Ask Slashdot: Should We Expect Attacks When Windows 2003 Support Ends?
kooky45 writes: On July 14th 2015, Microsoft will stop supporting Windows 2003. If your company is anything like mine then they're in a panic to update Windows 2003 systems that have been ignored for years. But what will happen to Windows 2003 systems still in use after the cut-off date? Company Security warns us that the world will end, but they said the same thing when Microsoft stopped supporting Windows XP -- and yet we survived. Did you experience an increase in successful attacks against XP shortly after its support ended, or expect to see one against Windows 2003 this time round?
Hopefully..... (Score:3, Funny)
People will ditch Windows.
That was oblig. to get the ball rolling....
Re:Hopefully..... (Score:5, Insightful)
Nah - they'll just firewall the crap out of them and not allow Internet access... just like they do with aging Solaris 8.x and AIX 5.x boxen.
Seriously - there are probably untold hordes of NT 4 servers still grinding along out there.
Re: (Score:3)
Seriously - there are probably untold hordes of NT 4 servers still grinding along out there.
By now it's probably difficult to find hardware with proper NT4 drivers that still functions... but, VMs. So, there are probably untold hordes of virtual NT 4 servers. They got sucked up into vmware at some point and will dwell there for evermore, until they eventually become part of skynet
Re: (Score:2)
I guess this would explain Windows 2000 (or was it XP?) still running on a garbage bin in Firefly, set sometime in the 2500s.
Re: (Score:2)
I guess this would explain Windows 2000 (or was it XP?) still running on a garbage bin in Firefly, set sometime in the 2500s.
Most of the time, when I see Windows in public, it's because the application it was supposed to be running has crashed or has had focus stolen from it, or because the machine has bluescreened — you see that a lot in airports, talk about inspiring confidence when they can't even keep the schedule boards running!
It's hard to imagine that actually being the case here, usually screens are inserted rather than being filmed these days. But I don't know. If it did happen, it would be funny to just go with it
Re: (Score:2)
Most ATMs and kiosks are still running Windows XP Embedded. Even though there are other options now, most of these devices are still running on Pentium III chips. They can't run the newer software and few organizations are motivated to pay the cost to replace them with faster hardware and newer software...
Re: (Score:2)
Even internet access is okay, as long as you don't use any Microsoft client software. Which is no different from the "latest and greatest" version of Windows.
Re: (Score:2)
Yeah then they can all switch to Apple.
Enjoy your locked down hardware/apps.
Re: (Score:2)
For most users locked down hardware and apps is a good thing. I've seen enough damage done by marketing or management geeks to know that locking them out is a good idea. And Joe Random User doesn't care.
By Betteridge's Law of Headlines: (Score:5, Funny)
Re: (Score:2)
"read last week's news today"
historical reference?
No matter the platform ... (Score:5, Insightful)
If within your corporate firewall you are having targeted attacks ... you might want to look at that.
If you have machines you think could be especially vulnerable, you should probably be looking to harden them at least some.
And if you have apps which are running on legacy stuff, you should be looking to upgrade, or see what hardening you can put around them (like put it behind a proxy or something).
Just like before they go EOL, they're still your machines, and you're still ultimately responsible for them.
I suspect most companies have been trying to plan around this for a while. And if they haven't ... well, then someone isn't taking responsibility for such things and you have other problems.
It's not like this is coming out of the blue.
Re: (Score:2)
Most larger install bases have extended post EOL support though I'm unsure if 2003 will receive this extended support. We started migrating away from that years ago when most of our vendors stopped supporting it.
There may be a lot of legacy apps that require 2003. Best bet is to get them on a VM and lock them up behind a firewall just permitting access needed and nothing more. We have a number of XP VMs for just that purpose.
Re: (Score:2)
Yes, it will.
Remember, July 2015 is when extended (security only) FREE support ends. For Microsoft, there are two dates - the first date is when feature support ends (no more new features will be added to the OS) - OSes like Vista and even 7 have already passed this date or are approaching the date rapidly. Beyond that, is another period called extended support, where the OS only receives secu
Re: (Score:2)
We're in the final stages of retiring our Server 2003 servers. The big trick here is that we use NTFRS, and we're going to have to move to DFS. Other than that, it's been fairly seamless. We did the switch over to Exchange 2010 last year, with the expected headaches, but all in all, other than the awful cost of licensing, it's not been too bad.
Re: (Score:1)
Yes exactly. We have mitigation plans that start with "turn off/retire unused systems" - followed by rounding up all remaining W2k3 machines and surrounding them with multiple levels of security devices.
Mitigation plans are:
* upgrade products to support newer OS when possible
* for legacy systems with no upgrade path (or kept for supporting older product) - surround with packet inspectors. Configure system in most secure method possible (eg Windows firewall)
And have clear owners of the devices.
Re: (Score:2)
That is wise in any case. A machine running Windows Server 2003 is likely over the decade mark in age, and is a relative power hog compared to a modern server which can run the same OS [1] in a VM.
For optimal security, the parent has it right, but I'd also P2V the instance of WS2003, and put it in a VM with archive snapshots and vShield in place. (vShield is useful because it can catch rootkits that might hide from the client OS, but can't hide from a hypervisor.) Plus, on a VM server, the WS2003 instanc
Re: (Score:1)
Yes true. In our case we haven't had a native OS on Hardware for over 8 years. VMware all the way!!
But your suggestion is another tool in the mitigation toolbox. Move the physical to a VM.
As old as these OSs are - they still work and chug along. I always say that software isn't like milk - it doesn't expire and go bad.
Even the VMs are behind network packet inspectors. Actually - our whole DC is surrounded by at least one such ring of devices. My PC traffic goes through such a device to get to the servers insi
Netcraft confirms, windows on the server is dying (Score:1)
This is the year of the hacked windows server!
Sigh (Score:1)
Isn't this a little like "Is another bus coming?" The answer is always yes.
Do I expect attacks on any computer system ... yes.
Do I expect it on a Windows based system ... hell yes
Anecdotal security now? (Score:1)
Please don't take anecdotes like "XP was fine, 2003 will be fine" as a shield. It's security by obscurity of the worst kind. All it takes is someone a little interested in your corporate network to find the holes once and you're screwed. XP was "fine" simply because it is run on low importance systems. Server 2003 generally isn't so, for pity's sake, update now - preferably with something that updates organically rather than in huge quantum leaps that force you to re-evaluate everything.
So no, you shouldn't
Re: (Score:3)
Most of the Win 2003 servers are file and print servers, not directly hooked to the Internet, for small and medium business. If the company has proper malware scanning, backups and archives it's probably not as big a deal as you stress puppies make it.
Nope (Score:2)
Re: (Score:2)
Your setup sounds "good enough" to not get flagged by automated bots...which IMHO is all most non-huge companies really need. Offsite backups of HR and accounting info just in case something does actually happen...
Re: (Score:2)
I can assure you that any security breach in our company (we have moved off XP, by the way, so at least that is not an attack vector) would not be published anywhere. And I expect that is how most companies work.
Re: (Score:2)
Nope. The end of the world bell was rung when XP Support ended, and nothing happened.
Way to prod the bear.
I figure the same for 2003. We still have our main intranet site on 2003. The replacement plan is still 1-2 years in the works and requires an additional hire. It's internal only and doesn't face the outside world at all, so figure we're fine.
Yeah, you're right. It's only a server OS. Nobody ever puts anything important on those. It's just like XP.
Not exactly... (Score:5, Insightful)
It's windows. You should expect it to be attacked in the highlands and the lowlands, near and far, to and fro, hither and yon... You should be expecting attacks right now, and you should also be expecting attacks after support ends.
Re: (Score:3)
It's windows. You should expect it to be attacked in the highlands and the lowlands, near and far, to and fro, hither and yon...
Tell me why you shouldn't be treating any server OS the same way --- whatever its market share or geek cred.
Re: (Score:2)
Tell me why you shouldn't be treating any server OS the same way --- whatever its market share or geek cred.
You should, Windows just gets more adjectives. A quick look around with a sniffer will show you that most of the attempts are windows-related, even the ones which hit your other machines.
Do you have windows 2003 systems exposed? (Score:3)
Re: (Score:2)
Because... reasons.
Re: (Score:2)
So you don't know how the real world is, such people will not only keep their jobs but get praised for any "heroic rescue" if cracked. You're enlightened now, you're welcome
Re:Do you have windows 2003 systems exposed? (Score:5, Insightful)
What do you think the more likely explanation is ... the lazy tech people have said "oh, that'll be fine, what could possibly go wrong?" ... or that management has said "we have no money for such things, and we need to maximize executive bonuses this quarter"?
My experience, with anything legacy anywhere, is it's often business decisions which leave legacy stuff doing important stuff, and it's business decisions why nobody can replace it. In a few cases, the sheer magnitude of replacing the system could significantly strain the company because it's an incredibly expensive undertaking.
So, the people who expect to keep their jobs? Well, they're probably doing exactly what they've been told, and have already made this objection to management.
People who like to blame the technical people for this usually don't know what the hell they're talking about.
Re: (Score:2)
No, no I wouldn't. I stopped being amazed a very long time ago.
I can periodically be appalled or outraged. But not amazed.
i'm glad i stuck with (Score:1)
Re: (Score:3)
I got a Windows 98SE system that still works fine. I just don't let it go outside.
Stop excuses and take responsibility (Score:3)
First, what kind of company doesn't have a budget set for lifetime for equipment?
Second, EOL means more than just Windows Update. It means no liability insurance, no PCI compliance if you take credit cards, no drivers, etc.
Third, it means things like future versions of AD and software tools won't be compatible
Last XP had 2 big attacks where MS had to break EOL to fix one.
You are IT and are responsible for keeping your skill sets and your employer's equipment up to date.
Re: (Score:2)
You're funny, the size of company that worries about PCI compliance is not the kind where most win 2003 is running.
If the employer doesn't want to spend money, then it won't get done. IT people still need their jobs even if their employer is like that. Stop talking big, you're not going to cough up money to solve anyone's problem.
Re: (Score:2)
You're funny, the size of company that worries about PCI compliance is not the kind where most win 2003 is running.
If the employer doesn't want to spend money, then it won't get done. IT people still need their jobs even if their employer is like that. Stop talking big, you're not going to cough up money to solve anyone's problem.
I see so when shit hits the fan it will be on you! If you agree with this then you endorse it and are part of the problem. I would update my resume as it is a losing situation at this stage. Part of the job is selling to management.
Re: (Score:2)
Third, it means things like future versions of AD and software tools won't be compatible
Another thing that people don't think about that I think is important is, if you lag too far behind, the upgrade path gets pretty dodgy. This is more of a general rule, and not addressing the particular problem, but it's a good rule.
Going from Exchange 2010 to Exchange 2013? Pretty easy. Going from Exchange 2000 to Exchange 2013? It might be possible by stepping through some other versions in the middle, but I don't want to do that upgrade. And that's a huge, ubiquitous, well supported app. If you st
Re: (Score:2)
Oddly incompetent management will do the headache from 2000 to 2013 and spend 6 figures on consultants then say NEVER AGAIN will we upgrade for the sake of upgrading!
Cycle repeats even worse :-)
We're already being attacked... (Score:2, Insightful)
the danger isn't immediately afterwards (Score:3)
You won't see a huge influx of successful attacks right after support ends. I doubt people are sitting on 2003 vulnerabilities and not using them, just waiting for support to end. If they have them and they work, they would use them now when there are more targets and before someone else uses it and it gets patched. The issue will be when new cross platform vulnerabilities are found that work on 2003. Since those won't be patched, they will continue to remain vulnerable to them. But I don't imagine there will be a bunch of attacks on 2003 just because it leaves support.
Re: (Score:2)
I disagree. You're going to see a surge because the crackers are presuming that anyone still running a 2003 system have also been lax about applying security patches -- and the odds are, they're going to be right, and they're going to get in.
Re: (Score:2)
It's been pointed out (I think correctly) that *the* major source of information for blackhats is the patches themselves. The patch info tells you what it fixes, and then it's relatively easy to reverse-engineer that patch -- and then you go looking for systems that haven't applied that patch, with full knowledge of exactly what to exploit. Patches function as signposts for vulnerabilities.
Funny how after Win2K support ended, there wasn't a rash of new Win2K exploits. Same for Win98. Win95. Win3.x. And not
Wrong question (Score:4, Informative)
Granted, the summary clarifies that it's talking about an increase, but...
Should We Expect Attacks When Windows 2003 Support Ends?
You should expect attacks now.
Misunderstanding the problem (Score:4, Insightful)
But what will happen to Windows 2003 systems still in use after the cut-off date? Company Security warns us that the world will end, but they said the same thing when Microsoft stopped supporting Windows XP
Well the world isn't going to end even if you get hacked and your company goes out of business, so we're already in the realm of exaggeration. I think your question fundamentally misunderstands the nature of the problem. The issue is not, "Once the deadline passes, everything will suddenly and spontaneously explode." A big part of the issue is risk-- if there are any undiscovered vulnerabilities, those vulnerabilities will not be patched. Unless hackers have already stockpiled undisclosed vulnerabilities, it'll take some time for them to be discovered, and some of them won't be very serious or dangerous. However, any vulnerabilities that hackers know may not be discovered if there's less scrutiny, and it won't be fixed. This means an increased risk. That risk can be mitigated by shutting those machines off from the Internet. If you're going to do web browsing, using an up-to-date 3rd-party browser will mitigate the risk, assuming major browser vendors will support Windows XP.
So how much of a risk, and how much of that risk can you mitigate? It's hard to say. You're trying to assess the risk of an unknown threat exploiting an unknown vulnerability over an unspecified period of time.
To some extent, we deal with that kind of a risk all of the time. But here's the big difference: It won't get fixed. It might not seem like that big of a deal, and you might think, "We'll burn that bridge when we get to it." However, a huge, major vulnerability could be discovered tomorrow that makes your server open for any random hacker to take control of, and there will be no fix coming.
Now think about that for a second. You have a company with servers running an unsupported operating system from more than 12 years ago. Obviously, they're slow to move. They're not free with their budget. Or maybe none of those things are the problem, but the real problem is that you have a huge legacy system that is impossible to upgrade, and so you've just been leaving it alone. Either way, there are reasons why upgrades have been so slow in coming. Do you think those problems are going to suddenly evaporate when there's a crisis? Do you think that company will make good decisions in a crisis, when their business-critical server is suddenly a free playground for hackers? Nope. They're likely to drag their feet and make wildly inappropriate decisions. When faced with a crisis, they'll make the same kind of bone-headed short-term decisions that got them into the mess in the first place.
And that's the real problem here. It's not really a question about whether 2003 will be severely hacked in the next 6 months. The real question is, is your company thinking ahead, preparing, and making sensible decisions? If they are, they will have had a plan and a budget for replacing these servers, both because the OS is losing support, and because it's a >10 year old server. If you don't replace a 10 year-old server because it's working, and you don't have to replace it, that might be a sensible decision. If you have a 10 year-old server and you are unprepared for the possibility that you'll have to replace it, then you're not a competent IT person.
Re: (Score:2)
I bet they don't even have a good backup system in place.
Re: (Score:2)
Part of my point is that yes, it's possible that a hack will cause management to respond, but they're just as likely to respond with something stupid. They'll have you trying to install Windows 7 on an old Windows 2003 server because "it's supported". Or they'll buy a new server, but they won't buy appropriate hardware. Or they'll hire an expensive consultant to provide a plan for resolving the "security issue", or they'll fire you for allowing the security breach, even though it was caused by their shor
Company security should.. (Score:5, Insightful)
The date for end of support for 2003 has been known for like 10 years so there has been enough time to prepare for it.
IT security is not about "what can we get away with". It is about being ready before the bad people strike. And they will. And you may not even notice.
Re: (Score:1)
Like bad people did not strike.
Then, what a server that is out of network.
Of course, dangers will be increasing, but compromises are part of reality for variety of reasons,
they may be preceding another support deadline more often than not.
Battle Hardened? sort of? (Score:3)
I have the answer. (Score:2)
Stop cheaping out on your IT.
If you have a decent firewall and managed network you can make it secure if you have software that will not run on server 2008 or newer.
If your company is just being cheap bastards, then you deserve all the hacks, viruses, and spyware you get.
Most companies do not spend what they should on IT infrastructure or staff. It's not a luxury, it's a key part of your business. Business owners need to stop being drooling morons and spend the money.
Re: (Score:2)
If your company is just being cheap bastards, then you deserve all the hacks, viruses, and spyware you get.
Last summer I had an interview at a multi-billion-dollar corporation (that factoid got mentioned a dozen times over), where the IT department routinely had malware outbreaks and had to manually disinfect each system. I asked them why they weren't using the Malwarebytes Anti-Malware [malwarebytes.org] scanner to clean up their systems. The multi-billion-dollar corporation couldn't associate itself with a small company like Malwarebytes, as it would inflate Malwarebytes' valuation in the stock market. Hence, the techs spent more
Re: (Score:2)
Let me guess? They have updates turned off as anything after April 2010 breaks exchange?
Idiots
Re: (Score:2)
You could use a VM as no hardware will support your decade old box when shit hits the fan.
Capacitors last only so long.
Don't expect PCI liability insurance to cover you either if your EOL apps require 2003.
Re: (Score:2)
I do, I let the crap fail and lose a shitload of company files.
When asked, I reply with the email where they denied my request for a backup server or storage.
Nothing gets you the IT budget like losing 6 years of accounting database and throwing the CTO under the bus with everyone else in the meeting.
Only if it's open on Internet with firewall off (Score:2)
Most OS security vulnerabilities are irrelevant for the purposes of a server running specific internal apps. The server is going to be running behind a firewall that blocks everything but a couple of ports and sanitizes anything that comes through those. Employees are going to log in with two-factor authentication before being allowed access. And you are smart enough to not browse warez sites with Internet Explorer from the server console, right?
Of course if you run your network like Sony, you will probably ge
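The mitigation checklist earlier in the thread (retire what is unused, round up the remaining W2k3 machines, put them behind packet inspectors, give each a clear owner) and this comment's "blocks everything but a couple of ports" rule are easy to state and hard to keep true across an estate once the boxes have been forgotten for years. The script below is an added example, not code from the thread or from any poster: it audits a constructed inventory of hosts and firewall rules and reports every end-of-life host that has no owner, is reachable from the Internet, or accepts more ports than its legacy application needs. All host names, zones and ports are constructed; the only real date is the 14 July 2015 support end from the story.

```python
"""Exposure audit for end-of-life servers (added example, constructed data).

For every host whose vendor support has ended as of a given date, report:
  * no-owner             nobody has accepted responsibility for the box
  * exposed-to-internet  a firewall rule admits traffic from outside
  * all-ports-open       a rule admits every port instead of an allowlist
  * unneeded-ports       a rule admits ports the legacy app does not use
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Windows Server 2003 support end date, as given in the story.
WS2003_EOL = date(2015, 7, 14)


@dataclass
class Host:
    name: str
    os: str
    eol: date                 # vendor end-of-support date
    owner: Optional[str]      # None means nobody has been named
    needed_ports: Set[int]    # ports the application actually requires


@dataclass
class Rule:
    dst: str                  # host name the rule permits traffic to
    src_zone: str             # "internal", "dmz", "internet" or "any"
    ports: Optional[Set[int]] # None means every port is allowed


Finding = Tuple[str, str, object]   # (host, issue, detail)


def audit(hosts: List[Host], rules: List[Rule], as_of: date) -> List[Finding]:
    """Return findings for hosts that are out of support on `as_of`."""
    findings: List[Finding] = []
    for h in hosts:
        if h.eol > as_of:
            continue                      # still supported: out of scope
        if not h.owner:
            findings.append((h.name, "no-owner", None))
        for r in rules:
            if r.dst != h.name:
                continue
            if r.src_zone in ("internet", "any"):
                findings.append((h.name, "exposed-to-internet", r.src_zone))
            if r.ports is None:
                findings.append((h.name, "all-ports-open", None))
            else:
                extra = tuple(sorted(r.ports - h.needed_ports))
                if extra:
                    findings.append((h.name, "unneeded-ports", extra))
    return findings


# Constructed inventory: three 2003-era boxes and one supported control host.
SAMPLE_HOSTS = [
    Host("fs-legacy01", "Windows Server 2003", WS2003_EOL, "Finance IT", {445}),
    Host("erp-2003", "Windows Server 2003", WS2003_EOL, None, {80, 443}),
    Host("print-2003", "Windows Server 2003", WS2003_EOL, "Facilities", {9100}),
    Host("app-2099", "Placeholder supported OS", date(2099, 1, 1), "Apps", {443}),
]

# Constructed firewall policy: one rule is an allowlist, the others are not.
SAMPLE_RULES = [
    Rule("fs-legacy01", "internal", {445}),          # correct: SMB only
    Rule("fs-legacy01", "internal", {445, 3389}),    # RDP the app never needed
    Rule("erp-2003", "internet", {443}),             # a 2003 box facing outward
    Rule("print-2003", "internal", None),            # "any port" from the LAN
    Rule("app-2099", "any", None),                   # ignored: still supported
]


def run_sample(as_of: date = date(2015, 8, 1)) -> List[Finding]:
    """Audit the constructed estate a few weeks after the 2003 cut-off."""
    return audit(SAMPLE_HOSTS, SAMPLE_RULES, as_of)


if __name__ == "__main__":
    for host, issue, detail in run_sample():
        print(f"{host:12} {issue:22} {detail if detail is not None else ''}")
```

The `as_of` argument is what makes the same inventory useful before and after the deadline: run with a date before 14 July 2015 it reports nothing, which is precisely the false comfort the XP comparison in the story offers, and run a few weeks later it surfaces the owner gaps and over-broad rules that were always there.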
What should we expect when 2003 support ends? (Score:2)
That's an easy one. It's all in the EULA, after all.
"Fire and brimstone coming down from the skies! Rivers and seas boiling! Forty years of darkness! Earthquakes, volcanoes! The dead rising from the grave! Human sacrifice, dogs and cats living together... mass hysteria!"
Already happening (Score:2)
Not tangible (Score:1)
Security is not tangible. It is a feeling. You should always be expecting attacks.
"Should We Expect Attacks When Windows 2003..." (Score:3)
"Should We Expect Attacks When Windows 2003 Support Ends?"
There's a bit of lag between the time Microsoft EOL's a platform, and their interns are able to start turning out exploits to force you to "upgrade" to their next platform in order to keep their revenue stream intact, so you'll have at least a medium sized window before you should start expecting attacks.
As Microsoft gets better at producing exploits for their own operating systems before they announce an EOL event, expect things to improve, and the window to become narrower, to the point where they are able to release exploits the same day as the EOL date.
Why? No! (Score:2)
What is the point for attackers to continue attacking a Windows without support? They should all move along to newer versions,
and that includes ceasing the use of any already compromised machines.
Budget games (Score:2)
So there's a small subset of IT managers out there who get stuck with lousy budgets. I do a bunch of consulting and get into different businesses and some managers play a game:
Step 1: ask for a bunch of money as a capex expense to migrate servers. Let that request get denied.
Step 2: do it again the next year. Let it get denied again.
Step 3: wait until it's absolutely critical - show management articles on the pending doom that will happen - request a lot more money.
Step: Use all the extra money on all th
Re: (Score:2)
I saw a large site that had a lot of XP workstations and the IT manager didn't push too hard to get Windows 7 licensing. Right before XP went out of maintenance he got a large expense approved to not only upgrade to Windows 7 but to actually replace all of the workstations. I saw the same thing with Windows 2000 and a company using that as an excuse to get into virtualization and purchase all that hardware.
Operating systems and hardware upgrades go hand-in-hand from my experience on a few PC refresh projects in recent years. Not a big surprise considering that the hardware that ran XP/2000 probably had a 32-bit processor, small hard drives and 4GB or less in RAM. It's cheaper to go with newer hardware than upgrading a system that's five or more years out of date.
Where to begin... (Score:2)
So, is the implication here that Windows 2003 boxes are not, already, the subject of numerous attacks? Because, y'know, they definitely are and stuff. The main difference being that when they're out of support they won't have patches for all those attacks.
XP boxes are often somewhat protected, as they're usually behind a firewall. Alas, phishing, worms, viruses, and other malware float around on internal networks all the time. If you've worked in security ops and have decent network instrumentation you
Firewall & restrict access (Score:2)
These are systems that need to be kept around for reference, old EMR or practice management systems where it wasn't feasible to export all data for import into a replacement system. Heck, in at least two cases I know of practices expressly deciding to not even migrate patient lists from an old billing/practice management system into a new EMR/PM sy
The Effects of Near Misses on Risk Decision-Making (Score:2)
Relevant. [schneier.com]
Re: (Score:1)
Anyone still using Windows 2003 when the license runs out will turn GAY. It's official.
You don't have to wait for that dearie
Re:Nope. (Score:4, Interesting)
I've put new openssl, bash and apache on old EOL distros recently, that the business owners don't have time to migrate yet. That's possible in the open source world
Re: (Score:1)
While I'll give you that is technically true in some sense for individual releases of most distros, it's actually not true for all of them because not all of them work on a cycle of individual separate releases.
This is irrelevant anyway though because the important point here is that you don't have to pay to upgrade when it's Linux. Also, unlike Microsoft, Linux distros typically don't have partnerships with commercial hardware vendors who have vested interests in purposefully obsoleting hardware. While som