Time has nearly run out for Windows Server 2003. Barring an unlikely reprieve, Microsoft will pull support on July 14, meaning that the steady stream of security updates and bug fixes customers had grown accustomed to for 12 years will dry up.
Twelve years may seem like more than enough time to move on, particularly in a rapidly shifting IT landscape. However, businesses typically don't replace critical servers and infrastructure with the regularity that consumers upgrade to the newest Apple iPhone or Samsung Galaxy S smartphone. In Windows Server 2003's case, though, the time has come.
For this story, eWEEK spoke with some IT experts about the effect the impending support suspension will have on IT organizations that haven't upgraded their servers by now. Generally, they agreed that in the weeks leading up to July 14, many will have to make some major decisions about the future of their server environments.
Organizations have stuck with their Windows Server 2003 servers after two new versions (Windows Server 2008 and 2012) not only because the older operating system works, but because it keeps critical applications running. "If it's not broken, don't fix it," is the type of mentality that governs most IT departments, said James Conrad, a computer security specialist with IT training firm CBT Nuggets.
"If not for the fact that there are a lot of problems staying on Windows Server 2003," most organizations would keep the operating system (OS) running indefinitely, suspects Conrad.
That helps explain why so many vintage servers are still in use.
Last July, Microsoft estimated that organizations were on track to upgrade 15 million physical servers in the twelve months leading up to the support cutoff. Transitioning their workloads is costing companies billions of dollars.
A recent survey from Spiceworks revealed that companies are allocating $60,000 for migration-related expenses on average, amounting to a total of $100 billion across the board. The same study revealed that a majority of organizations had at least begun their migrations or were well on their way. That's the good news, because after July 14, 2015, holdouts face a risky future.
When it comes to security, Windows Server 2003 is no Fort Knox, according to Conrad. In fact, he routinely makes an example of the OS by using it as the target in the ethical hacking courses he teaches.
Generally, Microsoft eventually gets around to fixing glaring vulnerabilities, but this time, when Microsoft stops issuing patches, hackers aren't the only cause for concern. On July 14, Windows Server 2003 customers will cease getting definition updates for System Center Endpoint Protection and Forefront Endpoint Protection. In effect, they're on their own in terms of keeping malware and other malicious code from infiltrating their systems.
Conrad also makes the case for a wholesale upgrade to newer versions of the OS. Just one 2003 server is "definitely the weak link" in corporate data centers and can be used as a stepping stone to other network resources, enabling hackers "to take ownership of them."
However, some customers can get away with biding their time, he admits. Custom or specialized implementations, like one used in manufacturing, "might be fine if it's not connected to the Internet," he said. "Security risks are dramatically minimized" on standalone systems.