For businesses and organizations across the globe July 14, 2015 may be a date that goes down in infamy… at least for their internal IT teams. That date represents the end of support —or the end of life — for Microsoft’s Windows Server 2003. The Department of Homeland Security has identified the end of support for Microsoft Server 2003 as a critical threat. TechRadar calls it “the biggest security threat of 2015.”
Microsoft published warnings about this development since April 2013. Fast forward to July 2015 and there millions of organizations that continue to rely on the platform for vital business functions. HP estimates there are 11 million installations of Windows Server 2003 in the market globally. If you are working in one of those organizations still utilizing the end of life servers, you need to understand the types of vulnerabilities you will encounter.
Critical Risk #1 - IT Security
Home Depot and Target were recent victims of hackers. Both had their customer data breached, exposing 60 million and 40 million of their customers respectively. These are two national organizations that have the resources to recover. Small and medium businesses do not have those luxuries.
Continuing to run Windows Server 2003 leaves your organization unnecessarily vulnerable to outside threats. Vital information about your organization and your customers will be exposed. Consider the vital functions Windows Server 2003 users rely upon — DNS Server, Email Server, File Server, Customer Directory Server and internal uses such as File sharing— all of which are now at risk after July 14, 2015. Cybersecurity threats to your organization’s computer systems, databases and internal applications are increased exponentially while running Windows Server 2003.
Critical Risk #2 - Added Strain To In-House IT Teams
Those functions listed above are exposed because Microsoft will no longer provide support updates or bug fixes for the server. This will overwhelm internal IT teams because they will not have access to that valuable resource. No more performance updates. No more customer support for troubleshooting a problem with the server. No longer will Microsoft monitor and update your IT team of any potential malware.
To put this in perspective, Microsoft was required to issue 37 critical updates to the server in 2013 alone. With nearly an update a week needed for the server to function properly in the past, imagine a world without those updates and how vulnerable that makes your information. Any additional critical issues will remain unfixed by Microsoft after the end of life date.
Critical Risk #3 - Compatibility Problems
In today’s business environment, keeping up with new hardware and new software entering the organization is a tough task in and of itself. Windows Server 2003 users will be forced to handle that task from a server incapable of integrating new hardware and new software. Almost every organization has employees that bring their own devices. Odds are that most of those devices are of newer iteration. Judging by the popularity of personal devices, that trend that will not change in the immediate future. Windows Server 2003 may not have the capability to communicate with the latest devices.
The same goes for organizations attempting to implement new software to create more efficient internal workflows and payment processes that impact their bottom lines. Windows Server 2003 is a 32-bit operating system. Most everything is 64-bit now from device drivers to stand alone applications. Utilizing such technology is irrelevant — and often times redundant — if you’re unable to integrate that technology with their internal servers.
Critical Risk #4 - Failing Compliance Audits
As soon as Windows Server 2003 became end of life, millions of organizations immediately failed to meet industry wide compliance standards. A few examples of those regulations are HIPAA (Health Insurance Portability and Accountability Act), PCI (Payment Card Industry Data Security Standard), SOX (Sarbanes-Oxley Act) and Dodd-Frank (Dodd-Frank Wall Street Reform and Consumer Protection Act).
Potential consequences of being non-compliant could be crippling for your organization. Visa and MasterCard will no longer do business with an organization lacking PCI compliance. Failing to comply with HIPAA data policies could result in your organization being fined for amounts far greater than the cost of migrating to a modernized technology infrastructure. Your organization could face the repercussions such as damages to your reputation because you are not compliant with industry standards. You are also at risk of increasing the cost of doing businesses when faced with higher transaction fees and penalties.
Critical Risk #5 - Increased Operational Costs
Now that your Windows Server 2003 is vulnerable, your IT team will have to implement intrusion detection systems and high-end firewalls. There are estimations that place the cost of custom support for a server — post end of life — at $200,000 on average. In addition to the cost of new security measures, older servers are inefficient and unable to adapt to a virtualized environment.
Looking at the Past When Windows XP reached End of Life in 2014
Even though technology moves at an incredible pace, it’s important to take a look at the past to better understand the implications of the future. Back in August 2013 in preparation of the impending end of life for Windows XP, Tim Rains - Chief Security Advisor for Microsoft explained in detail the vulnerability of a Microsoft product going end of life:
“The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities,” Rains explained. “If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP. Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a ‘zero day’ vulnerability forever… The challenge here is that you’ll never know, with any confidence, if the trusted computing base of the system can actually be trusted because attackers will be armed with public knowledge of zero-day exploits in Windows XP that could enable them to compromise the system and possibly run the code of their choice,” Rains continued. “Furthermore, can the system’s APIs that anti-virus software uses be trusted under these circumstances? For some customers, this level of confidence in the integrity of their systems might be okay, but for most it won’t be acceptable”