An operating system on end of life is ripe for attack


[Blog post] Windows Server 2003 users could be in a world of hurt.

Microsoft is turning off the life support machine for the ailing grandparent of the Windows server family on July 15.

Will anyone really care if Windows Server 2003 is no longer supported? Surely no system administrator in his or her right mind would be running a 12-year-old operating system, right? Wrong!

I was shocked when a report suggested there are approximately 25 million Windows 2003 servers still running. That’s a lot of systems that won’t be patched after the middle of July.

This is concerning given the severity of some of the insidious vulnerabilities that have hit us over the past year.

Naysayers may postulate that an operating system this old is unlikely to have malware specifically crafted for it, and that the business can rest easy because modern high-value targets will attract all the hackers’ focus.

My counterargument is that if I were in the exploit writing game, I would be smashing Server 2003 with everything I have to engineer as many new ways to break it as possible.

And would I launch an attack today? No way, I’d wait until 16th July before pressing the big red attack button. 25 million targets and no knight in shining armour coming to the rescue.

Aside from specially crafted malware, what else might happen? You need to consider what happens when incidental weaknesses or zero-day exploits are discovered in components of the operating system that are common in both current and legacy systems.

Just this past week, security teams have been battling the LogJam SSL vulnerability, affecting web servers, mail servers and any other SSL/TLS-dependent endpoints that permit export-grade Diffie-Hellman ciphers.

Researchers discovered LogJam a few months ago and worked closely with vendors to ensure patches were in development prior to public disclosure. From a Windows Server perspective, administrators can mitigate this issue by modifying the SSL configuration settings in IIS using group policy.
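The configuration route mentioned above, as an added example that is not from the original post: it disables the export-grade (40/56-bit) Schannel ciphers and SSL 2.0 through the registry keys Schannel reads, which are the same keys a Group Policy Preferences registry item can push to many hosts. It assumes PowerShell 2.0 is installed on the Server 2003 host and the session is elevated; which cipher suites a host still offers afterwards depends on its patch level, so re-scan the endpoint once it has rebooted.

```powershell
# Added example (not from the original post): disable export-grade Schannel ciphers
# and SSL 2.0 on a Windows Server 2003 host, then report the resulting state.
# Assumptions: PowerShell 2.0 present, elevated session, reboot (or at least an IIS
# restart) afterwards so Schannel reloads its settings.

$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Cipher subkey names contain '/', which the HKLM: provider treats as a path
# separator, so the .NET registry API is used instead of New-Item/Set-ItemProperty.
$weak = @(
    'Ciphers\RC4 40/128', 'Ciphers\RC2 40/128', 'Ciphers\RC4 56/128',
    'Ciphers\RC2 56/128', 'Ciphers\DES 56/56',  'Ciphers\NULL',
    'Protocols\SSL 2.0\Server'
)

# Create each key if missing and set Enabled = 0 (DWORD), which Schannel honours.
foreach ($name in $weak) {
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$base\$name")
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

# Verify: read every key back and flag anything that is not disabled.
foreach ($name in $weak) {
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$name")
    $state = if ($key.GetValue('Enabled') -eq 0) { 'disabled' } else { 'STILL ENABLED' }
    '{0,-28} {1}' -f $name, $state
    $key.Close()
}
```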

But what happens after July 15 when a bug requires more than a configuration change? If you are on Windows 2003 you are in a world of hurt.

How can you protect yourself? Firstly, if the only thing holding you back is that the server has always been reliable, don’t hesitate: upgrade as soon as possible.

If you are running legacy hardware not supported on a modern operating system, this requires more planning. You may be able to factor in additional benefits, such as hardware consolidation using virtualisation, which ultimately saves you money.

Nevertheless, what about those situations where Windows Server 2003 is the only operating system on which your vital application runs?

For example, you may have an app where the original developer has long since gone out of business, but you still rely on it for logistics and inventory management. You have two options:

  1. Consider alternative software packages or cloud solutions. You might find your favourite accountancy software is now available on a subscription basis in the cloud. If you migrate to a SaaS solution you don’t need to worry about platform and infrastructure support any more; your cloud provider does all that for you.
  2. Consider whether or not you can relocate the server to another part of your network and put additional controls around it. If it was on your main server network, consider segregating it onto a more protected subnet. You could install a firewall between your main network and the secure one so that only the protocols and ports the application actually needs are open.

Try to focus on your information and ways of working and consider infrastructure last.

Consider exporting your information from Windows Server 2003 to a cloud solution, thus eliminating the need for server administration.

Information security risks would largely become the responsibility of your cloud provider, allowing you to focus on doing business.

Even if you can’t import legacy data, can you archive it and then consider working in a new way that allows more collaboration with customers and partners?

Should your organisation be affected by Microsoft Windows Server 2003 end of support, use it as a trigger for evaluating alternatives that can enable smarter working and cost saving.

Do due diligence on any cloud provider you are considering; look for certifications and read reviews.

Whatever you do, make sure you have options. Leaving yourself unpatched should be a measure of last resort.

Tony Campbell
Tony Campbell has been a technology and security professional for over two decades, during which time he has worked on dozens of large-scale enterprise security projects, published technical books and worked as a technical editor for Apress Inc.

He was the co-founder of Digital Forensics Magazine prior to developing security training courses for infosec skills.

He now lives and works in Perth, where he maintains a security consulting role with Kinetic IT while continuing to develop training material and working on fiction in his limited spare time.

Read more from this blog: Unpatched
