Facing up to the end of Windows Server 2003
Don't end up as the weakest member of the herd following the end of official support for Microsoft Windows Server 2003, says Ian Trump.
Ian Trump, LogicNow
There are a range of estimates out there – Gartner reckoned eight million, HP has gone with 11 million – but the increase in virtualisation means there could be as many as 22 million Windows 2003 servers currently in use.
Support for the OS officially ends on July 14th, and Microsoft is taking a hard line on its decade-old OS. Previously, when everyone failed to upgrade from XP, Microsoft extended the product's lifespan. This time, though, Microsoft sees a business opportunity in those stuck in the past – it will charge up to $US200,000 (£133,000) for extended support for all the patches and updates that will make sure the servers remain operational and protected from hacking attempts, and then only for a limited time.
The end of support means that Windows Server 2003 will be the ‘weak member of the herd', the preferred target for hackers looking for an easy mark. Any vulnerability won't be patched out, so will remain a vulnerability. This will fundamentally change how hackers will act, starting on July 15th – with so many potentially vulnerable servers online, it makes sense for hackers to make these the top priority.
Finding these vulnerable servers is now easier than it's ever been. With distributed computing, scanning every online server in a single hour is possible. A worst-case scenario is that we end up with an active botnet made of eleven million servers.
The simple advice – upgrade your servers! – isn't as simple as it seems. Businesses that have been around for a while may be using applications that are difficult to migrate to newer, 64-bit systems. The reason for this is not so much the 32-bit application, but the 16-bit DLLs these applications use that simply won't work in a 64-bit environment.
There are other, more extreme reasons that make upgrading tough – applications built on older versions of Internet Information Service or even Microsoft Front Page Server Extensions require legacy versions of Internet Explorer. I even know of one legacy application that requires Netscape Navigator! It's no use upgrading servers if it means that critical applications can no longer be used.
So if you have a Windows Server 2003 installation that's going to be around for a while, what should you do?
Virtualise the Windows 2003 server: There's a good chance that the hardware your Server 2003 machine is running on is nearing retirement. The first step is moving your 2003 Server off this ancient hardware and into a Hypervisor or VMware Virtual Machine environment running on a robust 64-Bit OS.
VMware vCenter Converter and Microsoft System Center Virtual Machine Manager (SCVMM) are the most popular options for achieving this. The advantage of virtualising your old Windows 2003 server is that you can copy the VM or Hypervisor onto another machine, or a robust laptop. This means you now have a development 2003 server to test your production server, without the risk of pulling it down.
Secure the server: Remove and disable as many services and applications as possible. If you can move it, then do so – AD, DNS, and DHCP should all be moved to a more secure platform. Ditch the likes of Adobe Reader, Java, Flash, QuickTime and Shockwave unless absolutely necessary. By reducing the services and applications installed on the server, you reduces the attack surface. Once core network services are no longer on the 2003 Server, ask a couple of questions: What remains on the server that's critical? And does any of this need access to the Internet? If not, secure it with a firewall rule and the problem is solved.
However, if the server has a legitimate need to communicate to the Internet, there is still more to be done. A firewall rule specifically identifying the source and destination for services like Electronic Data Interchange or API connections is vital, and a Geo-IP filtering capability is also advised – if your office is in Slough there is probably no need for Russia to be probing your business API. If the application is really sensitive and “wide open” then it needs to be secured at the network layer with VPN, SSL, IPSEC or MPLS technologies.
Backup the Virtual Machine to the Cloud: If you cannot move away from Windows Server 2003, and even if you have done everything you can to reduce the attack surface, you're still exposed. And that means you're going to get attacked. Virtual machines are “just files”, so it's easy and fast to restore or rollback, unlike a physical machine. If your Windows Server suddenly demands a ransom for access, a backup solves this problem.
The best solution remains, of course, moving away from Windows Server 2003 altogether. But as hackers act like lionesses around gazelles, targeting the most vulnerable first, then it's worthwhile making sure that you aren't among the weakest of the herd.
Contributed by Ian Trump, Security Lead at LogicNow.