Ultimate farewell to Windows Server 2003 looms in 2015


In 2003, Barack Obama was an Illinois state senator still a year away from his first U.S. Senate campaign. Robert Downey Jr. was a forgotten Brat Packer who hadn't acted in anything since 1999. Taylor Swift was 13. And many computer-dependent businesses had just installed a brand new operating system on their servers, a product that would become widely distributed over the next few years and provide the backbone of numerous enterprise IT functions: Windows Server 2003.


We've all come a long way since then, including the Windows Server product itself. Five new versions have been released — Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2 — and Windows Server 2003 has technically been in semi-retirement since 2010, when Microsoft ended the product's mainstream support. Plenty of customers have long since moved on, but an important deadline looms for those who have not. On July 14 next year, Microsoft will cut off extended support for Windows Server 2003.


More businesses than you might think need to consider an upgrade. The CIO Journal imprint of The Wall Street Journal reported in September that an estimated 23.8 million physical and virtual machines are still running the 2003 version of Windows Server. Once the product is no longer actively supported, machines that use it are essentially holding out an open invitation to savvy hackers. So you can see why, as Windows security and training expert James Conrad of CBT Nuggets put it in an interview with GoCertify, "There's some panic out there."


Many of the machines that still use Windows Server 2003 aren't connected to other computers, and Conrad said that those are essentially safe: "In a lot of industrial situations, it might be running a machine that operates a lathe, or puts hubcaps on cars. A lot of those machines aren't even connected to a LAN, much less the internet. A hacker would have to be present onsite to cause problems."


In some situations, old software manages needed functions just fine. Conrad said that on a recent visit for an eye exam, he noticed a computer still running Windows NT 4, a 1996 OS that hasn't been supported at any level since 2006. In some cases, isolation is an adequate protection. "It didn't even have a network card, it's not connected to anything," Conrad said.


Computers that are connected to other computers, however, especially if there's an active internet connection anywhere in the chain, are at serious risk. Simply because of advances in software protection, Windows Server 2003 is far less secure than its 2008 and 2012 kin. Conrad teaches a Certified Ethical Hacker course — which trains learners in penetration techniques so that they can counteract actual hackers — and said he uses Windows Server 2003 to help students learn the basics of hacking. "We go after the soft targets," he said. "It doesn't require much skill to get into it."


Some businesses assume that newer protection measures applied at other levels, to other software, will keep machines with older software safe. Attackers who penetrate the outer defense, however, will have that much more power to wreak havoc inside the network. "It's really like building a brick wall around a straw house," Conrad said. It just takes a spark making it over the wall to start a serious blaze.


Even computers that aren't part of a network and don't need to be, however, could probably benefit from an upgrade. Newer versions of Windows Server, Conrad said, are faster and more versatile: "Server 2012 simply performs better." And there are plenty of economic reasons to bring old systems forward in time. Sometimes, in order to get financing approved, Conrad said, "you have to present management with a win-win scenario." Microsoft, he said, has provided a detailed report on the positive economic impact of upgrading to Windows Server 2012.


That report, along with tools for businesses finally ready to plan a migration to newer software (and hardware), is available at Microsoft's Windows Server 2003 migration assistance site. The "Total Economic Impact" report is right there at the top of the page. There's also a giant orange banner (you may need to scroll down the page to see it in some browsers) with a countdown clock ticking away the days, hours, minutes and seconds until the end of support on July 14. Just in case you're not feeling the urgency.

Would you like more insight into the history of hacking? Check out Calvin's other articles about historical hackery:
About the Author

GoCertify's mission is to help both students and working professionals get IT certifications. GoCertify was founded in 1998 by Anne Martinez.