Feeds

back to article July 14, 2015. Tuesday. No more support for Windows Server 2003. Good luck

Any switched-on channel type or IT manager will have this deadline hard wired in their cerebral cortex, but for those in need of an early morning jumpstart - support for Windows Server 2003 ends a year from today. On 14 July 2015, Microsoft pulls extended support for the server operating system; it will no longer issue free …

Silver badge

What's the real danger ?

Except for web facing front end servers what would be the real danger here ? I have two servers that have been running W2003 for the last six years, they are rebooted about twice a year for maintenance and they never cause any problems.

The physical machines were transfered to VM,s two years ago during a hardware refresh, they are both running a legacy application that will not get updated for a few more years, if ever. The application works, the user like it and it costs us nothing in maintenance. We have no need to update it....

Why would I want to update ? How serious do you guys treat security updates for back end servers with little or no internet connection. The proxy configurations are not configured on either machine so they have no direct connexion to the web.

11
1
Silver badge

Re: What's the real danger ?

Sounds like your shop is more smallish but Enterprise IT can't really think like that. Relaxing security behind the firewall too much has gotten an awful lot of companies in trouble. Often a company's biggest threat is a disgruntled employee or insider. Granted an unpatched WS2003 is not likely to be their juiciest target but in general its bad to assume no direct internet connection means safe.

3
0
Silver badge

Re: What's the real danger ?

It all depends on how common YOUR usage is.

The places where you can assume that your users are always going to be non-hostile and that you're holding nothing of import that you have to protect? Sure.

But did you know you can get done for a DPA violation for just letting someone have access to certain data that they weren't required to have as part of their job? And PCI standards pretty much dictate that you have to be on the new OS with official update procedures in place and supported software throughout?

Before you even flinch, you have to consider that - say - every school MUST upgrade. All web businesses MUST upgrade. Most offices MUST upgrade. Anything on the network periphery MUST upgrade whatever you're doing. Anything that handles credit card data in any way - even offline - MUST upgrade. And so on. Before you even start, you're close to the majority of computers in the majority of workplaces. At that point, convenience, homogeneity, simplicity of deployment and just hardware refresh means that you probably shouldn't be on 2003 almost anywhere now.

Sure, I've run an internal Intranet server for years and got several hundred days of uptime from it, because it wasn't critical, held no important information, and wasn't accessible remotely. But the problem today is that the places you can do that are increasingly rare. I converted a school from 2003 to 2012R2 only last year (they'd not bought into the MS annual licensing, so only had VLKs for 2003, so we were putting it off as long as possible until we KNEW we had to upgrade). But it was still technically in support then and even then we KNEW we were leaving it very late. Only a tech-savvy Bursar, a huge injection of cash, and dire warnings of what would happen if we stayed on 2003 much longer prevailed (for a start, our MIS system was dropping support for the same reasons given above, and MIS software runs the school).

Consider even a basic school or office. Your Exchange server is front-line, so that has to go. Your probably have RD or website hosting machines - they have to go. Your AD servers have publicly visible names and (in a small scenario such as that) probably host user files too. It takes a second to guess share names and start poking holes in them, especially if they aren't updated. Sure, you have staff processes in place to discipline those who access data like that but as soon as you go from small business to having employees that might be unhappy, you have to protect them.

So that's all your main internal servers. Now you're doing that, you need to integrate old 2003 servers with your brand new (presumably) 2012R2 setup. The hassle of doing so, especially if you've taken the opportunity to virtualise, means it's probably just easier to wipe them out and put in a 2012R2 VM to take their place. Hell, you can do it on the same hardware if you like - the chances of you being in a place that is at 100% CPU on all their servers is vanishingly small - and it's silly to drag around old systems like that.

Sure, for some reasons, for a mom-and-pop shop without direct finance detail access, you can get away with not keeping up. For the majority of places, someone's going to have your arse for not keeping up to date - whether that be data protection, PCI-DSS, or just your boss. I'd say if your IT FTE (full time equivalent) staffing is much less than 1, you "could" get away without updating. For anything else, you damn well shouldn't be because almost certainly there's more on the line than just your job.

