
Research and Recommendations


Academic year: 2021


Windows Server 2003

Custom Support Agreements

Paul DeGroot

Senior Consultant

Who Are Software Licensing Advisors?

Mission: “The Customer’s Advocate”

Too many customers rely only on Microsoft or a reseller, who focuses on what they want to sell

Leaves most customers with software they don't deploy or don't need

• While projects or investments with demonstrable ROI beg for funds

SLA focuses on value and fit

What you need to buy and the best way to buy it

Align IT spending and strategies with corporate objectives and constraints

Personnel

Steve Kelley

Microsoft sales for 5 years, insider knowledge of Microsoft’s negotiating process

Paul DeGroot

World-renowned expert on Microsoft licensing, previously with Directions on Microsoft

Steve O'Halloran

SAM technical expert, creator of AssetMetrix (now built into SCCM)

"I've learned far more from this engagement than I expected. You really made a difference." --High-tech manufacturing firm that reduced EA spend by 50%

"Your team has been absolutely fabulous..." --Fortune 500 consumer products firm that reduced EA spend by 60%

“We exceeded our expectations for these negotiations. Because we had your intelligence, we knew what to hang on for. You really showed us the art of the possible.” --Global 25 resource company

“Your financial models, worksheets, and strategies were invaluable. Outstanding work.” --Global 100 pharmaceutical firm that reduced 3-year EA spend by more than $60 million

The Issue: End of Support for Windows Server 2003

Availability of service packs, updates, hotfixes, and patches depends on a product's life-cycle phase

Guidelines, not guarantees

| Phase | Duration | Updates | Costs |
|---|---|---|---|
| Mainstream | 5 years after release, or 2 years after release of successor, whichever is greater | All: Service packs, program patches, updates, hotfixes, security patches | $0 |
| Extended | 5 years after the end of Mainstream | Security patches, custom hotfixes | Security patches: $0; custom hotfixes require Extended Hotfix Service Agreement |
| Web | 2+ years after the end of Extended | Web access to previously released updates, knowledge base articles | $0 |
| Custom | 2 years after the end of Extended | Same as Extended | Custom Support Agreement, with per device pricing |

Why Not Upgrade Windows Server 2003?

The vast majority of our customers who will not upgrade from Windows Server 2003 by July have a significant barrier to doing so. No one takes the issue casually

A custom application still hasn't been/can't be rewritten

Application vendor's product specifies this version

Will require a costly upgrade to a newer version of a vendor's application

Will void warranty/support on associated application, equipment

Upgrade drivers

Regulatory compliance requirements

HIPAA, PCI, etc.

Need to replace hardware but new hardware is not well supported by Server 2003

Drivers, storage subsystems, faster networks

Want to avoid purchasing a Custom Support Agreement (CSA)

What's your situation? What are other people doing? Fill out our survey (Google logon required) at https://docs.google.com/forms/d/176GG1UILgff3Pd3J2pIAUe11gu9WIdi2PkNcGRMUPfE/viewform?usp=send_form

The Hitch

A Custom Support Agreement is very expensive

First year: ~ the cost of the original license

For Windows Server 2003 Standard that is about $700 per license

We have seen quotes for $600

Second year: double year 1--$1,200 per device

Third year: double year 2 – $2,400 per device

Not clear what, if anything, you will get out of it

Patches may apply to only a few, or even none of your systems

You don't run .NET applications

Administrators do not browse the Web or run user applications (e-mail, Word, Media Player) from the server console

Your device is not accessible over the network, or to the Internet

You are not running vulnerable services on your servers

No significant patches may appear in the next year or two


What kind of risks without a CSA

Microsoft has multiple definitions of update severity

Critical non-security updates

System may become unavailable

Critical security updates

Remote Code Execution

Escalation of Privilege

Denial of Service (DOS)

Without user prompts

Important security updates

Could compromise confidentiality of user data

Some may prompt the user for action, others not

Many Windows XP critical updates are also applied to Server 2003

Share much of their code

But XP user activities (Web browsing, media playing) and the common practice of users with admin rights create more opportunities for compromised systems than servers

No admin logged on much of the time

Consumer features less available

What our research found

Critical updates are declining in frequency

Many critical updates address narrow, specific configurations that may not be typical

.NET applications

Telnet Use

Windows Media

Office

Paint

[Chart: axis labels 2010 to 2015 and 0 to 20]

Non-Security Updates by Type

Type

Number Most Recent

Comment

Application compatibility issue

3

04/05/12

SharePoint and Microsoft time stamps

Feature update

3

10/11/10

1

12/10/12

Volume Shadow Copy issues

1

04/05/12

Templates from Server 2003 VMs

6

10/08/12

Primarily a desktop issue

12

02/10/14

Server Web browser issue

1

04/05/12

Limited to Small Business Server 2003 R2

Updates security capabilities

1

04/05/12

Limited to Small Business Server 2003 R2

WSUS Updates

1

08/29/12

Primarily to implement Extended Protection for Authentication in the Server

Functionality issue that does not affect live data

Functionality issue, with available workaround

Internet security issue with manual workaround

Untrusted security certificates from Comodo, Microsoft; too-short cryptographic keys

Rendering Web pages, Office and Windows client compatibility

Moot, since no further updates will be delivered via WSUS

Microsoft's Solution: the CSA

Provides Critical and Important updates beyond extended support

Plus problem resolution, some support assistance, account management

Custom hotfixes only for “critical” problems

Significant business loss or degradation of service

Cause products to crash, lose data, function unpredictably

No changes for additional functionality, e.g., time zones, daylight savings

Payment is always retroactive to the start of support

An Alternative: Custom Support Essentials

Covers critical hotfixes only (nothing for “important” severity)

Can substantially reduce costs if few critical hotfixes are released

One critical hotfix is included, at a fixed price

Payment is a fixed fee plus a per device fee. As older systems are taken out of service, hotfix costs go down

CSA Strategies

Don't purchase a CSA immediately

You can always buy it later

By then you may have taken many vulnerable servers out of service, reducing your cost

Cost will be the same if you buy it later

Consider Custom Support Essentials

For a few critical hotfixes that apply to you it will be less

Risk reduction

Servers with .NET applications should be upgraded first

Control administrative activities at the console

Turn off unnecessary services, like Telnet
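
The deferral and risk-reduction advice above, worked as an added example that is not part of the original deck: it ranks a constructed inventory by the exposure conditions the slides name and compares CSA spend when enrolling from the start against buying later. The inventory, the $600 starting price (the quote the deck mentions, doubled each year), and the assumption that an enrolled customer pays each year for every device in service that year are assumptions of the example.

```python
from dataclasses import dataclass

# Per-device CSA price by support year (USD): the deck's $600 quote,
# doubled each year as the deck describes.
PRICE = {1: 600, 2: 1200, 3: 2400}
RISKY_SERVICES = {"TlntSvr"}  # Windows Telnet service name

@dataclass(frozen=True)
class Server:
    name: str
    dotnet: bool          # hosts .NET applications
    console_apps: bool    # admins browse or run user apps at the console
    reachable: bool       # reachable over the network or from the Internet
    services: frozenset   # running service names
    last_year: int        # last support year the server is still in service

def exposure(s):
    """Names of the deck's exposure conditions that apply to this server."""
    checks = {"dotnet": s.dotnet, "console_apps": s.console_apps,
              "reachable": s.reachable,
              "risky_service": bool(s.services & RISKY_SERVICES)}
    return [k for k, hit in checks.items() if hit]

def upgrade_order(inventory):
    """.NET hosts first (the deck's rule), then most exposure conditions."""
    return [s.name for s in sorted(
        inventory, key=lambda s: (not s.dotnet, -len(exposure(s)), s.name))]

def cost_enrolled_from_start(inventory, through):
    """Assumed model: pay each year for every device in service that year."""
    return sum(PRICE[y] * sum(s.last_year >= y for s in inventory)
               for y in range(1, through + 1))

def cost_deferred(inventory, buy_year):
    """Buy in buy_year: retroactive fees for years 1..buy_year, but only
    for devices still in service at that point."""
    remaining = sum(s.last_year >= buy_year for s in inventory)
    return remaining * sum(PRICE[y] for y in range(1, buy_year + 1))

# Constructed inventory, not data from the deck.
INVENTORY = [
    Server("app01", True, False, True, frozenset({"W3SVC"}), 1),
    Server("file02", False, False, True, frozenset({"TlntSvr"}), 2),
    Server("plc03", False, False, False, frozenset(), 3),
    Server("web04", True, True, True, frozenset({"W3SVC", "TlntSvr"}), 1),
]
```

With this inventory, deferring never costs more than enrolling from the start, because the retroactive fee is charged only for servers that are still running when the agreement is bought.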

Take our poll to see what others are doing:
