Microsoft will soon move Windows Server 2003 into the category of an 80’s big hair metal band, whose aging rock stars no longer fill arenas and no longer even headline casinos. I’m not trying to be mean to aging rock stars, but I am calling out those of you who think keeping Windows Server 2003 in production is viable, especially without taking some steps to secure it after Microsoft pulls support.

Here are some myths about Windows 2003 you may believe.


You’re going to be safe online, you have a fancy Firewall

No. I know some of the best firewall dudes on the planet and no firewall can protect you against every conceivable threat. If a vendor/consultant suggests this, accuse them of being a charlatan and never listen to anything they say ever again. If you have taken a cavalier attitude to firewalling and your Windows Server 2003 machine is exposed to the Internet, I’m going to describe your situation a little graphically…

Your business is the cyber equivalent of bleeding into a pool of sharks. OK, the entire Internet is a big pool, but the sharks are hungry and will find you – I think you get my point here. A Windows 2003 server, after support and security patches stop, is a tasty cybercrime target. You may as well add barbeque sauce.

It may be fair ball if your Windows 2003 machine is not on the Internet in any way, shape or form, but you had better know what you’re doing from a network segmentation point of view. A VLAN by itself is just a separate broadcast domain; it only buys you anything if the traffic allowed into that VLAN is filtered down to the hosts and ports that genuinely need to reach the server. If you know what a VLAN is and how to put a firewall rule in front of it, you may be able to outswim the sharks – at least for a short while.


Your business is compliant

No it’s not. Any chance of compliance went away when support stopped. One of the primary requirements of <insert-your-compliance-requirement-here> is to “apply security patches” or that your “operating system software must be supported by its vendor”.

If there are no security patches any more, or your operating system is no longer supported by the vendor, you can’t be compliant. Not being compliant in this day and age of data breach litigation seems uncomfortable, to say the least.

Once lawyers start throwing terms like “negligence” around, things move from uncomfortable to damaging. That case is easy to make if a vulnerability is publicly disclosed and the vendor does not issue a patch for it. You’re going to have a really tough time convincing people you followed due diligence.

Your business relies on the Windows 2003 server

Not true. The business relies on you to protect it, and you can’t protect it without securing it and ultimately thinking about replacement. Change is hard, but rebuilding a 2K3 server from scratch, especially on a 10-plus year-old hardware platform, and installing hundreds of patches and driver updates is going to suck way more. And that’s just the OS; now add on the old database or old client/server software, or some awful early 2000s web interface, and hell, just update your LinkedIn profile with “looking for opportunities”.

There is nothing you can do

Wrong again. There are lots of things you can do. There are plenty of companies that have the expertise, resources and tools to help you. It may cost money for sure, but so will the cleanup and remediation costs from when you’re massively, professionally hacked.

Security consultants charge way more in a panic post-breach incident response scenario than you would spend developing, purchasing, or adapting an off-the-shelf solution for the “we can’t live without it” business application that only runs on Windows Server 2003. Buying some time is a legitimate approach, as long as the time you buy is actually spent on the migration.

Ultimately, this security problem is avoidable. Think of it this way. If you retired from the army, your chances of getting shot by bad guys are way less than if you’re still in the army. It’s that simple. Moving away from Windows Server 2003 removes the Windows Server 2003 vulnerabilities, and the potential data breach that comes with them, from your environment.

Make the Internet a safer place to work and play and don’t feed the sharks your server – everyone wins, except the sharks.