Windows Server 2003 support ends, millions of unprotected servers

Retailers who have not yet made plans for the end of Microsoft support for Windows Server 2003 now have a week to get ready.

As it does periodically for its various software products, Microsoft will terminate support for the operating system that was still in wide use at the beginning of this year, said Andrew Avanessian, VP at security firm Avecto. This means Microsoft will no longer deliver critical security updates or patches for the system.

Microsoft and Gartner have reported that there were about 10 million deployments of Windows Server 2003 at the beginning of the year, and there will be an estimated 2 to 3 million at the July 14 deadline.

Many of these are retailers, Avanessian told FierceRetailIT, although a specific number is not available. "The point-of-sale terminals found in most retailers often run on Windows XP, and this software was built to talk to applications on Windows Server 2003. This means that many retailers may decide to keep WS2003 running to support their POS systems," he said.

"After all, no one wants to be responsible for letting a server migration stop the businesses from processing payments and generating revenue for the business, even for a minute."

In March, Spiceworks published a survey showing that 61 percent of companies in its network were still running WS2003, although many were working actively to migrate their systems to Windows Server 2012 R2 (64 percent) and Windows Server 2012 (14 percent). Among other choices are Windows Server 2008, Windows Server 2008 R2 and Linux. Several companies may be at risk, as 22 percent of IT professionals said they do not plan to upgrade every system currently on Windows Server 2003.

At a time when POS security is top of mind for retailers, this is potentially a big problem. "If these WS2003 machines are directly connected to the POS environments, they present a tremendous risk if they are without Microsoft's security support and open to exploit. This is where the workarounds will help, as retailers migrate their systems slowly and through extensive testing," Avanessian said.

There are three possible short-term workarounds for those who have not migrated, he said:

Administrator rights—System administrators are notorious for demanding privileged access to IT systems, but granting them that access is extremely risky because hackers often seek out privileged accounts to gain entry into a system. Admin rights in a server environment should be limited to the point where admins are given only the privileges they need to respond to urgent break-fix scenarios. Doing so can reduce the potential for attack significantly.

Application whitelisting—Application whitelisting adds more control to a server environment, including remote servers, by applying simple rules to manage trusted applications. This is often regarded as the number one defense against real world threats and can thwart many advanced modular attacks. While trusted applications are allowed to run through configured policies, unauthorized applications and interactions can be blocked, preventing malicious code from executing.

Sandboxing—Sandboxing is the final line of defense that all businesses should have in place at all times. It secures the biggest window of opportunity for malware to enter systems: the internet. Although users shouldn't be browsing the Web on a server, it does often happen when they are under pressure to find a fix for an issue. Sandboxing isolates Web-borne threats, such as malicious documents or websites carrying malware, in a separate secure container. This prevents malware-infected documents from accessing business data and persisting in the server environment.
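The first step toward any of these workarounds is knowing which WS2003 hosts are still on the network and whether application whitelisting is actually enforced on them. The following PowerShell script is an added example written for this page; it is not code from the article, from Avecto or from Microsoft. It assumes the RSAT ActiveDirectory module on the administrator's workstation, the Remote Registry service running on the target servers, and an account with read access to them. It reads the Software Restriction Policy enforcement level (the `DefaultLevel` value under the `Safer\CodeIdentifiers` policy key, the whitelisting mechanism available on Windows Server 2003) and reports hosts where no whitelist is enforced.

```powershell
# Added example (not from the article or Avecto): inventory Windows Server 2003
# hosts from Active Directory and read each one's Software Restriction Policy
# enforcement level, so the whitelisting workaround can be verified per host.
# Assumptions: RSAT ActiveDirectory module on this workstation, Remote Registry
# service running on the targets, and an account that can read their registry.
Import-Module ActiveDirectory

# Meaning of the SRP DefaultLevel DWORD under Safer\CodeIdentifiers
$srpLevels = @{
    0      = 'Disallowed (whitelist enforced)'
    131072 = 'Basic User'
    262144 = 'Unrestricted (no whitelisting)'
}

function Get-SrpStatus {
    param([string]$ComputerName)
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $key  = $hklm.OpenSubKey('SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers')
        if ($null -eq $key) { return 'No SRP policy configured' }
        $level = $key.GetValue('DefaultLevel')
        if ($null -eq $level) { return 'No SRP policy configured' }
        if ($srpLevels.ContainsKey([int]$level)) { return $srpLevels[[int]$level] }
        return "Unknown level $level"
    } catch {
        # Unreachable hosts still belong in the report: they are unknowns, not safe.
        return "Unreachable: $($_.Exception.Message)"
    }
}

# Every domain-joined computer whose OS attribute names Server 2003
$servers = Get-ADComputer -Filter { OperatingSystem -like '*Server 2003*' } `
                          -Properties OperatingSystem, LastLogonDate

$report = foreach ($s in $servers) {
    [pscustomobject]@{
        Name      = $s.Name
        OS        = $s.OperatingSystem
        LastLogon = $s.LastLogonDate
        SrpStatus = Get-SrpStatus -ComputerName $s.DNSHostName
    }
}

# Hosts reporting 'Unrestricted' or 'No SRP policy configured' have no
# whitelisting workaround in place and should be first in the migration queue.
$report | Sort-Object SrpStatus | Format-Table -AutoSize
```

`DefaultLevel` only tells you whether the policy's default is to block; it says nothing about the path, hash or certificate rules that define the whitelist itself, or about whether `PolicyScope` exempts local administrators. Treat the output as a first pass that separates hosts with no whitelisting at all from those whose rules still need review.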

"WS2003 is a very stable system, and there's a common 'If it's not broken, don't fix it' mentality among IT groups, so I suspect that many retailers will have a hard time giving it up, even after the deadline passes," Avanessian said. "These retailers will be sitting ducks—an easy target for hackers and malware attack. Especially if you're a large, well-known retailer, the bad guys will know who is patched and who isn't, and can easily pinpoint those systems where they know there isn't anyone filling the security holes."

For more:
- See this Avecto Microsoft Vulnerabilities Report
- See this IT Management webinar
- See this Spiceworks press release
