Many Organizations Not Prepared for Windows Server 2003 End-of-Life: Survey

With just over 100 days left until Windows Server 2003 will no longer be supported by Microsoft, many organizations are still not prepared to migrate to a more recent server platform, a survey by Bit9+Carbon Black has found.

Microsoft is ending support for Windows Server 2003 on July 14. After this date, the company will no longer issue security updates for any version of the operating system. According to reports, after the deadline expires, organizations will have to pay $600 per server for extended support.

Microsoft cut off support for Windows XP in April 2014 and the decision affected both regular users and enterprises. In the case of Windows Server 2003, regular users might not be impacted, but organizations will put customer records, classified corporate information, and other sensitive data at risk unless they take action, experts have warned.

Critical vulnerabilities affecting Microsoft’s server operating systems are not unheard of. In November 2014, Microsoft released an out-of-band patch to address a serious Kerberos vulnerability that had been exploited in targeted attacks. The flaw affected Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.

According to the Bit9+Carbon Black report, one in three enterprises plans to keep running Windows Server 2003 after July 14. Considering that roughly 9 million machines currently still run the old operating system, an estimated 2.7 million servers will remain unprotected.

“Unlike Windows XP, which was front and center when it went end of life, Windows Server 2003 is implemented largely behind closed doors on servers that are not as ‘present’ as Windows XP and other desktop operating systems,” said Christopher Strand, senior director for compliance at Bit9+Carbon Black. “The fact that Windows 2003 is a server system also accounts for the deadline not being well known by IT managers, who have been focused on fixing desktop PCs and numerous other endpoints that were running XP. This is despite the fact that Windows Server 2003 is implemented at about the same percentage across servers as XP was across endpoints.”

The survey has found that more than half of the organizations using Windows Server 2003 don’t even know the exact end-of-life deadline, and 14 percent of respondents said they still haven’t laid out an upgrade plan.

The problem for many enterprises is that they have hardware or business-critical software that is not compatible with the more recent versions of the server OS. One third of respondents said they are most concerned about migrating customer relations management software. Others are concerned about their enterprise resource planning applications (23 percent), financial applications (23 percent), and custom in-house tools (11 percent).

IT leaders from 500 medium and large enterprises in the United States and the United Kingdom took part in the survey conducted by Survata on behalf of Bit9+Carbon Black in February.

Bit9+Carbon Black says the average migration time has been estimated at 200 days. Businesses that miss the deadline should consider implementing compensating controls such as network isolation, application whitelisting, and continuous server monitoring.

According to a report published by Spiceworks earlier this month, the Windows Server 2003 end of life represents a $100 billion opportunity for companies that provide migration-related solutions, such as hardware, software, and associated services. Of the more than 1,300 global IT professionals surveyed by the company in January, 64 percent said they planned on migrating to Windows Server 2012 R2, while 14 percent prefer Windows Server 2012.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.