Writing on the eve of Windows Server 2003 reaching its end of life, it is fair to say that is has been well communicated and every Enterprise IT team will be aware and have assessed the risk.
In our introduction post we stated that this is some of the most challenging and interesting work in Enterprise IT - as there is the need both to deconstruct and build, decomission legacy systems and work with many stakeholders across the business.
Over time there is the risk Windows Servers may become subject to malware as Microsoft will no longer provide security updates to this server platform. These servers may become the stepping-stone to the rest of your infrastructure.
From the Malware developer's perspective Windows Server 2003 EOL could be their most significant opportunity this year. The lack of security updates over a period of time combined with the millions of copies of Windows still running within business make it a prime target for Malware development shops.
Why move from Windows Server 2003?
According to Gartner and HP there are more than 23 million copies of Microsoft Server 2003 running on more than 11 million physical servers. If a new security vulnerability is discovered Microsoft is not committed to produce a fix nor is it obliged to assist customers that encounter problems in operation. Using Windows Server 2003 after July 14, 2015 may expose a business to risks such as:
End of Security Updates37 critical updates were released in 2013 for Windows Server 2003/R2 under Extended Support. No updates will be developed or released after end of support.
Virtual Servers are just as vulnerableBoth virtualized and physical instances of Windows Server 2003 are vulnerable and would not pass a compliance audit. Many applications (including those from Microsoft) will also cease to be supported once the operating system they are running on is unsupported.
Lack of compliance with various standards and regulations can have serious consequences. This may include non-compliance with key regulatory and industry standards, or having to pay high penalties and transaction fees.
An opportunity to simplify the estate and management
Windows Server 2003 End of Life is an opportunity to consolidate the infrastructure, remove old hardware and standardised towards a newer Operating System. Removing Windows Server 2003 may also allow the removal of associate legacy management systems.
Eliminate uneccessary services
Windows Server 2003 elimination projects often discover servers that have been running for many years that simply have not been decommissioned due to tight integration with other systems. In order to see some ROI it may be prudent the organisation works with both business and IT stakeholders to identify applications and services that are no longer in use.
Available routes for Windows Server 2003 workloads
It is essential to have a detailed and up to date inventory of the servers, applications and line of business workloads and how they interact with the other servers within your IT environment. By having up-to-date and relevant information to hand it will be possible to develop the business case and rationalisation plans.
Businesses have the many paths to take:
1. Re-utilise existing Windows Server FarmsMapping existing services to existing servers might be a cost-effective way to eliminate risks and reduce costs. For instance moving a service from Windows Server 2003 machine to an existing Windows File Cluster on Windows Server 2008/2012 may allow the project team to migrate with minimal disruption.
2. In-place upgrades to Windows Server 2008
On the surface this may be seen as the easiest of all options but it will depend on the applications being transferred and some rigorous testing. Therefore virtualising the existing 2003 server (if not already done) and upgrading that instance may help identify and resolve issues during the migration. But please note upgrading in-place can be time consuming as a in-place upgrade can produce unique issues specific to the server configuration and its application - i.e. it may just be quicker to move to a "clean" platform.
3. Migrate to Windows 2012 R2If the server workload is 64-bit or the dependent application has been assessed to be "complex" it can often work out a more manageable and dependable route to build a new Windows Server platform and migrate the application across. Regardless of whether the workload is Commercial Off the Shelf (COTS) or a bespoke Line of Business application there will be an mandatory research and testing phase before this solution can be confirmed as the appropriate one for the specific workload.
4. Migrate Windows 2003 workloads to the public cloudDependent on the workload that is being migrated it may work out more cost effective and strategic to move it to a public cloud service such as Microsoft Office 365 and or SharePoint online. Moving to these services can provide agility and new features at a quicker rate than on-premise solutions.
5. Stay on Windows 2003 for now
"Doing nothing" may expose your business-critical applications will become susceptible to targeted attacks and consequent data theft. Therefore it is important to understand the risks of not migrating whilst also mapping it across your IT enterprise.
A Malware Developer's Dream
Considering all of the above it seems obvious that some malware developers may see the lack of support for Windows Server 2003 as an good opportunity to try to attack servers that are not behind the corporate firewall. This is pure speculation but time will tell. What we do know is that the projects are complex, needng pepole with a wide knowledge of infrastructure technology and the ability to drive the work forwards whilst working with all effected stakeholders.
In the meantime it would be good to understand your point of view regarding the need to migrate from Windows Server 2003.