And if you don't know the DPA, PCI-DSS, etc. off by heart but you deal with personal data / card info, the chances are you're going to fall foul of it before long anyway. And if you do, you know why you have to keep up-to-date (hint: the potential for PERSONAL LIABILITY now!). You can't afford to let the data you have get into other's hands, so you can't be sloppy about managing it, so you can't put it on out-dated computers of any flavour.

It doesn't save you automatically but if you can show "reasonable effort" was used to secure the system, and not just "I let it linger on a 11-year-old OS", then chances are you'll be seen as doing your job, and not being irresponsible with people's data.

8
1
Pirate

Re: What's the real danger ?

Worms will be my primary worry after support ends. Things that get brought onto the network and work their way through it via bugs in netbios or IIS or whatever else the black hats can think up. All of my Internet-reachable stuff is 2012, but I do still have quite a few 2k3 servers kicking around doing various little things. So I'd say make sure your remaining 2k3 servers are in their own DMZ so the local desktops can't infect them. That's what I'll be doing here. Although hopefully I can chuck all of my 2k3 boxes over the next year or two. Too bad, as I liked the simpler Win2k-ish interface on the 2003 server.

3
0
Silver badge

Re: What's the real danger ?

@asdf

>Sounds like your shop is more smallish but Enterprise IT can't really think like that.

I can easilly understand why you would think that. For obvious reasons I can't mention who I work for but I can say that it is a large Multi-National with a more than 100K direct employees. It really is a very large company.

We do have the normal Enterprise IT attitude but not always and not for all business lines. It all boils down to money, project investement commitees and project priority calendars. Budgets have not been made available, nor suitable priority given to some of the older applications and as such they remain static, they can't be decommissioned but at the same time have no resource allocation for upgrades/renewals.

The regional DPP is well aware of the situation but also has his hands tied by the bean-counters and higher priority projects - especially those concerning new business.....

And in the mean-time I have to keep the local shop running... it's one of those catch 22 situations in which I can't win..... ( notice how I used "I" rather than the company).

I always thought that the large corporate world would always have the latest technology etc.....how wrong I was.... ( they do have some nice stuff to play with though).

2
0
LDS
Silver badge

Re: What's the real danger ?

You just need a foothold into your LAN - and it could be whatever, an insider, a compromised client, a rogue device connected to the network - and then all vulnerable machines inside the LAN can be easily compromised as well to extend and strengthen the attack. The more machines become compromised, the more difficult the remediation is.

If you believe your servers can be compromised only if connected to the Internet, your looking in the wrong direction. This sense of false safety is what is helping attackers to easily compromise large networks.

3
0
Silver badge

Re: What's the real danger ?

"We didn't have the money" is not a viable excuse for failing to abide by the law. In fact, it will just make the problem worse when you are compromised, then held responsible for running an "obsolete" and unsupported operating system on the servers, and then fined hugely. It's not the beancounters who will fall in that case, they will just say "Well, our IT guy said it was okay".

And as my more verbose post says - if you have that large a network, there's even less reason to cling onto operating systems that were designed before some of the kids that left the school I work at this year were even born.

Latest technology? No... because you'll want to spend a year or so testing ANYTHING on that scale - I am more suspicious of "zero day updating" than I am of letting working systems continue. A botched install without proper planning will provably cost you money. But equally running unsupported software over a decade old for no good reason other than "it costs money to replace", that's just asking for more trouble. I'm surprised you can even find new hardware that will boot it, to be honest. I haven't seen a 2003 driver for, say, a RAID controller in a while - and UEFI BIOS are quite common now.

1
1
Silver badge

Re: What's the real danger ?

@Khaptain

Yep I understand. Wasn't trying to belittle you or anything and the VM migration should have been the give away yours just wasn't a mom and pop office. And trust me I know all too well how corporate bureaucracy works (doesn't) so I feel your pain. The worse part is credit always flows up and the crap flows downhill.

0
0
Silver badge

Re: What's the real danger ?

