Computerworld

WPC 2015 - Windows Server 2003 support ends, but do A/NZ businesses care?

As of now, Microsoft no longer issues security updates for any version of Windows Server 2003.

Yet around the corridors of the Orange County Convention Centre this week, home to the Microsoft Worldwide Partner Conference 2015, there’s not even a whisper of migration, with two-thirds of businesses across the world failing to make the July 14 deadline.

With the deadline now passed, has the time come for Kiwi organisations to act?

Or more tellingly, is Windows Server 2003 simply not interesting enough to warrant the same level of attention that Microsoft’s Windows XP end of support campaign garnered last year?

But as reported by Computerworld last month, the U.S. Navy is paying Microsoft US$9.1 million for a contract that provides extended support for Windows Server 2003, Windows XP, Office 2003 and Exchange 2003.

So clearly, the repercussions for New Zealand businesses staying on Windows Server 2003 are severe, and expensive.

Taking a different approach to the issue, Sasha Pavlovic, director of cloud and data centre security for Asia Pacific at Trend Micro, believes it’s now important for local organisations to understand the risks of running out-of-support platforms against the costs and effort of migrating to a new one, as well as what they can do to mitigate security risks until their migration is finalised.

“The safest plan for your business is to migrate from Windows Server 2003, however there are options to help businesses in New Zealand buy more time and extend their upgrade plans beyond the 14 July deadline,” Pavlovic says.

“Virtual Patching is a security capability that virtually patches system and application vulnerabilities, protecting them from exploit.

“In cases where legacy operating systems and applications are still being used, other than performing a full system upgrade, it’s the only alternative solution to ensuring your Windows 2003 workloads are kept safe and secure as you plan for your upgrade.”

In short, Pavlovic believes the end of support means two things: newly discovered vulnerabilities in Windows Server 2003 will not be patched anymore, nor will they be documented and acknowledged by Microsoft.

“This represents an increase in the risk of using Windows Server 2003,” Pavlovic explains.

“However, many organisations still count on Windows Server 2003 for critical business operations. If you are still running Windows Server 2003 in your data centre, you need to take steps to protect your infrastructure.”

As recommended by Microsoft, the most important thing for Kiwi businesses is to plan on migrating from Windows Server 2003.

“If you haven’t been able to migrate yet, however, you can help protect your Windows Server 2003 system with a combination of virtual patching and system security until migration,” Pavlovic adds.

“No single solution will address all security scenarios, but there is a combination of solutions and best practices you can follow to assist in keeping the data centre secure.”

At present, Pavlovic believes intrusion detection and prevention (IDS/IPS) technologies can shield vulnerabilities in out-of-support Windows Server 2003 systems before they can be exploited.

Also, security tools with virtual patching capabilities can provide automated virtual shielding of vulnerabilities, helping businesses extend the life of legacy systems.

But to protect against changes to a system that is no longer being patched by Microsoft, Pavlovic outlines the importance of considering built-in system security capabilities, including integrity monitoring, which enables the detection of changes where there should no longer be any.

“This will allow you to keep Windows Server 2003 systems protected until they can be migrated, reducing risk and keeping your IT operational expenses low,” Pavlovic explains.

“This combined approach to security will eliminate risk exposure from new vulnerabilities, including protection against zero-day attacks as well as help detect unplanned or malicious changes on the system, enabling rapid response to a potential attack.

“Further benefits include allowing businesses to mitigate potential data security compliance issues for critical regulations like PCI DSS 3.0, while also providing a smooth migration path to secure systems beyond Windows 2003, including Windows 2012, Microsoft Azure, and other leading cloud providers like Amazon Web Services (AWS).”