Cybersecurity at Core of Windows Server 2008 End-of-Life Considerations
Windows Server 2008 and several other popular platforms are going to be retired on January 14, and Microsoft is tempting users to move to its Azure cloud by offering free extended support.
Windows Server 2008, despite its age, is still one of the most popular server platforms in use today. Recent market-share numbers aren’t available, but one Microsoft executive said last summer that the OS version still represents 60% of the company’s server install base.
Data centers still using this operating system can update, mitigate, or migrate to the cloud.
Updating to a more recent operating system is always a good idea, since there are usually significant cybersecurity benefits to being on the latest release. But not everyone is able to do that.
The other option is mitigation, such as adding extra layers of security around the old machines and paying for extended security updates (ESU). ESU will cost a bundle though — about three-quarters of the cost of the annual license itself.
But Microsoft also offers a third option: Keep Windows Server 2008 but run it in Azure and get three years of ESU for free.
The Risk of Staying Put
“Unfortunately, there are plenty of commercial applications that will not work on newer server and workstation editions,” said Morey Haber, CTO at BeyondTrust, a Phoenix-based cybersecurity vendor.
And it’s not just software, he added. There might also be hardware compatibility issues, such as drivers that are not available for newer platforms.
But if these servers face the public internet, they will pose a significant danger to data centers.
“The next major vulnerability discovered that is potentially remotely exploitable will leave these devices susceptible to a wormable exploit with no remediation strategy,” Haber said.
That’s what happened with the WannaCry and NotPetya attacks, he said. “Organizations will have very few mitigation strategies to work with.”
Another security problem is that the older systems won’t be able to support new security standards for authentication and certificates, and may also put a data center in violation of regulatory requirements.
Given how widely deployed Windows Server 2008 is, there’s a lot at stake, said Satya Gupta, founder and CTO at Virsec Systems, a San Jose-based cybersecurity vendor.
“Inevitably, a huge number of these servers will remain online, many of them protecting aging infrastructure and health care systems,” he said. “Unfortunately, it will likely take another global security crisis, like WannaCry or NotPetya, before many of these stragglers catch up.”
Why Upgrading Isn’t Always as Easy as It Sounds
Some data centers might not have a choice about whether they upgrade, said Marty Puranik, CEO at Atlantic.Net, a Florida-based data center and cloud provider.
Atlantic.Net isn’t one of those data centers because it’s fortunate enough not to have any legacy applications.
The problem with upgrading operating systems is that sometimes an upgrade can break a mission-critical application, he said. Plus, if a system is running, is stable, and works, then there aren’t any obvious incentives to upgrade, especially when there are plenty of more urgent other tasks for data center managers to worry about.
In fact, a Windows Server 2008 system may be running better than newer machines, because there’s less demand for those resources.
“Those servers are lightly loaded, because everything that can be moved off has already been moved off,” he said.
Other times, the data center itself might not have any control over what operating systems are used on the servers, because those servers belong to …