Businesses need to act now on Windows Server 2003

Support for Windows Server 2003 ended on July 14th, 2015. This means that Microsoft won’t patch or update this software – no matter what bugs or security holes are found. The remedy may seem simple: update to newer software that is supported with regular patches. But as with all simple solutions, it turns out to be more complicated than that.

Businesses that have been around for a while may be using applications that are difficult to migrate to newer, 64-bit systems. The reason for this is not so much the older, 32-bit application, but the even older 16-bit DLLs these applications use that simply won’t work in a 64-bit environment.

Other problems might be applications built on older versions of Internet Information Services (IIS), or even on Microsoft FrontPage Server Extensions that require legacy versions of Internet Explorer. Upgrading to new software is no good if it won’t support legacy applications that are still in regular use.

But the issue of Windows Server 2003 is now an emergency. A new vulnerability has been disclosed, and anyone looking to take advantage of it will have little trouble finding susceptible servers: with distributed computing, scanning every online server in a single hour is possible.

If you have a Windows 2003 server exposed to the Internet providing Outlook Web Access, SharePoint services or a website with FrontPage extensions, then a hacker could take over using code made available on a public forum.

So what should any business still using Server 2003 do? A plan needs to be put into place to move away from the system as soon as possible, but given this is a lengthy project, there is action that should be taken in the meantime.

Virtualise the Windows 2003 server: There’s a good chance that the hardware your Server 2003 machine is running on is nearing retirement. The first step is moving your 2003 Server off this ancient hardware and into a virtual machine, on a hypervisor such as VMware running on a robust 64-bit OS. The advantage of virtualising your old Windows 2003 server is that you can copy the VM onto another machine, or onto a robust laptop. This means you now have a development copy of the 2003 server on which to test changes before applying them to production, without the risk of pulling the production server down.

Secure the server: Remove and disable as many services and applications as possible. If you can remove it, then do so – AD, DNS, and DHCP should all be moved to a more secure platform. Ditch the likes of Adobe Reader, Java, Flash, QuickTime, and Shockwave unless absolutely necessary. By reducing the services and applications installed on the server, you reduce the “attack surface”. Once core network services are no longer on the 2003 Server, ask a couple of questions: What remains on the server that’s critical? And does any of this need access to the Internet? If not, secure it with a firewall rule and the problem is solved.

However, if the server has a legitimate need to be online, there is still more to be done. A firewall rule specifically identifying the source and destination for services like Electronic Data Interchange or API connections is vital, and a Geo-IP filtering capability is also advised – if your office is in Slough there is probably no need for Russia or China to be probing your business API.

Back up the Virtual Machine to the Cloud: If you cannot move away from Windows Server 2003, then even if you have done everything you can to reduce the attack surface, you’re still exposed. And that means you’re going to get attacked. Virtual machines are “just files”: if the server suddenly demands bitcoin to unlock thanks to a ransomware attack, simply roll back to an earlier backup.
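The “secure the server” and firewall steps above, as an added example that is not part of the article and not SolarWinds MSP’s own tooling: a cmd.exe script for the on-box part of the job on a Windows Server 2003 (SP1 or later) VM that has to stay reachable. It disables services an exposed server should not be running, turns on the Windows Firewall with its built-in exceptions cleared, re-opens only HTTPS and RDP scoped to named source addresses, and switches on dropped-packet logging so probes from unexpected sources show up. The service names, port numbers and address ranges are assumptions (RFC 5737 documentation ranges stand in for a real office address and EDI partner); substitute your own.

```batch
@echo off
REM Added example, not from the article: on-box hardening for a Windows Server 2003
REM (SP1 or later) VM that must stay reachable, covering the "secure the server" and
REM firewall steps. Run from an administrative cmd.exe after AD, DNS and DHCP have
REM been migrated off the box. The service names, ports and address ranges below
REM are assumptions (RFC 5737 documentation ranges stand in for real ones).

REM --- 1. Stop and disable services that have no business on an exposed server. --
REM Each name is only acted on if the service exists; confirm nothing critical
REM still depends on it before running.
for %%S in (RemoteRegistry TlntSvr SSDPSRV upnphost Messenger Alerter) do (
    sc query %%S | find "STATE" >nul && (
        echo Disabling service %%S
        sc stop %%S >nul 2>&1
        sc config %%S start= disabled
    )
)

REM --- 2. Turn the Windows Firewall on and clear its built-in exceptions. -------
REM exceptions=ENABLE is required so that the scoped openings added below apply;
REM the built-in service exceptions (file sharing, UPnP, remote admin, RDP) are
REM then switched off in one go.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL
netsh firewall set service type=ALL mode=DISABLE profile=ALL

REM --- 3. Re-open only what is critical, naming the permitted sources. ----------
REM Assumed: HTTPS for OWA/SharePoint reached only from the firm's own egress
REM address and the EDI partner's range; RDP only from the local management subnet.
netsh firewall add portopening protocol=TCP port=443 name="HTTPS - partner and office only" mode=ENABLE scope=CUSTOM addresses=192.0.2.10,198.51.100.0/24 profile=ALL
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM addresses=LocalSubnet profile=ALL

REM --- 4. Log dropped packets so probes from unexpected sources are visible. ----
netsh firewall set logging filelocation=%windir%\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE connections=ENABLE

REM --- 5. Capture the resulting state for the change record. -------------------
netsh firewall show config > %SystemDrive%\fw-after.txt
netsh firewall show state >> %SystemDrive%\fw-after.txt
echo Done. Review %SystemDrive%\fw-after.txt before putting the server back online.
```

Run it first on the copied development VM from the virtualisation step, and only then on production. The 2003 host firewall has no Geo-IP capability, so the country filtering and the same source/destination restrictions also belong on the perimeter firewall in front of the VM; the host rules are defence in depth, not a substitute.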

One estimate put the number of Windows Server 2003 instances on the day that support ended at 1.6 million. A Shodan.io search, which looks for internet-facing devices, found hundreds of thousands of devices that could be exploited by this vulnerability.

All businesses need to check that they are not one of these potential targets.

Ian Trump, Global Cyber Security Strategist at SolarWinds MSP.
