It is over 12 months since Microsoft officially stopped providing any support for Windows Server 2003. Its End Of Life (EOL) was the 14th July 2015. Of course, there are many companies who still pay US$600 per server to Microsoft per year to keep their environment protected and some, namely government departments, are paying millions per year for this facility. However, for many companies, probably a scary number, they have simply left the 2003 servers running unprotected and evermore vulnerable.
Statistically in July 2014 there were approximately 65% of all organisations in the Asia Pacific Region running Windows Server 2003. In the 12 months leading up to the 14th July 2015 EOL deadline that percentage reduced to 60%. In the 12 months since the deadline anonymous, aggregate technology usage data provided by Spiceworks users in Asia shows that a little more than 50% of organizations still have at least one instance of Windows Server 2003 running in their environment.
This is quite a staggering statistic when you consider that more than 1 out of every 2 companies in Asia is still running at least ONE copy of Microsoft Server 2003, more than a year after Microsoft stopped supporting it or patching any vulnerabilities.
In the first half of 2015 there were 36 CVE’s issued identifying confirmed vulnerabilities for Microsoft Server 2003 and since the EOL any new vulnerabilities are no longer documented for unsupported softwares. One could extrapolate this for the last 18 months and deduce that there could be as many as 100+ unidentified vulnerabilities that have not been patched for Server 2003.
Running software that is unsupported by the vendor not only puts an organization at risk from a cyber security perspective but it also opens the company up to a multitude of potential regulatory compliance issues. Compliance frameworks such as PCI-DSS, SOX, HIPAA, and GLBA do not identify specific platforms for compliance issues but instead write their guidelines in such a way that inferred compliance would not be possible should the organization be running unsupported software. Most frameworks require you to ensure your systems are patched against the latest threats, therefore any software where the vendor no longer provides patches it would be very hard to justify compliance in this case.
For companies that handle personal data, every country has a privacy data ordinance. Most ordinances state that the company should take all reasonable efforts to ensure the security of the data stored and again a system running Server 2003 even if it is not the server storing the personal data could be used as a gateway to access the private data. The consequences of this vary from country to country and from fines to jail time.
Some companies will argue that the server running Server 2003 operating system is not connected to the internet and is therefore not at risk. Whilst technically correct this will impact a network environment. If that Server 2003 machine happens to be a Domain Controller then it will keep the Active Directory schema of that entire network on an older, less secure model ultimately meaning the network can still be at risk. It should also be noted that even if this is not the case, the hardware aspect would still pose a threat would also be old and at some point fail and it may not be possible to get legacy hardware.
There are in total 8 versions of Server 2003 covered by this article, namely:-
– Microsoft Windows Server 2003 R2 Datacenter Edition (32-Bit x86)
– Microsoft Windows Server 2003 R2 Datacenter Edition with Service Pack 2
– Microsoft Windows Server 2003 R2 Datacenter x64 Edition
– Microsoft Windows Server 2003 R2 Datacenter x64 Edition with Service Pack 2
– Microsoft Windows Server 2003 R2 Enterprise Edition (32-Bit x86)
– Microsoft Windows Server 2003 R2 Enterprise x64 Edition
– Microsoft Windows Server 2003 R2 Standard Edition (32-bit x86)
– Microsoft Windows Server 2003 R2 Standard x64 Edition
To put things into perspective most of the versions above came into existence in March 2006 so are now over 10 years old. Realistically any corporate user would not want to be running any desktop or mobile software that was 10 years old because they know it would be redundant by now. The same logic applies here in that a server operating system that is 10 years old is also obsolete and should be replaced whatever the cost.
If your organization has any Microsoft Server 2003 instances still running or even is unsure whether there are please contact FunctionEight Limited and allow us to resolve this serious security risk in your organisations.
Stop running FRAILware now before its too late.