Windows Server 2003 doesn’t owe anyone any favors. It has been serving us well for a long time. First released to in April 2003, it had its final major release as Windows Server 2003 R2 in March 2007. On July 14th 2015, Microsoft will end the Extended Support period for all versions of Windows Server 2003. After this time, there will be no more security fixes released for the Windows Server 2003 family of products. Mainstream support for the product ended in July 2010. The Extended Support period that has been in operation since that time provides the following:
- Paid Support
- Security Updates
- Knowledge Base articles and support site access
- Non-Security hot fix support (if purchased before October 11th 2010)
For most organizations, the important item on this list will be the security updates. At present, Microsoft is issuing general fixes for security vulnerabilities discovered in Windows Server 2003. These will end on Tuesday, July 14th, which will be the last ‘Patch Tuesday’ that might contain general security fixes for vulnerabilities discovered in any Windows Server 2003 version. This means that any issues that are discovered after July will not be fixed. Recent security issues, such as ShellShock and HeartBleed, have shown that vulnerabilities can remain in software stacks for a long time before they are discovered. Who knows what could be lurking within the Windows Server 2003 network stack?
This is a problem. Estimates vary about how many instances of Windows Server 2003 are still in production use. Gartner estimates that as of early 2015, there are 8 million Windows Server 2003 servers still in use. They also postulate that 1.6 million of these servers will still be in production past the Extended Support end date. That’s a tempting target for attackers if a new vulnerability is found in Windows Server 2003.
There is still time to migrate services and applications off your Windows Server 2003 legacy servers. Now is the time to take a look at modern options to replace them, such as implementing a virtualised or hybrid cloud based infrastructure with Microsoft Hyper-V, Microsoft Azure, Office 365, or VMware vSphere and vCloud offerings, for example.
If the Windows Server 2003 servers are providing base network services, such as DNS, Directory Services, or file storage, then migrating to Windows Server 2012 R2 should be relatively straightforward. Make sure you consult the Microsoft documentation or your Microsoft Partner to find out about any issues when moving from the Windows Server 2003 version of Active Directory to the current version.
If the servers are running applications on top of Windows Server 2003, then migration could be trickier. Consult with the suppliers of the applications to get their recommendations on migrating to a later version of Windows Server. Again, this would be a good opportunity to see if the application vendor has a Cloud based replacement. You may not need to replace the server at all. Move the application data to the Cloud version and get all the benefits of Cloud services, plus one less server to manage in house.
The end of security support for Windows Server 2003 can present an opportunity to provide significant business value. Move the services and applications to modern infrastructure. Free up your IT staff to work at providing new services for the business, rather than keeping legacy systems running, and give them career enhancing experience on modern IT systems.