
Nobody likes a nag. But sometimes it’s necessary to be one. MAXfocus Security Lead Ian Trump strongly suggests migrating from Windows Server 2003 – now. However, he provides five IT tips for businesses that can’t meet the July 14 “end of life” deadline.

How many of you grew up with that parent? You know, the mother or father who nagged you to clean your room, do your homework, empty the trash, or take care of some other job you desperately tried to avoid.

Well, for all the procrastinators out there, this question may make you cringe. But it has to be asked – for your sake and that of your customers: Have you migrated from Windows Server 2003 (WS2K3) yet?

You may not care for that question. But you’ll like the consequences of ignoring it far less.

On July 14, Microsoft will stop supporting the outdated operating system and shift full focus to Azure, Office 365 and Windows Server 2012 R2. That means three things if you’ve barely begun the process, or flat out failed to start it at all:

  • You have two months to execute a migration plan.
  • Security updates for WS2K3 will no longer be available starting July 15.
  • Companies that continue relying on the 12-year-old system will likely contend with an increase in cyber-threats.

Citing a study conducted by UK-based technology market researcher Vanson Bourne, BetaNews.com reported that “63 percent of businesses are still running Server 2003.” Of that group, “81 percent of IT professionals whose company was still using Windows Server 2003 said they would shift from the platform before the deadline…”

Assuming every respondent in the majority does in fact migrate on time, what should the remaining 19 percent do? Try these five tips between now and deadline day:

1 – Focus aggressively on backing up the data that resides on the soon-to-be-unsupported server. If the worst should occur and cybercriminals hack it, at least you can restore the server to its pre-compromised state.

It’s all about business resilience.

2 – Conduct an application audit. Take inventory of all services on the server and determine which ones can be removed or turned off. You need to identify services and rules that are no longer used. If there’s software on the server that falls in that category, uninstall it.

This project may take some time. But think of it this way: The more work you do now, the less work you’ll have to do later.

3 – Where possible, do some “security by obscurity.” For example, create firewall rules so only specific IP addresses can access the server. This will dramatically reduce the threat level.

Better yet, perhaps it’s time to place the server behind a virtual private network (VPN). This way, the server isn’t exposed to the Internet. Only users authenticated by the VPN have web access.

4 – Study the normal traffic patterns that the server contributes to the network, along with its resource usage (e.g., CPU, memory, disk activity). It’s critical to be familiar with these patterns. You’ll want them for comparison purposes should you suspect, or determine, that the server has encountered security issues.

5 – You can bet cybercriminals have been reverse-engineering patches to exploit soon-to-be vulnerabilities. As the final days of support approach, if the server is still connected to the Internet, it’s time to consider physically removing the machine. Otherwise, it will continue to be a consistent threat to the network. The risk will only grow the longer the equipment stays in place.
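The baseline comparison from tip 4, as an added example that is not part of the original article: it builds a per-metric profile from known-good samples and flags later readings that deviate sharply from it. The metric names, the sample values and the three-standard-deviation threshold are assumptions chosen for illustration.

```python
from statistics import mean, stdev

# Constructed baseline: samples collected while the server was known to be healthy.
# Metric names and values are illustrative assumptions, not real measurements.
BASELINE = {
    "cpu_pct":      [12, 15, 11, 14, 13, 16, 12, 14],
    "mem_used_mb":  [1510, 1495, 1530, 1502, 1520, 1515, 1498, 1508],
    "disk_iops":    [40, 44, 38, 42, 41, 45, 39, 43],
    "net_out_kbps": [220, 240, 210, 230, 235, 225, 215, 245],
}


def build_profile(baseline):
    """Return {metric: (mean, standard deviation)} for each baseline series."""
    profile = {}
    for metric, samples in baseline.items():
        if len(samples) < 2:
            raise ValueError(f"need at least two samples for {metric}")
        profile[metric] = (mean(samples), stdev(samples))
    return profile


def find_deviations(profile, reading, threshold=3.0):
    """Return [(metric, z_score)] for readings at least `threshold` deviations from normal.

    A metric with no baseline is reported with a z_score of None, because
    "no idea what normal looks like" is itself worth investigating.
    """
    flagged = []
    for metric, value in reading.items():
        if metric not in profile:
            flagged.append((metric, None))
            continue
        mu, sigma = profile[metric]
        if sigma == 0:
            # Perfectly flat baseline: any change at all counts as a deviation.
            z = 0.0 if value == mu else float("inf")
        else:
            z = (value - mu) / sigma
        if abs(z) >= threshold:
            flagged.append((metric, round(z, 1)))
    return flagged


if __name__ == "__main__":
    profile = build_profile(BASELINE)
    # Constructed reading: everything normal except a surge in outbound traffic.
    suspect = {"cpu_pct": 13, "mem_used_mb": 1505, "disk_iops": 42, "net_out_kbps": 900}
    for metric, z in find_deviations(profile, suspect):
        print(f"{metric}: {z} standard deviations from baseline")
```
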

Make no mistake: This is the largest security issue of 2015. Unlike Windows XP machines that were general workstations protected by a network and firewall, services running on WS2K3 are directly exposed to the Internet. This situation is significantly more dangerous.

Sometimes nagging is necessary. This is one of those times.

Ian Trump is Security Lead at MAXfocus, a global provider of cloud-based IT security and management solutions for the world’s largest community of MSPs.
