Windows Server 2003's Death Is Fast Approaching
Don't expect Microsoft to help you keep the aged server OS secure after July 14, 2015.
- By Greg Shields
The end is near for Windows Server 2003. While mainstream support ended more than four years ago, the OS has remained on "extended support" ever since, meaning Microsoft has provided only security updates.
You might think Microsoft pushes those updates out only when absolutely necessary. Yet surprisingly, some organizations still have systems running Windows Server 2003, even as the clock ticks closer to an untenable future of zero support and fantastically increased risk of compromise.
The impending death knell of any technology makes for great scary, click-friendly headlines. This encroaching deadline, however, has got some teeth to it that bears thinking carefully before choosing not to do anything.
This year, Microsoft released 37 critical updates for Windows Server 2003 and Windows Server 2003 R2 during 2013 alone. No security updates means no solution -- whatsoever! -- should some enterprising malware author find a nasty vulnerability to exploit.
The "You'll have no safe haven!" argument is admittedly a bit of playing security boogeyman, but it goes without saying that some risks sometimes are not worth taking.
Arguably more important about the imminent day of reckoning of Windows Server 2003 is the impact on compliance. A few hundred days from now, and all at once, every single Windows Server 2003 machine will cease to pass a compliance audit. Depending on with whom you're being compliant, that day could mean a termination of business with key partners and increased scrutiny by regulators.
What Migration Means
I noticed some curious figures in a recent Microsoft presentation on migrating off Windows Server 2003. The presentation offered some "optimistic estimates" for the number of days required to complete a server and application migration off the old OS. It suggested 200 days were necessary for just the server piece and 300-plus days for the application piece.
We're well within that range today, a reality that can make you sick if you've waited this long to get started. So, what defines a migration? With all the doom and gloom, what's needed to actually fix the problem? That same Microsoft presentation offers a four-step plan for getting off the aging OS. It suggests starting with a Discover phase by creating a catalog of the applications and services you have.
The Assess phase comes next, where decisions are made about what to do with the applications and workloads you find. Some can be migrated as is. Others will need to be repaired, rewritten or refactored. Even others can be "shimmed" into functionality using the diminishing set of Microsoft and third-party solutions still on the market. The worst offenders might be virtualized and "sandboxed," buried deeply beneath multiple layers of network and other security protections. Doing so might keep the app alive and on life support until a long-term fix can be ascertained.
Target is the suggested third step. In this step, an acceptable destination needs to be found. It's here where Microsoft's marketing machine dials up the knobs to 11, suggesting loudly that Windows Server 2012 R2 is only one of the variety of targets now available. Microsoft Azure and its services are becoming ever more a likely candidate, as is the Microsoft cloud OS network of cloud services providers. Even Office 365 gets a nod as a possible solution, because some apps might just be better as Office or SharePoint apps once you really start considering what tasks they were originally designed to support.
The fourth step in the Microsoft migration process is simply... Migrate. Or, what might be better called Do Something! That's the real gist of the entire Microsoft migration campaign: Some people haven't done anything, and now here you are. If you don't act soon, the problem is only going to get worse.
Perhaps that's a hard line to take. I fully anticipate the variety of reasons not to act that'll surely make their way into the online comments.
I welcome the debate. Explain your vendor lock-in problems, their nonexistent support, your lack of political will, all the usual reasons why not to get started. That end of support deadline will still be coming. Are you prepared?
About the Author
Greg Shields is Author Evangelist with PluralSight, and is a globally-recognized expert on systems management, virtualization, and cloud technologies. A multiple-year recipient of the Microsoft MVP, VMware vExpert, and Citrix CTP awards, Greg is a contributing editor for Redmond Magazine and Virtualization Review Magazine, and is a frequent speaker at IT conferences worldwide. Reach him on Twitter at @concentratedgreg.