Deadline Day: Microsoft Partners Brace For Windows Server 2003 Security Fiasco

With Microsoft's end-of-support deadline for Windows Server 2003 finally here, solution providers say millions of customers have left themselves wide open to security breaches.

Alan West, founder and chairman of XMS Solutions, an $8 million Henderson, Nev.-based Microsoft Gold partner, says he views the end of support as "an attack vector" for hackers and cyberterrorists. He estimates that about one-third of his customer base is still running Windows Server 2003.

"It actually is a big deal," he said. "You need to get [Server] 2003 off the network. If you have [Server] 2003 on the network, it will be a jumping-off point [for hackers]. Hackers will know of Server 2003 weaknesses because of vulnerabilities identified in 2008 or 2012."

West says he views the services surrounding Server 2003 migrations as being worth millions to his company.

"Server 2003 opportunity goes way beyond the initial upgrade," he said. "Honestly, I think it'll be a boon to our business. We'll benefit from it in the short term as well as years to come. ... I would expect it to add 33 percent to 50 percent of our otherwise anticipated revenues from this opportunity."

Cyberthreats are accelerating, West said, and they don't just endanger the U.S. government -- the threat is real to businesses of all sizes.

"To have a weakness like that is a serious thing," he said. "Those machines need to be replaced."

And, because Microsoft will no longer issue patches to keep outdated software protected, the risk of a security breach rises. There were 37 critical updates released in 2013 for Server 2003, an average of just more than three per month, according to Microsoft, Redmond, Wash. If an operating system is no longer supported, it also fails to meet both PCI and HIPAA compliance standards.

Because there will be no patches released for Server 2003 going forward, any security flaw that is found will be a window of opportunity for hackers, West said. If a patch is released by Microsoft to fix a weak point in Server 2008 and Server 2012, West said it is more than likely that the same weakness can be found in Server 2003.

XMS Solutions doesn't have any customers that don't plan to eventually migrate, but some are going through the long process of upgrading their systems, said West. The predominant issue, according to West, revolves around older applications that run on 32-bit architecture. Development for many of these applications has been discontinued, meaning they cannot run on Server 2008 or Server 2012, which feature 64-bit platforms. West said these customers are then forced to upgrade to all new applications, but they do understand that they need to make the move and are "rolling the dice" the longer they wait.

The second biggest issue customers face is budgetary concerns, as many find they have to replace their hardware in addition to software, especially for international businesses, said West. Some of XMS Solutions' customers are multinational and are facing delays caused by issues with foreign embassies. These customers are missing the end-of-support deadline, West said, but have been working on the migration process, which he estimates will take about six months.


"I think there will be a lot of 'oh my god' moments," said Stephen Monteros, vice president of business development and strategic initiatives at Sigmanet, an Ontario, Calif.-based Microsoft Gold partner. "We're seeing [Server 2003] out there and [clients] don't even realize they have it."

Sigmanet runs assessments for mid- to large enterprise customers, and Monteros said some customers were completely unaware they were running Server 2003 on some networks. After being informed of the risks, however, the customers are going ahead with the upgrade, he said.

"Larger organizations are running a business, and this would be a big risk," he said. "Not mitigating it is not an option."

For small businesses, Monteros believes a large part of why users are missing the deadline is that they are being caught unaware.

"I think there will be a lot of people that won't do it in time," Monteros said. "It's a lack of knowledge and not realizing this has to get done. It's about people not being as well informed, and [they] physically don't touch it every single day. With XP, people knew it because they touch it and see it every day. Server 2003 doesn't come up every time you boot the machine."

"The risk of not patching vulnerabilities, it could put you out of business," said Douglas Grosfield, president and CEO of Xylotek Solutions, a Cambridge, Ontario-based Microsoft partner. "Well over 95 percent of businesses that experience a catastrophic data loss don't survive another year in business. If you're exposing yourself to catastrophic data loss, it's unacceptable to your business. You look at the number of vulnerabilities discovered every month and attacks on those vulnerabilities -- security is a multilayered approach and your network OS is a big part of that. It holds all your intellectual property. All the data of your organization."

About 10 percent of Xylotek's customer base has yet to migrate from Server 2003 for a mix of reasons, according to Grosfield. And it's not uncommon for businesses to delay the upgrade as long as they can, he said.

In many instances, he said he runs into a "forklift upgrade" as businesses have to upgrade both their software and hardware in order to upgrade to a new operating system. A client may use software that can't run on Server 2012 or even Server 2008, and in many instances their hardware might not support the newer operating system either.

"You'll also have companies that will continue to use it despite all common sense," Grosfield added, noting that he sees some companies still using Windows XP.


Microsoft said there were roughly 23.9 million instances of Windows Server 2003 worldwide, both physical and virtualized, at this time last year. AppZero, a vendor that specializes in Server 2003 migrations, estimates that there are still 11 million to 14 million instances running today.

"Microsoft said last year this would be a $45 billion services opportunity, and we assumed that opportunity would come over the course of the last year," said Adine Deford, CMO and vice president of channel development at Andover, Mass.-based AppZero. "It's just been the tip of the iceberg. Most people since then still haven't upgraded."

AppZero recently conducted a survey in which it polled more than 100 of its system integrator partners who are dealing head-on with Server 2003 end of life. In the survey, AppZero found that about 50 percent of businesses still running Server 2003 are doing so because they did not plan for it or failed to prepare a budget for the migration.

The survey also found that 25 percent of customers will migrate in the second half of this year, while 33 percent have started the migration process but will not be able to complete it by the end-of-support date. The survey also found that 19 percent of customers do not plan to move off Server 2003 despite the lack of support.

Executives from Jersey City, N.J.-based global managed services provider Datapipe said about 10 percent of the company’s customer base -- midsize and smaller clients -- will not meet the end-of-support date.

"We have a fair number [of clients] that just have not been responsive to our numerous inquiries about upgrading," said Todd Smith, product manager at Datapipe. "There's a very small percentage that, for whatever reason, maybe they just don't have any plans to upgrade. We don't have a lot of transparency into those. For those we have been engaging with, it generally equates to some sort of difficulty in terms of resources or re-architecture or application development that they don't have the capabilities around."

A common misconception surrounding Server 2003 is that companies that have yet to migrate from the dated operating system are all SMBs. There are some large enterprise businesses that are laggards as well.

Just a week prior to the deadline date, Datapipe's Smith said his company is competing for the business of servicing some companies with "large names you'd recognize" that are still Server 2003 users.

"I don't know a lot of the details on why they still have hundreds of servers that are still [Server] 2003," Smith said. "But they do have a plan to migrate them; they just haven’t executed it yet."

In terms of its current client base, however, Datapipe is in regular contact with its large enterprise clients and they are not lagging behind.

"I do think that in general there are some big activities out there around this migration," said Datapipe CTO John Landy. "We have a handful of larger deals that are there. I do think it's still driving business, it's just I would call it driving business with laggard teams that basically haven't been working with service providers. In general, the opportunities are still large and they are spanning [across businesses of all sizes]. … We're still seeing it and have a few pretty big opportunities where there are environments that really need some management."

Larry Gold, owner of Computer-EZ in Mendon, Vt., which services small-business clients in the region, said 10 percent of customers are missing the deadline date, which is why he has been reaching out to them.

"The lack of security is a pretty serious thing," said Gold. "That is the biggest part that could push people to make the move. For me, the real issue is security updates. Things will happen, and hackers will start coming after exploits that we find. It's being penny wise and pound foolish."