Windows Server 2003 – Still alive, but not well
August 11, 2017
By: Isaac Guevara, ICS Network Design Associate, Grantek Systems Integration
On July 14, 2015 Microsoft officially ended support (reached “End of Life”, or EOL) for Windows Server 2003. This was called the “biggest security threat of 2015” (Jamie Hinks). Since July 2015, no form of Microsoft support, such as hotfixes, security patches or use of the Microsoft Knowledge Base, has been available for systems running Windows Server 2003. There is also a very good chance that the applications running on these servers are past their own life-cycles and carry security vulnerabilities of their own.
Here are some of the primary concerns that customers face when using the no-longer-supported Windows Server 2003:
• No Updates
• Compliance Risks
• No Support
• Security Risks
• Legacy OS and Application Dependency
No Updates
There are no longer any patches or updates to improve the functionality and performance of the OS.
Compliance Risks
Customers within regulated industries may find themselves out of compliance with regulations or contracts. In some cases, this could result in fines or loss of business with partners (who may also need to protect their own compliance positions).
For example, businesses with Server 2003 machines as part of a cardholder data environment would not be compliant with PCI DSS unless significant compensating controls are implemented, which require manual patching, restricted logical and physical access to the servers, and log files that are carefully reviewed (Steve Robb).
PCI DSS Requirement 6.2 states:
Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release (www.pcisecuritystandards.org)
Businesses with a Server 2003 machine in a cardholder data environment cannot satisfy this requirement directly, because no vendor-supplied patches are released for it, and must rely on the compensating controls described above.
No Support
Microsoft technical support is no longer available for Windows Server 2003 if any issues occur. System outages, loss of data monitoring and controls, loss of line runtime or even product losses could result from an OS bug that cannot be repaired.
Microsoft still offers a paid custom support contract. This incurs hefty monthly costs and is only intended for customers who plan to migrate in the near future but require immediate support for their current state.
Security Risks
No updates means Microsoft will not release security patches. Several vulnerabilities in Server 2003 have already been discovered, including remote code execution. What is remote code execution? Put simply, it is an attacker’s ability to execute any command of the attacker’s choice on a target machine. This is big trouble, especially if the attacker obtains administrative privileges.
One example is CVE-2017-7269, a buffer overflow vulnerability in Microsoft Internet Information Services (IIS) 6.0. It allows attackers to perform remote code execution or cause a denial of service in vulnerable applications. Shodan shows a little over 600,000 publicly accessible IIS 6.0 servers on the Internet, most of which are probably running Windows Server 2003.
Additionally, there is a vulnerability in Windows Server Message Block (SMB), exploited by the ETERNALBLUE exploit, which ransomware uses to spread from one server to another on the network. In recent events, a major cyber attack using the WannaCry ransomware and the unrecoverable NotPetya malware infiltrated major global corporations by leveraging this exact vulnerability. Combined, these two attacks affected roughly 600,000 systems and even lowered revenue expectations for some of the corporations affected. Historically Microsoft has never released patches after EOL; however, due to the dangerous implications of these vulnerabilities, Microsoft released patches on May 13, 2017 for Windows Server 2003 and XP.
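The first step in reducing the exposure described above is knowing which Server 2003 hosts are still on the domain. The following PowerShell is an added example, not code from the original article; it assumes the RSAT ActiveDirectory module and read access to a domain where the legacy servers are joined, and lists the accounts still reporting a Server 2003 operating system so they can be prioritised for migration or isolation.

```powershell
# Added example (not from the original article): inventory Active Directory
# computer accounts that still report Windows Server 2003, so they can be
# prioritised for migration or network isolation.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$eol = Get-Date '2015-07-14'   # Microsoft end-of-support date cited above

# Server 2003 (and 2003 R2) accounts report an OperatingSystemVersion of 5.2 (3790).
$legacy = Get-ADComputer -Filter 'OperatingSystem -like "*Server 2003*"' `
    -Properties OperatingSystem, OperatingSystemVersion, OperatingSystemServicePack, LastLogonDate, IPv4Address

$report = foreach ($c in $legacy) {
    [pscustomobject]@{
        Name          = $c.Name
        OS            = $c.OperatingSystem
        Version       = $c.OperatingSystemVersion
        ServicePack   = $c.OperatingSystemServicePack
        IPv4          = $c.IPv4Address
        LastLogon     = $c.LastLogonDate
        # A recent logon means the box is still in use; a stale one may be an orphaned account.
        ActiveLast90d = ($c.LastLogonDate -gt (Get-Date).AddDays(-90))
        DaysPastEOL   = [int]((Get-Date) - $eol).TotalDays
    }
}

# Most recently active hosts first: these are the ones still carrying production risk.
$report | Sort-Object LastLogon -Descending | Format-Table -AutoSize

# Keep the evidence for the compliance review (constructed output path).
$report | Export-Csv -Path .\server2003-inventory.csv -NoTypeInformation
```

Hosts that are not domain-joined (common for standalone plant-floor servers) will not appear here and need to be inventoried from network scans or asset records instead.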
Legacy OS and Application Dependency
With the continued use of this legacy OS, it is very likely that the applications in use (or the releases of those applications) are either already considered legacy or will shortly reach EOL. This poses application problems similar to the server issues above, such as lack of support resources and unmitigated security risks.
There are also significant improvements added in Server 2008 and onwards that are not realised by remaining on Windows 2003: improved system scaling, better Remote Desktop Services, new server management tools, and other improvements Microsoft has added.
By remaining on a legacy server OS, companies put themselves in a position that does not allow them to compete on the same level as others who have taken advantage of the features of improved and maintained operating systems.
What are the Next Steps…?
While migrations may be time consuming and are often associated with costs and system downtime, the system improvements are often worth it when all considerations have been accounted for, especially when a supported OS means making the business more secure.
Grantek recommends migrating to a current-generation Microsoft OS, either Server 2012 R2 or 2016, as Server 2008 reaches the end of support in 2020 (see Microsoft Support). While Server 2008 end of support is still three years away, the cost savings and risk mitigation associated with migrating to a newer-generation OS will prove worthwhile (and we won’t have to repeat the same exercise in the next couple of years).
Grantek is experienced both in consulting on the next steps and in implementing successful manufacturing server migrations. We have been involved in multi-site migrations, working alongside the client’s enterprise IT to meet their standards and practices. By performing design upgrades for an entirely new server infrastructure and carrying out industrial application migrations, we have helped clients move forward to more secure and higher-performing platforms that keep them competitive in this next-generation manufacturing world.
About the Author:
Isaac Guevara is an ICS Network Design Associate in the Industrial IT/OT & Cyber Security practice at Grantek Systems Integration. Isaac has worked out of Grantek’s Vancouver, BC office for 3 years. With a background in mechatronics systems engineering, Isaac has developed and supported networks for many of Grantek’s industrial and manufacturing clients.