back to article Why are there so many Windows Server 2003 stragglers?

Windows Server 2003 is almost out of support, and many of us simply don't have the option to upgrade to a newer operating system. In some cases this problem is self-imposed. In others it is the result of events beyond our control. Either way, there are millions of businesses – mostly small businesses – who simply don't have the …

  1. Ticl

    ASP.Net 1.1

    Many legacy .net 1.1 and 2.0 applications have trouble running under 2008, let alone 2012.

    1. Danny 14

      Re: ASP.Net 1.1

      Indeed. That was one of the headaches for us. We got our old .net 1.1 recoded for .net 4.0 and went from 2003 to 2008R2 (at the time), now up to 2012R2. I can imagine a lot of other people are thinking about sandboxing their 2003 if they can.

  2. Anonymous Coward
    WTF?

    You need to ask?

    Why are there so many Windows Server 2003 stragglers?

    Because Windows Server 2003 generally works pretty well, doing without Metro or any cloudy phone home Microsoft Live shit, and the cost of upgrading to later Microsoft versions is very expensive in terms of cash, re-training, lost productivity and general disappointment.

    The question should be not why are there so many Windows Server 2003 stragglers, but why aren't there more?

    1. Anonymous Coward

      Re: You need to ask?

      Uh? Do you install Live stuff on a server?? And if so, why? And do you administer a server from the GUI? Also, you've got Core OS installation also.

      It looks like you never used a recent Windows server OS, and are just repeating Windows 8.x desktop issues blah blah.

      Sure, upgrades may not be cheap, but 2003 is reaaaaally old now, if you bought it several years ago maybe you should also have planned the budget to replace it eventually... just like you plan to replace phones, laptops, etc....

  3. thedarke

    Lack of 32-bit Server platform

    The biggest objection I've heard from customers to why 2k3 is still in production is that it's their mainstay for their 32-bit LOB applications. 2008 RTM really isn't an option (because it's terrible) and Microsoft decided to kill 32-bit from 2008 R2 onwards. They've not addressed this adequately in their intervening years of mucking around with Metro, and instead have created an insurmountable upgrade point. Projects like Drawbridge held promise for solving this problem, but the earliest we are likely to see any of the results of it is next year, and I doubt very much it will be the hammer to crack this nut.

    Domain joined 2003 is totally insecure as of the turn of this year. Very nasty exploit for AD joined machines found (that ran the entire Windows line)- and only 2008 or above got the fix. Profits put before customers by Redmond again means they'll have diminishing customer numbers with every cycle.

    1. James Turner

      Re: Lack of 32-bit Server platform

      32bit applications work fine on current 64bit Windows, using WoW64.

      If they're using browser components, MS are still shipping both 32bit and 64bit versions of IE on their 64bit OSes.

      1. Paul Crawford Silver badge

        Re: Lack of 32-bit Server platform

        The real problem is if you have 16-bit Win95/DOS era software as that won't run on 64-bit Windows. OK you may also have driver problems as well for older hardware under 64-bit (remember how crappy 64-bit XP support was?). Sometimes it will run on Linux emulators (Wine, or dosemu, etc) but that is a significant gamble.

        Now you might be saying "Who runs 16-bit any more?" without realising there is a lot of small speciality software from that era that works, and changing the software to a newer version is a major PITA for various reasons:

        1) New software license costs

        2) Maybe no longer compatible with old, special, and very expensive hardware

        3) Different file formats so you can't read/write previous data

        4) Different work-flow so you have to re-jig lots of scripts and re-train users.

        5) All of the above often gets you nothing more than "supported OS" status as it will do exactly the same job as the old one (maybe better, maybe more buggy).

        So while using old servers for general stuff is barely excusable, there are some VERY GOOD reasons why it won't happen for many. But as other commentards have pointed out, you should be working on the assumption that ALL systems can be p0wnd (old & new, Windows & Linux) and planning how you detect that and restore to a clean state when it happens, not IF it happens.

        1. Anonymous Coward

          Re: Lack of 32-bit Server platform

          That's what virtualization is for (or specific, segregated networks, or both). But you have to move away everything else, only the 'unupgradable' software should be left running on the unsupported OS, in the most restrictive setup allowed.

    2. Ragarath

      Re: Lack of 32-bit Server platform

      Why are 32bit applications holding you back? Yes 2008 is 64bit only but that is the Operating system. The OS can run 32bit applications, that is what SysWow is for.

