Think switching OS is bad? There are just weeks left to migrate away from Windows Server 2003 before support for the operating system runs out. At this point, if a CIO hasn’t yet taken action, CEOs should be getting involved.
After all, if a business is insecure and non-compliant, that’s a corporate governance issue.
On July 14, support for Windows Server 2003 ends, and almost one in four Microsoft servers are still running the 12-year-old software, according to Microsoft. A March survey by Spiceworks said that just 15 per cent of Windows Server 2003 users had already made the switch, with another half partially there.
Twenty-eight per cent were still planning, while eight per cent said they weren’t going to bother.
Half of those respondents were from North America. Canadian users have significant problems, according to reports. The Treasury Board Secretariat, which is responsible for renewing government computer equipment, said that up to 8,000 federal servers may still be running Windows Server 2003.
That’s before we even get to the provinces.
And estimates from Microsoft in Canada suggest that up to 380,000 servers could be at risk there.
Overall, a quarter of Windows Server 2003 users surveyed by Spiceworks said that they wouldn’t be ready by the deadline. Those slow-to-act decision-makers face a problem, said Nick East, CEO of Zynstra, which provides hybrid IT options, and also offers migration services for Windows Server 2003 owners.
“Businesses that choose to continue running 2003 run the risk of major business trauma,” he said. “As of 14 July 2015 Microsoft will no longer develop or release any updates or patches to Windows Server 2003.”
That means users won't see any more fixes for security, reliability, or performance issues.
CIOs may be forgiven for thinking that all the important updates will already have been made to Windows Server 2003, leaving them with a finely tuned, reliable system that they can leave quietly humming away in the corner. That would be ill-advised, though.
Software is a living, breathing thing, and bugs affecting reliability, security, and performance will always continue to emerge. This May saw one critical patch for the operating system that fixes a remote code execution bug. April saw another.
This leads to perhaps the most obvious reason to upgrade: security. Cybercriminals tend to follow the path of least resistance, and they like the bugs their exploit code relies on to remain unpatched.
So, the chances are that many of them will hang on to exploits until after Microsoft stops patching Windows Server 2003. Then, companies still running it will potentially be at risk from a higher number of attacks that will specifically target that operating system.
Even without hidden zero-days, other bugs are bound to come to light that will affect Windows Server 2003. When support ended for Windows XP last year, it took just two weeks for the first serious bug to emerge affecting the operating system.
The other issue is compliance. Your own tolerance for security bugs may be high, but depending on which vertical sector your company operates in, or which clients it sells to, that may not be relevant.
Compliance will become a big issue for companies still running Windows Server 2003 after the cut-off date, if they are bound by third-party rules affecting system security.
This will cover a long list of companies, including any firm that runs a Windows Server 2003 system touching credit card processing. The Payment Card Industry Data Security Standard is mandatory for anyone processing credit card data, and also happens to be one of the most technically prescriptive standards in the tech industry.
PCI DSS Requirement 6.2 says that system components and software must be protected from known vulnerabilities by installing applicable vendor-supplied security patches within one month of release.
In Canada, the issue is serious enough that the government’s cybersecurity organisation, the Canadian Cyber Incident Response Centre, issued a security alert about it, warning people to upgrade from the software.
Canada’s financial regulator, the Office of the Superintendent of Financial Institutions, has also issued voluntary guidance on cyber security for financial services firms in the country.
Failure to upgrade to software that can be patched would have an effect on compliance with this guidance, as it calls for the ability to obtain, test and automatically deploy security patches and updates in a timely manner based on criticality.
Requirement 4.6 of its guidance also demands that a financial institution "considers and mitigates cyber risk arising from use of any unsupported software".
The financial sector edict is particularly relevant, because Canadian banks have a spotty track record of upgrading software in time. In January 2014, shortly before support for Windows XP lapsed, NCR said that only one in five ATMs operated by Canadian banks would be ready by the April deadline, lagging behind banks in other countries.
Part of this was reportedly to do with a security re-certification requirement that burdened Canadian banks. One bank said that it wouldn't have completed all the upgrades to its ATMs until the end of this year. Perhaps at the server level, we can do better this time?