Windows Server 2008 End of Life — Ways to Keep Using It Safely
From IT Pro Today
Windows Server 2008 end of life has finally passed its last incarnation. Some IT operations will still have servers running it, though, since some industry- or workplace-specific applications don’t work and play well on more recent Windows Server offerings. This means these shops are especially vulnerable to new security threats aimed at unsupported operating systems.
Microsoft isn’t entirely abandoning those still dependent on Windows Server 2008. For three more years, users can continue to receive support by taking advantage of Microsoft’s Extended Security Update program, which promises to supply “critical” and “important” security patches to those with active Software Assurance or subscription licenses. With a few restrictions, the program is also available to those still using SQL Server 2008, with patches limited to “critical” updates.
Extended Security Update is expensive, however, coming in at “75% of the full license cost annually,” according to Microsoft. That would represent a broad range of pricing, since licensing costs for any Windows Server version vary widely across different editions. When Windows Server 2008 R2 hit the market, for example, a license could be as inexpensive as $469 yearly for the Web Server edition, or as expensive as $3,999 for the Enterprise edition.
For those who want to consider support options beyond the Microsoft offering and want to keep their instance on-premises instead of lifting and shifting to the cloud, there is only one solution that fits the bill.
A Third-Party Solution
0Patch (as in “zero-patch,” and not to be confused with Oracle’s OPatch utility) is a service of Slovenia-based Acros Security that typically supplies security fixes to companies running currently supported versions of Windows. The fixes either address critical zero-day exploits that haven’t yet been addressed by the vendor or serve as a stopgap measure while vendor-supplied patches are being tested.
0Patch will keep some no-longer-supported software, including Windows Server 2008 as well as Windows 7, patched against security issues at a cost of a little over $25 annually per machine, with volume discounts starting at 20 computers.
Acros CEO Mitja Kolsek told us that while some of the patches might be based on vendor-supplied patches, “We create a lot of patches ourselves.”
“While having access to a vendor’s patch is helpful in determining what the original developers thought was the best way of fixing the vulnerability, we often fix in a different way to minimize the code we change,” he said. “Sometimes our fix is also better than the vendor’s.”
In addition, he said, the company has fixes for some security issues that have yet to be patched by Microsoft.
The company’s reason for needing to “minimize” the changed code might be something that potential users want to consider before …