Recently, Microsoft released seven security bulletins for Microsoft Windows Server 2003. This means there are now just two more update Tuesday releases for this long-serving server operating system: Tuesday, June 9 and Tuesday, July 14. After July 14, 2015, 62 days from now, there will be no more security updates for Windows Server 2003.
In practical terms, this means that if you’re running Windows Server 2003 on July 15, 2015, you will be immediately exposed to any and all security vulnerabilities affecting Windows Server 2003 that are found from then on. There will not be any security patches for Windows Server 2003 after this date.
This isn’t the first time we’ve seen a popular, long-serving Microsoft operating system go out of security update support. A year ago, Windows XP finally went out of support 13 ½ years after its release. And while Windows Server 2003 isn’t quite as old as Windows XP was (clocking in at 12, rather than 13 ½ years), this is as big a deal on the server side as Windows XP was on the client side.
Just like we saw a staggering number of people running Windows XP on the eve of its retirement, we’re also seeing a shocking number of people on Windows Server 2003 even now. A recent survey by The Enterprise Strategy Group shows 82 percent of respondents have Windows Server 2003 present in their organization. And 25 percent of these respondents say their plan for dealing with the end of security support in 62 days is to “Continue to run Windows Server 2003 without support and maintenance.”
Running an unsupported operating system is something that should be viewed as an operational vulnerability. It’s inherently dangerous and ill-advised.
But realistically, if you’re running Windows Server 2003 as you read this, you’re likely not in a position to migrate off of it quickly. Odds are that you’re on this older operating system out of necessity and so may not be able to migrate off of it anytime soon.
If you’re facing a situation where your business requirements are keeping you on Windows Server 2003 beyond July 14, 2015, one option you should consider is mitigating the risks of unpatched vulnerabilities with the protections that Deep Security offers against attempts to exploit those vulnerabilities. While Deep Security doesn’t close the underlying flaw that puts your system at risk, it protects against attacks on those vulnerabilities, which can significantly improve your security situation. If you’d like to learn more about protecting your Windows Server 2003 environment post-July 14, watch this recent webinar, “Staying Secure after Microsoft Windows Server 2003 Reaches End of Life.”
Of course, the best solution is to retire all of your Windows Server 2003 systems before July 14. But if you can’t, there’s at least an option other than entrusting the security of your systems to hope.