As we quickly approach the end of support for Microsoft Windows Server 2003 in July, thousands of organizations are working to migrate to newer platforms so they are not left exposed to vulnerabilities once security updates stop. For many organizations, migrating on time is especially challenging given the limited resources, monetary and otherwise, available for the job.
As we help organizations through this migration (we can protect Windows Server 2003 systems that are not ready to migrate by July 14, as well as the newer Windows platforms they move to, such as Windows Server 2012 and Azure), we’re also aware of the valuable insights our customers have to share from other recent end-of-support migrations. We spoke with Tim Nance, Information Security Manager at University of Florida Health Shands, about his organization’s migration from Windows XP. With a desktop count of around 18,000 and 1,400 servers (900 of which are VMware), the team at UF Health Shands faced quite a task. Here’s a snapshot of their migration experience:
TM: How big of a concern is it for your organization to protect platforms that reach end of support, and what does that mean for your organization from a preparation point of view?
TN: The people responsible for the Windows XP migration in 2013 and 2014 didn’t take migration into serious account until quite late. We had a few thousand devices in the system, and we kept telling them that the sky was falling, but they didn’t seem to realize that it was going to happen. A mandate then came from the main university office saying that all machines running XP had to be off the wire, and lots of resources were then engaged for mitigation. They hired on people to do upgrades, but knew they couldn’t get done in time.
That’s when we looked at leveraging Trend Micro Intrusion Defense Firewall (now called Trend Micro Vulnerability Protection) to mitigate the issue. We rolled out policies to all of the Windows XP machines to mitigate until we could go through the process of identifying permanent mitigation solutions. We had many expensive devices and were able to leverage IDF/Vulnerability Protection to buy ourselves time.
TM: How did you use virtual patching to help in your migration?
TN: We implemented virtual patching via Trend Micro Deep Security as an interim solution for our Windows XP devices to extend their life as we continue to reduce the number of those machines. The deadline to have the devices migrated was October, and with virtual patching, we could extend that by six to seven months. In some cases, the rule base was going to get so large that it was going to impact the performance of the machines, but the single-task machines could have been run for a year to a year and a half, buying us plenty more time. We were already an existing Trend Micro customer, so we knew the solution would be a good fit for us.
TM: What was your primary migration strategy away from Windows XP?
TN: They were moving to Windows 7, and there was also a push and set up for VDI endpoints and licenses. The initial goal to complete migration was six to seven months. Within a month of that six-month timeframe, the critical U.S. machines were done. There are still a couple hundred Windows XP machines left that can’t be migrated because they run specific applications that were not able to work with the next Microsoft operating system. For those, we’re either going to continue mitigating them with virtual patching or going to purchase hardware firewalls for those devices.
For example, we have a pathology machine that does lab analysis; it would cost $175,000 to replace that machine, and we wouldn’t get any additional diagnostics out of that – just a new operating system. Spending $500 to permanently isolate that machine behind a firewall made much better business sense.
We definitely would have had some interruptions in our business had it not been for our use of virtual patching. In an environment that needs to run 24/7, we can’t take 300 machines and disconnect them. We only have 48-50 people on our field service team, and we didn’t have enough time to go out and replace the operating system in a timely manner while keeping business running as smoothly as normal. Virtual patching was able to extend the life of those devices and keep our business running.
TM: As the end of support approached, were there compliance needs that were in jeopardy?
TN: We weren’t driven by the compliance concerns; rather, I prefer to look at what is best for the organization from a security and risk point of view. Mostly, we were concerned with vulnerabilities. Security industry experts have stated that there are people waiting to release a zero-day attack as soon as the end of support date hits. As soon as Microsoft stops patching, you’re likely to see a massive attack on data, probably within just a couple of days of the last Patch Tuesday. It’s important to protect ourselves from these threats.
TM: What are some lessons you’ve learned from your Windows XP migration experience?
TN: We really got ahead of it and still have three months before XP is out – we expect that, except for the devices that can’t be migrated, we’ll have them done. I learned that if you can make a plan and identify your strategy, Deep Security can extend your timeline if you don’t have the resources to get out and migrate quickly; it bought us seven months during our XP migration.
Click here to learn more about how Trend Micro can help you through your migration from Windows Server 2003.