      >Profits put before customers by Redmond again means they'll have diminishing customer numbers with every cycle.

      I do have to say about this line, Profits, yes businesses need that to survive and is why they exist and people have jobs etc. People that are still using a 12 year old operating system are not customers. They paid a very small amount for 12 years of support.

      I have a single 2003 server that I have not yet moved over, there is no reason really except that I've been busy/lazy. Must get on with that.

      Edit: James Turner got in there with the WOW stuff while I was typing.

      1. Danny 14

        Re: Lack of 32-bit Server platform

        64 bit drivers for Epson printers can be a bit hit and miss (A3 inkjets with bulk ink tanks, not just little ones). We had a 2008 32 bit server running for a while until we upgraded the printers. That being said, most should be dead by now and not really an issue.

        Perhaps there are other drivers needed for some obscure application. Our Paxton door card software was twitchy under wow64 until that got upgraded (at quite some cost).

    3. Bucky 2
      Trollface

      Re: Lack of 32-bit Server platform

      I feel like this is dodging the issue. You won't upgrade the OS because the software you run on it doesn't run in a modern OS?

      That sucks, of course, but it sounds like a reason to start making plans to migrate away from the dead product--not clutch all the dearer to it. Otherwise you run the risk of seeming like a person shaking his fist at the horseless carriages because they scare the horses.

  4. Tezfair

    Not as urgent as an issue as MS would like

    I have customers with 2003 boxes. They are aware of the lack of support, but as these are under stairs, cupboards etc and never accessed other than to reboot, where is the risk? It's not like anyone browses from them, and in most cases they have no port forwarding to them as they are simple file servers.

    1. Tom Chiverton 1

      Re: Not as urgent as an issue as MS would like

      Because they are one hop from your sales team's Outlook to root on your AD domain. Game over man, game over.

    2. Anonymous Coward

      Re: Not as urgent as an issue as MS would like

      This. The lack of urgency is just that; total apathy to upgrade. The PM attitude is: "Most business boxes are not externally facing. They do not need the constant security arms-race upgrading. They do their job, and they work. And unless there's a damned good reason to break something that just works, you don't do it because there's a penalty. Nobody wants overhead (testing, regression, pilot) and all the hassles unless you tack on a separate project for new functionality, and there's rarely any internal project worth doing a system upheaval over." That's why the Code Red virus years ago was such a big deal, it hit us inside the firewall. But we didn't learn from that, we just treated it as an isolated incident, and hey, at least now we have whole-machine backups in our shiny virtual environments. If the quake hits, we can roll back to yesterday, etc. I don't like it, but I find it hard to come up with the business case at the same time.

    3. Anonymous Coward

      Re: Not as urgent as an issue as MS would like

      Yes, but if it is, for example, my accountant/lawyer/etc. file server, I would not sleep well, especially since it's the typical situation where other machines are not properly managed...

  5. handle-wtf?

    puzzling

    But how did these poor businesses get there with hands full of windows 2003 if they have no money to upgrade or even pay salaries?

  6. Tom 13

    There is no money in a software house rewriting the software on spec

    Transparent bollocks. If the server is going away and you're in the industry and no one else rewrites the software while you do, you move first and kill their markets. Yes, you might need some vc capital to do so, but that's totally doable.

  7. Porco Rosso

    No Windows Small Business Server 2012

    but maybe like us .. the cost to go from Windows Small Business Server 2003 premium to server 2012 + full exchange + full sql-server + full sharepoint is a little too expensive for a small company ... ( 5 to 15 man strong )

    and No not every small company wants to go to the trap-cloud solution of Microsoft ...

    We were lucky to be migrated to smb 2011 but we don't know where to go from there in the future ...

    1. Sandtitz Silver badge

      Re: No Windows Small Business Server 2012

      >the cost to go from Windows Small Business Server 2003 premium to server 2012 + full exchange + full sql-server + full sharepoint is a little too expensive for a small company ... ( 5 to 15 man strong )

      I'd like to point out that the expertise to administer Exchange 2003 is trivial compared to any later versions. Exchange 2003 was practically point'n'click to set up and maintain whereas these days it's pretty much all command-line. An SMB with 5-to-15 people usually doesn't have Exchange/Sharepoint gurus and since those components are usually facing the internet you should be extra sure that they're safely configured and maintained.

