Security Windows IT

Ask Slashdot: Should We Expect Attacks When Windows 2003 Support Ends?

kooky45 writes: On July 14th 2015, Microsoft will stop supporting Windows 2003. If your company is anything like mine then they're in a panic to update Windows 2003 systems that have been ignored for years. But what will happen to Windows 2003 systems still in use after the cut-off date? Company Security warns us that the world will end, but they said the same thing when Microsoft stopped supporting Windows XP -- and yet we survived. Did you experience an increase in successful attacks against XP shortly after its support ended, or expect to see one against Windows 2003 this time round?

  • by plopez ( 54068 ) on Tuesday June 09, 2015 @09:58AM (#49875125) Journal

    People will ditch Windows.

    That was oblig. to get the ball rolling....

    • Re:Hopefully..... (Score:5, Insightful)

      by Penguinisto ( 415985 ) on Tuesday June 09, 2015 @11:00AM (#49875713) Journal

      Nah - they'll just firewall the crap out of them and not allow Internet access... just like they do with aging Solaris 8.x and AIX 5.x boxen.

      Seriously - there are probably untold hordes of NT 4 servers still grinding along out there.

      • Seriously - there are probably untold hordes of NT 4 servers still grinding along out there.

        By now it's probably difficult to find hardware with proper NT4 drivers that still functions... but, VMs. So, there are probably untold hordes of virtual NT 4 servers. They got sucked up into vmware at some point and will dwell there for evermore, until they eventually become part of skynet

        • by Scoth ( 879800 )

          I guess this would explain Windows 2000 (or was it XP?) still running on a garbage bin in Firefly, set sometime in the 2500s.

          • I guess this would explain Windows 2000 (or was it XP?) still running on a garbage bin in Firefly, set sometime in the 2500s.

            Most of the time, when I see Windows in public, it's because the application it was supposed to be running has crashed or has had focus stolen from it, or because the machine has bluescreened — you see that a lot in airports, talk about inspiring confidence when they can't even keep the schedule boards running!

            It's hard to imagine that actually being the case here, usually screens are inserted rather than being filmed these days. But I don't know. If it did happen, it would be funny to just go with it

• As a consultant, 4 years ago (2011) I found one client still running his whole office on an old NT 3.5 server. It hadn't been turned off or looked at in at least 6 years.

Most ATMs and Kiosks are still running Windows XP embedded. Even though there are other options now, most of these devices are still running on Pentium III chips. They can't run the newer software and few organizations are motivated to pay the cost to replace them with faster hardware and newer software...
      • Even internet access is okay, as long as you don't use any Microsoft client software. Which is no different from the "latest and greatest" version of Windows.

    • Yeah then they can all switch to Apple.

      Enjoy your locked down hardware/apps.

      • by plopez ( 54068 )

        For most users locked down hardware and apps is a good thing. I've seen enough damage done by marketing or management geeks to know that locking them out is a good idea. And Joe Random User doesn't care.

  • by gstoddart ( 321705 ) on Tuesday June 09, 2015 @10:04AM (#49875183) Homepage

    If within your corporate firewall you are having targeted attacks ... you might want to look at that.

    If you have machines you think could be especially vulnerable, you should probably be looking to harden them at least some.

    And if you have apps which are running on legacy stuff, you should be looking to upgrade, or see what hardening you can put around them (like put it behind a proxy or something).

    Just like before they go EOL, they're still your machines, and you're still ultimately responsible for them.

    I suspect most companies have been trying to plan around this for a while. And if they haven't ... well, then someone isn't taking responsibility for such things and you have other problems.

    It's not like this is coming out of the blue.

    • by Jhon ( 241832 )

      Most larger install bases have extended post EOL support though I'm unsure if 2003 will receive this extended support. We started migrating away from that years ago when most of our vendors stopped supporting it.

      There may be a lot of legacy apps that require 2003. Best bet is to get them on a VM and lock them up behind a firewall just permitting access needed and nothing more. We have a number of XP VMs for just that purpose.

      • by tlhIngan ( 30335 )

        Most larger install bases have extended post EOL support though I'm unsure if 2003 will receive this extended support.

        Yes, it will.

        Remember, July 2015 is when extended (security only) FREE support ends. For Microsoft, there are two dates - the first date is when feature support ends (no more new features will be added to the OS) - OSes like Vista and even 7 have already past this date or are approaching the date rapidly. Beyond that, is another period called extended support, where the OS only receives secu

    • We're in the final stages of retiring our Server 2003 servers. The big trick here is that we use NTFRS, and we're going to have to move to DFS. Other than that, it's been fairly seamless. We did the switch over to Exchange 2010 last year, with the expected headaches, but all in all, other than the awful cost of licensing, it's not been too bad.

• Yes exactly. We have mitigation plans that start with "turn off/retire unused systems" - followed by round up all remaining W2k3 machines and surround them with multiple levels of security devices.

      Mitigation plans are:
      * upgrade products to support newer OS when possible
* for legacy systems with no upgrade path (or kept for supporting older product) - surround with packet inspectors. Configure the system in the most secure method possible (e.g. Windows firewall)

      And have clear owners of the devices.
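The mitigation plan in the comment above (retire unused boxes, upgrade where a path exists, otherwise isolate behind packet inspection with the host firewall on and only the needed ports open, and give every box an owner) is easy to turn into a repeatable inventory check. The script below is an added example, not code from the thread or from any commenter; the host records, the 90-day "unused" threshold and the field names are constructed assumptions for illustration.

```python
"""Apply a W2k3 mitigation plan to a host inventory and report the action per host.

Rules (from the thread's plan): retire unused hosts; upgrade 2003 hosts that
have an upgrade path; isolate the rest (packet inspector in front, Windows
firewall enabled, no ports open beyond what the app requires); every host
needs an owner. All host data below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

UNUSED_DAYS = 90  # assumed threshold: no logons/traffic for this long = "unused"


@dataclass
class Host:
    name: str
    os: str
    owner: Optional[str]
    last_used: date
    upgrade_path: bool            # vendor supports a newer OS for this app
    behind_inspector: bool        # a packet-inspection device sits in front of it
    host_firewall: bool           # Windows firewall enabled on the box
    open_ports: Tuple[int, ...] = ()
    required_ports: Tuple[int, ...] = ()


def plan_for(host: Host, today: date) -> Tuple[str, List[str]]:
    """Return (action, findings) for one host. Action is one of
    'none', 'retire', 'upgrade', 'isolate'; findings are gaps to fix."""
    findings: List[str] = []
    if host.owner is None:
        findings.append("no owner assigned")
    if "2003" not in host.os:
        return "none", findings
    if (today - host.last_used).days > UNUSED_DAYS:
        return "retire", findings
    if host.upgrade_path:
        return "upgrade", findings
    # Legacy app with no upgrade path: it stays, so it must be isolated.
    if not host.behind_inspector:
        findings.append("not behind a packet inspector")
    if not host.host_firewall:
        findings.append("Windows firewall disabled")
    extra = sorted(set(host.open_ports) - set(host.required_ports))
    if extra:
        findings.append(f"ports open beyond requirement: {extra}")
    return "isolate", findings


def build_plan(hosts: List[Host], today: date) -> Dict[str, Tuple[str, List[str]]]:
    """Map host name -> (action, findings) for the whole inventory."""
    return {h.name: plan_for(h, today) for h in hosts}


# Constructed inventory; the 2015-07-14 date is the W2k3 end-of-support day.
TODAY = date(2015, 7, 14)
SAMPLE_HOSTS = [
    Host("fs01", "Windows Server 2003 R2", "ops", date(2015, 7, 9),
         upgrade_path=True, behind_inspector=True, host_firewall=True),
    Host("legacyapp", "Windows Server 2003", None, date(2015, 7, 4),
         upgrade_path=False, behind_inspector=True, host_firewall=True,
         open_ports=(80, 445), required_ports=(80,)),
    Host("oldprint", "Windows Server 2003", "ops", date(2014, 6, 1),
         upgrade_path=False, behind_inspector=False, host_firewall=False),
    Host("web01", "Windows Server 2012 R2", "ops", date(2015, 7, 13),
         upgrade_path=True, behind_inspector=True, host_firewall=True),
]

if __name__ == "__main__":
    for name, (action, findings) in build_plan(SAMPLE_HOSTS, TODAY).items():
        print(f"{name:10s} {action:8s} {'; '.join(findings) or 'ok'}")
```

The useful output is the `isolate` rows with non-empty findings: those are the boxes that will outlive support and are not yet locked down the way the plan requires (here, `legacyapp` has SMB open that the app does not need and nobody owns it).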

      • by mlts ( 1038732 )

        That is wise in any case. A machine running Windows Server 2003 is likely over the decade mark in age, and is a relative power hog compared to a modern server which can run the same OS [1] in a VM.

        For optimal security, the parent has it right, but I'd also P2V the instance of WS2003, and put it in a VM with archive snapshots and vShield in place. (vShield is useful because it can catch rootkits that might hide from the client OS, but can't hide from a hypervisor.) Plus, on a VM server, the WS2003 instanc

        • Yes true. In our case we haven't had a native OS on Hardware for over 8 years. VMware all the way!!

          But your suggestion is another tool in the mitigation toolbox. Move the physical to a VM.

          As old as these OSs are - they still work and chug along. I always say that software isn't like milk - it doesn't expire and go bad.

Even the VMs are behind Network Packet Inspectors. Actually - our whole DC is surrounded by at least one such ring of devices. My PC traffic goes through such a device to get to the servers insi

  • This is the year of the hacked windows server!

  • by Anonymous Coward

Isn't this a little like "Is another bus coming?" The answer is always yes.

    Do I expect attacks on any computer system ... yes.

    Do I expect it on a Windows based system ... hell yes

  • by Anonymous Coward

    Please don't take anecdotes like "XP was fine, 2003 will be fine" as a shield. It's security by obscurity of the worst kind. All it takes is someone a little interested in your corporate network to find the holes once and you're screwed. XP was "fine" simply because it is run on low importance systems. Server 2003 generally isn't so, for pity's sake, update now - preferably with something that updates organically rather than in huge quantum leaps that force you to re-evaluate everything.

    So no, you shouldn't

• most of the win 2003 servers are file and print servers, not directly hooked to the internet, for small and medium business. if the company has proper malware scanning, backups and archives it's probably not as big a deal as you stress puppies make it

• Nope. The end of the world bell was rung when XP Support ended, and nothing happened. I figure the same for 2003. We still have our main intranet site on 2003. The replacement plan is still 1-2 years in the works and requires an additional hire. It's internal only and doesn't face the outside world at all, so figure we're fine.
  • I hope you have some good phishing protection, and have your intranet behind a firewall even internally. A user can get phished, malware installed, and the malware goes after the 2003 box. It's all botnet automated too. Is your company running its own Exchange server? But even some of my clients run old server OSes. Many have been virtualized and the hardware long gone. Just last month I had to walk some Indian "admin" through installing IIS on win2k after its database app glitched the whole thing.
    • DMZ'd, and local firewall is on. Only traffic allowed is port 80. It's virtualized as well. There is absolutely nothing vital on it as well, and it's not even joined to our domain. So not much can crawl to it. I admit it's not perfect, something could still hit some old IIS vulnerability if we have an infected machine on our internal network. But all they'd get is some non-confidential manufacturing press status pages. We have a local exchange server, also DMZ'd, but it doesn't even touch the internet dir
      • I love virtualization. Saves so much time and money. My job uses ESX, in my home lab I have used Hyper-V mostly because work gives an MSDN account. VMware's 60-day trial limit has kept me from doing much with it at home outside of a base install, I've not found a similar "program" on their site.

          Your setup sounds "good enough" to not get flagged by automated bots...which IMHO is all most non-huge companies really need. Offsite backups of HR and accounting info just in case something does actually happen...
    • How do you know that nothing happened?
      I can assure you that any security breach in our company (we have moved off XP, by the way, so at least that is not an attack vector) would not be published anywhere. And I expect that is how most companies work.
    • Nope. The end of the world bell was rung when XP Support ended, and nothing happened.

      Way to prod the bear.

I figure the same for 2003. We still have our main intranet site on 2003. The replacement plan is still 1-2 years in the works and requires an additional hire. It's internal only and doesn't face the outside world at all, so figure we're fine.

      Yeah, you're right. It's only a server OS. Nobody ever puts anything important on those. It's just like XP.

    • Rather than respond to each comment I find this easier. My general thought process is there are bigger problems to worry about. I still have one 2003 system on my network, and 3 XP systems. All are secured to the point where they're as locked down as they can be. I'm less concerned with them, than users with brand new fully patched Windows 7 systems that managed to still get malware and viruses on their system, despite a locked down firewall that has virus and security filtering on, a virus and spam filteri
  • Not exactly... (Score:5, Insightful)

    by drinkypoo ( 153816 ) <martin.espinoza@gmail.com> on Tuesday June 09, 2015 @10:21AM (#49875337) Homepage Journal

    It's windows. You should expect it to be attacked in the highlands and the lowlands, near and far, to and fro, hither and yon... You should be expecting attacks right now, and you should also be expecting attacks after support ends.

    • It's windows. You should expect it to be attacked in the highlands and the lowlands, near and far, to and fro, hither and yon...

      Tell me why you shouldn't be treating any server OS the same way --- whatever its market share or geek cred.

      • Tell me why you shouldn't be treating any server OS the same way --- whatever its market share or geek cred.

        You should, Windows just gets more adjectives. A quick look around with a sniffer will show you that most of the attempts are windows-related, even the ones which hit your other machines.

  • If so, why do you expect to keep your job? Windows boxes that old should not be exposed to the world, especially if they are doing something important for the business.
    • by halivar ( 535827 )

      Because... reasons.

    • So you don't know how the real world is, such people will not only keep their jobs but get praised for any "heroic rescue" if cracked. You're enlightened now, you're welcome

    • by gstoddart ( 321705 ) on Tuesday June 09, 2015 @10:50AM (#49875635) Homepage

      What do you think the more likely explanation is ... the lazy tech people have said "oh, that'll be fine, what could possibly go wrong?" ... or that management has said "we have no money for such things, and we need to maximize executive bonuses this quarter"?

      My experience, with anything legacy anywhere, is it's often business decisions which leave legacy stuff doing important stuff, and it's business decisions why nobody can replace it. In a few cases, the sheer magnitude of replacing the system could significantly strain the company because it's an incredibly expensive undertaking.

      So, the people who expect to keep their jobs? Well, they're probably doing exactly what they've been told, and have already made this objection to management.

      People who like to blame the technical people for this usually don't know what the hell they're talking about.

      • by PRMan ( 959735 )
        We still had a Production SQL Server running on a Pentium 4 last year until I bypassed everyone and went directly to the CEO to tell him that 11 year old machines can crash at any moment. He immediately purchased a new server. I got in trouble for going around the process. You'd be amazed at what companies do.
        • You'd be amazed at what companies do.

          No, no I wouldn't. I stopped being amazed a very long time ago.

          I can periodically be appalled or outraged. But not amazed.

  • by Billly Gates ( 198444 ) on Tuesday June 09, 2015 @10:35AM (#49875487) Journal

    First, what kind of company doesn't have a budget set for lifetime for equipment?

Second, EOL means more than just Windows Update. It means no liability insurance, no PCI compliance if you take credit cards, no drivers, etc.

    Third, it means things like future versions of AD and software tools won't be compatible

    Last XP had 2 big attacks where MS had to break EOL to fix one.

You are IT and are responsible for keeping your skill sets and your employer's equipment up to date.

    • You're funny, the size of company that worries about PCI compliance is not the kind where most win 2003 is running.

      if employer doesn't want to spend money, then it won't get done. IT people still need their jobs even if their employer is like that. Stop talking big, you're not going to cough up money to solve anyone's problem

      • You're funny, the size of company that worries about PCI compliance is not the kind where most win 2003 is running.

        if employer doesn't want to spend money, then it won't get done. IT people still need their jobs even if their employer is like that. Stop talking big, you're not going to cough up money to solve anyone's problem

        I see so when shit hits the fan it will be on you! If you agree with this then you endorse it and are part of the problem. I would update my resume as it is a losing situation at this stage. Part of the job is selling to management.

      • I work for a company with over 21,000 employees, and several units have Windows 2003 servers that are being retired as we speak.
    • Third, it means things like future versions of AD and software tools won't be compatible

      Another thing that people don't think about that I think is important is, if you lag too far behind, the upgrade path gets pretty dodgy. This is more of a general rule, and not addressing the particular problem, but it's a good rule.

      Going from Exchange 2010 to Exchange 2013? Pretty easy. Going from Exchange 2000 to Exchange 2013? It might be possible by stepping through some other versions in the middle, but I don't want to do that upgrade. And that's a huge, ubiquitous, well supported app. If you st

      • Oddly incompetent management will do the headache from 2000 to 2013 and spend 6 figures on consultants then say NEVER AGAIN will we upgrade for the sake of upgrading!

        Cycle repeats even worse :-)

• so your answer is yes. All platforms of Windows are (is?) always under attack. Any product that ships with NSA_KEYS has been compromised before it even hit the market. It will be attacked more, yet its market share will decline and the OS will be less of a threat target. Only small businesses, criminals, and geeks will keep it running much longer, at least in any exposed mode. Most bigger corps have already transitioned to 2008/2012 for anything with a PAT/NATed port.
  • by dirk ( 87083 ) <dirk@one.net> on Tuesday June 09, 2015 @10:39AM (#49875519) Homepage

You won't see a huge influx of successful attacks right after support ends. I doubt people are sitting on 2003 vulnerabilities and not using them, just waiting for support to end. If they have them and they work, they would use them now when there are more targets and before someone else uses it and it gets patched. The issue will be when new cross platform vulnerabilities are found that work on 2003. Since those won't be patched, they will continue to remain vulnerable to them. But I don't imagine there will be a bunch of attacks on 2003 just because it leaves support.

    • by msobkow ( 48369 )

I disagree. You're going to see a surge because the crackers are presuming that anyone still running a 2003 system has also been lax about applying security patches -- and the odds are, they're going to be right, and they're going to get in.

    • by Reziac ( 43301 ) *

      It's been pointed out (I think correctly) that *the* major source of information for blackhats is the patches themselves. The patch info tells you what it fixes, and then it's relatively easy to reverse-engineer that patch -- and then you go looking for systems that haven't applied that patch, with full knowledge of exactly what to exploit. Patches function as signposts for vulnerabilities.

      Funny how after Win2K support ended, there wasn't a rash of new Win2K exploits. Same for Win98. Win95. Win3.x. And not

  • Wrong question (Score:4, Informative)

    by wonkey_monkey ( 2592601 ) on Tuesday June 09, 2015 @10:40AM (#49875535) Homepage

    Granted, the summary clarifies that it's talking about an increase, but...

    Should We Expect Attacks When Windows 2003 Support Ends?

    You should expect attacks now.

  • by nine-times ( 778537 ) <nine.times@gmail.com> on Tuesday June 09, 2015 @10:41AM (#49875537) Homepage

    But what will happen to Windows 2003 systems still in use after the cut-off date? Company Security warns us that the world will end, but they said the same thing when Microsoft stopped supporting Windows XP

Well the world isn't going to end even if you get hacked and your company goes out of business, so we're already in the realm of exaggeration. I think your question fundamentally misunderstands the nature of the problem. The issue is not, "Once the deadline passes, everything will suddenly and spontaneously explode." A big part of the issue is risk-- if there are any undiscovered vulnerabilities, those vulnerabilities will not be patched. Unless hackers have already stockpiled undisclosed vulnerabilities, it'll take some time for them to be discovered, and some of them won't be very serious or dangerous. However, any vulnerabilities that hackers know may not be discovered if there's less scrutiny, and it won't be fixed. This means an increased risk. That risk can be mitigated by shutting those machines off from the Internet. If you're going to do web browsing, using an up-to-date 3rd-party browser will mitigate the risk, assuming major browser vendors will support Windows XP.

    So how much of a risk, and how much of that risk can you mitigate? It's hard to say. You're trying to assess the risk of an unknown threat exploiting an unknown vulnerability over an unspecified period of time.

    To some extent, we deal with that kind of a risk all of the time. But here's the big difference: It won't get fixed. It might not seem like that big of a deal, and you might think, "We'll burn that bridge when we get to it." However, a huge, major vulnerability could be discovered tomorrow that makes your server open for any random hacker to take control of, and there will be no fix coming.

    Now think about that for a second. You have a company with servers running an unsupported operating system from more than 12 years ago. Obviously, they're slow to move. They're not free with their budget. Or maybe none of those things are the problem, but the real problem is that you have a huge legacy system that is impossible to upgrade, and so you've just been leaving it alone. Either way, there are reasons why upgrades have been so slow in coming. Do you think those problems are going to suddenly evaporate when there's a crisis? Do you think that company will make good decisions in a crisis, when their business-critical server is suddenly a free playground for hackers? Nope. They're likely to drag their feet and make wildly inappropriate decisions. When faced with a crisis, they'll make the same kind of bone-headed short-term decisions that got them into the mess in the first place.

    And that's the real problem here. It's not really a question about whether 2003 will be severely hacked in the next 6 months. The real question is, is your company thinking ahead, preparing, and making sensible decisions. If they are, they will have had a plan and a budget for replacing these servers, both because the OS is losing support, and because it's a >10 year old server. If you don't replace a 10 year-old server because it's working, and you don't have to replace it, that might be a sensible decision. If you have a 10 year-old server and you are unprepared for the possibility that you'll have to replace it, then you're not a competent IT person.

    • by Lumpy ( 12016 )

I bet they don't even have a good backup system in place.

    • by PRMan ( 959735 )
      Actually, in my experience, they will do nothing UNTIL they are hacked. Then, it's all hands on deck no expense spared until the problem is fixed. You just have to be ready as an IT professional to ensure that the problem is the old OS and the fix is the new OS (and new hardware if it's required for the new OS).
      • Part of my point is that yes, it's possible that a hack will cause management to respond, but they're just as likely to respond with something stupid. They'll have you trying to install Windows 7 on an old Windows 2003 server because "it's supported". Or they'll buy a new server, but they won't buy appropriate hardware. Or they'll hire an expensive consultant to provide a plan for resolving the "security issue", or they'll fire you for allowing the security breach, even though it was caused by their shor

  • by FaxeTheCat ( 1394763 ) on Tuesday June 09, 2015 @10:44AM (#49875589)
Block your 2003 machines from the network if you plan to keep them. That is what our security people will do.

    The date for end of support for 2003 has been known for like 10 years so there has been enough time to prepare for it.

    IT security is not about "what can we get away with". It is about being ready before the bad people strike. And they will. And you may not even notice.
    • by edis ( 266347 )

      Like bad people did not strike.
      Then, what a server that is out of network.

Of course, dangers will be increasing, but compromises are part of reality for a variety of reasons,
they may be preceding another support deadline more often than not.

  • by perotbot ( 632237 ) on Tuesday June 09, 2015 @10:50AM (#49875633) Journal
    Like XP, and NT and 2K before them, They've been in battle for over a decade, being attacked, patched, attacked, Service Packed. Not invulnerable because nothing is, but 2K3 is better than it was, that being said, having a Windows box exposed to the internet with no protection is flat out silly. Right tool, right job. Using a windows 2003 server to serve webpages on the internet is like using a 6 yr old to direct traffic. All the requisite parts are there, but the execution isn't the best.
  • Stop cheaping out on your IT.

    If you have a decent firewall and managed network you can make it secure if you have software that will not run on server 2008 or newer.

    If your company is just being cheap bastards, then you deserve all the hacks, viruses, and spyware you get.

    Most companies do not spend what they should on IT infrastructure or staff. It's not a luxury, it's a key part of your business. Business owners need to stop being drooling morons and spend the money.

    • If your company is just being cheap bastards, then you deserve all the hacks, viruses, and spyware you get.

Last summer I had an interview at a multi-billion-dollar corporation (that factoid got mentioned a dozen times over), where the IT department routinely had malware outbreaks and had to manually disinfect each system. I asked them why they weren't using the Malwarebytes Anti-Malware [malwarebytes.org] scanner to clean up their systems. The multi-billion-dollar corporation couldn't associate itself with a small company like Malwarebytes, as it would inflate Malwarebytes' valuation in the stock market. Hence, the techs spent more

    • You could use a VM as no hardware will support your decade old box when shit hits the fan.

      Capacitors last only so long.

Don't expect PCI liability insurance to cover you either if your EOL apps require 2003

• Most OS security vulnerabilities are irrelevant for the purposes of the server running specific internal apps. The server is going to be running behind a firewall that blocks everything but a couple of ports and sanitizes anything that comes through those. Employees are going to log in with 2 factor authentication before being allowed access. And you are smart enough to not browse warez sites with Internet Explorer from the server console, right?

    Of course if you run your network like Sony, you will probably ge

  • That's an easy one. It's all in the EULA, after all.

    "Fire and brimstone coming down from the skies! Rivers and seas boiling! Forty years of darkness! Earthquakes, volcanoes! The dead rising from the grave! Human sacrifice, dogs and cats living together... mass hysteria!"

• If a server is exposed online it's already being attacked, probably at random and not machine targeted. Whether the attack succeeds or how far in the attack gets is another matter and depends on firewall settings, honeypots, etc.
  • Security is not tangible. It is a feeling. You should always be expecting attacks.

  • by tlambert ( 566799 ) on Tuesday June 09, 2015 @12:07PM (#49876255)

    "Should We Expect Attacks When Windows 2003 Support Ends?"

    There's a bit of lag between the time Microsoft EOL's a platform, and their interns are able to start turning out exploits to force you to "upgrade" to their next platform in order to keep their revenue stream intact, so you'll have at least a medium sized window before you should start expecting attacks.

    As Microsoft gets better at producing exploits for their own operating systems before they announce an EOL event, expect things to improve, and the window to become narrower, to the point where they are able to release exploits the same day as the EOL date.

  • What is the point for attackers to continue attacking a Windows without support? They should all move along to newer versions,
    and that includes ceasing the use of any already compromised machines.

  • So there's a small subset of IT managers out there who get stuck with lousy budgets. I do a bunch of consulting and get into different businesses and some managers play a game:

    Step 1: ask for a bunch of money as a capex expense to migrate servers. Let that request get denied.

    Step 2: do it again the next year. Let it get denied again.

    Step 3: wait until it's absolutely critical - show management articles on the pending doom that will happen - request a lot more money.

    Step: Use all the extra money on all th

    • I saw a large site that had a lot of XP workstations and the IT manager didn't push too hard to get Windows 7 licensing. Right before XP went out of maintenance he got a large expense approved to not only upgrade to Windows 7 but to actually replace all of the workstations. I saw the same thing with Windows 2000 and a company using that as an excuse to get into virtualization and purchase all that hardware.

      Operating systems and hardware upgrades go hand-in-hand from my experience on a few PC refresh projects in recent years. Not a big surprise considering that the hardware that ran XP/2000 probably had a 32-bit processor, small hard drives and 4GB or less in RAM. It's cheaper to go with newer hardware than upgrading a system that's five or more years out of date.

  • So, is the implication here that Windows 2003 boxes are not, already, the subject of numerous attacks? Because, y'know, they definitely are and stuff. The main difference being that when they're out of support they won't have patches for all those attacks.

    XP boxes are often somewhat protected, as they're usually behind a firewall. Alas, phishing, worms, viruses, and other malware float around on internal networks all the time. If you've worked in security ops and have decent network instrumentation you

  • That's what we're going to be doing with a few 2003 servers, all but one already running as VMs and that last one likely to be converted in the next month or two.

    These are systems that need to be kept around for reference, old EMR or practice management systems where it wasn't feasible to export all data for import into a replacement system. Heck, in at least two cases I know of practices expressly deciding to not even migrate patient lists from an old billing/practice management system into a new EMR/PM sy
