Story image

Old servers present cyber criminals an opportunity to compromise your business

23 Jul 15

Microsoft’s product lifecycle provides at least ten years of support for its operating systems, ensuring that organisations can gracefully upgrade to a new version while support for the older version is still available.

As of last week, Microsoft has discontinue support for Windows Server 2003. In addition to the risks posed by the lack of security updates, continued use of an unsupported operating system may violate external regulatory or compliance requirements, and third-party software vendors may withdraw support for products on Windows Server 2003 systems.

The number of vulnerabilities identified in Windows Server 2003 significantly increased after it entered the extended support phase in the second half of 2010. According to Secunia, 22 vulnerabilities affecting Windows Server 2003 were unpatched as of March 31, 2015, and Microsoft has not announced if any of these issues will be addressed in security updates released before the July support deadline.

The operating system will likely contain unaddressed vulnerabilities now Microsoft has discontinued support, essentially acting as perpetual zero-day vulnerabilities. Some vulnerability researchers and threat actors have historically delayed announcing severe vulnerabilities until after support for a product ends, increasing the value and potential impact of exploits.

Whilst the best advice is to migrate to a modern server, for those still using Windows Server 2003 and older, the typical migration takes an average of seven months. This is a significant window for cyber criminals to penetrate the unsupported platform and compromise the rest of the business.

During this time, it is critical businesses mitigate the exposure as effectively as possible. Most customers will look at logically segmenting or isolating the vulnerable applications or servers during this time by putting a 'virtual' ring fence around the applications themselves.

However, these compensating controls are not recommended as it will not provide complete protection against the vast number of threats that will occur now support has ended. The other option is to pay Microsoft to continue to support Windows Server 2003. However, the cost of this outweighs the benefits and it is much more valuable to begin the process of migrating rather than implementing a stop-gap solution.

By Phillip Simpson, Dell SecureWorks principal consultant APJ.

Tensions on the rise after Huawei CFO arrest
“Recently our corporate CFO, Meng Wanzhou, was provisionally detained by the Canadian authorities on behalf of the United States of America."
Why total visibility is the key to zero trust
Over time, the basic zero trust model has evolved and matured into what Forrester calls the Zero Trust eXtended (ZTX) Ecosystem.
Gartner names Proofpoint Leader in enterprise information archiving
The report provides a detailed overview of the enterprise information archiving market and evaluates vendors based on completeness of vision and ability to execute.
QNAP introduces new 10GbE and Thunderbolt 3 NAS series
The new series is supposedly an all-in-one NAS solution for file storage, backup, sharing, synchronisation and centralised management. 
HPE to supply tech to Formula E racing team
“At HPE, we believe the future belongs to the fast, and we’re focused on accelerating what’s next for enterprises, including in the world of auto racing."
Data Exchange Networks achieves world-first
After receiving a new Uptime Institute award, DXN is now the first modular data centre developer in the world equipped to blend different standards.
Why the future of IT infrastructure is always on and always available
As more organisations embrace digital business, infrastructure and operations leaders will need to evolve their strategies and skills to keep up.
Malaysia investing in data-driven future – but obstacles remain
The country has openly expressed its desire to become the prime destination for high-tech industries in Southeast Asia.