Microsoft may have ended extended support for Windows Server 2003, but one in five businesses in Australia and New Zealand are still running Windows Server 2003 or older, including the Victorian Government which has just spent $4.4 million on support.
“With over 22 vulnerabilities known but not patched, businesses should expect hackers to increasingly exploit these gaps and must take steps to prevent being exposed,” observes Phillip Simpson, Principal Consultant APJ, Dell SecureWorks.
In addition to the risks posed by the lack of security updates, Simpson says the continued use of an unsupported operating system may violate external regulatory or compliance requirements, and third-party software vendors may withdraw support for products on Windows Server 2003 systems.
“The number of vulnerabilities identified in Windows Server 2003 significantly increased after it entered the extended support phase in the second half of 2010,” Simpson says.
“According to Secunia, 22 vulnerabilities affecting Windows Server 2003 were unpatched as of March 31, 2015, and Microsoft has not announced if any of these issues will be addressed in security updates released before the July support deadline.”
For Simpson, the operating system will likely contain unaddressed vulnerabilities now Microsoft has discontinued support, essentially acting as perpetual zero-day vulnerabilities.
Consequently, Simpson believes some vulnerability researchers and threat actors have historically delayed announcing severe vulnerabilities until after support for a product ends, increasing the value and potential impact of exploits.
“Whilst the best advice is to migrate to a modern server, for those still using Windows Server 2003 and older, the typical migration takes an average of seven months,” Simpson adds.
“This is a significant window for cyber criminals to penetrate the unsupported platform and compromise the rest of the business.”
During this time, Simpson believes it is critical businesses mitigate the exposure as effectively as possible.
“Most customers will look at logically segmenting or isolating the vulnerable applications or servers during this time by putting a “virtual” ring fence around the applications themselves,” Simpson adds.
“However, these compensating controls are not recommended as it will not provide complete protection against the vast number of threats that will occur now support has ended.”
The other option is to pay Microsoft to continue to support Windows Server 2003.
“However, the cost of this outweighs the benefits and it is much more valuable to begin the process of migrating rather than implementing a stop-gap solution,” Simpson adds.