      >and No not every small company want to go to the trap-cloud solution of Microsoft

      What do you mean with 'trap'?

      You're free to cancel your O365 subscription and point your MX records elsewhere. Several ISPs and other shops are selling O365 -like packages with the data residing in the same country if that's to your liking.

      The basic Office 365 package (sans Office applications) costs $5 per user per month. So for $75 you'll get 15 x 50GB mail boxes in an Exchange that's always maintained and clustered. Do the maths - how much does Exchange + licenses + hardware + installation + running costs (energy and manpower) cost vs. the solution MS is peddling? It'll take years to break even.

      It is very unlikely that the 15 man company has a BOFH of their own. And if the BOFH is outsourced - a single hour of his time per month will have cost the same or more than that 75 bucks.

      There are good use cases for having Exchange in-house - enough users and a good admin, or as was the case with SBS2003 which was reasonably simple and at the time your other options were to buy small POP3/IMAP boxes from your ISP or somesuch, with encryption and SMTP auth costing extra.

    2. Roland6 Silver badge

      Re: No Windows Small Business Server 2012

      >We were lucky to be migrated to smb 2011 but we don't know where to go from there in the future ...

      Well, I would agree there are BIG issues in the sub 75 user business space with migrating from SBS to some fancy 2012R2 virtual server configuration. Fundamentally, all those small MS partners who delivered SBS generally don't have either the background or employees with relevant MS training to actually deploy a Server 2012R2 configuration, because even though it is a relatively simple configuration, it needs an understanding of enterprise computing principles...

      Personally, I'm keeping an eye on the Zentyal Server project, which is firmly targeting the SBS market. However, the big challenge is finding local IT shops that are prepared to support it and are sufficiently skilled in Linux to actually do so. It seems many are wedded to MS without realising MS no longer cares for the SME sector and hence their business model...

  8. DougMac

    early ASP vastly different now

    The main 2003 boxes we still run are because customers can't/won't upgrade their ancient ASP websites that depend on things that either no longer exist, or can't run on newer OS's.

    They already know they are being cast to the wind to be hacked/folded and mutilated when 2003 comes end-of-maintenance, but many choose not to care.

    Perhaps if Microsoft made an actual upgrade path instead of just putting the latest shiny out, and expect all their developers to jump to the new shiny and recode everything in the process, things could have been migrated and workable. But Microsoft has no care or desire to admit to past mistakes, it just gets swept under the carpet and leaves behind a certain set of apps/users that don't retool every two years per Microsoft's schedule.

  9. Anonymous Coward

    Auditors

    Want to know why banks and other regulated industries get away with this crap (running unsupported systems)? The auditors let them.

    Our main LOB SaaS app is provided by a large, publicly-traded $B company. They still have network-connected desktops running XP. Never mind they won't make the July retirement date for Server 2003. They are running major trade execution apps on MetaFrame. Yes, MetaFrame. Totally unsupported now for going on 18 months.

    So you ask, how the hell do they get away with it? Easy. All they have to do is claim they have "mitigations" in place. And when I ask what those mitigations are that allow them to sleep at night? IDS. Seriously, that's the answer. So at least they'll know when they've been pwned. Maybe.

    Blame it on the auditors. They allow this kind of crap to happen because if they piss off $B business too much, they won't be doing any more audits. Everyone nods and winks, and we'll pretend to be surprised when they get taken down.

  10. Rich 11

    Health care systems in non-dystopian nations are government funded. There's no excuse for these organisations to be behind.

    Unless successive governments are run by cretins insisting that some special financial rule they've inflicted on themselves is adhered to, getting the service deeper into debt, or sociopaths obsessed with running down a service so that they can create an excuse to flog it off to their mates and funnel public money into private, offshore, hands.

    1. Anonymous Coward

      In other news...

      http://www.channelregister.co.uk/2015/06/16/nhs_pays_9x_trade_price_commodity_it_gear/

      And then they lack the money to upgrade critical systems... although many medical systems have the same issue of applications not working on newer OS (often just because badly coded at the OS level), and/or missing drivers to access the hardware.

  11. Daz555

    My business has about 17,000 of them - can someone lend me £500m to migrate them?

    1. Anonymous Coward

      If your business has 17k and no one thought that you should put aside a bit of budget for the upgrade then you deserve everything you get.

  12. Uncle Slacky Silver badge
    Windows

    Will the POSReady hack work on it?

