While there comes a time in business to let go of the old and embrace the greener pastures that new technologies offer, what do you do when you are told that there is simply no money left in the budget to do so? With the scheduled end of life for Windows Server 2003 slated for July 14, 2015, many businesses are faced with that reality. According to Microsoft and analysts like Gartner, an estimated two to three million machines will still be running Server 2003 beyond the July 14th EOL date.
While you may be facing budget constraints or the reality that your organization relies heavily on custom apps or legacy business-critical applications that only run on Windows Server 2003, you need to be aware of the risks and what you can do to mitigate them.
Running an unsupported operating system poses some serious security risks that have the potential to affect your entire server network. When that day comes, and Microsoft no longer provides security updates, bug fixes and patches for Windows Server 2003, it will undoubtedly open the doors for hackers and cyber criminals to find and exploit vulnerabilities in these systems. To put this into perspective, according to Microsoft, there were 37 critical updates in 2013 and another 21 updates in 2014 to this operating system. It just goes to show that even after 10 years on the market, it is not without vulnerabilities, and hackers are probably counting down the days.
Windows Server 2003 and HIPAA Compliance
If you are in the healthcare industry, there are additional compliance risks that you have to consider. HIPAA compliance regulations require covered entities to establish proper safeguards with “procedures for guarding against, detecting and reporting malicious software.” When Microsoft stops patching vulnerabilities, stops sending anti-malware definitions, and stops supporting both System Center Endpoint and Forefront Endpoint Protection for Windows Server 2003, it is going to be hard to guard against, detect or even report on malicious software that has infiltrated the unprotected server’s operating system.
The reality is that when day-zero hits, you will no longer receive notifications regarding vulnerabilities that affect your servers. The penalties for violating HIPAA can be very costly, so you need to do everything you can now to reduce the risks and remain compliant.
How to Protect Your Windows Server 2003 Post EOL
While you will need to start planning for the eventual migration to a new platform, there are a few things that you can do now to mitigate some of the risk to your data.
Back Up Your 2003 Servers' Data
Backing up data on servers running Windows Server 2003 is going to become even more important post Server 2003 end of life. As your data becomes more vulnerable, the ability to restore from your backups is essential. Should your server become infected with a virus or your data become corrupt, you want to be able to restore from your backup as quickly as possible to avoid any delays in production.
Some backup software solutions like NovaBACKUP will continue to support Windows Server 2003, at least for the time being. We realize that not all users can afford to move all of their data and applications to a new platform before the July 14th EOL deadline. In addition to frequent file backups, you may also want to consider creating an image backup of these servers. If you are running Microsoft Exchange 2003 or SQL 2000/2005 on the same server, you would continue to be able to back up and restore your complete databases for these applications.
Isolate Your 2003 Servers
To help minimize the risk, only run applications that absolutely have to run on Windows Server 2003 and then isolate these physical servers from the rest of your network. If you can cut these servers off from accessing the internet, do so.
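One way to confirm that the isolation actually holds is to review connection logs for traffic between the 2003 server and anything outside an approved list. The Python below is an added example, not part of the original article; the IP addresses, the allowlist and the sample records are constructed, and it assumes a W3C-style log with a `#Fields:` header, the layout used by the Windows Firewall log (pfirewall.log).

```python
import ipaddress

# Assumed policy (hypothetical values): the legacy server and the only peers
# it is allowed to talk to, e.g. a backup host and one application subnet.
LEGACY_SERVER = ipaddress.ip_address("10.20.0.5")
ALLOWED_PEERS = [ipaddress.ip_network("10.20.0.10/32"),   # backup server
                 ipaddress.ip_network("10.20.1.0/24")]    # application clients

# Constructed sample records in a W3C-style layout with a #Fields header.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2015-07-15 09:12:01 OPEN TCP 10.20.1.44 10.20.0.5 50211 1433 - - - - - - - -
2015-07-15 09:13:40 OPEN TCP 10.20.0.5 203.0.113.80 1045 80 - - - - - - - -
2015-07-15 09:14:02 DROP TCP 10.20.7.19 10.20.0.5 49877 3389 48 S 1034 0 65535 - - -
2015-07-15 09:15:30 OPEN TCP 10.20.0.5 10.20.0.10 1046 445 - - - - - - - -
"""

def parse(log_text):
    """Yield one dict per record, using the #Fields header for column names."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):       # skip truncated records
                yield dict(zip(fields, values))

def peer_allowed(ip):
    return any(ip in net for net in ALLOWED_PEERS)

def isolation_violations(log_text):
    """Return (direction, peer, dst_port, action) for traffic outside the policy."""
    findings = []
    for rec in parse(log_text):
        try:
            src = ipaddress.ip_address(rec["src-ip"])
            dst = ipaddress.ip_address(rec["dst-ip"])
        except ValueError:
            continue                             # unparseable address, ignore record
        if src == LEGACY_SERVER and not peer_allowed(dst):
            findings.append(("outbound", str(dst), rec["dst-port"], rec["action"]))
        elif dst == LEGACY_SERVER and not peer_allowed(src):
            findings.append(("inbound", str(src), rec["dst-port"], rec["action"]))
    return findings
```

An outbound finding with action `OPEN` means the server reached a destination it should not be able to reach, so the isolation rule itself needs fixing; an inbound `DROP` shows the rule working but identifies a host worth investigating.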
Limit Access to Your 2003 Servers
Lock down and limit access to all of your physical servers that are running Windows 2003 Server. This should be high on your list of priorities. Check user access to ensure that it is limited to only those individuals that absolutely need access to these servers. Make sure that logging is turned on and that you are monitoring all activity for unauthorized access attempts.
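The monitoring step above can be automated on a separate collection host by reviewing exported Security log entries. The Python below is an added example, not part of the original article; it uses the Windows Server 2003 logon event IDs (528 and 540 for successful logons, 529 through 537 and 539 for failures), while the CSV column names, the account allowlist, the threshold and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

# Windows Server 2003 Security log event IDs (pre-Vista numbering).
LOGON_SUCCESS = {528, 540}                      # interactive / network logon
LOGON_FAILURE = set(range(529, 538)) | {539}    # 529 bad password ... 539 locked out

AUTHORIZED = {"svc_backup", "jsmith"}           # hypothetical account allowlist
FAILURE_THRESHOLD = 3                           # hypothetical alert threshold

# Constructed sample; the column names are an assumed export format.
SAMPLE_CSV = """\
time,event_id,user,source
2015-07-15 02:10:01,529,administrator,10.20.7.19
2015-07-15 02:10:03,529,administrator,10.20.7.19
2015-07-15 02:10:05,529,Administrator,10.20.7.19
2015-07-15 08:01:12,529,jsmith,10.20.1.44
2015-07-15 08:01:30,528,jsmith,10.20.1.44
2015-07-15 23:00:00,540,svc_backup,10.20.0.10
2015-07-16 03:22:41,540,tempadmin,10.20.7.19
"""

def review_logons(csv_text):
    """Return (failure bursts per user/source, successful logons by unlisted accounts)."""
    failures = Counter()
    unauthorized = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        eid = (row.get("event_id") or "").strip()
        if not eid.isdigit():
            continue                            # skip malformed rows
        event_id = int(eid)
        user = (row.get("user") or "").strip().lower()   # account names are case-insensitive
        source = (row.get("source") or "").strip()
        if event_id in LOGON_FAILURE:
            failures[(user, source)] += 1
        elif event_id in LOGON_SUCCESS and user not in AUTHORIZED:
            unauthorized.add((user, source))
    bursts = {key: n for key, n in failures.items() if n >= FAILURE_THRESHOLD}
    return bursts, sorted(unauthorized)
```

A single failed logon followed by a success, as with `jsmith` in the sample, stays below the threshold, while repeated failures from one source and any successful logon by an account outside the allowlist are reported.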
Consider Virtualizing Your 2003 Servers
If your organization has taken on the “if it’s not broken don’t fix it” mindset with regard to legacy applications, you may want to consider virtualizing your 2003 Servers. This will offer a bit more security, allow you to run your current operating system in an isolated virtual environment, provide better utilization of your existing servers, and not require you to replace your aging servers, which might be budget prohibitive. Al Gillen from IDC points out that in reality any business running more than a few servers should be virtualizing their workloads anyway.
Keep in mind that Server 2003 runs on a 32-bit operating system, which will require some additional preparation to convert these servers from physical to virtual. Luckily there are tools available to help with this process, which is known as a physical-to-virtual machine (P2V) conversion. By virtualizing your current systems, you can create an isolated virtual environment and easily test new configurations. Testing is key here. Here are some tools that help during the process:
- Microsoft’s Virtual Machine Converter will convert virtual machines and disks from VMware hosts to Hyper-V hosts or convert physical machines and disks to Hyper-V hosts.
- VMware’s vCenter Standalone Converter will convert physical and virtual machines into VMware virtual machines.
- Disk2vhd is a free, third-party utility that will create a VHD (Virtual Hard Disk) from your physical server’s hard drive for use in Microsoft Hyper-V.
No matter which hypervisor you choose, NovaBACKUP is capable of protecting your virtual machines whether they are running under Hyper-V or VMware.
Plan Your Migration
Even if you don’t have budget for it now, eventually you will need to migrate. Why not get your plan in place and be prepared for the inevitable migration? That way, once funding is approved, you can hit the ground running rather than scrambling to develop a plan of action. Take the time to fully scope out the project, determine the best course of action, put together a realistic timeline with budgetary requirements and get buy-in from all stakeholders.
For additional reading on the subject, you may want to check out the Spiceworks IT report The Great IT Upgrade, which discusses the migration from Windows Server 2003 as described by IT pros.
If you have further questions on how NovaBACKUP can protect your servers facing Windows Server 2003 EOL, contact us directly at firstname.lastname@example.org.