Windows Server 2003 Loses Product Support
Windows Server 2003 died today as a product, but not necessarily in the hearts and minds of IT pros, nor in the networks they manage.
The July 14, 2015 product lifecycle end date signifies the end of "extended support" for Windows Server 2003. Also losing extended support on this day is the successor product, Windows Server 2003 R2. The end of extended support essentially means that Microsoft won't patch the product when something's amiss, and it won't issue security updates for the product.
In addition, Microsoft announced back in January that it was planning to stop issuing antimalware definitions designed for Windows Server 2003 on this day. While Microsoft had extended issuing antimalware definitions for Windows XP for a while after the end of XP's product lifecycle, it hasn't done the same thing for Windows Server 2003. In fact, Microsoft also stopped issuing antimalware definitions for Windows XP on July 14.
Windows Server 2003 had a 12-year lifespan, but today it's considered by Microsoft to be an "unsupported" product. There's one exception, though, for those organizations that have established a "custom support" agreement with Microsoft. A custom support agreement provides limited custom patching for a year's term. It's reputedly an expensive option, estimated at $600 to $700 per Windows Server 2003 Standard edition license, and the costs are also said to double each year.
It's not clear how many organizations will continue to run Windows Server 2003, despite its exit from Microsoft product lifecycle support policy. Last year, Microsoft estimated that there were 15 million physical servers worldwide running Windows Server 2003. It takes about 200 days to migrate Windows Server 2003, from planning to completion of the project, Microsoft has indicated. The key stumbling blocks for organizations, though, include application remediation issues, 32-bit to 64-bit hardware issues and the general adage of most resource-strapped IT departments that if things aren't broken then they shouldn't be fixed.
Compounding the issue is that there is no direct upgrade path from Windows Server 2003 to Windows Server 2012. The upgrade process is complex, with various server roles having to be moved, including Active Directory, Domain Name Server, Dynamic Host Configuration Protocol, Print, File and Internet Information Services.
Organizations electing to continue with Windows Server 2003 may face potential compliance issues. For instance, PCI and HIPAA have requirements for servers to be patched and in a compliant state. The alternative is to have a "compensating control" in place, such as whitelisting applications. Companies such as Bit9 claim to have an alternative to static whitelisting, as argued in its white paper, "Procrastinators Guide to Windows Server 2003 EOL" (signup required).
Microsoft issued a single blog post today noting the end of Windows Server 2003 product support. The server exited its product life with little fanfare, although Microsoft had issued plenty of warnings along the way. The company's main advisory is this portal page, which recommends moving to Windows Server 2012 R2 and/or tapping Microsoft's cloud-based services.
Despite the warnings, IT pros who continue to run Windows Server 2003 have some arguments. They view Windows XP's loss of extended support as being more of a crisis than that of the server. Windows XP users connect to the Internet, creating a vector for malware. In contrast, Windows Server 2003 typically sits behind a firewall and isn't typically used to connect with the Internet, so it's less exposed. Windows Server 2003 might be used to run a line-of-business app that can't be upgraded for some reason. For these IT pros, Windows Server 2003's product support end is viewed as somewhat of an artificial crisis.
Impartial analysis from consulting firms such as Gartner Inc. has noted that the end of patching support could lead to functional problems or "incorrect operation of a system," but that's a lower risk than security patch issues. Gartner views the lack of patch support as exposing "vulnerabilities" that could be exploited by hackers. Gartner researcher Carl Claunch indicated in an overview publication that virtualization could be used to ward off attacks to a degree, but it still doesn't address the fundamental problem that "no practical fix can be made" to Windows Server 2003 systems past their product lifecycle end.
Microsoft, in contrast, doesn't advocate virtualizing Windows Server 2003 at all as a solution for its lifecycle end. For instance, Redmond magazine's February cover story cites Mark Linton, senior director of portfolio and product management in the Microsoft Worldwide OEM division, as not favoring that approach:
If you put it in a virtual sandbox and say, "If I whitelist the app running on top of it, it may make it more safe," but the answer is it isn't safe. There are different vectors at which security exploits can come in. They can come from the network layer through the app layer. We really don't recommend that approach.
Microsoft Tools and Tips
Microsoft's main advice is to run some of its free tools to help with planning Windows Server 2003 migrations, although organizations were supposed to have executed the necessary steps before the July 14 product end date. The main tool is the Microsoft Assessment and Planning Toolkit for discovering servers in a network and the Application Compatibility Toolkit for addressing application compatibility issues, as noted in a recent Microsoft blog post. However, if those tools were easy to use, then Microsoft's partner offerings might be slender. Instead, various discovery tools are available, including Dell ChangeBASE and Lakeside Software SysTrack, among others. Third-party migration tools include Dell ChangeBASE, Citrix AppDNA, AppZero and BlueStripe, among others.
Microsoft also has an online tool called the Migration Planning Assistant. It will offer partner support suggestions after running it.
For those IT pros with time to read, Microsoft has published some general "best practices" for Windows Server 2003 migrations in a six-part Server & Cloud blog post series. The series can be found here, with the first post occurring on Aug. 26, 2014.
Microsoft's MVPs also have provided plenty of advice. Step-by-step guides for Windows Server 2003 migrations were posted in CanITPro TechNet blog posts by MVPs Anthony Bartolo, Dave Kawula, Dishan Francis and others. The guides include steps on migrating specific server roles to Windows Server 2012 R2.
So, there's been plenty of advice, as well as even a US-CERT warning for organizations to migrate off Windows Server 2003. In the end, though, Windows Server 2003 likely will continue to be used in organizations. Recent analysis by CloudPhysics is projecting that Windows Server 2003 may continue to run in organizations for as long as three years past its product end date, which is today.