Last word: prepare for the end - of MS Extended Support

Kevin Linsell, director, strategy and architecture, Adapt
Kevin Linsell, director, strategy and architecture, Adapt

With Microsoft estimating that 22 million instances are still running on Windows 2003, there will be a lot of companies out there that are worried about what the future holds and whether they have left it too late to put migration or contingency plans in place.

There are three key security concerns that companies using WS2003 should consider in the coming weeks and months:

1. Security updates: You will no longer be able to obtain the latest security updates from Microsoft. Over time, this will have an impact on the confidentiality, integrity and availability of your systems and potentially expose your data to more malicious attacks.  In the short term, the main risk to think about is a Denial-of-Service (DoS) attack. Particularly for any companies in the retail sector, where an attack could potentially occur during peak hours.

2. Software and hardware compatibility: For companies running a mixture of physical and virtualised servers, managing the end of life for WS2003 could seem like a daunting task. My advice is to focus first on the physical components. If you conclude that it's not going to be possible to integrate your unsupported WS2003s with new products, licences and applications you've purchased for your virtual environment - or plan to purchase in the future - then you need to put a migration strategy together sooner rather than later.    

3. Disaster Recovery and resiliency: Consider how you plan on re-starting servers that are out of support and beyond your IT team capabilities. If disaster recovery and resiliency are key to your business, then migrating is an absolute necessity. Sadly there is no work around for this one.

An increasing amount of government legislation and industry standards require businesses to be able to prove that their IT security infrastructure is up to date. Running a WS2003 without Microsoft support may mean that you can't fully comply with these regulations and that you might be exposing your company to risk of a formal government investigation and/or prosecution.  

How big is the issue and what are the next steps?

It may all seem like doom and gloom, but to mirror the three security concerns above, here are three proactive suggestions:

1. Ensure your servers and their lifecycle are integrated into your risk management processes: The Microsoft Support Lifecycle (MSL) provides various details on their products and associated roadmap.  Microsoft also offers a search facility that enables you to run through your product line and plan with your cloud provider to develop three to five year strategy for migration, should you require it.

2. Ask the obvious: Why? It is important to understand what these servers deliver for you, so undertake a data mapping and services audit.  Identify your information assets and then risk assess them against confidentiality, integrity, availability and the likelihood of compromise.

3. Test, test and test again: Do not wait for a malicious attack. A certified security professional can identify weaknesses in your architecture and provide remediation advice.  This again may not be good enough, dependent on where your WS2003 servers are situated within the architecture, but it will give you that concrete evidence to improve and support the case for investment.

The end of extended support for WS2003 does raise security concerns. The risk is only likely to increase over time and companies operating in cloud must plan ahead, understand the flow of their key information assets and take steps to ensure that they are adequately protected.

Kevin Linsell, director, strategy and architecture, Adapt