What does end of life for Windows 2003 server mean?
Microsoft has officially sunsetted (discontinued) the Windows 2003 server platform as of July 15, 2015. They are not developing or providing any further updates to the operating system (OS), which had more than 60 critical updates released in 2013 and 2014. What end of service really means is that, as of July 15, Microsoft stopped patching the OS, both security patches and functional patches. Eventually, newly discovered vulnerabilities in that server platform could be exploited, and Microsoft will not be releasing patches for them.
Because the Windows 2003 server has reached end of life, any services or applications running on that platform are no longer in compliance with standards and regulations. Most standards and regulations require that the end of life of an OS, application or device be monitored and that workloads be migrated off it prior to the sunset date. They also require that OSs be maintained at the latest security patches and software updates to address recently discovered vulnerabilities. Since Microsoft is not releasing any new patches for Windows 2003, companies still running it are out of compliance and may suffer reduced volume and/or financial penalties from servicers.
End of life also means end of support in a number of ways. First, not only is Microsoft not releasing patches, they are not providing support to troubleshoot operational issues that may arise on the platform. This will likely affect application support from third-party vendors and software companies as well. Since the Windows 2003 server is no longer supported by Microsoft, software vendors will not invest time, effort and money into supporting applications running on the outdated OS. Apps written for the 2003 platform may no longer be supported by their respective vendors.
One online technology publication, TechRadar, calls it the “biggest security threat of 2015.” This certainly raises the stakes for continuing to use this now retired platform.
Risks of continued use
There are numerous risks identified with the continued use of the Windows 2003 server. They will not all materialize on day one, but your customer records and confidential data are at a higher risk of being compromised as time goes on. Hackers are constantly looking for unprotected servers, and without Microsoft’s updates, patches and service packs, the risk of a security breach increases. You can expect, and will see, increased exposure to major vulnerabilities and cybersecurity attacks on the computer systems, databases and applications running on the Windows 2003 server.
Aside from the financial risk of a security breach, there is also the reputational risk and the publicity that comes attached. Everyone wants to be on the cover of the Wall Street Journal, unless it’s because your data has been breached. Sony, Target and Blue Cross are just a few of the companies breached over the last few years, and they received plenty of negative press that has affected their reputational and financial positions.
What about compliance? Continuing to operate on the Windows 2003 server platform after the deadline means you are noncompliant with various regulations and standards, including PCI, HIPAA and FFIEC, to name a few. Since most regulations and standards require that end-of-life systems be phased out and decommissioned, an independent audit will certainly flag the use of the Windows 2003 server as noncompliance. The penalties for this noncompliance can be greater than you think. There’s the likely financial penalty from the regulatory entity and possibly the loss of volume from the servicer, and, in some cases, the cost of those two penalties is more than the cost of upgrading your infrastructure.
So how does this affect your operational costs? Who is going to address the issues that arise on a Windows 2003 server or the application(s) that run on that server? Support from Microsoft and the third-party application vendor will no longer be available. Your support staff will have the same SLAs to meet and less support of their own. It will take an increased amount of resources (people, work hours, overtime, etc.) to research and correct these issues, since staff will not be able to rely on the support channels they had prior to the Windows 2003 server being sunsetted. This is all a moot point if you’re running an application that can be upgraded to a newer version, migrated to a newer OS, or decommissioned without major impact to your business. If you do choose to keep these applications on the Windows 2003 server platform (or can’t migrate or upgrade), you can expect increased operational expenses, as well as the additional investments you’ll make to keep them secure (it all comes back to security at some point). Some third-party software may no longer be supported by the vendor because it’s running on an outdated platform, and your internal staff will need to spend more time addressing these issues than they have in the past. In-house coding changes to applications running in the win2k3 environment may break the OS, and Microsoft will not assist in rectifying the issue, potentially increasing operational costs at both the infrastructure and application support levels.
Security audit reaction
We’ve already experienced several IT audits where the Windows 2003 server has been a topic of discussion. In all instances, the auditor’s initial reaction/question was “When are you planning on being off of Windows 2003?” These have resulted in audit findings against the entity, but they’ve not set a requirement date for remediation. The bottom line is that outdated/retired/sunsetted (choose your term) software is an issue of noncompliance and, with the Microsoft 2003 server being deployed so heavily, it’s going to be low-hanging fruit for auditors to pick. This is similar to the Windows XP end-of-life timeline that we all experienced last year, where Microsoft ended support for the 13-year-old desktop OS and effectively pushed everyone to Windows 7 and Windows 8. In some instances, companies couldn’t make the desktop upgrade, or chose to ignore it, and were penalized by servicers by having their referral volume reduced.
There are ways to mitigate the risk to those Windows 2003 servers that ease the severity of the audit findings. The easiest is to remove as many Windows 2003 servers as you can from the network, or at the very least not make them Internet facing. Security vulnerabilities are exploited over network connectivity, so if you limit that connectivity, you decrease the likelihood of a vulnerable service being reachable, which lowers the overall risk. Upgrading to a more modern server platform that is supported by the vendor is another option, but this takes time, careful planning and testing; otherwise, you may increase your operational risk by creating an unstable environment.
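Removing or isolating the remaining Windows 2003 servers starts with knowing where they are. The following PowerShell script is an added example, not code from the original article: it pulls every computer object in Active Directory whose OS is Windows Server 2003, flags the ones sitting in Internet-facing subnets and the ones that look stale, and writes a CSV you can hand to the audit team. It assumes the RSAT ActiveDirectory module is installed and read access to AD; the subnet prefixes are constructed placeholders to be replaced with your own.

```powershell
# Added example (not from the original article): inventory Windows Server 2003 hosts
# still joined to Active Directory so they can be decommissioned or isolated.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Subnet prefixes your network treats as Internet facing (constructed placeholders).
$InternetFacingPrefixes = @('203.0.113.', '198.51.100.')
$StaleAfterDays = 90

# Only the 2003 family; wildcard covers "Windows Server 2003" and "... R2" variants.
$servers = Get-ADComputer -Filter { OperatingSystem -like 'Windows Server 2003*' } `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate, IPv4Address

$report = foreach ($s in $servers) {
    $ip = $s.IPv4Address
    $exposed = $false
    foreach ($prefix in $InternetFacingPrefixes) {
        if ($ip -and $ip.StartsWith($prefix)) { $exposed = $true }
    }
    # A host that never logged on, or not within the window, is likely forgotten;
    # forgotten hosts are the ones nobody is monitoring.
    $stale = (-not $s.LastLogonDate) -or
             ($s.LastLogonDate -lt (Get-Date).AddDays(-$StaleAfterDays))
    [PSCustomObject]@{
        Name           = $s.Name
        OS             = "$($s.OperatingSystem) $($s.OperatingSystemServicePack)".Trim()
        IPv4           = $ip
        LastLogonDate  = $s.LastLogonDate
        Stale          = $stale
        InternetFacing = $exposed
    }
}

# Internet-facing hosts first: those are the ones to isolate or retire first.
$report |
    Sort-Object -Property @{ Expression = 'InternetFacing'; Descending = $true }, LastLogonDate |
    Export-Csv -Path .\win2003-inventory.csv -NoTypeInformation

'{0} Windows Server 2003 hosts found; {1} Internet facing; {2} stale (>{3} days)' -f `
    @($report).Count,
    @($report | Where-Object InternetFacing).Count,
    @($report | Where-Object Stale).Count,
    $StaleAfterDays
```

Hosts that are Internet facing and not stale are the highest-priority candidates for moving behind a firewall segment that only allows the specific ports their applications need.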