After months of reminders to upgrade servers and migrate applications, Microsoft officially retired Windows Server 2003 on Tuesday. Unlike the hoopla which surrounded the end-of-life for Windows XP last year, Windows Server 2003's demise was fairly quiet.

July's Patch Tuesday release included nine bulletins affecting various components in Windows Server 2003. Going forward, Microsoft will no longer release security patches and updates for Windows Server 2003. Experts warn that organizations that continue using the old operating system are at risk for potential security breaches as attackers uncover and exploit new vulnerabilities. Not migrating to a newer operating system has serious repercussions as these servers are part of the backbone of the organization's IT infrastructure. Organizations subject to compliance regulations may also fail an audit and face fines if they stay on Windows Server 2003.

"For anyone who still runs Windows 2003, I hope it is where no one can access it, and they are working on a project to replace those servers," said Wolfgang Kandek, chief technology officer for IT security firm Qualys.

Not as Painful as XP End-of-Life

There were similar warnings about staying on Windows XP before the desktop operating system entered end of life last April. But Windows Server 2003 going to end of life never generated as much interest or concern as XP's expiration did despite the important role servers play in business networks.

There is a simple reason for that. While Server 2003 was very successful, it never achieved the kind of install base XP had, precisely because it powered servers and not desktops, so there were fewer systems to worry about, said Andrew Storms, security analyst for Tripwire and vice president of security services for New Context.

For many users, moving off XP meant Vista, so they delayed their upgrade plans to get Windows 7 or Windows 8. That really isn't the case with Server 2003, as viable and stable alternatives such as Windows Server 2008 and Windows Server 2012 have been available for some time.

"XP was a different animal altogether than Server 2003," he said.

While some companies have migrated major applications and data off some of their Server 2003 machines, very few have completed the process for all of them. In fact, a recent analysis by Softchoice found that 21 percent of servers scanned in the first half of 2015 were still running Windows Server 2003. Of the more than 200 organizations scanned by Softchoice, a little over a dozen had fully migrated to modern operating systems and had no instances of Server 2003 running. This is in line with a Spiceworks survey from March, which found that 61 percent of businesses were still running at least one instance of Server 2003. For context, Microsoft estimated last month that 11 million servers were still running it.

Migration Challenges Persist

Businesses may be dragging their feet about migrating away from Server 2003 because they would first need to upgrade their hardware, said Karl Sigler, threat intelligence manager at Trustwave. They also need to test if the newer operating systems would still support the old applications they need to run. Consider that most Windows Server 2003 applications are 32-bit, and Windows Server 2008 and later tend to run 64-bit. That is a lot of applications to test and upgrade along with the operating system.

When there are so many tasks vying for the IT manager's attention, it is tempting to take the attitude of, "if it's running, it's not broken and if it's not broken, why fix it?" Sigler said.

Windows Server 2003 may be working well enough to keep around, but the plain truth is that it hasn't kept up with security. There have been many advances in security features over the past decade, and modern server operating systems, such as Windows Server 2012, have many features that aren't present in Server 2003, Sigler said. One example is Dynamic Access Control, which allows system administrators to set new auditing and authorization controls to manage and track who can access the data stored on the system. Windows Server 2003 also doesn't have enhanced virtualization services, website isolation and sandboxing, and Group Managed Service Accounts, all useful for locking down systems.

And don't forget, Microsoft won't release any more security patches, so if someone develops an exploit targeting a heretofore unknown vulnerability in Windows Server 2003, it will never get fixed. That means organizations will always be at risk for that attack. There are exceptions, of course. One vulnerability discovered after XP's end-of-life was serious enough that Microsoft bent its rule to release a patch for those XP holdouts. It would be foolhardy to rely on that kind of leniency from Microsoft again if a serious bug is later discovered in Windows Server 2003, though.

Some Action Required

Assessment and planning tools are available from Microsoft. Organizations still running Windows Server 2003 should take immediate action to either replace their systems or isolate them and beef up security on those machines. The upgrade won't be a quick process, as Microsoft estimates an average organization would take about 200 days to fully migrate off Windows Server 2003.

Figure out the number of Windows Server 2003 instances remaining and the type of hardware on which they are running. Determine what applications and virtual instances are running on each of these servers and what dependencies they have. Take the full view of the IT environment and draw up a migration plan. This may mean simply upgrading the software, or it may require a full hardware and software refresh. This may also be the opportunity to move to a cloud server, or look into a hybrid IT platform.
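One way to carry out the inventory step above, as an added example that is not from the article or from Microsoft's own assessment tools: a PowerShell script that pulls every domain-joined host still reporting a Server 2003 operating system from Active Directory, then queries each over WMI for hardware, OS address width (the 32-bit versus 64-bit question raised earlier) and non-Windows auto-start services as a hint of what applications it hosts. It assumes the ActiveDirectory RSAT module, a domain account with read access, WMI reachable on the legacy hosts, and the output path `.\server2003-inventory.csv`.

```powershell
# Added example: inventory remaining Windows Server 2003 hosts for migration planning.
# Assumes RSAT ActiveDirectory module, domain read rights and WMI/DCOM access to each host.
Import-Module ActiveDirectory

# Step 1: find every computer object whose OS string still says Server 2003.
$legacy = Get-ADComputer -Filter 'OperatingSystem -like "*Server 2003*"' `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate, IPv4Address

$report = foreach ($c in $legacy) {
    $row = [ordered]@{
        Name         = $c.Name
        OS           = "$($c.OperatingSystem) $($c.OperatingSystemServicePack)".Trim()
        LastLogon    = $c.LastLogonDate
        IPv4         = $c.IPv4Address
        Reachable    = $false
        Manufacturer = $null
        Model        = $null
        MemoryGB     = $null
        OsBits       = $null   # Win32_Processor.AddressWidth reports the OS address width (32 or 64)
        AutoServices = $null   # auto-start services outside the Windows directory hint at hosted apps
    }
    # Step 2: query hardware and services; unreachable or failing hosts stay in the report flagged.
    if (Test-Connection -ComputerName $c.Name -Count 1 -Quiet) {
        try {
            $cs  = Get-WmiObject Win32_ComputerSystem -ComputerName $c.Name -ErrorAction Stop
            $cpu = Get-WmiObject Win32_Processor -ComputerName $c.Name -ErrorAction Stop | Select-Object -First 1
            $svc = Get-WmiObject Win32_Service -ComputerName $c.Name -Filter "StartMode='Auto'" -ErrorAction Stop |
                   Where-Object { $_.PathName -notlike '*\Windows\*' -and $_.PathName -notlike '*\WINNT\*' }
            $row.Reachable    = $true
            $row.Manufacturer = $cs.Manufacturer
            $row.Model        = $cs.Model
            $row.MemoryGB     = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
            $row.OsBits       = $cpu.AddressWidth
            $row.AutoServices = ($svc | ForEach-Object { $_.Name }) -join ';'
        } catch {
            Write-Warning "WMI query failed for $($c.Name): $_"
        }
    }
    New-Object PSObject -Property $row
}

# Step 3: persist the inventory so the migration plan can be built and tracked against it.
$report | Sort-Object LastLogon -Descending | Export-Csv -Path '.\server2003-inventory.csv' -NoTypeInformation
$report | Format-Table Name, OS, OsBits, MemoryGB, Reachable -AutoSize
```

Hosts that answer ping but fail the WMI query are kept in the CSV with Reachable set to false so they are not silently dropped from the migration list; servers not joined to the domain must be added by hand.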

"Take a moment to pat your Windows 2003 servers on the back before you make a solid plan to shut them down. They've served us well so let's put them to rest—offline of course," Storms said.
