break-fix scenarios."

Beyond ringfencing, Karl Sigler, threat intelligence manager at Trustwave, said: "Exploit and malware filtering can provide an additional layer of protection. Anti-malware gateways can filter exploits before they even reach your servers. This concept is generally known as 'virtual patching'. By blocking an exploit with a gateway device such as a web application firewall or a secure email gateway, you’re not as dependent on the physical patches that Server 2003 will be missing."

Trend Micro’s Deep Security is an example of such a gateway product. Deep Security is a host-based security platform that delivers multiple security controls through a single agent.

Once secure, organisations need to plan how to move forward with Windows Server. A number of products are available to help IT administrators move settings and configurations from one server OS to another, such as when migrating from Windows Server 2003 to versions 2008 or 2012 R2.

Another option is to move appropriate workloads into the cloud. 

By using a combination of cloud management and migration technologies, businesses can migrate a physical or virtual server machine quickly and simply to the cloud, according to Ian Finlay, chief operating officer at hybrid cloud provider Abiquo. 

"Firewalls tailored to address the vulnerabilities of Windows Server 2003 can then be added around these servers to immediately protect them from threats, while still allowing businesses to access their critical data," he said. 

Abiquo recently collaborated with Fusion Media Networks to offer a migration service designed to move Windows 2003 servers to the cloud as an interim step to a full Windows Server 2012 upgrade.
