5 Security Risks Of Sticking With Windows Server 2003

It's The Final Countdown

As the days count down to the end-of-support date for Windows Server 2003, those who don't migrate in time will face significant security risks, vendors and VARs agree. Those initial security risks can snowball into bigger issues around compliance and competition that could cause fines and revenue hits down the road. With a migration process that can take months, security experts recommended starting sooner rather than later to move systems off of Server 2003 to minimize the risk. Here are five risks that those who decide to stick with Server 2003 will face after July 14.

5. Unpatched Vulnerabilities

At its most basic level, the end-of-support date for Windows Server 2003 means an end to regular patches for known vulnerabilities, resulting in an "elevated risk to cybersecurity dangers," according to a November US-CERT alert. For perspective, Microsoft issued 61 security bulletins for the technology in 2014 and has already issued 25 security bulletins since the beginning of this year.

"Computers running the Windows Server 2003 operating system will continue to work after support ends. However, using unsupported software may increase the risks of viruses and other security threats. Negative consequences could include loss of confidentiality, integrity, and or availability of data, system resources and business assets," the alert said.

4. Old Malware

It's not just new malware threats that face those who don't upgrade from Server 2003. There are also old, lingering threats that have been upgraded to exploit the systems, security experts said. That is a trend that has been seen again and again in the security industry as businesses and users continually fail to take measures to wrap secure policies around their systems, said Chris Strand, senior director of compliance programs for Bit9 + Carbon Black.

"You still see it even now, and I believe we will continue to see it," Strand said. "That has to change."

3. Compliance

While compliance is not a security vulnerability in itself, businesses that must comply with PCI, HIPAA and other regulatory compliance standards face an extra security challenge by not upgrading from Server 2003. Because security and compliance are usually tied tightly together, opening a major security vulnerability in a company's environment could automatically violate compliance regulations and put the company in danger of earning a hefty fine.

"[Not upgrading] makes it a very easy target for people to gain entry to your data through these services," Steve Andrews, consulting manager and senior solutions architect at Perficient, said. "When you've got these compliance environments and [are] looking to pass that audit, of course [a system running Windows Server 2003] is going to straightaway fail."

2. Opening The Floodgates

The big-picture challenge for companies is that Windows Server 2003 vulnerabilities open the door for threats to the rest of the environment, security experts agreed. That means that other areas that are thought to be secure might no longer be, they said.

"If there's a breach in one of those dozens of dozens of applications [running on Server 2003] that could be exploited, then that could be, in effect, passed on to enterprise applications that could be secure," Samad Ali, vice president of HP Solutions at Logicalis U.S., said. "From that perspective, what you've done is give an 'in' to your entire ecosystem, even though on the individual level you have security on the application stack."

1. Compatibility Issues

In its alert, US-CERT warned that not upgrading from Windows Server 2003 could cause software and hardware compatibility issues, as most new applications will not be built for the operating system. From a security perspective, that lack of compatibility can cause problems, as older apps will need to be carefully isolated from the rest of the environment in order to be secure. From a business point of view, that can also put a company at a competitive disadvantage if it chooses not to upgrade to newer application technology.