Windows Server 2003: The Time to Act is Now
With the end of Windows Server 2003 support fast approaching, companies must act now to migrate systems where possible and secure legacy systems.
By now most are aware that Windows Server 2003 support will end on July 14, 2015, less than two weeks from now. Microsoft announced the end of support over 18 months ago, and a spate of articles about that have been published recently.
Microsoft provides comprehensive information on migrating Windows Server 2003 systems to Windows Server 2012 R2 or other alternatives. If you have Windows Server 2003 systems, please read the information at the Microsoft site; there’s no point in repeating it here. But do go read it, and act on it.
The reasons you need to act now are very simple and very important:
- Microsoft will not provide security updates for Windows Server 2003, meaning your systems will become increasingly vulnerable to cyber-attack. While several major anti-virus providers have announced they will continue to provide anti-virus software for Windows Server 2003, they are also clear that they will not support Windows Server 2003 indefinitely. And anti-virus software is an incomplete replacement for Microsoft security patches.
- If your systems contain credit card information, you will be out of PCI compliance. If your systems contain health care information, you will be out of compliance with HIPAA.
- Applications you are using on your Windows Server 2003 system may no longer be supported and many application vendors will no longer provide enhancements or bug fixes for those applications on Windows Server 2003 systems.
- No technical support from Microsoft in case of a system outage. If your Windows Server 2003 system is down, you are on your own.
Until your systems are upgraded from Windows Server 2003, you should consider the following temporary mitigations:
- Apply the latest software updates and security fixes from Microsoft and your application vendors.
- Continue to update your anti-virus software and check regularly with your anti-virus vendor to ensure that they are continuing to support Windows Server 2003.
- Be extra vigilant in applying security best practices: verify that you have implemented the principle of least privilege for access to Windows Server 2003 systems (i.e., only those users that require access to Windows Server 2003 systems have that access); if possible, remove those systems from internet access or, better yet, air-gap those systems; and ensure that firewall and proxy server settings limit access to those systems to the greatest extent possible.
- Consider adding a whitelisting solution to your Windows Server 2003 systems. This will ensure that only allowed applications will run. Whitelisting is also an accepted compensating control for PCI credit card information when the vendor no longer provides security patches. It also ensures that malware cannot execute on your system – while malware can still land on your system, it cannot run if it is not on the application whitelist.
Remember, these solutions should be treated as temporary fixes to improve the security of legacy Windows Server 2003 systems and will not be as secure as migrating to modern, fully supported server infrastructure. So now, today, this minute, start planning your migration from Windows Server 2003 to supported platforms.