Advanced Computing in the Age of AI | Sunday, September 24, 2023

Multiple Choices for Win Server 2003 Holdouts 

Now that Microsoft no longer supports Windows Server 2003, organizations still relying on the once-popular product are dealing with several alternatives: external support, no support, upgrade, or transition to another platform.

Any enterprises still considering alternate options for their datacenters should move fast, technology experts caution. These systems are in jeopardy and the risk increases daily. Even the Department of Homeland Security's Computer Emergency Readiness Team (CERT) got into the act earlier this year, posting an alert on its website, along with upgrade guides and resources.

"In past years, Windows 2003 had critical updates every two weeks. Given that momentum for 2012, there is a lot of opportunity for someone to reverse engineer backdoors into an environment," Ali Din, senior vice president and chief marketing officer at dinCloud told Enterprise Technology. "I can’t stress enough that a weak link compromises the entire network of the organization. At a minimum, 2003/SBS servers should be run in a more secure or highly monitored environment."

Source: Computer Emergency Readiness Team

In the first half of the year, 21 percent of servers still used Windows Server 2003 compared with 32 percent 12 months prior, according to TechCheck analysis of more than 90,000 servers at 200 organizations by Softchoice. Meanwhile, 61 percent of companies had at least one server running this older operating system, found Spiceworks' "The Great IT Upgrade" report. Only 7 percent of enterprises were completely free of Windows Server 2012, Spiceworks determined.

Most of these servers are not crucial to corporate operations, said Keith Groom, director of the Microsoft Solution Group for North America at Softchoice, in an interview.

"In our estimation, approximately 25 percent of businesses have some Windows Server 2003 still running. However, the feedback we have from clients is that the vast majority of these instances are non-mission critical applications and workloads," he said. "These organizations will be faced with the choice of accepting the risk, turning off these servers, or upgrading them."

While Microsoft's decision to no longer support this once-popular operating system forces companies' hands, many IT departments – and vendors – view the move as a $100 billion opportunity for migration-related investments in hardware, software, cloud, and services, Spiceworks said.

That's because organizations face three vectors: security, due to the lack of new patches from Microsoft; regulatory concerns, since Windows Server 2003 will not pass compliance for PCI, HIPAA, and other regulations; and concerns that other applications will be impacted, thereby creating performance and availability issues, Groom said.

Source: AppZero "State of Readiness for Windows Server 2003 End of Support" survey

For 55 percent of those surveyed, security compliance and vulnerability management topped their concerns, an AppZero study found. In addition, 31 percent worried about increased downtime and 9 percent cited regulatory compliance concerns, the report said.

Good Days for Cloud?

Microsoft is encouraging customers to upgrade to Windows Server 2012 R2 or Azure, and a sizable number of Windows Server 2003 users view the end of support as an opportunity to add to or expand their cloud investment.

Alternatives to upgrading on-premise hardware and software include virtualization or creating a hybrid environment that connects to cloud, said Groom. Enterprises might choose to move their workload to a public cloud, he said.

"The fourth option we've seen is they shut down the application, and move to a SaaS version or similar version of cloud-based software. We believe clients should look holistically at their options, and consider the cloud-first approach," added Groom. "They can likely lower their long-term on-premise infrastructure costs by moving the application and workload to a public cloud like Azure or Amazon. If needed, they can setup a hybrid connection to their on-premise workloads."

Enterprises can use an automated migration tool to up-level their applications; do a new installation of Windows and retain all their settings and apps; reinstall the application, reconfigure, and migrate data, which requires all the original install media and code, plus a full understanding of current configurations; rewrite applications, which is time-consuming, costly, and demands full understanding of how these apps work in order to create quality requirements; or do nothing at all and risk security vulnerabilities or system failures, AppZero wrote in its "State of Readiness for Windows Server 2003 End of Support" survey results.

Although Microsoft's upcoming iteration of Windows Server 2016 is receiving accolades, the risks are too high for organizations to wait for its arrival before dumping Windows Server 2003, said Din.

"Given that 2012 offers many benefits, once an organization plans to make the migration upgrade, 2012 is a very logical choice. While 2016 is getting a lot of press and might seem attractive to wait for the upgrade until it comes out in general release, the fact is that the risk of staying on 2003 should preclude anyone from waiting to jump to 2016," he noted. "Once any part of the network is compromised, malware can spread or data can be taken from virtually the entire network. The weak link can expose the entire organization to downtime, theft, or other loss."

No matter their decision, it's important for enterprises to start the migration process now, executives agreed. And that process can even include Windows Server 2003, said dinCloud's Din.

"If still contemplating an upgrade the reality is that it takes an average of 200 days to execute a migration. Everything – from the design and evaluation of hardware requirements, to ordering new equipment, to installing, testing applications, and rolling out the new platform," said Din. "A biased recommendation is to look to the cloud. Even if it is a temporary measure, most cloud providers can offer at a minimum, Windows Server 2003 in a more secure environment and enable a faster migration. Then, once the environment is more secure, you can always move it back on-premise, do a hybrid approach, or decide you like the cloud and stay there."

Organizations first must inventory their existing servers, applications, and workloads to determine what's running Microsoft's older OS, then conduct a risk assessment of these workloads, said Softchoice's Groom.

Solution providers, cloud service providers, and vendors offer an array of tools and programs to help enterprises transition, he said. Many vendors created specific end-of-life systems pre-loaded with Windows Server 2012 R2. Lenovo, for example, developed programs to promote its pre-configured System x and ThinkServer platforms running the latest Windows Server 2012 R2 operating platform.

Other third-party vendors target those reluctant or unable to migrate yet. Security developer Triumfant's AtomicEye agent, which is backward compatible, supports all versions of Windows, including every iteration of Windows Server such as Windows Server 2003, the company said. "We’ve assured all of our customers that a new support program in place will protect them as AtomicEye runs smoothly and supports all versions of Windows dating back to Windows 2000," said John Prisco, CEO of Triumfant, in a statement.

For its part, security developer Tripwire last week unveiled SecureCheq for Windows Server 2003, a free tool that tests for the 20 most common system configuration errors and recommends remediation steps.

“Many IT teams are very comfortable using Windows Server 2003 for a print or file server because it’s a very stable product, and they know how to patch and maintain it,” said Lane Thames, security researcher for Tripwire, in a statement. “However, we should expect a new wave of exploits targeting these systems by mid-August. Any organization that hasn’t completed the transition should put in place a hardening plan immediately.”

About the author: Alison Diana

Managing editor of Enterprise Technology. I've been covering tech and business for many years, for publications such as InformationWeek, Baseline Magazine, and Florida Today. A native Brit and longtime Yankees fan, I live with my husband, daughter, and two cats on the Space Coast in Florida.