What this means for your business & how to prepare
Windows Server 2003 is quickly reaching the end of its life and a mass migration is set to occur. Microsoft estimates there are about 23.8 million instances of Windows Server 2003 (WS2003) running today. Microsoft will stop providing support for the old OS on July 14. Whether this announcement is a headache or opportunity, it does place an additional burden on organizations as it requires careful consideration, strategic planning and execution.
We previously witnessed a similar scenario when the support for Windows XP ended back in April 2014.
This migration won’t be easy. The tech world has changed drastically since 2003 and there is a lot of discussion taking place about how to make the leap.
WS2003 was really stable, but as we move to the cloud world there are now a lot of scenarios that were not prevalent back then. The big one is that Windows Server 2012 is cloud-ready. The ability to do private, public and hybrid scenarios is significant.
Not upgrading is not really an option. As support ends these servers present a potential security risk. Whether or not the server has important data, the end of support creates a potential point of intrusion.
In recent years, cloud computing has spread, and with it the attack surface available to cyber criminals, hacktivists and people simply wanting to test an organization’s security posture.
It is important to note the potential security implications that organizations will face as a result of Windows 2003 approaching end of life.
The first point here is that it is very important not to panic. Your Windows 2003 servers will still operate in the same way the day after July 14, but as time goes on you could become more susceptible to a cyber-attack.
You will no longer be able to obtain the latest security updates, thus making the confidentiality, integrity and availability of your systems and data more prone to malicious attacks. One of the core controls around the cloud environment is your protection of data in transit, whether that is actual data crossing networks and/or authentication credentials.
Software & hardware compatibility
If you are running a mixture of physical and virtualized servers, then priority should go to addressing physical aspects, as most WS2003 licenses are tied to the physical box, which is usually commodity hardware. If you continue to run WS2003 and are unable to take advantage of new security and hardware products you have invested in as part of your cloud strategy, it may be more cost effective to migrate to a later version, say 2012.
Compliance against industry requirements and/or best practice
Compliance with industry standards and legislative frameworks has swiftly moved from a best practice ‘nice to have’ requirement to mandatory within a lot of industries. If you are running WS2003 without any support, you run the risk of becoming non-compliant.
Disaster recovery & resiliency
You really need to consider how you plan on restarting servers that are out of support and beyond your IT team's capabilities. If disaster recovery and resiliency are key to your business, then migrating is an absolute necessity unless you try to negotiate a custom support contract with Microsoft, which may be fairly expensive.
Consider hardware & software
Two main variables come into play. In a lot of cases, the hardware the OS is running on will not support the new operating system. The other variable is which applications that server is running. You might need to upgrade the application itself as well if it does not have the cross-compatibility.
There are systems management considerations as well. While 2003 was a robust operating system, 2012 sees a lot of advancement with systems management.
Perhaps the biggest consideration, however, is with hardware. While 2012 has many more capabilities, it also often means a need for more powerful hardware.
The hardware benefits include advanced virtualization and reducing overhead to handle more workloads on fewer servers. If you decide to retain your 2003 servers, this activity will need to be continual, as your likelihood of compromise will increase over time whether that is an external malicious attack or an insider threat.
The end of extended support announcement for WS2003 does raise concerns from a security perspective and presents a risk. That risk is only likely to increase over time, and organizations operating in the cloud must plan ahead and understand the flow of their key information assets. They should take steps to ensure that they are adequately protected based on the business impact of compromise and cost to remediate.
Nick Pascarella is a partner at TruBambu (www.trubambu.com), a business technology consultancy company.
Art Hendela, Hendela System Consultants, Inc.
Nick Pascarella, Trubambu