
eguide: Designing a Continuous Response Architecture Executive's Guide to Windows Server 2003 End of Life


Introduction

On July 14, 2015, Microsoft will end support for Windows Server 2003 and Windows Server 2003 R2. Like Windows XP, Windows Server 2003 continues to be used and relied upon by organizations worldwide, with as many as 10 million Windows Server 2003 systems still in production.

Custom support provides:

+Critical patches only.

+Important patches are available at an additional price. Historically, Microsoft labeled many patches as “important” that, in our opinion, should have been labeled as “critical.”

+No support for moderate or low-priority security updates.

+Antivirus solutions will be ineffective on machines running Windows Server 2003 after EOL. Many antivirus products will not be supported and will not have necessary signature updates for new vulnerabilities.

+Many legacy applications built on Windows Server 2003 will no longer be supported after end of life.

+Without compensating controls, Windows Server 2003 will no longer meet regulatory compliance standards.

Facts About Windows Server 2003

July 14, 2015, is the end-of-life date for Windows Server 2003.

There will be NO MORE security updates and critical patches available after July 14, 2014 unless you pay Microsoft for custom support.

$200,000, the estimated average


What Organizations Are Affected?

Originally launched in 2003, Windows Server 2003 [WS2K3] and its 2005 update Windows Server 2003 R2 are relied upon by thousands of organizations for critical production workloads. On July 14, 2015, Microsoft will stop security updates for Windows Server 2003, leaving organizations across a multitude of industries vulnerable to malware attacks.

If your organization is driven by compliance requirements, such as SOX, HIPAA, PCI, NERC, Gramm-Leach-Bliley, etc., you will have even greater challenges. In addition to security concerns, your organization also will be noncompliant. According to HP, there are more than 10 million systems still running Windows Server 2003. So chances are your organization has, or is going to need to put, a Windows Server 2003 EOL plan in place.

The Status of and Barriers to Upgrading

According to AppZero’s 2013 State of Readiness report on Windows Server 2003 End of Life, less than a quarter of organizations have a proper upgrade plan in place and nearly 40 percent are unsure of how they would upgrade existing systems. With the average migration project taking 200 days to implement, if you are only now starting a WS2K3 migration, it is unlikely that you will finish before support stops in July 2015.

“A surprising number of client organizations will be operating those unsupported systems next year and beyond, they range from medium scale up to the largest enterprise IT organizations.”


How many Windows Server 2003 devices are you still running?

There are several reasons why your organization may still be running Windows Server 2003 and not be able to upgrade to a supported OS such as Windows Server 2008 R2 or 2012 R2.

+You may need new hardware to support the new operating system.

+Your organization's mission-critical applications are not upgrade-compatible.

+You do not have sufficient budget for migration.

+You do not have the IT resources to execute a migration and maintain day-to-day operations.

[Chart. Categories: 1-25, 26-100, 101-500, 501-1000, 1001-5000, 5000+. Values: 33%, 13%, 24%, 7%, 10%, 6%.]

Application Compatibility

For many organizations, application compatibility is the biggest barrier to upgrading. If you have 32-bit legacy applications running on WS2K3, these applications will not run or cannot easily be upgraded to run on modern 64-bit operating systems such as Windows Server 2012. Additionally, developers of 2003-certified legacy applications or in-house custom applications may not have the budgets or motivation to recompile software for newer releases.

What types of applications cause you the most concern?

You also may have a challenge dealing with third-party applications from vendors such as Oracle, Adobe, etc., which, like Microsoft, are encouraging you to upgrade. It also is unclear whether third-party antivirus and scanning software, which may be part of your current security stack, will be supported.

[Chart. Categories: Financials, Customer Relationship Management, Enterprise Resource Planning, Business Process Management, Other. Values: 33%, 19%, 14%, 7%, 29%.]

What risks of running an unsupported OS are of primary concern?

The Consequences

Unpatched WS2K3 systems will lead to “zero-day forever scenarios” - that is, there will be no patches for zero-day attacks so new vulnerabilities will never be remediated. And since Windows Server 2003 lacks more advanced memory protection features found in later Windows operating systems, the lack of support can make your situation worse.

Without updates and patches, you may be cited for noncompliance and/or failure to pass assessment and regulatory audits. Here is Microsoft’s official position on the topic:

“Unsupported and unpatched environments are vulnerable to security risks. This may result in an officially recognized control failure by an internal or external audit body, leading to suspension of certifications, and/or public notification of the organization’s inability to maintain its systems and customer information.”

This statement is absolutely true, but with proper planning ahead of time, there are compensating controls you can put in place to ensure the security and continued compliance of these systems.

Once you have an operating system that can’t be patched and new malware is discovered, your organization will definitely be out of compliance and the effects can be devastating:

+Breach and data compromise: Malware authors can get access to highly confidential information such as your critical research and development plans, core business databases, consumers' credit card/financial data or patient information.

+Financial penalties: Your organization can be fined for failure to pass compliance audits by being in a noncompliant state.

+Loss of privileges: Your organization can lose the right to process major credit card transactions and access to business-critical data you need to conduct business.

+Damage to your corporate brand: This is often the most devastating consequence and can be difficult to remediate. In fact, according to the National Cyber Security Alliance, 60 percent of small and medium businesses that suffer a breach go out of business within six months.

With Microsoft custom support estimated to cost $200,000 per year on average, IT managers would be wise to look into other compensating control options, such as application whitelisting, to ensure continued security and compliance of these systems.

[Chart. Categories: Increased Cost & Downtime; Vulnerability Security & Management; Regulatory Compliance; Other. Values: 23%, 54%, 12%, 12%. Source: AppZero 2013 State of Readiness for Windows Server 2003 End of Support.]

Compensating Controls

If you are late in addressing WS2K3 end of life, don’t panic. There are compensating controls you can consider to keep your Windows Server 2003 systems secure after end of life; key among them are application whitelisting and network isolation.

Network Isolation

With network isolation, you isolate Windows 2003 servers so that these machines cannot access your central services. A 2003 server will interact with other systems on the isolated network, but cannot interact with any machines outside of the isolated network or connect to the Internet. With network isolation, you will protect your WS2K3 devices from malware attacks but this will only work in cases where your applications do not need Internet access and/or access to other systems outside of an isolated network. Seeing as most servers host critical applications that must be accessible to employees and connected to other corporate servers, this is likely not a viable option for most WS2K3 workloads. For isolated department- or team-specific legacy applications, this can be a viable option but for email, domain, Web and other corporate production servers, network isolation is unlikely to be a viable long-term option.

Application Whitelisting

Application whitelisting is a security model focused on allowing known “good” applications rather than blocking known “bad,” and is widely regarded as the industry’s best form of advanced threat prevention. While highly recommended as a standard security stack component for all devices, when implemented in “default-deny” mode, application whitelisting is a highly effective compensating control to meet regulatory compliance standards and harden out-of-date systems, such as WS2K3. By ensuring only trusted software is allowed to run, application whitelisting will prevent zero-day exploits and advanced malware and also can negate or delay the need for software patching.

While developing an application whitelist once required significant administrative effort, advanced application whitelisting solutions include features designed to greatly reduce that effort, such as cloud-driven software reputation ratings and integrations with leading configuration management solutions, such as Microsoft SCCM, to dynamically approve IT-driven and other trusted software.
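The default-deny decision described above, sketched as an added example that is not from the guide or from any vendor's product. The policy fields, the 0-10 reputation scale, the deployer name `config-mgmt-agent` and the sample byte strings are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

@dataclass
class Policy:
    approved_hashes: Set[str] = field(default_factory=set)    # explicit allowlist
    trusted_deployers: Set[str] = field(default_factory=set)  # e.g. a configuration-management agent
    min_reputation: int = 8                                    # hypothetical 0-10 reputation scale

def decide(policy: Policy, content: bytes, written_by: Optional[str] = None,
           reputation: Optional[int] = None) -> Tuple[str, str]:
    """Return (verdict, reason). Trust is bound to file content, never to a path or name."""
    digest = sha256_hex(content)
    if digest in policy.approved_hashes:
        return "allow", "approved-hash"
    if written_by is not None and written_by in policy.trusted_deployers:
        policy.approved_hashes.add(digest)  # dynamic approval of IT-delivered software
        return "allow", "trusted-deployer"
    if reputation is not None and reputation >= policy.min_reputation:
        return "allow", "reputation"
    return "block", "default-deny"  # anything not positively trusted does not run

# Constructed sample data: byte strings stand in for executable images.
LEGACY_APP = b"MZ..legacy line-of-business app v1.0"
TAMPERED_APP = LEGACY_APP + b" + injected code"
IT_PATCH = b"MZ..vendor update pushed by IT"
UNKNOWN_TOOL = b"MZ..binary never seen before"

def run_sample():
    policy = Policy(approved_hashes={sha256_hex(LEGACY_APP)},
                    trusted_deployers={"config-mgmt-agent"})
    return [
        decide(policy, LEGACY_APP),                               # on the allowlist
        decide(policy, TAMPERED_APP),                             # modified copy: new hash
        decide(policy, IT_PATCH, written_by="config-mgmt-agent"), # delivered by IT tooling
        decide(policy, IT_PATCH),                                 # now approved by hash
        decide(policy, UNKNOWN_TOOL, reputation=3),               # low reputation
        decide(policy, UNKNOWN_TOOL, reputation=9),               # high reputation
        decide(policy, UNKNOWN_TOOL),                             # no trust signal at all
    ]

if __name__ == "__main__":
    for verdict, reason in run_sample():
        print(verdict, reason)
```

The second case is the one that matters on an unpatched server: a modified copy of an approved application has a different hash, so it falls through to the default-deny verdict.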


Bit9 + Carbon Black offers an advanced security solution that your organization can deploy as a compensating security control in lieu of regular patching and updates that are no longer available from Microsoft. Bit9 extends the security window and protects your WS2K3 devices from breach and data compromise past the end-of-life date. With Bit9, your WS2K3 systems will remain compliant because the solution provides:

+Complete visibility into everything that is happening on every in-scope server and endpoint so you can measure compliance and risk.

+Automated, real-time detection of zero-day and other advanced threats.

+A change history and full audit trail of all server and endpoint activity along with real-time compliance risk measurement and reporting of your in-scope systems, including those which are no longer supported. This reporting provides the actionable intelligence to monitor compliance, identify any unexpected activity or event, and proactively improve your security posture.

+Prevention to stop advanced threats and other forms of malware from executing, including targeted, customized attacks that are unique to your organization.

+Integration across the existing security infrastructure to understand enterprise-wide compliance risk and exposure.

The Benefits of Bit9 as a Compensating Control

+Most important, get your WS2K3 systems into a compliant state BEFORE the July 14, 2015, deadline and eliminate financial penalties and brand damage associated with failed audits, data breaches, or noncompliance.

+Consolidate your enterprise security stack and eliminate the need for and costs associated with other security software. Bit9 is all you need to get visibility, detection and protection for all servers and endpoints across the enterprise.

+Lower the cost of obtaining compliance data because Bit9 uses an up-front trust policy to control change and filter data, enabling you to focus only on those events that are relevant to your business.

+Eliminate the high costs of WS2K3 custom support contracts and hardware upgrades. Bit9 is an affordable, cost-effective solution when compared to the costs associated with Microsoft’s out-of-band support and/or replacing racks of aging servers and custom applications.

266 Second Avenue Waltham, MA 02451 USA

ABOUT BIT9 + CARBON BLACK

The combination of Bit9 + Carbon Black offers the most complete answer to the newer, more advanced threats and targeted attacks intent on breaching an organization’s endpoints. This comprehensive approach makes it easier for organizations to see, and immediately stop, advanced threats. Our solution combines Carbon Black’s lightweight endpoint sensor, which can be rapidly deployed with no configuration to deliver “incident response in seconds,” and Bit9’s industry-leading prevention technologies. Benefits include:

+ Continuous, real-time visibility into what’s happening on every computer

+ Real-time threat detection, without relying on signatures

+ Instant response by seeing the full “kill chain” of any attack

+ Protection that is proactive and customizable
