In January 2015, Microsoft released a patch to fix an issue in the Network Location Awareness (NLA) service. The vulnerability affects all versions of Windows Server, but a fix was not provided for the Windows Server 2003 platform. After July 14, 2015, Windows Server 2003 no longer receives free security updates. This highlights the differences in operating system (OS) architecture between modern OSes and an OS now over 11 years old. In that light, Vikram K, Director, Servers, HP India, shares insights on the risks involved in continuing to use Windows Server 2003.
After July 14, 2015, Windows Server 2003 will no longer receive free security updates. What is the outcome of this ‘end of support’?
Microsoft has two different lifecycles for its products, namely mainstream and extended. The difference between the two is the availability of non-security updates. Mainstream support for Windows Server 2003 ended back in 2010, which means there have been no service packs or new functionality changes in over four years. On July 14, 2015, extended support for Windows Server 2003 ended. After this date, there are no additional security fixes or updates of any kind freely available. While deployments of the operating system have not stopped working after July 15, enterprises that continue to use this server past this date are vulnerable to different security risks.
Why is it critical to stop using Windows Server 2003?
Due to the lack of security updates, enterprises running Windows Server 2003 will become an even more attractive target to adversaries. Some of the risks are:
Compliance concerns – In almost every industry, there are regulations that expect the systems in that domain to adhere to security and maintenance requirements. If a system does not meet them, it will not be part of that domain. Hence Windows Server 2003, which is out of support, does not comply with the regulatory policies.
Security – Lack of security updates is the primary concern for those running out-of-support servers, but there are additional security concerns related to running Windows Server 2003. One area that is often overlooked is the availability of defense-in-depth (DiD) features in modern OSes. The goal of these features is to prevent known attack techniques from working on a target system, even if the attacker attempts to exploit an unpatched bug. The first of these DiD measures implemented was Address Space Layout Randomization (ASLR). Windows Server 2003 does implement ASLR, but the development of memory randomization has continued over the years to include methods that cannot be implemented on Server 2003.
Another example of DiD is known as SafeSEH, which means an image has safe exception handlers. Windows Server 2003 does have SafeSEH.
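Whether a given server binary actually opts into the mitigations mentioned above (ASLR via DYNAMIC_BASE, high-entropy 64-bit ASLR, DEP, Control Flow Guard) is recorded in the DllCharacteristics field of its PE optional header, and SafeSEH's handler table lives in the load config directory. The following is an added example written for this page, not code from the interview or from HP or Microsoft: a small PE header reader that reports those opt-ins, with a constructed header-only image (not a loadable binary) standing in for an old 32-bit build with no mitigations and a modern 64-bit build with all of them. The flag values are the documented IMAGE_DLLCHARACTERISTICS_* constants from the PE/COFF specification; the `build_minimal_pe` helper and the report layout are this example's own.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification (optional header).
DLLCHARACTERISTICS_FLAGS = {
    0x0020: "HIGH_ENTROPY_VA",  # 64-bit image can use high-entropy ASLR
    0x0040: "DYNAMIC_BASE",     # image may be relocated at load time (ASLR opt-in)
    0x0100: "NX_COMPAT",        # image is DEP compatible
    0x0400: "NO_SEH",           # image uses no structured exception handlers
    0x4000: "GUARD_CF",         # image supports Control Flow Guard
}

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
LOAD_CONFIG_DIRECTORY_INDEX = 10  # data directory holding the SafeSEH handler table (32-bit)


def parse_mitigations(image: bytes) -> dict:
    """Read a PE image's optional header and report the opt-in mitigations it declares."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == PE32_MAGIC:
        bits, dirs_count_off = 32, 92
    elif magic == PE32PLUS_MAGIC:
        bits, dirs_count_off = 64, 108
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    dllchar = struct.unpack_from("<H", image, opt + 70)[0]
    flags = {name: bool(dllchar & bit) for bit, name in DLLCHARACTERISTICS_FLAGS.items()}
    # Data directories follow NumberOfRvaAndSizes; index 10 is the load config directory.
    load_config_present = False
    if opt_size >= dirs_count_off + 4:
        ndirs = struct.unpack_from("<I", image, opt + dirs_count_off)[0]
        if ndirs > LOAD_CONFIG_DIRECTORY_INDEX:
            entry = opt + dirs_count_off + 4 + 8 * LOAD_CONFIG_DIRECTORY_INDEX
            rva, size = struct.unpack_from("<II", image, entry)
            load_config_present = rva != 0 and size != 0
    return {
        "bits": bits,
        "aslr": flags["DYNAMIC_BASE"],
        "high_entropy_aslr": bits == 64 and flags["DYNAMIC_BASE"] and flags["HIGH_ENTROPY_VA"],
        "dep": flags["NX_COMPAT"],
        "cfg": flags["GUARD_CF"],
        "no_seh": flags["NO_SEH"],
        "load_config_present": load_config_present,
    }


def missing_mitigations(report: dict) -> list:
    """List the opt-in mitigations a parsed image does not declare."""
    missing = []
    if not report["aslr"]:
        missing.append("ASLR (DYNAMIC_BASE)")
    if report["bits"] == 64 and not report["high_entropy_aslr"]:
        missing.append("high-entropy ASLR (HIGH_ENTROPY_VA)")
    if not report["dep"]:
        missing.append("DEP (NX_COMPAT)")
    if not report["cfg"]:
        missing.append("CFG (GUARD_CF)")
    return missing


def build_minimal_pe(magic: int, dllchar: int) -> bytes:
    """Construct a header-only PE image (no sections, no data directories) for demonstration."""
    opt_size = 96 if magic == PE32_MAGIC else 112
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    machine = 0x014C if magic == PE32_MAGIC else 0x8664  # i386 or x64
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dllchar)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # inspect a real file: python pe_mitigations.py <path-to-exe-or-dll>
        with open(sys.argv[1], "rb") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:  # constructed samples: a 2003-era 32-bit build and a modern 64-bit build
        samples = {
            "legacy32.dll (constructed)": build_minimal_pe(PE32_MAGIC, 0),
            "modern64.dll (constructed)": build_minimal_pe(PE32PLUS_MAGIC, 0x0020 | 0x0040 | 0x0100 | 0x4000),
        }
    for name, data in samples.items():
        report = parse_mitigations(data)
        print(name, report, "missing:", missing_mitigations(report) or "none")
```

Run it with no arguments to see the two constructed samples, or pass a path to a real executable to audit it. The load config check only tells you the directory exists; a full SafeSEH verdict on a 32-bit image additionally requires mapping that directory's RVA through the section table and reading its SEHandlerTable and SEHandlerCount fields, which this example leaves out.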
Hidden costs in maintaining older systems – Some reports indicate the cost of maintaining older systems is 1.6 times the cost of replacement, especially for small and medium-sized enterprises. The amount of investment required to keep old servers running is more expensive; it’s better to get new hardware, which comes along with the new software.
What are some of the security concerns for enterprises that continue to use Windows Server 2003?
When you look back at the time when Windows XP stopped receiving free security updates, it was exposed to active attacks targeting Internet Explorer versions on XP. While Microsoft made the decision to offer patches for XP at that time, it is unlikely they will make this decision again. In addition to the current attacks, many of the issues affecting the more modern platforms (e.g. Windows Server 2012 R2) also affect Windows Server 2003.
Even though the OSes are different, there is still shared code between the platforms. In January 2015, five of the seven security bulletins released by Microsoft impacted both Windows Server 2012 R2 and Windows Server 2003. After support ends, attackers may use the security bulletins to determine new vulnerabilities on Windows Server 2003. Due to the lack of security updates, the enterprises still running Windows Server 2003 are susceptible to attacks.
What would be the best solution for people who continue to use Windows Server 2003?
Some of the solutions for people who wish to continue with Windows Server 2003 are:
Get a Custom Support Agreement – For those who cannot migrate away from Windows Server 2003, there is an option that will provide security updates after support ends, for a price. Microsoft offers Custom Support Agreements (CSA), which provide support for products that have reached their support end date.
Migrate to a newer version of Windows Server – Moving to the latest version of Windows Server gets you to a supported state with access to the latest features in both functionality and security. However, keep in mind this may also have its challenges as server migrations take an average time of about 200 days.
Migrate to Linux – Migrating servers from Windows to Linux is another viable option. Linux can work equally well in an enterprise scenario. While this may not be the optimal solution for all enterprises, from a cost savings aspect, it might be attractive to other enterprises.