This year, Microsoft retired two of its most prevalent products: Windows Server 2003 and Windows XP. Support for Windows XP expired earlier this year on April 8th, while support for Windows Server 2003 will be ending on July 14, 2015. If your first thought is, “Wait a second, I have Windows Server 2003!” Then your second thought is probably, “what does this mean for my organization?” There are a number of things that need to be considered when answering this question. The first is: what happens to Windows after it becomes EOS?
If you look at the product lifecycle at Microsoft, you will see a few important milestones. First, the Service Pack support end date. This is when Microsoft stops adding new features and enhancements to a product. Next, the Mainstream support End Date. At this time, Microsoft stops fixing bugs in the operating system and only releases security updates to fix vulnerabilities in the operating system. And finally, the Extended Support End Date. This is what we face today for Windows XP and Serer 2003. This means that Microsoft will no longer release any fixes for the operating system. No bug fixes, no security updates, and no code updates what-so-ever.
In a statement released by Microsoft concerning Windows XP, they admitted that XP would “become five times more vulnerable to security risks and viruses, which means you could get hacked and have your personal information stolen.” Microsoft is telling you that they know that this will happen when they stop providing security updates. One common thought when a product is no longer supported is that your anti-virus can pick up the slack. While this can certainly extend the life of your Windows Server 2003 box, AV Vendors will only continue to support software on these platforms until they simply cannot anymore. Remember, Microsoft will not update the code anymore. This means no bug fixes for anyone, not even software development companies and AV vendors. In a statement released by Intel, they remarked, “Intel Security will continue to support currently supported versions of Enterprise products on Windows Server 2003 SP2 beyond July 14, 2015 for a limited time, as long as it is technically and commercially reasonable for us to do so.” If a fix to Windows is required to keep the AV product viable, and Microsoft won’t provide the fix, then say goodbye to the protection you thought you had.
What else do you need to consider? Well for starters, any compliance program that has computer security as part of its requirements will fail all environments that run outdated software. This includes PCI, SSAE, SOC, HIPPA, PIPEDA, Controlled Goods and just about any compliance program that has a technology component. Vendor support for Windows XP and Server 2003 will also stop. This will create an ever growing hole in your security defenses. Kaspersky also took a look at the age of these Operating Systems as part of the risk involved. In an article recently published by Kaspersky, they compared infection rates of XP versus newer OS systems. They maintain that the newer OS code was built with the very real threat of hackers and malicious attacks in mind, whereas the XP code could not possibly have taken modern attacks into consideration.
Ultimately, what is the answer? The quick answer is to migrate to something newer and do it now. The longer answer is make sure you have a plan in place to ensure you are as secure as you can possibly be. Plan to move off of Windows Server 2003. Make sure that these systems will be as protected as possible until you can do this, and isolate any systems as much as possible if you cannot migrate them.
Staying on Windows Server 2003 is not a good idea. It could open you up to liability, and not migrating off of it demonstrates a lack of due diligence. Any system that remains on older platforms should have had a risk assessment done, and should include a business case exception to be allowed to continue to run. These exceptions should be re-assessed every year after to ensure the business still requires them.
Time is running out, so start planning now.