Microsoft will soon move Windows Server 2003 into the category of an '80s big-hair metal band, whose aging rock stars no longer fill arenas and no longer even headline casinos. I'm not trying to be mean to aging rock stars, but I am calling out those of you who think keeping Windows Server 2003 in production is viable, especially without taking some steps to secure it after Microsoft pulls support.
No. I know some of the best firewall dudes on the planet, and no firewall can protect you against every conceivable threat. If a vendor or consultant suggests otherwise, accuse them of being a charlatan and never listen to anything they say ever again. If you have taken a cavalier attitude to firewalling and your Windows Server 2003 is exposed to the Internet, I'm going to describe your situation a little graphically…
Your business is the cyber equivalent of bleeding into a pool of sharks. OK, the entire Internet is a big pool, but the sharks are hungry and will find you – I think you get my point here. A Windows 2003 server, after support and security patches stop, is a tasty cybercrime target. You may as well add barbeque sauce.
It may be fair ball if your Windows 2003 machine is not on the Internet in any way, shape or form, but you had better know what you're doing from a network segmentation point of view. If you know what a VLAN is, you may be able to outswim the sharks – at least for a short while.
No, it's not. Any chance of compliance went goodbye when support stopped. One of the primary requirements of <insert-your-compliance-requirement-here> is to "apply security patches" or that your "operating system software must be supported by its vendor".
If there are no security patches any more, or your operating system is no longer supported by the vendor, you can't be compliant. Not being compliant in this day and age of data breach litigation seems uncomfortable, to say the least.
Once lawyers start throwing terms like "negligence" around, things move from uncomfortable to damaging. That case is easy to make if a vulnerability is publicly disclosed and the vendor does not issue a patch for it. You're going to have a really tough time convincing people you followed due diligence.
Not true. The business relies on you to protect it, and you can't protect it without securing it and ultimately thinking about replacement. Change is hard, but rebuilding a 2K3 server from scratch, especially on a 10-plus-year-old hardware platform, and installing hundreds of patches and driver updates is going to suck way more. And that's just the OS; now add on the old database or old client/server software, or some awful early-2000s web interface, and hell, just put your resumé on Monster and update your LinkedIn profile with "looking for opportunities".
Wrong again. There are lots of things you can do. There are plenty of companies that have the expertise, resources and tools to help you. It may cost money for sure, but so will the clean-up costs and remediation from when you're massively, professionally hacked.
Security consultants charge way more in a panic post-breach incident response scenario than you would spend on developing, purchasing, or adapting an off-the-shelf solution for the "we can't live without our critical business application that runs on Windows Server 2003" problem. A legitimate approach is to buy some time.
Ultimately, this security problem is avoidable. Think of it this way: if you retired from the Army, your chances of getting shot by bad guys are way lower than if you're still in the Army. It's that simple. Moving away from Windows Server 2003 will avoid Windows Server 2003-associated vulnerabilities and a potential data breach.
Make the Internet a safer place to work and play and don’t feed the sharks your server – everyone wins, except the sharks.
Ian Thornton-Trump, CSA+, CD, CEH, CNDA is CTO at Octopi Managed Services Inc. Ian is an ITIL certified Information Technology (IT) consultant with more than 20 years of experience in IT security and information technology. He enjoys and maintains a strong commitment to the security community. From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch; in 2002, he joined the CF Military Police Reserves and retired as a Public Affairs Officer in 2013.
You can follow Ian on Twitter® at @phat_hobbit.
We recognized that meeting a 14 July 2015 deadline may not be viable for your business, or your customers. So we released a white paper with some ideas for temporary solutions and hardening for a 2K3 server (pro tip: start learning about virtualization).