@asdf - No problem ;-)

Yes, as soon as the golden words are mentioned "corporate bureaucracy" it is easy to understand the root cause of many a problem.

In the perfect world I would have a team of developers/admins constantly updating all of our apps/servers, but I don't pay the bills, so here in the real world things are a lot less glamorous...

1
0
Silver badge

Re: What's the real danger ?

No connection to the web? And the client PCs that access it? Do they have access to the web?

Also are you in an industry that has any form of compliance or ISO 9001? If so then it will cause audit problems.

Do your customers require you to be compliant with any form of compliance or certification or are they certified? If so, you may have problems delivering to them, if they find out during a compliance request that you are using unsupported software.

Is there any personally identifiable data on the machine (emails, email addresses, CRM database, personnel records etc.), if so you might have a DPA violation on your hands - I'm not up on UK data protection, in Germany it would cause headaches.

If you are only selling to consumers and the systems are running well and there is no compliance or certification in your industry, then you should be able to carry on using them, as long as you ensure they are kept secure and clean from infection - and that means good permieter protection and ensuring any network devices which can see the server are also kept clean.

0
0
Silver badge

Re: What's the real danger ?

@Khaptain if the shop is that big, I assume they also have ISO9001 or equivalent. Couldn't that be slipped under the radar as compliance?

Or tell them, in order to keep compliance and certification status either the servers need to be upgraded in the next 12 months or they will be automatically decomissioned next July...

Threats to the businesses compliance and certification often work wonders on suddenly finding budget.

0
0

Re: What's the real danger ?

You only patch your servers twice a year...???

0
0
Bronze badge

It's enough to make me wonder whether the place I was contracting at a couple of years ago still runs Windows 2000. Discovering that was a bit of a shock to the system.

0
0
Anonymous Coward

windows 2000?

Well at least one financial Institution * still runs Netware AND XP in their branches.

sounds like they inherited their IT people from a Cable Company that shares the first part of their name.

* The plus side is that a lot of work is still done via a terminal onto a Mainframe. Progress!

1
0
Anonymous Coward

we just killed of the last couple of 2K server boxes last week. Only because the programme that ran on them was no longer needed.

Oh and the last NT4 boxes about 4 months ago.

5
0
Silver badge

Re: windows 2000?

How have they managed with all the changes in basic arithmetic since 2000?

0
0
Anonymous Coward

NT4 Servers

We still have 2 WinNT 4 servers operating that I know of... AV is out of date and they are a security risk waiting to happen... making inroads to remove them has been more difficult that I could have imagined.

1
0
Anonymous Coward

"the reality is there is a reason they are running Windows Server 2003"

The reason is that they bought a server and software when server 2003 was the windows Server OS of choice. They bought that hardware and OS because the software they had just bought needed the latest version of the OS to run. 10 years on and the software hasn't changed so neither have the hardware or OS requirements.

There's no technical reason I can think of for wanting server 2003 over 2012 providing the hardware is up to the job of running the new OS.

4
0
FAIL

"The reason is that they bought a server and software when server 2003 was the windows Server OS of choice."

I'm sure a substantial percentage of those servers were actually installed when 2008R2 was the Windows server OS of choice.

1
0
Bronze badge

The reason is that they bought a server and software when server 2003 was the windows Server OS of choice. They bought that hardware and OS because the software they had just bought needed the latest version of the OS to run. 10 years on and the software hasn't changed so neither have the hardware or OS requirements.

There's no technical reason I can think of for wanting server 2003 over 2012 providing the hardware is up to the job of running the new OS.

Neither assertion is really true. Most of our servers are Unix based but we have precisely two 2003 VMs running those odd jobs that absolutely must run on Windows. 2003 was chosen for a reason - it seems that the WGA stuff in 2008 onwards has a tendency to false positives on Xen. The documented way around that is a licensing server which means special agreements and basically a lot of infrastructure to support only two VMs.

