As Microsoft prepares to end support for the widely installed OS, here are the key security considerations.
Windows Server 2008 and several other popular platforms are going to be retired on January 14, and Microsoft is tempting users to move to its Azure cloud by offering free extended support.
Windows Server 2008, despite its age, is still one of the most popular server platforms in use today. Recent market share numbers aren’t available, but one Microsoft executive said this summer that the OS version still represents 60 percent of the company’s server install base.
Data centers still using this operating system can update, mitigate, or migrate to the cloud.
Updating to a more recent operating system is always a good idea, since there are usually significant cybersecurity benefits to being on the latest release. But not everyone is able to do that.
The other option is mitigation, such as adding extra layers of security around the old machines and paying for Extended Security Updates. ESU will cost a bundle though – about 75 percent of the cost of the annual license itself.
But Microsoft is also offering a third option: keep Windows Server 2008 but run it in Azure and get three years of ESU for free.
“Unfortunately, there are plenty of commercial applications that will not work on newer server and workstation editions,” said Morey Haber, CTO at BeyondTrust, a Phoenix-based cybersecurity vendor. And it’s not just software, he added. There might also be hardware compatibility issues, such as drivers that are not available for newer platforms.
But if these servers face the public internet, they will pose a significant danger to data centers. “The next major vulnerability discovered that is potentially remotely exploitable will leave these devices susceptible to a wormable exploit with no remediation strategy,” Haber said.
That’s what happened with the WannaCry and NotPetya attacks, he said. “Organizations will have very few mitigation strategies to work with.”
Another security problem is that the older systems won’t be able to support new security standards for authentication and certificates, he said, and may also put a data center in violation of regulatory requirements.
Given how widely deployed Windows Server 2008 is, there’s a lot at stake, said Satya Gupta, founder and CTO at Virsec Systems, a San Jose-based cybersecurity vendor.
“Inevitably, a huge number of these servers will remain online, many of them protecting aging infrastructure and healthcare systems,” he said. “Unfortunately, it will likely take another global security crisis, like WannaCry or NotPetya, before many of these stragglers catch up.”
Why Upgrading Isn’t Always as Easy as It Sounds
Some data centers might not have a choice about whether they upgrade or not, said Marty Puranik, CEO at Atlantic.Net, a Florida-based data center and cloud provider.
Atlantic.Net isn’t one of those data centers, he added, because it’s fortunate enough not to have any legacy applications.
The problem with upgrading an operating system is that sometimes an upgrade can break a mission-critical application, he said. Plus, if a system is running, is stable, and works, then there aren’t any obvious incentives to upgrade, especially when there are plenty of other, more urgent tasks for data center managers to worry about.
In fact, a Windows Server 2008 system may be running better than newer machines, because there’s less demand for those resources, he added. “Those servers are lightly loaded, because everything that can be moved off has already been moved off,” he said.
Other times, the data center itself might not have any control over what operating systems are used on the servers, because those servers belong to external customers or other business units in the enterprise.
Now, those outdated servers could be a potential security risk for the entire data center, Puranik said.
Colocation providers, which typically just sell space and power, and whose customers set up their own network connectivity, have less to worry about, he added.
“But if you’re providing the internet as well, it could become a problem,” he said.
There should already be firewalls in place, he said, but this is a good time to double-check that all systems are properly isolated.
And if there are computers that are past the end-of-life date, there should be another machine between them and the public internet, one that is patched and updated.
“People are going to scan the whole internet looking for these servers,” he said. “Just cutting off direct access or making it more difficult should provide some level of protection.”
End-of-life servers can be opportunities for hackers to find and exploit vulnerabilities, said James McQuiggan, security awareness advocate at security vendor KnowBe4. That puts the entire data center at risk of ransomware, data exfiltration, or other attacks, he said.
Then there’s the cyber insurance angle, he added. “There are clauses related to having up-to-date systems.” If a data center experiences a breach, and there are older operating systems in the environment, the insurance company will reject the claim.
If end-of-life servers are in an environment, data center managers should be adding extra layers of protection to their networks. That includes increased network monitoring and endpoint protection and response, he said.
“And a change management program [is necessary] to track any and all changes to the systems,” he added.
Alternatively, data center managers could take this as an opportunity to expand their cloud use, said Atlantic.Net’s Puranik. “Ideally, you already have your toes in the water with cloud,” he said. “But if not, this is something you could be starting with.”