WinServer 2003 end of support is only days away: What CISOs should do

CISOs have learned to resist the siren call of vendors when they issue new versions of software, understanding that added capabilities have to be needed to justify the expense. However, there’s a point when venerable applications have to be cast aside. But it appears that organizations are still taking chances by running hardware with Windows Server 2003, although Microsoft will stop issuing security patches next week.

In April, integration firm Avanade — which is partly owned by Microsoft — issued a study showing that half of Canadian firms still had at least one server running the OS, and there’s no reason to believe that number is in single digits now.

That doesn’t mean they are running critical systems in production, but it’s still a risk.

So here’s a reminder: The last critical security patches will be issued July 14. Do something, because every day after that the odds increase that an attacker will take advantage of unpatched vulnerabilities — as they did when support ended for Windows XP.
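The first practical step behind “do something” is knowing how many Server 2003 hosts are actually still on the network, and which of them are live rather than forgotten directory objects. The following is an added example, not code from the article or from Microsoft: it uses the ActiveDirectory PowerShell module (RSAT) to list domain-joined computers whose OS attribute still reports Windows Server 2003, separates hosts seen recently from ones that have not logged on in 90 days, and writes the inventory to a CSV. The module being installed, read access to computer objects, the 90-day window and the output path are assumptions.

```powershell
# Added example (not from the article): inventory domain-joined computers whose
# operating system attribute still reports Windows Server 2003.
# Assumptions: the ActiveDirectory module (RSAT) is installed, the caller can read
# computer objects, and the CSV path below is a placeholder to adjust.
Import-Module ActiveDirectory

# Last day of critical security patches for Server 2003, as stated in the article.
$endOfSupport = Get-Date '2015-07-14'
$staleWindow  = (Get-Date).AddDays(-90)   # assumption: 90 days without logon = likely stale object

$legacy = Get-ADComputer -Filter "OperatingSystem -like '*Server 2003*'" `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate, IPv4Address |
    Select-Object Name, OperatingSystem, OperatingSystemServicePack, LastLogonDate, IPv4Address,
        @{ Name = 'DaysPastEndOfSupport'
           Expression = { [int]((Get-Date) - $endOfSupport).TotalDays } }

# Hosts that have not logged on recently may be stale AD objects rather than running
# servers; report them separately so the live Server 2003 estate is not overstated.
$live  = @($legacy | Where-Object { $_.LastLogonDate -and $_.LastLogonDate -gt $staleWindow })
$stale = @($legacy | Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -le $staleWindow })

"Live Server 2003 hosts: $($live.Count); possibly stale AD objects: $($stale.Count)"
$live | Sort-Object LastLogonDate -Descending | Format-Table -AutoSize

# Placeholder output path; the CSV is the list to hand to the migration or isolation project.
$legacy | Export-Csv -Path 'C:\Reports\server2003-inventory.csv' -NoTypeInformation
```

The OS attribute in Active Directory is self-reported by the machine and only covers domain members, so the result is a lower bound; cross-check it against vulnerability-scanner or asset-management data before treating the count as complete.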

“There’s not going to be an immediate risk,” Karl Sigler, threat intelligence manager at Trustwave, said in an interview. But, he added, “it’s going to be a slow crawl towards insecurity. Every month that goes by where critical vulnerabilities are discovered, they are going to go unpatched.”

Microsoft will continue support for the OS — for a fee: US$600 per server in the first year.