    Asking for a friend...

    1. Sandtitz Silver badge

      Re: Will the POSReady hack work on it?

      Unlikely but you probably won't break anything by trying it...

      POSReady was based on 32-bit XP so that'll immediately rule out 64-bit 2003 servers. Server 2003 also has extra components so obviously you wouldn't get updates to DNS and such. IIS version in 2003 is v6.0; IIS for XP was v5.1. SBS servers wouldn't get updates for Exchange and other SBS components.

  13. Anonymous Coward

    OS upgrades should be backwards compatible

    "In some cases this problem is self-imposed. In others it is the result of events beyond our control."

    It's primarily a problem foisted on us by vendors who have a strong vested interest in forcing change = new licenses = lots more revenue. And if there's any collateral damage, they can shirk any blame.

    Thinking of the next upgrade already? That's how the industry makes its money, by continually performing upgrades which deliver minimal benefits to customers or users.

    1. Anonymous Coward

      Re: OS upgrades should be backwards compatible

      Playing devil's advocate...

      Surely free patches for the lifetime of the newer version of the OS provides a reason for upgrading?

    2. Anonymous Coward

      Re: OS upgrades should be backwards compatible

      Windows does a lot to be backward compatible, but sometimes it's impossible, especially when compatibility means less security, or forces it to keep on with really outdated designs/implementations, and hinders needed improvements.

      Often, incompatibilities are application faults, almost all code written correctly for Windows 2000 (but drivers) would work without issues in 2012, but too many developers back then took 'shortcuts' assuming the 'Win 3.1' model would never be changed. Unluckily for them, the rise of security threats forced Windows to be much less 'liberal'.

  14. chivo243 Silver badge

    in our case

    The upgrade was forced by a financial software vendor, they dropped support for W2k3 and Sql2005. Was a surprise when we heard it during a support call to them a while back.... Turns out the vendor's support group was sending news of this change to another department.

  15. Gis Bun

    Many government or organizations require a currently supported OS. These include SOX and PCIDSS.

    Part of the blame can be put on management of a company. They know the life of the OS is generally 10 years. By year 7 [or before] they should be planning a migration and by the time year 10 begins they should be on the way to finishing the migration.

  16. Daniel von Asmuth
    Windows

    Support? What support?

    The author assumes that Windows 2012 users receive support from Microsoft, but perhaps the difference between supported and unsupported Windows is too small to matter.

  17. Anonymous Coward

    "There is no way we can trust ... not be compromised"

    While the author is correct there's no way we can trust Windows 2003 not to be compromised, the same is true for Windows 2012. Getting regular security patches from Microsoft only protects against holes they discover, not against holes someone else discovers first.

    Proper server/network admin practices can cover for a lot of sins, but if you think of ways that you can better protect those Windows 2003 servers, why wouldn't you do the same for newer Windows and Linux/Unix servers? Security problems are a fact of life, the only difference between obsolete servers and servers still under support is the length of time you'll be vulnerable to an exploit that is found tomorrow.

    The problem is, there are always multiple exploits against fully patched servers out in the wild at any given moment. Every Windows 2012 server is vulnerable to exploits someone knows about right now, you just won't find out until details are made public or a patch appears on a future Tuesday. By the time the current set of exploits are fixed, new ones will have been discovered. The only difference with Windows 2003 when it goes out of support will be your discomfort in knowing there is no fix forthcoming for problems you are informed about - that's why there's a saying "ignorance is bliss."

    1. Anonymous Coward

      Re: "There is no way we can trust ... not be compromised"

      Just, zero days are very valuable and often not used for large scale attacks. While known vulnerabilities are available in any 'hack it yourself' kit. Data shows that a lot of successful attacks are not performed using 'unknown' zero-day vulnerabilities, but through older, known ones against unpatched systems. Once they allow a foothold into a network, enough privileges could be gained to compromise even fully patched systems, no vulnerability needed.

      Moreover vulnerabilities are not discovered by black hat guys only, many are the outcome of legitimate research, and get patched before disclosure. But once published, without a fix, they are a big risk.

      Sure, patching a system is only one layer of protection, and other layers are needed. Just, as Trevor wrote, no longer supported systems may need some special 'heavy' layers methods that could be unfeasible for each and every system.

  18. Bucky 2

    "ignorance is bliss"

    Thomas Gray was thinking fondly of his childhood, and the corresponding lack of adult responsibilities.

