Microsoft’s product lifecycle provides at least ten years of support for its operating systems, ensuring that organisations can gracefully upgrade to a new version while support for the older version is still available.
As of last week, Microsoft has discontinue support for Windows Server 2003. In addition to the risks posed by the lack of security updates, continued use of an unsupported operating system may violate external regulatory or compliance requirements, and third-party software vendors may withdraw support for products on Windows Server 2003 systems.
The number of vulnerabilities identified in Windows Server 2003 significantly increased after it entered the extended support phase in the second half of 2010. According to Secunia, 22 vulnerabilities affecting Windows Server 2003 were unpatched as of March 31, 2015, and Microsoft has not announced if any of these issues will be addressed in security updates released before the July support deadline.
The operating system will likely contain unaddressed vulnerabilities now Microsoft has discontinued support, essentially acting as perpetual zero-day vulnerabilities. Some vulnerability researchers and threat actors have historically delayed announcing severe vulnerabilities until after support for a product ends, increasing the value and potential impact of exploits.
Whilst the best advice is to migrate to a modern server, for those still using Windows Server 2003 and older, the typical migration takes an average of seven months. This is a significant window for cyber criminals to penetrate the unsupported platform and compromise the rest of the business.
During this time, it is critical businesses mitigate the exposure as effectively as possible. Most customers will look at logically segmenting or isolating the vulnerable applications or servers during this time by putting a 'virtual' ring fence around the applications themselves.
However, these compensating controls are not recommended as it will not provide complete protection against the vast number of threats that will occur now support has ended. The other option is to pay Microsoft to continue to support Windows Server 2003. However, the cost of this outweighs the benefits and it is much more valuable to begin the process of migrating rather than implementing a stop-gap solution.
By Phillip Simpson, Dell SecureWorks principal consultant APJ.