When Microsoft discontinues support for Windows Server 2003 (WS2K3) on July 14th, it will cease to provide any new updates or vital security patches for the systems still in use. This will leave those organisations still running the outdated operating system (OS) dangerously exposed to the modern-day pirates of the cyber-seas. Alarmingly, there are 10 million WS2K3 systems in production, and research indicates that the majority (62%) of those still running it have been slow to consider their options ahead of the switch-off. Unfortunately, the average time needed for a full server OS upgrade is around 200 days, so time is rapidly running out for those that are looking to migrate to a supported alternative.
Drifting into uncharted waters
There are, of course, good reasons why many have been slow to react to the impending switch-off. One major blocker is that many businesses either have hardware or business-critical applications that are incompatible with the available upgrades, leaving them with a tough decision that cannot be made quickly. Other IT departments are fully willing to make the changes, but lack either the budget or resources to embark on a full-scale upgrade. For those who plan to wait to upgrade, there is an urgent need to put some form of compensating controls in place in the short term to ensure servers are protected, as they are likely to become lucrative targets come July.
Without the ongoing security patches from Microsoft to fix any newly discovered vulnerabilities in WS2K3, organisations still using it will be directly exposed to the latest zero-day attacks and malware being leveraged by cybercriminals. Unfortunately, security weaknesses aren’t the only concern when WS2K3 support ends. Businesses that fail to make changes could face regulatory action over non-compliance issues. Bodies such as HIPAA and PCI mandate that companies in regulated industries must run on a supported platform, so failure to update systems or processes in time could lead to the loss of key privileges, such as the ability to process sensitive information or transactions, and to huge potential brand damage. There is also the risk that running costs and systems downtime could increase, as ageing systems become more difficult to maintain. Furthermore, newer applications could become incompatible with the existing infrastructure.
Charting a Course
The good news is that it’s not world’s end for those that aren’t able to upgrade their server OS ahead of the deadline; there are a number of compensating controls available to help plug any potential leaks in the shorter term. Crucially, decision-makers must stay calm, evaluate all their options and draw up a thorough plan of action before deciding which way to turn. The key things for IT departments to consider include:
– Understanding your risk is essential and every business will need to decide which approach is best for them. The main thing is to make sure that all the relevant aspects have been considered. For example, there is no point in planning anything until questions like "how many devices are still running WS2K3?" and "what is the sensitive information that needs to be guarded at all costs?" can be answered, as this will inform the solution needed.
– Custom Support will be available from Microsoft, allowing businesses to avoid upgrading, at least in the short term. The downside is that with an average cost of $200,000, it isn’t cheap. Custom support also has a number of limitations. Only ‘critical’ priority patches will be delivered as part of the package, with ‘important’ patches incurring additional cost. ‘Moderate’ and ‘low’ priority patches will not be delivered at all, and many legacy applications will no longer be supported.
– Network Isolation can be used to keep Windows 2003 servers and the devices connected to them running in a contained network that cannot be accessed from outside. Whilst this theoretically means they can’t be contaminated, it can only work where applications don’t need access to the internet or services running on other networks within the business. This means that network isolation is only viable in exceptional cases.
– Whitelisting inverts the traditional anti-virus security model. Rather than blocking files that are known to be malicious, whitelisting only allows files that are known and trusted to execute, making it far more difficult for new code, such as malware, to infiltrate the business. Previously, whitelisting has been done on a file-by-file basis, which can be time-consuming. However, recent advances in policy-driven whitelisting offer a far better approach, enabling organisations to allow or deny software execution on the basis of configured trust ratings, which is a faster and less admin-heavy method.
– Continuous server monitoring is vital if you plan to carry on relying on Windows Server 2003 after the support cut-off date. There is no silver bullet to security: cyber threats are constantly evolving, so companies should assume they have been breached. This is why total real-time visibility over all endpoints, including servers, and the ability to prevent and alert on any suspicious activity, is critical to detecting and responding to threats faster. Having always-on, continuous monitoring and recording of the endpoint environment will not only allow organisations to detect breaches faster, but the replay will allow them to track attackers’ ‘kill chain’ to better understand the level of risk exposure and defend against future threats.
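The whitelisting item above contrasts file-by-file approval with policy-driven trust ratings. The following Python example is added here for illustration and is not from the original article or any vendor's product; it evaluates the same execution requests under both models. The 0-10 rating scale, the threshold, the publisher and installer names and the file contents are all hypothetical, and signature verification is assumed to have happened before the publisher name is passed in.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass(frozen=True)
class ExecRequest:
    path: str
    content: bytes
    publisher: Optional[str]     # signer, assumed already verified upstream
    installed_by: Optional[str]  # process that wrote the file to disk

# Hypothetical policy data, constructed for this example.
APPROVED_HASHES = {sha256(b"payroll-agent v1.0")}
BANNED_HASHES = {sha256(b"known-bad dropper")}
PUBLISHER_TRUST = {"Contoso Payroll Ltd": 9, "Unknown Freeware Co": 2}  # 0-10
TRUSTED_INSTALLERS = {"patch-deploy.exe"}
MIN_TRUST = 7

def allow_by_hash(req: ExecRequest) -> bool:
    """File-by-file model: only binaries approved one by one may run."""
    return sha256(req.content) in APPROVED_HASHES

def allow_by_policy(req: ExecRequest) -> tuple:
    """Policy-driven model: explicit bans first, then trust, else default deny."""
    digest = sha256(req.content)
    if digest in BANNED_HASHES:
        return False, "banned hash"
    if digest in APPROVED_HASHES:
        return True, "approved hash"
    rating = PUBLISHER_TRUST.get(req.publisher, 0)
    if rating >= MIN_TRUST:
        return True, f"publisher trust {rating}"
    if req.installed_by in TRUSTED_INSTALLERS:
        return True, "trusted installer"
    return False, "default deny"

# Constructed requests: an approved binary, its vendor update, an unsigned
# file written by a web server process, and a banned file with a trusted signer.
SAMPLES = [
    ExecRequest(r"C:\Apps\payroll.exe", b"payroll-agent v1.0", "Contoso Payroll Ltd", "patch-deploy.exe"),
    ExecRequest(r"C:\Apps\payroll.exe", b"payroll-agent v1.1", "Contoso Payroll Ltd", "patch-deploy.exe"),
    ExecRequest(r"C:\Inetpub\temp\svc.exe", b"unknown binary", None, "w3wp.exe"),
    ExecRequest(r"C:\Temp\update.exe", b"known-bad dropper", "Contoso Payroll Ltd", None),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.path, allow_by_hash(r), allow_by_policy(r))
```

The second request is the case that makes file-by-file approval admin-heavy: a legitimate vendor update has a new hash and is blocked until someone approves it, whereas the policy admits it on publisher trust while both models still deny the unsigned file.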
If properly planned, WS2K3’s end of life is not an insurmountable problem. Those organisations that handle the process best will be the ones that step back, develop a holistic plan and execute an effective strategy that leaves them better placed to address the new threats set to emerge in 2015 and beyond. Those who don’t could be the next ones walking the plank after a large-scale data breach goes public!