Windows Server 2003 (WS2003) was first released in, surprise, 2003. It replaced Windows Server 2000. Microsoft has released several derivatives including Windows Compute Cluster Server 2003, Windows Storage Server 2003, Windows Small Business Server 2003, Windows Home Server, and Windows Server 2003 for Embedded Systems.
WS2003 mainstream support ended in July 2010. On July 14, 2015, Microsoft will officially end extended support for WS2003. Microsoft will not release any updates, including security updates or patches, after this date. At that point you can pay Microsoft for security fixes for WS2003, but it is very expensive and not delivered promptly. Most antivirus solutions will not be supported on WS2003 after 7/14/2015 meaning that there will be no signature updates for new vulnerabilities. Considering the rate at which new malware opportunities are discovered in all flavors of Windows platforms, any WS2003 systems you have in production will quickly become vulnerable. As one data point, there were 37 critical updates for WS2003 in 2013, 10 years after the product’s release. WS2003 will not pass any further security or compliance audits. Expect stiffer fines and other penalties if you experience a data breach where a WS2003 system is part of the application environment.
This should not be a surprise. Microsoft has published its support policy and product end of life chart on its web site for over ten years. There are a lot of servers still running WS2003 out there. A Microsoft survey in January 2014 showed about 22 million WS2003 systems in use. A large number of those are in small and medium sized businesses. Many of these SMB companies do not have large IT staffs or budget to make any kind of a migration. There are probably at least 10 million WS2003 systems still in use today. Even many Fortune 500 companies are still dependent on WS2003, and most will not have migrated by the deadline, especially as it seems to take about six months to make the migration off WS2003.
Microsoft introduced Windows Server 2008 in 2008 as the successor product to WS2003. However, Windows Server 2008 is not the best destination for your WS2003 systems. Microsoft will end mainstream support for Windows Server 2008 on the same day that it ends all support for Windows Server 2003, July 14, 2015, while extended support ends in January 2020. If you need to move off Windows Server 2003 in any of its flavors, you are better served to jump to Windows Server 12. Windows Server 12 was generally available in September 2012 and released R2 in October 2013. Mainstream support for Windows Server 12 is scheduled to run until January 2018.
Microsoft provides assistance. Perhaps as an indication of their sense of urgency, the first thing you see on that Microsoft page is a count down clock telling you, down to the second, how long you have. Microsoft is, not surprisingly, pushing migration of your WS2003 servers to the cloud powered by Microsoft Azure. In some cases, that may make sense, but only if you want to make a significant change in your operations and procedures. Moving to the Cloud should be a business decision, not a technology decision. Like a lot of things involving cloud computing, the end point is often a better place to be, but getting there under a deadline can be risky. You should at least look at the material Microsoft provides to help in discovering which of your applications and workloads are running on WS2003, assess those applications and workloads by type, importance, and complexity, and choose a migration destination for each. For some of those workloads and applications, moving them to the Cloud may be the easier and less risky solution.
Your IT department probably has some good reasons for not migrating:
- Your current server hardware may not support Windows Server 12.
- Some of your mission-critical applications may not be supported on Windows Server 12.
- You do not have sufficient financial or IT resources to make the migration while simultaneously keeping your IT environment running.
- Unfamiliarity with Windows Server 2012.
The second may be the most serious, and may take the longest to fix. In the worst case, you may need to migrate to a different application.
In the meantime you may be able to mitigate some of the risk by restricting access to your WS2003 servers. Products like the Unisys Stealth Solution may help. It can completely isolate your WS2003 systems from the outside world, allowing communication only from the specific systems and users you permit. Since the protection is based on user identity, not specific network location or device identity, the rights of an individual change automatically when their role changes. As Unisys says, “You can’t hack what you can’t see.”
If you do not have the resources, get help. There are many companies out there with experience in migrating off WS2003. You do not have to go it alone.
The last word:
Windows Server 2003 is potentially as serious a security problem as Windows XP. Hopefully you are well past getting rid of that OS from your entire IT environment as have all of your business partners who share any proprietary, financial or customer protected data.
If you are running Windows Server 2008 you should start planning to move them to Windows server 12.
The keys to a successful operating system migration are planning and testing. These exercises can feel like a huge drain on your resources, and each migration can itself cause new problems. But you have to do it; you cannot afford to be vulnerable.
Keep your sense of humor.