    So you're saying the update cycle is like a parental security safety net that allows you to remain blissfully ignorant of the vagaries of actual server security.

    Okay, I see what you're doing there. I can't say I disagree completely, but I'd still rather have the net than not.

    1. Anonymous Coward

      Re: "ignorance is bliss"

      Not saying you shouldn't have it, but too many people are freaking out over the loss of Windows 2003 support because they think it makes a much larger difference in the exposure level of 2003 and 2008/2012 servers than it really does. When I hear talk about putting 2003 servers behind stricter firewalls I have to wonder - why aren't the rest of their servers behind those stricter firewalls as well?

  19. Trixr

    Managers who are too chickensh*t to lay down the law with lazy application owners. There is plenty of money in this organisation, but no will.

    We have no 16-bit LOB apps, we have a handful of dumb ASP apps that could easily be re-written, and the rest are COTS products that could and should be upgraded. It's not like we haven't been sounding increasingly-strident warning bells over the last year.

    1. Pascal Monett Silver badge

      Don't worry. When you do get pwned, it'll be all your fault anyway.

      On the other hand, it may just provide a bit of entertainment to see the managers' headless chicken rush to CYA.

  20. MissingSecurity
    Linux

    Linux?

    Why is this never considered for small business? I understand some legacy applications, LOB applications may require windows, but I am of a firm mind set that if you're a Sysadmin that works in the SMB (at any level really) space and your knowledge is not (at least somewhat) agnostic for OS platforms, you're holding your company back.

    Hell if you're going to be losing MS "Support" and you just don't want to upgrade due to costs, your FS/FTP/Web Server could all be running on a modern 'nix box (for free if you didn't want the support).

    1. This post has been deleted by its author

    2. Roland6 Silver badge

      Re: Linux?

      >Why is this never considered for small business?

      Because it is a non-starter! Believe it or not many people running SMB's haven't heard of Linux, but they have heard of Microsoft and Apple.

      Also small businesses don't actually want Windows Server or Linux but the stuff that typically goes on the server, namely email, file sharing, time management, accounting etc. etc. that enables them to run their business.

      So having a solid set of business applications the actual platform becomes significantly less important. Remember SMB's don't have the time or money to 'play' with IT, they want it to largely work straight out-of-the-box and to carry on working with minimal effort on their part.

      Hence why astute offerings such as Microsoft's SBS Server (Windows platform) were appropriate. The challenge Zentyal server, an open sourced SBS server alternative/replacement, faces is increasing its market presence, so that choosing it feels more like choosing between a Ford and a GM/Vauxhall, rather than between a Ford and a vehicle from some new name South East Asian startup - remember Hyundai were among the first to offer 5 year warranties etc. because of this problem.

  21. W. Anderson

    Some common sense and investigation to prevent no options

    It is understandable that one of the most practical and critical considerations in upgrading from Windows 2003 based solutions - to where? - is determined by horizontal and most times vertical or industry specific applications that are either not available on Windows 2012 64bit or other operating System (OS).

    There should be no sympathy however for those Windows 2003 users who did not understand clearly some time ago that the OS is 32bit only, rife for hacker intrusions with weak security mechanisms and restricts them completely to Microsoft Windows ecosystem only.

    Most, if not all should have more thoroughly researched alternative but equal quality and value applications (they do exist in many if not most cases!) that are OS "platform agnostic", so that the viability of switching to a GNU/linux version, for example, would not require significant hardware systems upgrade, and inter-operating with the entire Microsoft and Windows ecosystem is left in place.

    Virtualization of Windows 32bit software under Linux KVM, Xen or free! vSphere - "included" in CentOS 64bit business configurations serves just as efficiently as native windows 32Bit.

    The cost of upgrading under this scenario is generally a fraction - as great as 1/4 of total costs, including support services, of staying with costly Microsoft Windows lock-in.

    Hopefully many of these Microsoft bling users will learn lessons of sensible modern day technology use, especially in business - "vendor lock-in is a catastrophic dead-end", particularly to a technology base that has proven inferior to most of the Free/Open Source Software (FOSS) world class solutions today that provide multiple services and support providers of same or better quality and with greater expertise than dominant behemoths of yester-year.

  22. Anonymous Coward

    I'm not sure I'd be comfortable with my bank secretly running a bunch of Windows NT boxes

    I can name that bank in 3 letters!
