Securing Windows Server 2003 after End of Support
Ed Jones works for Firebrand Training, a Microsoft Gold Learning Partner. He has worked in the IT training and certification industry for the past 3 years. He is a tech enthusiast with experience working with SharePoint, Windows Server and Windows desktop.
Extended support for Windows Server 2003 ended on July 14, 2015.
How does this affect you? Microsoft will no longer issue security updates for any version of Windows Server 2003. This extends to System Center Endpoint Protection and Forefront Endpoint Protection on Windows Server 2003. From now, any new vulnerability identified in WS2003 will remain unpatched. The responsibility to secure the legacy OS is now yours to manage.
So, if you own one of the estimated 2.7 million unprotected Windows Server 2003 systems still in circulation not choosing to migrate, we’re going to give you a little guidance on how to secure your system.
Understand the risks of staying on Windows Server 2003
First and foremost, you need to understand the risks of sticking with Windows Server 2003. If you’re staying past end of support, here’s what you’ve signed up for:
Data breaches: Unsupported systems are extremely vulnerable to a data breach. And, with IBM reporting the average consolidated cost of a data breach now $3.8 million, the financial implications are severe. Due to the lack of compartmentalisation in Windows Server 2003, once the intruder gains access, they will have free reign to move around the system. Through a single unpatched vulnerability, attackers can access databases, applications and middleware all running on the WS2003 infrastructure.
Hardware failure: Chances are, if you’re running Windows Server 2003, the hardware could be more than a decade old. Support will long have ended for your hardware and it is now well past its operational lifespan. Failure rates will be high and could lead to a loss of data, with replacement parts a hidden relic.
Increasing operational costs: Running a 12 year old unsupported operating is expensive, with the lack of power management, virtualization and utilisation; the systems are inefficient. You need to also consider the costs of customised support, to protect and harden a single instance of Windows Server 2003 could cost upwards of £385 per year.
Software compatibility issues: The legacy OS only runs 32-bit. With most device drivers and apps now running 64-bit, don’t expect to be running the latest software on your system.
Compliance issues: Unsupported systems usually fail industry compliance stands such as HIPAA and SOX. Windows Server 2003 is already no longer PCI compliant. One consequence, Mastercard and Visa will no longer process payments for website running on the unsupported system.
Securing Windows Server 2003 post End of Support
The above list makes for some difficult reading. My advice - start migrating your systems and infrastructure to Windows Server 2012 R2 or Microsoft Azure today. Microsoft offers a comprehensive Migration Assistant and Planning tool. Combined with Firebrand’s accelerated MCSA: Windows Server 2012 course, you could be on a cutting edge and secure OS within weeks.
If however you remain undeterred, let’s get down to securing Windows Server 2003.
Multi-layer security: First things first, adding a network firewall and network application firewall will add multiple layers of security around the system. The server will still have to perform security functions but there added lines of defence will be critical in protecting your assets.
Go offline: Network isolation is credible option for extending the lifespan of WS2003. Isolating all Sever 2003 instances from central services will significantly reduce the risk of a breach. If possible, cut off any connection to the internet unless absolutely necessary. This has been a popular choice for those still running Windows XP.
Access restriction and monitoring: As much as possible, limit access to the physical server whilst locking down non-critical services. Ensure logging is active and check regularly for unauthorised access or suspicious activity.
Regular back-ups: This is not just a security consideration. Expect high failure rates, so regular backups will prevent extensive data loss. As often as possible, backup system data to an external system. I’d also consider a secondary backup in the cloud. Microsoft's Azure Backup Services and Amazon S3 backup are both recommended locations.
Application whitelisting: The opposite of application blacklisting, this process dictates the applications that may run, rather than those that may not.Ensuring only permitted applications are active is an effective method for locking out zero-day exploits and other malware.
If you put into practice all of the above, you can feel more confident your organisation remains secure running Windows Server 2003. However, with ongoing security and operational costs expected to rise year on year, it may come down to a question of budget.
The business case for migration is strong - better security, compliant, software compatible, low fail rate, energy efficient and low maintenance costs. With all things considered, why wouldn’t you migrate?