It might seem odd to say there is anything ‘hidden’ about the end of support for Windows Server 2003. In fact, Information Age has already run several pieces on this operating system being put out to pasture, the consequences it could have and the best ways to protect organisations.
However, the problem is that Windows Server 2003 has been one of the most popular server operating systems yet. A very large number of applications were developed during the time when Windows Server 2003 was the predominant OS, and many of them depend on features specific to that release and have never been updated to work on more recent versions.
It’s hard to get an accurate figure for the total installed base. Gartner has said 8 million; HP has gone with 11 million. But some estimates are that, including virtualised installations, there could be as many as 22 million Windows 2003 servers currently in use.
That adds up to a massive problem that must be addressed, both as a result of the sheer number and because of the application dependencies for which there may not be a simple solution.
When support for the OS officially ends next week, it will be the weak member of the herd. Any vulnerability found after that date won’t be patched, so it will remain a vulnerability for the remaining life of the system.
While businesses have been living with legacy Windows XP systems beyond the end of support date, server operating systems are more critical and more likely to be exposed to external attack.
On July 15, criminal hackers will change their behaviour as they seek to exploit a potentially mission-critical OS that is no longer updated, and finding these vulnerable servers is now easier than it has ever been: with distributed computing, scanning every single online server in a short period is possible.
Some industries are more at risk than others. Many press and printing production systems date from the days of dial-up and run almost exclusively on Server 2003.
Today, digital plate makers and binding machines are connected to the internet, often directly or through remote desktop software, for the convenience of transferring images or operating remotely.
In many cases, the business has never had a failure on one of these machines because they are so reliable – if they get hacked it may be the first time work grinds to a halt.
Building management systems, such as those that control heating and ventilation, alarms and cameras, or voicemail systems, may well be running software that relies on Windows Server 2003.
Older software for this purpose isn’t unusual, as the requirements don’t change much from year to year – one school in the US still uses a Commodore Amiga to run its heating system.
The problem is compounded by the fact that this software was often written in a more innocent time. Ten years ago the internet was much less regarded as a likely attack vector, so the software will not have been designed to protect against this sort of hack: it may not work with a firewall turned on, or without the server’s administrator logged in.
These Windows Server 2003 installations aren’t likely to be going anywhere soon – so what should organisations do to minimise the risk from attack?
There’s a good chance that the hardware Server 2003 machines are running on is nearing retirement, so organisations should move the OS off this hardware and onto a virtualised environment.
They should also remove and disable as many services and applications as possible. Ditch the likes of Adobe Reader, Java, Flash, QuickTime and Shockwave unless absolutely necessary.
By reducing the services and applications installed on the server, the organisation cuts down on potential vulnerabilities. Does this system actually need access to the internet? If not, block that access with a firewall rule.
However, if it does need outside access, then a geo-IP filtering capability can help: if an office is in Maidenhead, there is probably no need for Russia to be probing the business API.
If an organisation cannot move away from Windows Server 2003, and even if it has done everything it can to reduce the attack surface, it’s exposed. And that means it’s going to get attacked.
Virtual machines are just files, so unlike a physical machine they are easy and fast to restore or roll back. If an installation is compromised, all is not lost.
Moving away from Windows Server 2003 altogether remains, of course, the best solution. But the important first step is knowing where all of the vulnerable installations are, so check the more hidden parts of the infrastructure before the deadline date.
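One way to find those hidden installations is to ask Active Directory which computer objects still report a Server 2003 operating system. This is an added example, not code from the article or from LogicNow; it assumes the ActiveDirectory module (RSAT) is installed on a current Windows admin workstation, and the report path and 30-day activity window are assumptions.

```powershell
# Added example: inventory Windows Server 2003 hosts recorded in Active
# Directory so they can be hardened, isolated or migrated before support ends.
Import-Module ActiveDirectory

$reportPath = 'C:\Reports\ws2003-inventory.csv'   # assumed output location

# The OperatingSystem attribute is written by the machine itself when it joins
# the domain, so physical and virtualised installations are both covered.
$legacy = Get-ADComputer -Filter { OperatingSystem -like 'Windows Server 2003*' } `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate,
                IPv4Address, Description |
    Select-Object Name, DNSHostName, IPv4Address, OperatingSystem,
                  OperatingSystemServicePack, LastLogonDate, Description

# Hosts that have logged on recently are live systems rather than stale
# computer objects; those need the hardening steps above first.
$cutoff = (Get-Date).AddDays(-30)                 # assumed activity window
$active = $legacy | Where-Object { $_.LastLogonDate -gt $cutoff }

# Remote desktop is the access path the article singles out for production
# systems, so note which live hosts still answer on TCP 3389 from the admin
# workstation. This only checks reachability; it changes nothing on the host.
$rdpExposed = foreach ($host in $active) {
    if ($host.DNSHostName -and
        (Test-NetConnection -ComputerName $host.DNSHostName -Port 3389 `
            -InformationLevel Quiet -WarningAction SilentlyContinue)) {
        $host
    }
}

'Windows Server 2003 objects in AD: {0}; active in last 30 days: {1}; RDP reachable: {2}' -f `
    @($legacy).Count, @($active).Count, @($rdpExposed).Count

# Most recently active hosts first, since they carry the most risk.
$legacy | Sort-Object LastLogonDate -Descending |
    Export-Csv -Path $reportPath -NoTypeInformation
```

The CSV gives a per-host list to work through: apply the firewall and service reduction steps to the active machines first, and retire the stale computer objects so they stop masking the real count.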
Sourced from Alistair Forbes, LogicNow