End-of-life fun times are coming to infosec departments everywhere—again.
Just a year after the announcement of Windows XP’s end-of-life, we see another body in the OS graveyard: Windows Server 2003. After July 14th, servers running this venerable OS will no longer receive security updates. That would leave you out in the cold pretty soon, given the speed at which new vulnerabilities are being published lately.
Who’d want to be in such a position? According to a survey conducted by Spiceworks, 37% of the companies surveyed hadn’t migrated to a newer OS. Looking further into this statistic reveals a scarier side: of those companies, 8% had no plans to migrate at all and 1% did not know anything about plans for migration. The majority of the companies (48%) were partially migrated; only 15% had fully migrated.
Of those companies that were looking to finish their transitions, 25% planned to finish at some point after July 14th. This includes another group that planned to complete their migration “at some point.” From a security standpoint, these are not the answers we were hoping for.
The most common reason given for delaying migration was that “the system is still working or there’s no immediate need to migrate.” But organizations need to wake up to the fact that most attackers are not interested in their companies per se (although some of them probably are). Most cyber attackers go after the lowest-hanging fruit by means of least-effort mass attacks, and guess what? Your fruit will be hanging much lower if you still have an ancient, out-of-support OS after July 14th. Our primer, Pulling the Plug on Windows Server 2003: Can You Still Manage Your Legacy Systems?, discusses the risks of discontinued support.
Unlike migrating from Windows XP, migrating from Windows Server 2003 can be more challenging because we’re talking about servers this time, which means computers that cannot easily be rebooted or turned off (let alone be down for a significant amount of upgrade time). Old server-side applications might not have been tested with more modern operating systems, and an upgrade might not be possible at all. However, we do recommend upgrading or moving to a virtual environment whenever it’s possible.
The survey also had some bright spots. A significant percentage of those migrations would go to virtualized environments, which are more easily defendable. The added layer called the hypervisor (the host OS in the virtual environment) can act as a moat against threats.
So do we encourage companies to accelerate the rate of their migrations to newer server OSs? Yes, definitely! Would you want to be exposed to the new vulnerability of the day? We bet it will come shortly after July 15th. If you have trouble sticking to that timeline, sort those problems out as soon as possible. If the survey is any indication, most companies already have the licenses/cloud providers lined up; most mention it’s a matter of time or budget constraints. This is the classic security conundrum: more security, or more convenient/cheaper/faster things? Bear in mind that convenience/price/speed can be quickly offset by a bad breach or attack. In my opinion, the decision is crystal clear.
The Vulnerability Protection in our Smart Protection Suites can provide defense against exploits, although we still strongly recommend migration to minimize the attack surface. Companies worried about the costs and operational issues when it comes to emergency patches and system downtime can get immediate protection with the help of virtual patching technologies, such as the solutions found in Trend Micro Deep Security. Virtual patching minimizes exposure gaps, protecting users of Windows Server 2003 from exploits as they migrate to a newer platform.
Read more about how virtual patching helps companies dodge compromise in our infographic, “Dodging a Compromise: A Peek at Exposure Gaps.”