Unless they take action soon, some 3,000 Irish businesses still using Microsoft Windows Server 2003 will face increased security risks this summer, when the company ends all support for the ageing operating system.
Many users should be aware the lifetime of the product is coming to an end, as Microsoft halted mainstream support for the server system more than four years ago, in July 2010. Since that point, support has been limited to system patches and security updates.
However, Microsoft is concerned many businesses are not aware the final cut-off deadline is approaching in July, and may fail to upgrade to a newer server operating system before all support ends and the system is mothballed.
Microsoft believes about 3,000 Irish SMEs are still running Windows Server 2003 on more than 23,000 computers and devices.
"People do need to put a plan in place," says Art Coughlan, Business Group Lead for Cloud and Enterprise at Microsoft Ireland, who notes that the product has had a long life cycle of over a decade. "We're concerned smaller organisations may not be aware of the deadline, or may not even be aware that they are still running Windows Server 2003 on a server somewhere."
Three-quarters of all businesses in Ireland run a Windows server operating system of some type, he says.
Third parties
An added complication is that companies also need to make sure third-party service providers and partners have updated to a newer server application.
If third parties are still on Windows Server 2003, they could place companies at a security risk. Also, compatibility problems might arise if a business has switched to applications designed for a newer system, but the third party is still using the 2003 product.
Servers that continue to use the operating system after the July 14th deadline will be increasingly at risk of security breaches and data loss, as protective updates cease to shield servers from the latest exploits.
This could potentially place organisations in breach of data protection obligations. In addition, the major credit card firms require companies that fail to comply with their security regulations (called PCI DSS) to foot the costs of financial losses to cardholders due to security breaches.
Failure to update from an unsupported server system would expose businesses to such a liability.
Coughlan says many companies outsource their website shopping cart and financial transaction functions to third-party partners, so it is particularly important to ensure those partners are not still on the outdated system.
Larger businesses that work with certified information technology suppliers, or have in-house experts, are likely to be more aware of the issue, says Coughlan, but he warns that it can take more than 200 days for a large company to carry out a proper systems and network assessment and then implement the changes to bring in a replacement system.
Smaller companies should be able to do a changeover more quickly, but still should expect to set aside a period of weeks or months to complete it, he says.
Applications running on Windows Server 2003 are likely to take the longest to change over, but Coughlan notes that most application providers will have a newer product version designed to run on Microsoft’s replacement system, Windows Server 2012.
Companies could choose to continue to use the 2003 product but would encounter costs to introduce extra firewalls and security processes to defend the system, he said.
“One thing that won’t address [the issue] is, you can’t virtualise the server to make it go away,” warns Coughlan. “The vulnerability will still exist.”
Assessment
To address the issue, Coughlan says companies should first do an assessment and determine how many servers they have running Windows Server 2003, and also check with partners.
Companies can use online system checkers on Microsoft’s website to see if they are running Server 2003, if they are unsure.
Next, companies should assess which applications they have running on Windows Server 2003, contact their application service providers, and see if a version is available for Windows Server 2012 (or their server system of choice).
Then, organisations should work out an order of priority for doing a changeover. For example, often-used applications should probably be switched over first, notes Coughlan.
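For the first step, counting the servers, a domain administrator can query Active Directory directly. The script below is an added example, not Microsoft's checker or anything from the article; it assumes the RSAT ActiveDirectory PowerShell module and read access to the domain, and the 90-day stale threshold and the output file name are illustrative choices.

```powershell
# Added example: list Active Directory computer accounts that report
# Windows Server 2003 (including R2) and classify them for follow-up.
# Assumes the RSAT ActiveDirectory module; $StaleDays is an illustrative value.
Import-Module ActiveDirectory

$StaleDays = 90
$cutoff    = (Get-Date).AddDays(-$StaleDays)

$props = 'OperatingSystem', 'OperatingSystemVersion', 'OperatingSystemServicePack',
         'LastLogonDate', 'DNSHostName', 'Description'

# Server 2003 reports OS version 5.2 (build 3790). Match on the product name
# so that other 5.2 systems such as XP x64 are not counted as servers.
$servers = Get-ADComputer -Filter 'OperatingSystem -like "Windows Server*2003*"' -Properties $props |
    Select-Object Name, DNSHostName, OperatingSystem, OperatingSystemVersion,
                  OperatingSystemServicePack, Enabled, LastLogonDate, Description,
                  @{ Name = 'Status'; Expression = {
                        if (-not $_.Enabled)                  { 'Disabled account' }
                        elseif (-not $_.LastLogonDate)        { 'Never logged on' }
                        elseif ($_.LastLogonDate -lt $cutoff) { 'Stale: verify whether decommissioned' }
                        else                                  { 'Active: plan migration' }
                  } }

# Per-host view for the people doing the migration.
$servers | Sort-Object Status, Name |
    Format-Table Name, OperatingSystem, OperatingSystemServicePack, LastLogonDate, Status -AutoSize

# Summary counts, plus a CSV to carry into the application assessment step.
$servers | Group-Object Status | Select-Object Name, Count
$servers | Export-Csv -Path .\ws2003-inventory.csv -NoTypeInformation
```

This only finds domain-joined machines; workgroup servers, appliances and anything hosted by a third party will not appear and have to be checked separately.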
In addition, given advances in information technology since 2003, most businesses will want to consider where they want their applications to “live” – which could include splitting them between a data centre, a cloud provider, or on the company’s own premises.
Coughlan notes that companies may find cost savings in upgrading to new servers from Microsoft partners such as Dell and HP, whose new servers run on a third of the power required in 2003. A server today will also run 20 virtual servers for the same power it took to run a single application in 2003.
“We advise businesses to contact your Microsoft partner, as they have the training and can help with the migration and also help with targeting where your applications will go,” Coughlan says.
Microsoft also has advisory information on its website, at www.microsoft.ie/ws03.