It's hard to believe that it has been 12 years since Windows Server 2003 was released (it was on April 24, 2003 to be exact) and nearly 10 years since WS 2003 R2. In the IT world, that is an eternity and the time has almost come for Microsoft to end support for Windows Server 2003/R2.What Does End of Support (EOS) Mean?
There are really four main areas I like to highlight when explaining EOS:
- No Support
- Complimentary support (phone and online) included with the licenses will no longer be provided
- Paid support (e.g. from Microsoft Premier Support) will no longer cover Windows Server 2003 Family of Products
- No Updates
- Requests for changes to product design or features will no longer be accepted nor accommodated
- Security updates will no longer be provided, exposing your Windows Server 2003 installation to security threats
- Hotfixes and bug fixes will no longer be provided
- No Compliance
- This may include non-compliance with key regulatory and industry standards, or having to pay high penalties and transaction fees.
- Payment Card Industry (PCI) policies will not be met with an operating system that is EOS
- No Safe Haven
- Both virtualized and physical instances of Windows Server 2003 are vulnerable and would not pass a compliance audit.
- Many applications (including those from Microsoft) will also cease to be supported once the operating system they are running on is unsupported.
What is the risk?
New vulnerabilities discovered in Windows Server 2003 after its "end of life" will not be addressed by new security updates from Microsoft. One risk is that attackers will have the advantage, because attackers will likely have more information about vulnerabilities in Windows Server 2003, placing the applications running on Windows Server 2003 in a precarious position. When Microsoft releases a security update, security researchers and criminals will often times reverse engineer the security update in short order in an effort to identify the specific section of code that contains the vulnerability addressed by the update. Once they identify this vulnerability, they attempt to develop code that will allow them to exploit it on systems that do not have the security update installed on them. They also try to identify whether the vulnerability exists in other products with the same or similar functionality. For example, if a vulnerability is addressed in one version of Windows Server, researchers investigate whether other versions of Windows Server have the same vulnerability.To ensure that Microsoft customers are not at a disadvantage to attackers who employ such practices, one long standing principle that the Microsoft Security Response Center (MSRC) uses when managing security update releases is to release security updates for all affected products simultaneously. This practice ensures customers have the advantage over such attackers, as they get security updates for all affected products before attackers have a chance to reverse engineer them.
But after July 14, 2015, organizations that continue to run Windows Server 2003, as well as any other Microsoft products that have hit their EOS, like Exchange 2003, Outlook 2003 and even Windows XP, won't have this advantage over attackers any longer. The very first month that Microsoft releases security updates for supported versions of Windows Server, attackers will reverse engineer those updates, find the vulnerabilities and test Windows Server 2003 to see if it shares those vulnerabilities. If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows Server 2003. Since a security update will never become available for Windows Server 2003 to address these vulnerabilities, Windows Server 2003 will essentially have a "zero day" vulnerability forever.