Windows Server 2003 reaches its official end of life (EOL) date in July 2014, despite the fact that sizable numbers of organisations apparently still use it. Beyond that date, Microsoft will no longer issue security updates.
Arguably it’s as significant a date in the computing calendar as the EOL experienced by XP last year, but for some reason it is simply less discussed. Microsoft recommends migration to Windows Server 2012 R2 rather than using Server 2008 as some kind of stop-gap staging post. The question remains what organisations should do if they can’t avoid running Server 2003 in the meantime.
Windows Server has suffered 36 software flaws with security implications so far in 2015, a considerable uptick on 2014’s figure, suggesting that by the time the year is out it might challenge 2011’s record of 95 flaws. Most of the flaws now being patched are towards the serious end of the CVE scale. It is clear that continuing to run Server 2003 represents a major risk going forward, and one that even the occasional Microsoft patch will not be able to plug.
The best advice is to get out of Server 2003 as soon as possible. For a broader perspective we decided to consult Adrian Foxall, CEO of applications consultancy Camwood, whose firm has experience of Windows Server 2003 and 2008 migration projects.
The end of support for Windows XP generated a lot of “buzz”. Why hasn’t this been the case for Server 2003?
The end of Windows XP was considered an extremely significant event for the IT community and in many ways XP impacted so many different aspects of technology that it was simply too big to ignore. As a result, in the six months building up to April 5th we witnessed far more discussion and analysis around the repercussions of the end of support for XP than during the build-up towards Server 2003. Financial services, retail, consumer technology, government infrastructure, apps - everything was going to be affected by the end of XP. It was an extremely broad topic with a massive array of consequences.
While the same is reasonably true of Server 2003, which is being used in a wide variety of different sectors, server maintenance is considered more of a back-end process and not a user-facing issue. The demise of 2003 simply hasn’t received the same level of visibility - and ultimately interest - as its front-end counterpart.
To see the drastic difference between these two migrations one need only look at the different levels of visibility in the core IT media. According to Camwood’s own research, Server 2003 has received one twentieth (5 per cent) of the coverage that surrounded the end of Windows XP. In terms of explaining why this disconnect exists, we’ve found that most people still hold a strong association between Windows XP and “turn of the millennium” computing. As a result – even though Server 2003 was only released two years later – XP is still perceived as significantly more dated in the minds of both consumers and IT professionals.
Server 2003 has also received less discussion due to changing attitudes towards OS migration. Following multiple end-of-life ‘non-events’, IT professionals have grown increasingly circumspect about the need for migration. In many ways we have grown far too accustomed to the Y2K effect, where everyone in the industry starts panicking only to realise that - in the vast majority of cases – nothing actually changes.
Most IT professionals were able to see this first hand at the end of Windows XP. For every article or whitepaper calling for a rational and measured response, there were 10 proclaiming Revelations-style destruction throughout the IT and business community. When the deadline did eventually come to pass, everybody realised that the security threats were much slower burning than expected, and would only gradually worsen over the months to come.
How big of a threat does the end of Server 2003 pose?
Ironically, in many ways it is the lack of hype around Server 2003 that could cause the biggest security threat. While the mania surrounding the end of XP didn’t help to solve the issue, it did at least raise widespread awareness. The biggest problem we now face is that too many businesses remain either ill-prepared or simply ill-informed about the consequences of not migrating their OS.
The physical security threats, as with XP, will not manifest as some massive organised attack on 14th July. Instead, the potential security issues will develop over time, leaving business systems unpatched and vulnerable in the long term.
Security aside, the bigger risk for businesses lies in a lack of application compliance. Those organisations that fail to move away from Server 2003 will quickly find themselves unable to receive vendor support and outside of their legal requirements. As a result, if a vital application were to stop working three months down the line, vendors will simply refuse to provide updates or fixes to maintain applications for a twelve-year-out-of-date operating system. Not only can this leave businesses vulnerable from a security point of view, but the resulting application downtime can also significantly impact an organisation’s bottom line.
For some businesses this is a risk they may be willing to take. For those in the public or financial sector, however, a lack of vendor compliance can lead to serious legal issues. This in turn will often result in hefty fines, further damaging an organisation’s bottom line.
How many businesses are still using Server 2003?
Given that a lot of vendors have been trying to encourage people to switch to their preferred solutions (AWS, The Cloud, Windows Server 2012), the number of active 2003 servers remains surprisingly high.
According to estimates from earlier this year, the 12-year-old operating system is still running on as many as 11 million individual servers around the world. This figure represents around 1.6 million organisations worldwide, along with 400,000 businesses in the UK that are still running Server 2003.
It doesn’t matter whether businesses are thinking about the security implications, the legal ramifications, or simply the problems of applications compliance; given the closeness of the deadline, this number remains a significant point for concern.
What is the best “next step” following on from Server 2003?
For the most part Camwood has been moving companies either to Server 2012, Server 2012 R2, or to the cloud. All of these technologies have their own merits, but it really just depends on what your particular business is trying to achieve. Moving to the cloud has obvious benefits in terms of scalability, offsite protection and stability/cost ratios; however, some legislation-heavy sectors (such as banking and finance) are still reluctant to host their servers in the cloud due to potential compliance and security concerns.
For those reluctant to move to the cloud, an on-premises Server 2012 offers a number of benefits. These include significantly improved security and Dynamic Access Controls, as well as providing a single view of the server health and remote server management.
In certain instances, some of Camwood’s clients have opted to make the switch to Windows Server 2008, if only as a temporary cost saving measure. While we consider it advisable for businesses to make the leap to 2012 in order to ‘get ahead of the game’, 2008 can provide a useful stepping-stone.
A lot of businesses have actually been using Server 2008 to allow them to move away from Server 2003 (ahead of the deadline) and then look at transitioning the rest of the way over a longer period of time. From an application management point of view, this also gives them time to get their estates in order before making the full switch to Server 2012.
What is the likelihood of businesses missing the July 14th deadline?
Given the sheer number of businesses that are yet to make the transition, we expect that the migration process will carry on well into 2016. Considering that we are still helping some businesses move away from Windows XP more than a year on from the official end date, we expect similar levels of non-compliance for Server 2003. We would like to think that most organisations would be off Server 2003 by late July or early August; however, based on the current figures this seems unlikely.
Most of our clients are well underway in terms of making the move, yet even if they’ve successfully completed 90 per cent of the migration ahead of the deadline this will still leave a lot of applications unsupported or failing to meet compliance standards.
In a lot of instances, certain applications don’t have a designated upgrade path; they will simply never migrate effectively away from Server 2003. In these cases we’ve done what we can to offer viable alternatives or search for functional equivalents.
From our experience these migration processes do usually turn out to be much more complicated than most businesses anticipate. In many instances we’ve had companies approach us claiming to have an IT estate of fewer than 100 applications which need transferring. After a full audit, we’ve quickly found there to be literally thousands of installed applications that the organisation didn’t even know existed.
We don’t need to migrate them all, but before anything can be deleted businesses need to decide how their removal would impact other applications and other aspects of the business.