Time has nearly run out for Windows Server 2003. Barring an unlikely reprieve, Microsoft will pull support on July 14, meaning that the steady stream of security updates and bug fixes customers had grown accustomed to for 12 years will dry up.
Twelve years may seem like more than enough time to move on, particularly in a rapidly-shifting IT landscape. However, businesses typically don’t replace critical servers and infrastructure with the regularity that consumers upgrade to the newest Apple iPhone or Samsung Galaxy S smartphone. In Windows Server 2003’s case though, the time has come.
For this story, eWEEK spoke with some IT experts about the effect the impending support suspension will have on IT organizations that haven’t upgraded their servers by now. Generally, they agreed that in the weeks leading up to July 14, many will have to make some major decisions about the future of their server environments.
Organizations have stuck with their Windows Server 2003 servers after two new versions (Windows Server 2008 and 2012) not only because the older operating system works, but because it keeps critical applications running. “If it’s not broken, don’t fix it,” is the type of mentality that governs most IT departments, said James Conrad, a computer security specialist with IT training firm CBT Nuggets.
“If not for the fact that there are a lot of problems staying on Windows Server 2003,” most organizations would keep the operating system (OS) running indefinitely, suspects Conrad.
That helps explain why so many vintage servers are still in use.
Last July, Microsoft estimated that organizations were on track to upgrade 15 million physical servers in the twelve months leading up to the support cutoff. Transitioning their workloads is costing companies billions of dollars.
A recent survey from Spiceworks revealed that companies are allocating $60,000 for migration-related expenses on average, amounting to a total of $100 billion across the board. The same study revealed that a majority of organizations had at least begun their migrations or were well on their way. That’s the good news, because after July 14, 2015, holdouts face a risky future.
When it comes to security, Windows Server 2003 is no Fort Knox, according to Conrad. In fact, he routinely makes an example of the OS by using it as the target of the ethical hacking courses he teaches.
Generally, Microsoft eventually gets around to fixing glaring vulnerabilities, but this time, when Microsoft stops issuing patches, hackers aren’t the only cause for concern. On July 14, Windows Server 2003 customers will cease getting definition updates for System Center Endpoint Protection and Forefront Endpoint Protection. In effect, they’re on their own in terms of keeping malware and other malicious code from infiltrating their systems.
Conrad also makes the case for a wholesale upgrade to newer versions of the OS. Just one 2003 server is “definitely the weak link” in corporate data centers and can be used as a stepping stone to other network resources, enabling hackers “to take ownership of them.”
However, some customers can get away with biding their time, he admits. Custom or specialized implementations, like one used in manufacturing, “might be fine if it’s not connected to the Internet,” he said. “Security risks are dramatically minimized” on standalone systems.
Managing Windows Server 2003 Migration Risks, Reaping Rewards
For network-connected servers, however, time’s up on July 14. “I recommend disconnecting it from any network.”
An IT Inflection Point
Though overworked IT personnel may feel differently, there’s a silver lining to migrating away from the aging OS. David Brisbois, senior manager of assessment and technology deployment services at Softchoice, an IT consultancy and services provider, said organizations running Windows Server 2003 are on the “verge of a new world.”
Now that the choice of staying on Windows Server 2003 is essentially being taken away from organizations—upgrade or risk slipping into non-compliance—businesses have an opportunity to not only modernize their server environments, but capitalize on 12 years of operating system advances that have helped lower IT costs and enabled companies to respond to market shifts in a more agile manner.
Whereas the Windows Server upgrade path has been fairly straightforward in the past, today businesses have options. Brisbois argues that IT departments must now weigh whether it’s “time to move these workloads to the cloud; upgrade [their] hardware and apps; or if it’s time to do more virtualization.” They can also carry out any combination of the three.
One obvious alternative is to upgrade to Windows Server 2012, Microsoft’s virtualization-friendly, cloud-enabled OS. Not so fast, suggests Brisbois’ colleague, Tim McKellips, practice manager at Softchoice.
For the first half of 2014, Softchoice discovered that out of 72,000 customer servers, nearly a third (32 percent) were still running Windows Server 2003. The majority, 63 percent, were running Server 2008 while a mere 4 percent had made the jump to Server 2012.
The disparity, said McKellips, is due to the availability of mission critical apps. “The third-party ISV community was slower to adopt newer OSes.” Hence, the move from Server 2003 to 2008 “allowed for some complacency,” he said.
The situation has improved, due in no small part to the work Microsoft has put into Windows Server 2012 and the company’s ISV outreach. “They lived up to their commitments; produced a superior server product and improved the quality of the server,” McKellips said.
Get a Move On
There’s no time to waste, regardless of the path IT managers take, according to Sergio Galindo, general manager of GFI, a software and services provider for small and midsized businesses (SMBs). He suggests that IT organizations “start by inventorying what they have on their server.” Critical applications aside—databases, Web servers, email and the like—“people should also inventory the stuff they don’t need,” he said.
Galindo is a big proponent of archiving old and unused data and starting with a clean slate. “Treat it like you’re moving to a new house, toss that old fridge and clothes that don’t fit.” In fact, archive everything, he recommended.
“Archive your environment; take an image of your current machines as-is,” he said. If a mishap occurs during the migration, it’s a relatively trivial matter to fall back to a previous setup until the issue is resolved. “Start from a known good place and keep it in a safe place.”
In terms of hardware, just bite the bullet.
Organizations, SMBs in particular, may initially balk at the cost of the latest server hardware. But it’s an investment worth making, said Galindo. “The beauty of technology over the last couple of years is that it’s gotten reliable,” he said. Servers today are “as reliable as refrigerators,” he said.
From modernizing data centers to preventing compliance meltdowns, there is no shortage of reasons for businesses to upgrade their server OS installations. For now, the most pressing concern is that support for Windows Server 2003 will soon come to an end and Microsoft, aggressively pursuing a cloud-focused approach to IT, appears unlikely to extend the deadline for customers that are clinging to the past.