Support for Server 2003 Ends Tomorrow!

Windows XP reached end of support last year and now it’s time for another end of life—Windows Server 2003. On July 14, 2015, this widely deployed Microsoft operating system will reach its end of life—a long run since its launch in April 2003. Estimates on the number of still-active Windows Server 2003 users vary from 2.6 to 11 million.

But this new end of life will raise a whole new set of challenges. Unlike Windows XP, Windows Server 2003 is a server operating system. While Windows XP is used in home PCs and enterprise workstations/laptops, Windows 2003 offers a deeper attack surface across enterprise servers. Windows Server 2003 is (still) widely deployed for core business functions as Directory Server, File Server, DNS Server, and Email Server. Organizations depend on it to run critical business applications and support their internal services like Active Directory, File Sharing, and hosting internal websites.

When support ends for Windows Server 2003, there won’t be a mechanism to keep it up to date, which is critical in preventing security issues. Typically, security issues would be resolved by regular support for an operating system, which involves:

– Getting security updates to protect against vulnerabilities
– Getting regular support on almost any issue with the product
– Getting non-security updates, i.e., the ‘regular’ bug fixes

Understanding the risk

End of life for an operating system—specifically for Windows Server 2003—means the beginning of a lot of effort for your IT department. Organizations like yours must prepare to deal with missing security updates, compliance issues, fighting malware, and other non-security bugs. You will no longer receive patches for security issues or notifications of vulnerabilities. And you will no longer know when there are vulnerabilities that affect your servers.

At the time of launch, Windows 2003 was a much safer alternative to Windows 2000. Over time, it became clear that it had its own share of vulnerabilities. CVE Details notes that organizations with Windows Server 2003 faced close to 403 vulnerabilities, with 27% of them being remote code execution vulnerabilities. Without notifications to help monitor and measure the risk associated with these vulnerabilities, you may be left facing a big hole in your server security.

To understand the risk further, let’s see how a similar situation played out for Windows 2000, which reached its end of support on July 13, 2010. There have been several vulnerabilities reported in other versions of Windows operating systems since then. But how many of them affected Windows 2000? One example would be the vulnerability MS10-061, which did affect Windows 2000. It should be noted that there was no security patch for it.

Unfortunately, you could be facing a similar situation for Windows Server 2003. After July 14, you will no longer be notified of new vulnerabilities and there will no longer be any notifications or patches available to help protect your systems. But you can still take action to keep your out-of-date systems secure before it’s too late. Now is the time for serious planning and careful risk assessment.
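The planning and risk assessment above starts with knowing which Windows Server 2003 hosts are still live. The following is an added example (not part of the original post) that inventories Server 2003 computer objects in Active Directory and flags the enabled, recently active ones as the urgent migration candidates. It assumes the RSAT ActiveDirectory module is installed, the account can read computer objects, and the CSV output path is a placeholder to adjust.

```powershell
# Added example: enumerate Windows Server 2003 hosts still registered in Active Directory
# and classify them so migration work can be prioritized.
# Assumes the RSAT ActiveDirectory module is available; the export path is a placeholder.
Import-Module ActiveDirectory

function Get-Server2003Inventory {
    param(
        [int]$StaleDays = 90,        # hosts silent this long are likely decommissioned
        [string]$SearchBase = $null  # optional OU distinguished name to narrow the search
    )
    $params = @{
        Filter     = 'OperatingSystem -like "*Server 2003*"'
        Properties = 'OperatingSystem','OperatingSystemServicePack','LastLogonDate','IPv4Address','Enabled'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADComputer @params | ForEach-Object {
        $lastSeen = $_.LastLogonDate
        $daysSilent = if ($lastSeen) { (New-TimeSpan -Start $lastSeen -End (Get-Date)).Days } else { $null }

        # Enabled hosts seen recently are still in production and will receive
        # no further security updates after July 14, 2015: these go to the top of the list.
        $status = if (-not $_.Enabled) { 'Disabled' }
                  elseif ($null -eq $daysSilent -or $daysSilent -gt $StaleDays) { 'Stale' }
                  else { 'ActiveRisk' }

        [pscustomobject]@{
            Name        = $_.Name
            OS          = $_.OperatingSystem
            ServicePack = $_.OperatingSystemServicePack
            IPv4Address = $_.IPv4Address
            Enabled     = $_.Enabled
            LastLogon   = $lastSeen
            DaysSilent  = $daysSilent
            Status      = $status
        }
    }
}

$inventory = Get-Server2003Inventory
$inventory | Sort-Object Status, Name | Format-Table -AutoSize
# Placeholder output path: change it for your environment.
$inventory | Export-Csv -Path 'C:\Temp\server2003-inventory.csv' -NoTypeInformation
```

Review the 'Stale' entries too: a Server 2003 machine that has not logged on in months may be unplugged, or may simply be a workgroup or non-domain host that this query cannot see, so complement the directory inventory with a network scan of your own ranges.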