
Turn the Page: Why now is the time to migrate off Windows Server 2003

HP Security Research

Contents

Introduction
What does “End of Support” mean?
What “End of Support” doesn’t mean
Why you need to leave Windows Server 2003 in the past
  Compliance concerns
  Security
  Hidden costs in maintaining older systems
Where to go from here
  Get a Custom Support Agreement
  Migrate to a newer version of Windows Server
  Migrate to Linux
  Hope for the best
Conclusion


Introduction

In January 2015, Microsoft released a patch to fix an issue in the Network Location Awareness (NLA) service. The vulnerability affects all versions of Windows Server, but a fix was not provided for the Windows Server 2003 platform. As stated in the bulletin, “The architecture to properly support the fix provided in the update does not exist on Windows Server 2003 systems, making it infeasible to build the fix for Windows Server 2003.” [1] This highlights the differences in operating system (OS) architecture between modern OSes and an OS now over eleven years old. While this alone should not push enterprises to move away from the OS, the impending end of support should have businesses thinking about what comes next for their remaining Windows Server 2003 deployments.

What does “End of Support” mean?

Microsoft has two different lifecycle phases for its products: mainstream and extended [2]. The biggest difference between these phases is the availability of non-security updates. During the mainstream support period, new functionality may be added through service packs or hotfixes, in addition to security updates. Once mainstream support ends, usually five years after the product’s initial release date, extended support begins. This provides free security updates, but little else.

Mainstream support for Windows Server 2003 ended in 2010, which means there have been no service packs or new functionality changes in over four years. On July 14, 2015, extended support for Windows Server 2003 ends as well. After this date, there will be no additional security fixes or updates of any kind freely available. Deployments of the OS won’t stop working on the 15th of July, but as of that day, these systems represent a different type of risk for the enterprises who use them.

What “End of Support” doesn’t mean

On July 15, 2015, little will change for those using Windows Server 2003. No features will be disabled. There will be no forced update onto a new platform. The vast body of online guidance for running and troubleshooting the OS will exist as it always has. In short, nothing obvious will change immediately. However, as time goes on, the lack of support, and the lack of updates, will become apparent.

Attacks are another reality that will not change once support ends. Just as today, adversaries will continue targeting Windows Server 2003. For an example, look back to the end of support for Windows XP. Immediately following the end of free security updates for that platform, active attacks were seen in the wild targeting Internet Explorer versions on XP. While Microsoft made the decision to offer patches for XP at that time, it is unlikely they will make this extraordinary decision again. In addition to current attacks, many of the issues affecting the more modern platforms (e.g. Windows Server 2012 R2) also affect Windows Server 2003. While the OSes are very different, there is still shared code between platforms. In January 2015, five of the seven security bulletins released by Microsoft impacted both Windows Server 2012 R2 and Windows Server 2003 [3]. After support ends, attackers can use each month’s bulletins, and the patched binaries themselves, as a guide to vulnerabilities that remain unfixed on Windows Server 2003: comparing the patched and unpatched versions of a shared component points directly at the vulnerable code. Due to the lack of security updates, enterprises still running Windows Server 2003 after support ends will become an even more attractive target to adversaries.

[1] https://technet.microsoft.com/library/security/ms15-005

[2] https://support2.microsoft.com/gp/lifepolicy

[3] https://technet.microsoft.com/library/security/ms15-jan


Why you need to leave Windows Server 2003 in the past

While definitive numbers remain elusive, estimates put Windows Server 2003 usage at about one-third of all Windows Server deployments. This seems likely, as Windows Server 2003 remains a remarkably stable OS. Despite this reliability, it is time for enterprises to leave this platform and migrate to a modern OS.

Compliance concerns

In almost every industry, there now exists some form of national or international regulation covering the security and maintenance of computer systems. These regulatory requirements often mandate that systems within scope be supported. Correspondingly, if unsupported systems exist within that scope, it is unlikely the enterprise will be within regulatory compliance. The U.S. Computer Emergency Readiness Team (US-CERT) notes, “Organizations that are governed by regulatory obligations may find they are no longer able to satisfy compliance requirements while running Windows Server 2003.” [4] Put more simply, once Windows Server 2003 is out of support, the chances of maintaining compliance with applicable regulations closely approach zero.

Security

While the lack of security updates is the primary concern for those running out-of-support servers, there are additional security concerns related to running Windows Server 2003. One area that is often overlooked is the set of defense-in-depth (DiD) features available in modern OSes. Starting in the early 2000s, the concept of placing defenses deep within the OS became a reality. The goal was to prevent known exploitation techniques from working on a target system, even if the attacker is exploiting an unpatched bug. One of the first of these DiD measures was Address Space Layout Randomization (ASLR). In its simplest form, ASLR randomizes where the stack, the heaps and loaded images are placed, so that an attacker cannot reliably predict the address of the code or data an exploit needs to reach. Windows Server 2003 implements only a limited form of this randomization (see Table 1), and memory randomization has continued to develop over the years to include methods that cannot be implemented on Server 2003.

Another example of DiD is SafeSEH, which marks an image as having safe exception handlers. When a module is linked with this option, the linker records a table of the module’s legitimate exception handlers in the image. When an exception is dispatched, the address of each registered handler is checked against the table of the module that contains it; a handler address that is not listed is refused and the program is terminated. The limitation of this feature is that every module loaded into the process must have been built with SafeSEH: an attacker who overwrites a handler with an address inside a single module that lacks the table is not stopped.

Later OSes implemented a second DiD technique called Structured Exception Handler Overwrite Protection (SEHOP). It works differently from SafeSEH, with its main benefit being that it does not require programs to be built with any special flags. SEHOP mitigates Structured Exception Handler overwrites by verifying the integrity of the chain of registered exception handlers at the time an exception occurs: each record must lie on the thread’s stack, and the chain must end at the handler the system itself registered when the thread started. Typically, an SEH overwrite corrupts the record’s “next” pointer and so breaks the integrity of this chain, which is what enables SEHOP to detect and stop it. While Windows Server 2003 does have SafeSEH, SEHOP is only available on Windows Server 2008 and later. In the more recent server versions, SEHOP was further extended to permit applications to opt in on a per-application basis. Previously, SEHOP had to be enabled or disabled for the entire system, which led to application compatibility issues for some programs.

[4] https://www.us-cert.gov/ncas/alerts/TA14-310A
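The two mechanisms described above can be seen side by side in a small model. The following C program is an added example, not HP’s code and not the Windows implementation: it simulates a 32-bit thread stack holding a chain of two exception registration records, applies a SafeSEH table check and a SEHOP chain walk to the handler that would be dispatched, and then performs the classic overwrite (the “next” field replaced by the bytes of a short jump, the handler replaced by the address of a pop/pop/ret gadget). The module names, addresses, gadget address and the stand-in value for ntdll’s final handler are invented for the model.

```c
/* Model of 32-bit Windows SEH dispatch with SafeSEH and SEHOP checks. Added example,
 * not HP's code and not Windows' implementation; every address, module name and the
 * final-handler value below is invented for the model. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define STACK_LIMIT   0x0012F000u  /* lowest address of the model stack */
#define STACK_BASE    0x00130000u  /* one past its highest address */
#define STACK_WORDS   ((STACK_BASE - STACK_LIMIT) / 4u)
#define CHAIN_END     0xFFFFFFFFu  /* 'next' value that terminates the SEH chain */
#define FINAL_HANDLER 0x7C8B1000u  /* stands in for ntdll!FinalExceptionHandler */

typedef struct { uint32_t words[STACK_WORDS]; uint32_t seh_head; /* FS:[0] */ } thread_stack;
typedef struct {
    const char *name; uint32_t base, size;
    const uint32_t *safe_handlers; size_t n_safe;  /* SafeSEH table; NULL if built without /SAFESEH */
} module_t;

/* Read a word from the model stack; fails if the address is unaligned or off the stack. */
static bool stack_read(const thread_stack *s, uint32_t addr, uint32_t *out)
{
    if (addr < STACK_LIMIT || addr > STACK_BASE - 4u || (addr & 3u) != 0) return false;
    *out = s->words[(addr - STACK_LIMIT) / 4u];
    return true;
}
static void stack_write(thread_stack *s, uint32_t addr, uint32_t val) { s->words[(addr - STACK_LIMIT) / 4u] = val; }

/* SafeSEH: a handler inside an image that carries a table must be listed in that table.
 * An image without a table cannot be judged; an address outside every image is refused. */
static bool safeseh_allows(const module_t *mods, size_t n, uint32_t handler)
{
    for (size_t i = 0; i < n; i++) {
        const module_t *m = &mods[i];
        if (handler < m->base || handler >= m->base + m->size) continue;
        if (m->safe_handlers == NULL) return true;      /* legacy module: no check possible */
        for (size_t j = 0; j < m->n_safe; j++)
            if (m->safe_handlers[j] == handler) return true;
        return false;                                   /* in a SafeSEH image, not registered */
    }
    return false;
}

/* SEHOP: walk the chain from FS:[0]; every record must lie on the stack and the last
 * one must be the record the system registered (next == CHAIN_END, FINAL_HANDLER). */
static bool sehop_chain_valid(const thread_stack *s)
{
    uint32_t rec = s->seh_head, next, handler;
    for (int hops = 0; hops < 1024; hops++) {           /* bound guards against a looped chain */
        if (!stack_read(s, rec, &next) || !stack_read(s, rec + 4u, &handler)) return false;
        if (next == CHAIN_END) return handler == FINAL_HANDLER;
        rec = next;
    }
    return false;
}

/* Handler that would run for an exception, or 0 when dispatch is refused. */
static uint32_t dispatch_exception(const thread_stack *s, const module_t *mods, size_t n,
                                   bool sehop_enabled)
{
    uint32_t next, handler;
    if (sehop_enabled && !sehop_chain_valid(s)) return 0;
    if (!stack_read(s, s->seh_head, &next) || !stack_read(s, s->seh_head + 4u, &handler)) return 0;
    return safeseh_allows(mods, n, handler) ? handler : 0;
}

/* Invented process layout: app.exe and ntdll.dll carry SafeSEH tables, legacy.dll does not. */
static const uint32_t app_handlers[]   = { 0x00401230u };
static const uint32_t ntdll_handlers[] = { FINAL_HANDLER };
static const module_t modules[] = {
    { "app.exe",    0x00400000u, 0x00010000u, app_handlers,   1 },
    { "ntdll.dll",  0x7C800000u, 0x00100000u, ntdll_handlers, 1 },
    { "legacy.dll", 0x10000000u, 0x00010000u, NULL,           0 },
};
#define REC_APP   0x0012FF60u  /* app.exe's registration record on the stack */
#define REC_FINAL 0x0012FFE0u  /* the system's terminating record */
#define GADGET    0x10001F3Cu  /* pop/pop/ret inside legacy.dll */

/* Build the clean two-record chain, optionally apply the classic overwrite ("next" becomes
 * the bytes of "jmp short +6; nop; nop", handler becomes the gadget) and dispatch. */
uint32_t run_scenario(bool overwritten, uint32_t gadget, bool sehop_enabled)
{
    thread_stack s = { {0}, REC_APP };
    stack_write(&s, REC_APP,        REC_FINAL);
    stack_write(&s, REC_APP + 4u,   0x00401230u);
    stack_write(&s, REC_FINAL,      CHAIN_END);
    stack_write(&s, REC_FINAL + 4u, FINAL_HANDLER);
    if (overwritten) {
        stack_write(&s, REC_APP,      0x9090EB06u);
        stack_write(&s, REC_APP + 4u, gadget);
    }
    return dispatch_exception(&s, modules, sizeof modules / sizeof modules[0], sehop_enabled);
}

int main(void)
{
    printf("clean/SEHOP off %08x, overwrite->legacy.dll/SEHOP off %08x, "
           "overwrite->app.exe/SEHOP off %08x, overwrite->legacy.dll/SEHOP on %08x\n",
           run_scenario(false, 0, false), run_scenario(true, GADGET, false),
           run_scenario(true, 0x00401F3Cu, false), run_scenario(true, GADGET, true));
    return 0;
}
```

Run as written, the clean chain dispatches to app.exe’s handler (0x00401230) whether or not SEHOP is on. With the record overwritten, SafeSEH alone still lets the gadget run when it sits in legacy.dll, which carries no handler table; it refuses only a gadget inside a SafeSEH image such as app.exe. SEHOP refuses the overwritten chain in either case, because following the “next” field, which now holds 0x9090EB06, leaves the stack before the system’s final record is reached. That is the practical difference the page draws: SafeSEH protects only what was built with it, while SEHOP protects the whole process.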


These are just two examples of the DiD security features available in newer OSes. A comparison of other DiD features [5][6][7], including those found in supported Microsoft Internet Explorer (IE) versions [8], is given in Table 1.

Table 1: Comparison of DiD features

DiD feature                      Windows Server 2003         Windows Server 2012 R2
                                 with Internet Explorer 8    with Internet Explorer 11
SEHOP                            no                          yes
IE Protected Mode                no                          yes
Enhanced Protected Mode          no                          yes
Virtual Table Guard              no                          yes
ASLR                             Limited                     Extensive
  Stack Randomization
  Heap Randomization
  Image Randomization
  Force Image Randomization
  Bottom-Up Randomization
  Top-Down Randomization
  High Entropy Randomization
  PEB/TEB Randomization
Heap Hardening                   Limited                     Extensive
  Header Encoding
  Terminate on Corruption
  Guard Pages
  Allocation Randomization
  Safe Unlinking
  Header Checksums
/GS                              yes                         yes
Enhanced /GS                     no                          yes
SafeSEH                          yes                         yes

[5] Miller, Matt and Johnson, Ken. 2012, July 25. Black Hat USA 2012 - Exploit Mitigation Improvements in Windows 8. Retrieved from https://www.youtube.com/watch?v=3NriJvra62g.

[6] https://msdn.microsoft.com/en-us/library/bb430720.aspx

[7] http://blogs.technet.com/b/srd/archive/2013/12/11/software-defense-mitigating-common-exploitation-techniques.aspx

[8] http://blogs.msdn.com/b/ie/archive/2012/03/12/enhanced-memory-protections-in-ie10.aspx


The inclusion of these additional DiD features raises the difficulty of taking over a system. An exploit for a bug in an application is no longer enough; it must be combined with a technique to get around each DiD feature in the way (a memory-disclosure bug to defeat ASLR, for instance). While these circumventions exist, every step that makes the attacker’s job harder is another chance for defenders to catch them.

Hidden costs in maintaining older systems

While the adage “If it ain’t broke, don’t fix it” may ring true in many situations, it is often the opposite case for computing systems. Some reports on aging PCs put the cost of maintaining older systems at 1.6 times the cost of replacement [9], especially for small- and medium-sized enterprises. The capital investment needed to replace outdated servers may be daunting at first, but in the end you may actually save money by getting new hardware, and the new software that comes with it.

Where to go from here

For those who are still running Windows Server 2003, there are a few options.

Get a Custom Support Agreement

For those who cannot migrate away from Windows Server 2003, there is an option that will provide security updates after support ends, for a price. Microsoft offers Custom Support Agreements (CSA) for products that have reached their end of support date. For customers who enter into a CSA, Microsoft will produce security patches for what it deems critical-class vulnerabilities [10]. Patches for important-severity issues may also be provided; however, these are only produced if the customer pays extra. By Microsoft’s own estimate, a CSA will run in the neighborhood of $200,000 US a year [11]. Historically the price of a CSA has risen year over year, so this cost is likely only to go up. This option should be viewed as a stopgap to keep servers patched while a larger migration plan is put in place; paying for custom support indefinitely is not economically sustainable.

Migrate to a newer version of Windows Server

Moving to the latest version of Windows Server gets you to a supported state with access to the latest features in both functionality and security. This may seem like the obvious choice, but it is not without problems either. According to Microsoft, the average migration takes over 200 days [12]. There is also the problem of finding every server that needs to be replaced. This may sound simple, but locating every instance of a specific OS in a large enterprise, including virtual machines and forgotten test systems, can be surprisingly difficult; an inventory built from several sources (directory computer objects, network scans and asset records) is more reliable than any one of them alone.

[9] http://www.eweek.com/small-business/older-pcs-drain-time-resources-from-small-businesses-intel.html

[10] https://technet.microsoft.com/en-us/security/gg309177.aspx

[11] http://blogs.technet.com/b/mpn_uk/archive/2014/01/29/windows-server-2003-end-of-support-is-july-14-2015-will-you-be-ready-to-seize-the-opportunity.aspx

[12] http://blogs.technet.com/b/uktechnet/archive/2014/06/25/are-you-ready-to-migrate-windows-server-2003-end-of-life-is-coming-on-the-july-14th-2015.aspx


Migrate to Linux

For some companies, migrating servers from Windows to Linux is a viable option. Linux is currently deployed on 36.4% of existing web sites [13] and can work equally well in an enterprise scenario.

Modern Linux systems also provide many DiD features similar, but not identical, to those found in modern versions of Windows Server. While a new Windows server may require new hardware, a version of Linux exists that will run on your existing systems. This option will not be practical for all enterprises currently running Windows Server 2003, but for a subset of them, the potential cost savings of moving to Linux dictate at least considering the option.

Hope for the best

For those without compliance issues, the option to do absolutely nothing still exists. If everything works well within your enterprise, just keep running it and hope that attackers, regulators, shareholders, and everyone else never notice that the operating system used for their business transactions is well over a decade old. This also ensures you won’t struggle implementing any of the new features modern operating systems allow. Technologies like Hyper-V, hybrid and public cloud, BYOD and mobile device management, and numerous defense-in-depth measures will never become an implementation problem, because Windows Server 2003 simply will not support them.

Conclusion

With the impending end of support for Windows Server 2003, enterprises need to take action. “It still works” is no longer an excuse for running an outdated operating system. After July 14, 2015, Windows Server 2003 will no longer receive free security updates. In addition to the potential long-term cost savings of replacing rather than maintaining older hardware, modern OSes offer defense-in-depth technologies not found on Windows Server 2003. Running an unsupported OS will also lead to issues with regulatory compliance. To prepare for this date, administrators need to determine which course of action they will take. Some may decide a custom support agreement, paying for patches, is their best course until they can implement a long-term solution. Others may choose to migrate to a newer, supported version of Windows Server, or even to a supported version of Linux.

In reality, doing nothing to prepare for this date is simply not an option. Attackers will not stop targeting systems that are running Windows Server 2003 simply because it is no longer supported.

Vulnerabilities in Server 2003 will continue to be found as well – even if they are disguised as bugs in newer server platforms. As we move further away from the end of support date, the risks of continuing to run Windows Server 2003 will only increase and the costs of keeping it in an enterprise will become too great to justify.

By July 2015, Windows Server 2003 will be over 12 years old. That is a remarkable feat for any piece of technology, but it is time to retire the product and move on. Modern OSes provide security updates, a better set of features, and a more robust security strategy. Continuing to hold on to the past will stagnate an enterprise’s ability to take advantage of new technologies such as hybrid cloud solutions and mobile device management. The July date is fast approaching. There is no better time than now to plan how your servers and enterprise will look in the next decade.

[13] http://w3techs.com/technologies/details/os-linux/all/all
