There are now just a little over 100 days left until July 14, when Microsoft will end support for Windows Server 2003. That means no more patches at all, just like with Windows XP last year.
And a lot of people don't even seem to know it.
After July 14, "Microsoft will no longer issue security updates for any version of Windows Server 2003. If you are still running Windows Server 2003 in your datacenter, you need to take steps now to plan and execute a migration strategy to protect your infrastructure." That comes right from the company.
Bit9, an endpoint security firm, recently posted the results of its "Windows Server 2003 (WS2K3) End-of-Life Survey," and the findings were not pretty. There were two glaring results from the survey:
- Nearly one in three enterprises (30%) plan to continue to run Server 2003 after the July 14 deadline, leaving an estimated 2.7 million servers unprotected.
- More than half of enterprises surveyed (57%) do not know when the end-of-life deadline is. In the survey, Bit9 gave respondents a multiple choice question asking the month when Server 2003 end-of-life would occur. Thirty percent of organizations surveyed said "I do not know," and another 27% guessed wrong.
Now, we all remember the predictions of Armageddon when Windows XP hit its end of life. I contributed a little to that hysteria. It turns out it never happened. XP has been in rapid decline, and the end of life accelerated that process. The bad guys go where the numbers are, and Windows 7 has the numbers.
But with Server 2003, migrations are nowhere near as quick as they are with desktops. At this point, even if you started a migration you probably wouldn't complete it in time. Bit9 says a migration would take at least 200 days, while other experts give more high-low room due to the variances in the apps, complexity, and so forth.
This means that millions of Windows servers holding sensitive data will be unpatched. Bit9's mission is security, so it was most concerned about this.
"Servers, including domain controllers and Web servers, are where most organizations' critical information resides. So, if organizations continue to run Windows Server 2003 after July 14, without implementing appropriate compensating controls, they are putting customer records, trade secrets, and other highly valuable data at risk. Cybercriminals, hacktivists, and nation-states prey on unprotected servers, leaving enterprises exposed to potentially catastrophic breaches that can lead to lawsuits, regulatory fines, and loss of customer trust," the company wrote on its blog post.
A bit alarmist? Perhaps, but it's their job to sound the alarms.
With 100 days left, Bit9 says organizations yet to upgrade must immediately aim to get their Server 2003 systems into a compliant state to eliminate both financial and legal penalties and avoid the brand damage associated with failed audits, data breaches, and noncompliance. Effective compensating controls for organizations without an upgrade plan include network isolation, application whitelisting, and continuous server monitoring.
And quite frankly, if you are in charge of an IT department and didn't know this was coming, you should start updating your resume/LinkedIn profile.