As for "no technical reason I can think of" I pity your lack of imagination. One that immediately comes to mind is that it is 64 bit only so if you still have any legacy 16 bit code you are plain out of luck. That isn't as easily dismissed as you might imagine outside the mainstream - for example we have a few pieces of test equipment that are still dependent on 16 bit control apps. It's a difficult business case arguing that £30,000+ of plant needs to be replaced halfway through its natural operating life simply because of a change in Microsoft's supported platforms.

7
0
LDS
Silver badge

If you have 16 bit control apps it's time you run them in a VM with its original OS. At least you're safer, because I guess no actual attacker knows how to compromise a 16 bit systems, nor have a compiler available <G>

Jokes apart, there are situations you may need to really run really outdated software - you have to assess risks and re-design the network, if needed - to put those machines in their own separate LAN whose accesses are highly controlled.

I guess is not a difficult business case to justify such an expenses to protect £30,000+ of hardware plus the whole company....

0
0
Silver badge

If you're running a 16-bit control app, chances are it's running direct hardware (to the metal) code: one of the types of code you CAN'T virtualize because it's a proprietary interface no one else knows about. A few months back, a few of us were having a discussion about a lathe or some other CnC machine that relied on Windows XP (at the time IT went EOL) and couldn't use anything else because of the proprietary hardware driver that ONLY worked on XP (it was an ISA board IIRC). Since the machine was still in its amortization and the firm was facing stiff competition with razor-thin margins, it was basically chance it or fold.

1
0

The problem is......

Not whether or not the software will continue to still run perfectly if you don't upgrade your servers to a supported OS, but, in many organisations, whether or not your compliance processes insist that all software is running on a manufacturer supported OS.

0
0
Silver badge

Re: The problem is......

No, the REAL real problem is having BOTH issues at the same time. Imagine being FORCED to upgrade to an OS where you KNOW your mission-critical, unupgradeable custom software is going to fall flat on its face. Better hope the IT has enough in the budget for a new custom job or the entire company could be hosed.

1
0
Silver badge
Mushroom

Re: The problem is......

>Better hope the IT has enough in the budget for a new custom job or the entire company could be hosed.

And most companies should be paying some suit a lot of money to worry and coordinate such things. Generally not a CIO though. The CIO job is usually to look good on the golf course, back stab for a better C suite job, and if the IT department is lucky occasionally get IT some of the budget they need.

1
0
LDS
Silver badge

Re: The problem is......

Correct - there's still a lot of software around written as it was still Windows NT - which would start to have issues from Windows 2008 onwards when what previously were only "development guidelines" (i.e. don't write in <program files>) starts to be enforced, or old compatiobility modes now switched off by default (i.e. some NTLM features, etc.)

It's better to assess it now and found reasonable workarounds now, than waiting the last minute... well designed software shuould have no issue, just hope you got the right one.

Anyway many other applications are starting to desupport Windows 2003 after XP was desupported - you may find yourself in the situation where you can't upgrade the OS because of one application, and you can't upgrade an application (because of a security fix, maybe), because of the OS....

1
1
FAIL

Re: The problem is......

Lack of proper lifecycle management.

Every service owner is responsible to provide the nessesary ressources to setup,maintain and retire a service.

1
1
Silver badge

Re: The problem is......

Even when that service provider ceases to exist?

0
0
Silver badge
Trollface

Perfect opportunity

…to switch to Linux!

6
5

Re: Perfect opportunity

Why? The lack of understanding of Linux by some serious application vendors is shocking.

2
1
Silver badge

Re: Perfect opportunity

Just in case a newly installed Microsoft CEO decides to boost its falling revenue by end-of-lifing new editions of server a little quicker.

In fact the entire MSFT corporate board could be replaced by a pocket calculator that looked at the income for the next quarter and decided how many copies of Server it had to force customers to replace to break even.

4
1
LDS
Silver badge

Re: Perfect opportunity

With releases who gets desupported even faster? Windows 2003 is being desupported after twelve years. How many Linux releases has been supported for so long?

Also, a lot of Windows applications won't have a direct replacement under Linux. Not all servers are used to run Apache and MySQL only...

