Aging software can be surprisingly hard to put out to digital pasture. Microsoft Windows XP and Windows Server 2003 are both famous (or perhaps infamous) for how long they have remained in widespread enterprise use.
Windows XP and what can go wrong with unsupported software
Introduced in 2001, Windows XP came to market at a time when LCD monitors for PCs were still rare, Wi-Fi was scarce and slow, and mass-market smartphones and tablets were still years away. Even so, it accounted for a considerable share of the PC operating system market right up to the end of extended support on April 8, 2014, and it may have still been running on as much as 19 percent of all PCs at the beginning of March 2015.
Prior to the Windows XP support cutoff, there was widespread concern about its resilience despite the availability of newer, more secure versions of Windows as well as desktop alternatives such as Apple OS X and various Linux distributions. Many ATMs depended upon XP, and enterprises everywhere had tied their security management strategies to an OS that was simply not designed with many of today's most sophisticated threats in mind. Once the regular patches and updates ceased, that outdated design became a permanent, unpatchable exposure rather than a gap closed on the next Patch Tuesday.
“Every standard desktop-security risk that a computer faces will be amplified, because there are no fixes being written by Microsoft,” Scott Kinka, chief technology officer at Evolve IP, told Tom’s Guide last year on the eve of the Windows XP deadline. “This involves every form of malware possible. Just assume someone is on your PC while you are working. Every password, trade secret and bit of personal information is at risk.”
While Windows XP's end of life did not precipitate any major related cyber security event, the scrutiny given to its weaknesses served as a case study in how preventable vulnerabilities, e.g. a system that was not patched in time or a communications failure within the organization, can pave the way for advanced persistent threats, malware delivery and surveillance.
Another year, another end of life process for a popular piece of software
Was Windows XP just the start of a long string of difficult and potentially expensive migrations away from legacy systems? Will enterprises face similar anxieties with Windows 7 or Windows 8 years from now? That is hard to say, but at least one other OS could merit a lot of attention in the short term. If Windows XP was the center of attention among old software in 2014, then Windows Server 2003 takes the same crown for 2015.
We have discussed the impending end of extended support for Windows Server 2003 here before. On July 14, 2015, Microsoft will stop issuing security updates and patches for Windows Server 2003, leaving the integrity of many mission-critical systems up in the air. To get a sense of the issue, consider that more than half of businesses in Canada may still be running the server OS, according to a recent study from Avanade. Other details of the study included:
- Almost one-third of Canadian firms continue to run critical business applications on Windows Server 2003.
- Only 37 percent of all their applications have been migrated away from the OS.
- Nearly 60 percent of these organizations expect that some work will need to be done to update their applications for a newer platform.
- Twenty-nine percent expect that at least one-third of their programs will require significant rewriting or other modernization before they can be migrated.
- Slightly more than half (52 percent) reported that they would continue using Windows Server 2003 past the July 2015 deadline.
This study highlights how migrating from Windows Server 2003 to something newer is crucial in theory, but sometimes difficult to actually do. Enterprises have to think about how the upgrade will fit into their budgets and how it could affect business continuity. The respondents to Avanade’s survey cited difficulties such as longer than expected upgrade times, dealing with higher priority projects and avoiding disruptions to the business.
In a blog post from earlier this year, Trend Micro's Mike Smith looked at how issues of these sorts would likely lead many North American enterprises to continue using Windows Server 2003 beyond this summer. At the same time, he pointed out that having security software in place would be essential to fend off the rising tide of threats in the mold of Heartbleed and Shellshock that take advantage of vulnerabilities in widely used platforms, whether they are inconsistently maintained open source projects or outdated commercial products.
“The smart money is … on migrating to a newer version of the product,” Smith wrote. “But realistically, this isn’t going to be possible for everyone. There are an estimated 300,000 servers in North America that are simply too old to run newer versions of Windows Server. Other organizations are running mission-critical legacy apps that can’t be upgraded onto newer systems, while others still are simply not able to absorb the cost and resource-intensive migration process.”
Dealing with upgrade anxiety through deep cyber security tools
There are several options for moving on from Windows Server 2003. Upgrading to a newer product is the most comprehensive solution, but as we have pointed out, it may not be immediately feasible. Custom support from Microsoft could work, albeit at a considerable price tag, as was the case with Windows XP in 2014.
Ultimately, considering these obstacles, it seems like a good bet that many enterprises will stick with Windows Server 2003 despite the looming deadline. Deep security tools can help any organization that plans to rely on the platform after July. These solutions offer features that harden Windows Server 2003 against a wide range of threats: virtual patching provides intrusion detection and prevention at the network layer, so exploit traffic aimed at a known vulnerability is blocked before it reaches the unpatched service; integrity monitoring flags and prevents unauthorized changes to the OS; and anti-malware and Web reputation capabilities protect servers and virtual desktops from threats that would otherwise cause trouble. One caveat a practitioner should keep in mind: these are compensating controls. They shrink the window of exposure and give you visibility, but they do not remove the underlying vulnerability the way a vendor patch does, so they should be paired with a migration plan and a dated deadline rather than treated as a permanent substitute.
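To make the integrity-monitoring idea concrete, here is an added example (not Trend Micro's code or any product's implementation) of the core technique: hash every file under a directory tree from a known-good state, persist that baseline, and later diff the live tree against it to report added, removed and modified files. The directory layout and file contents are constructed for the demonstration and are not real Windows system files; `demo()` builds them in a temporary directory so the script runs offline.

```python
"""Minimal file-integrity monitor: baseline a tree, then detect drift.

Added example, not code from the original article or from any vendor.
The sample directory and file contents in demo() are constructed.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its digest."""
    baseline = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            baseline[full.relative_to(root).as_posix()] = hash_file(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines; returns sorted lists so output is stable and testable."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, tamper with the tree, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sysdir = root / "system32"          # hypothetical layout, not a real OS tree
        sysdir.mkdir()
        (sysdir / "svchost.exe").write_bytes(b"original service host")
        (sysdir / "hosts").write_bytes(b"127.0.0.1 localhost")

        # Baseline from the known-good state, persisted as JSON the way an
        # agent would store it (in practice: off-host, so an intruder who owns
        # the box cannot rewrite the baseline to match their changes).
        saved = json.dumps(build_baseline(root))

        # Simulated tampering: a binary replaced, a new DLL dropped, a file removed.
        (sysdir / "svchost.exe").write_bytes(b"trojanised service host")
        (sysdir / "evil.dll").write_bytes(b"payload")
        (sysdir / "hosts").unlink()

        return compare(json.loads(saved), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter more than the hashing itself. The baseline is only as trustworthy as the state it was taken from, so it must be captured on a freshly built or verified host, and it must be stored where the monitored host cannot overwrite it. Also, on a server that will never see another patch, every "modified" entry under a system directory deserves an answer, because there is no legitimate vendor update left to explain it.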
Looking forward, these issues in moving past legacy platforms should serve as lessons for improving overall enterprise security architectures. It is not just old versions of Windows that can cause trouble: so can outdated installations of Adobe Flash Player and Adobe ColdFusion, not to mention error-prone manual processes such as spreadsheet-based customer relationship management.
Moreover, cyber security has become a critical area for the entire enterprise, meaning that obsolete software and processes have to be taken into account when securing core assets and modernizing both IT and line-of-business. Newer tools, custom support and deep security solutions all provide viable options for moving IT forward despite current reliance on older platforms.