SecurityWeek

Many Organizations Not Prepared for Windows Server 2003 End-of-Life: Survey

With just over 100 days left until Microsoft stops supporting Windows Server 2003, many organizations are still not prepared to migrate to a more recent server platform, a survey by Bit9+Carbon Black has found.

Microsoft is ending support for Windows Server 2003 on July 14. After this date, the company will no longer issue security updates for any version of the operating system. According to reports, after the deadline expires, organizations will have to pay $600 per server for extended support.

Microsoft cut off support for Windows XP in April 2014 and the decision affected both regular users and enterprises. In the case of Windows Server 2003, regular users might not be impacted, but organizations will put customer records, classified corporate information, and other sensitive data at risk unless they take action, experts have warned.

Critical vulnerabilities affecting Microsoft’s server operating systems are not unheard of. In November 2014, Microsoft released an out-of-band patch to address a serious Kerberos vulnerability that had been exploited in targeted attacks. The flaw affected Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.

According to the Bit9+Carbon Black report, one in three enterprises plans to keep running Windows Server 2003 after July 14. Considering that roughly 9 million machines are currently still running the old operating system, an estimated 2.7 million servers will remain unprotected.

“Unlike Windows XP, which was front and center when it went end of life, Windows Server 2003 is implemented largely behind closed doors on servers that are not as ‘present’ as Windows XP and other desktop operating systems,” said Christopher Strand, senior director for compliance at Bit9 + Carbon Black. “The fact that Windows 2003 is a server system also accounts for the deadline not being well known by IT managers, who have been focused on fixing desktop PCs and numerous other endpoints that were running XP. This is despite the fact that Windows Server 2003 is implemented at about the same percentage across servers as XP was across endpoints.”

The survey has found that more than half of the organizations using Windows Server 2003 don’t even know the exact end-of-life deadline, and 14 percent of respondents said they still haven’t laid out an upgrade plan.

The problem for many enterprises is that they have hardware or business-critical software that is not compatible with the more recent versions of the server OS. One third of respondents said they are most concerned about migrating customer relations management software. Others are concerned about their enterprise resource planning applications (23 percent), financial applications (23 percent), and custom in-house tools (11 percent).

IT leaders from 500 medium and large enterprises in the United States and the United Kingdom took part in the survey conducted by Survata on behalf of Bit9+Carbon Black in February.

Bit9+Carbon Black says the average migration time has been estimated at 200 days. Businesses that miss the deadline should consider implementing compensating controls such as network isolation, application whitelisting, and continuous server monitoring.

According to a report published by Spiceworks earlier this month, the Windows Server 2003 end of life represents a $100 billion opportunity for companies that provide migration-related solutions, such as hardware, software, and associated services. Of the more than 1,300 global IT professionals surveyed by the company in January, 64 percent said they planned on migrating to Windows Server 2012 R2, while 14 percent prefer Windows Server 2012.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