2
0

Re: Perfect opportunity

Windows 2003 is being desupported after twelve years. How many Linux releases has been supported for so long?

Red Hat supports their enterprise OS for ten years standard, with the option for thirteen if required.

That said I think such long support runs are half the cause for the migration troubles we so often see on both sides of the fence. The changes to an OS after ten years are often so dramatic to applications that the step becomes too big to move.

0
0

End of the world

Dell, HP, IBM/Lenovo, and others are rubbing there hands thinking about all the servers they will sell. Problem is than many larger places have Server 2003 in a VM. Where I work, I wouldn't be surprised if 75% of the servers are in VMs. Only thing maybe needed is a new host server or 2 to divide the extra horsepower needed.

4
0
Anonymous Coward

Re: End of the world

Our single Svr 2003 box is a Dell PowerEdge. And while I could replace it with a new HP to match our main server, I checked and it is cleared to take 2008 R2. And it's got a brother that isn't doing anything.

I've got an estimate on the cost to pay an IT support company to bring the second poweredge up to speed and into operation. And it's a sight cheaper than forking out for a whole new 2012 box. Could keep us going a good while a proper plan for the future of all the servers is scoped out.

1
0
Anonymous Coward

Lovely smell of licenses in the morning...

What nobody seems to realize is how the cost of licensing Windows has increased over the past 10 years.

Say, 10 years ago you set up an Enterprise class W2003 server, installed your application/middleware/database/whatever and it has been running smoothly since then. Except perhaps for the continuous stream of application changes. But the OS has, except for patches, been untouched in 10 years.

Now they have to upgrade and they find that the equivalent "Enterprise" W2012R2 costs... how much more? Good luck and have a good dose of Paracetamol ready for your discussion with your friendly Microsoft reseller, because you're going to find that W2012R2 costs more than W2003 in very subtle and complex ways.

Add that the cost of installing all the upgraded software -because the latest versions are not W2003 certified- the cost of migrating all those customizations to the new version and look at the bill. Twice. Realize that developing the app from scratch will cost you about the same. Take another dose of Paracetamol.

So in a lot of places the result is going to be "Duh, let's move it to a VM, ring fence the network where it is running and call it a day" ... which incidentally will stop the server vendors drooling as they'll discover that their super-duper W2003 hardware with Windows Enterprise is likely underutilized by HW standards of the the current decade.

Security folks will likely show some testimonial reluctance, but after seeing the upgrade bill they'll likely agree that with some mitigations in place they can keep running W2003 until the application is retired. Or forever. Heck, there are some NT4 apps still running out there.

Let's not even start talking about dedicated hardware equipment that depends on W2003 to run.

1
0
Anonymous Coward

Re: Lovely smell of licenses in the morning...

Problem is, what if you HAVE TO upgrade because you're under a legal obligation to keep your software up to date...only you CAN'T because your mission-critical, so-expensive-it's-STILL-being-amortized hardware relies on proprietary hardware and drivers that can't make the jump.

Oh yes, and you just found out you have liver problems AND peptic ulcers, meaning you can't take paracetamol OR NSAIDs. Hurts to be you.

0
0
Bronze badge
Mushroom

String pulling

Obsolescence...great programme on BBC2 yesterday discussing consumerism and the default way in which manufacturers have you by the balls...ouch..!

0
0

When Will This Pollution Madness Stop!!!!

All this obsolescence game plan (in this particular case) is generating so much money for Microsoft and it's shareholders, maybe it is time to get these greedy polluters to foot the landfill clean up costs! Millions of servers, not to mention all the associated peripherals, all need to be buried somewhere.

You (Microsoft) cause the all the mess, you pay to clear it up.

Who needs all this constant replacement of equipment anyway? Those that care less about our planet or the future generations that will try to live on it, I suspect.

End of rant.

1
0
Black Helicopters

July 14, 2015

Isn't it the same very day Hew Horizon will pass the (ex)planet Pluto?

http://www.nasa.gov/mission_pages/newhorizons/main/

Does Microsoft use astronomers (or astrologs?) when planning its end-of-support dates?

0
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon