Transforming IT

Windows Server 2003 … “I wish I could quit you!”


Windows Server 2003 was launched on April 24, 2003, exactly 11 years, 2 months and 23 days ago. Do you remember 2003? Let me jog your memory. The Concorde made its last ever flight, the Space Shuttle Columbia disintegrated upon reentry, Tampa Bay won the Super Bowl, the invasion of Iraq occurred, Netscape was disbanded and the Mozilla Foundation was established, the last old style Beetle rolled off the assembly line, the price of gas was $1.59 a gallon in the US and the movie Chicago won the Oscar for best picture. A lot has happened since then, especially in the world of security threats and vulnerabilities and their associated sophistication. Consider the fact that Microsoft issued 37 critical updates for Windows Server 2003 in 2013 alone; these types of security updates will all disappear in 2015.


Windows Server 2003 came with a number of advanced security innovations, which arguably were considered leading edge. These included Public Key Infrastructure (PKI) technologies, an Encrypting File System (EFS), Stored User Names and Passwords to enable Single Sign-On (SSO), security policies, software restriction capabilities and more. However, this architecture is long past its prime and can no longer provide the security foundation needed for a trusted compute platform that protects against today's cyber threats. In fact, the last Windows Server 2003 Service Pack was issued over seven (7) years ago and standard support was terminated over four (4) years ago, leaving its security posture frozen in time.


Stuck with Windows Server 2003?  If you are anything like other organizations that must continue to use one or more of the 15 various versions of Windows Server 2003, there are obviously compelling business or technical reasons why you will continue to use an off-support operating system.   No proselytizing here, you will get enough of that from the press and industry analysts.  So, let us talk about what you can do to protect your Windows Server 2003 machines going forward.


Below I put together a list of practical solutions (I think anyway) to consider:


  • Harden the last official operating system release and perform rigorous security penetration testing in order to create your trusted production version.


  • Place as many of your expired OS machines as possible in their own secure network segment, and apply multiple layers of defense with an abundance of caution. Install TippingPoint NGFW to tightly control who and what gets access to your vulnerable Windows Server 2003 machines.


  • Protect the network segment(s) with the expired OS with TippingPoint NGIPS to create a virtual patching environment. Threats will need to get past your bump-in-the-wire IPS solution that will have filters to stop all those attacks seeking to exploit Windows Server 2003 vulnerabilities – even Zero Day exploits.


  • For truly mission-critical applications running on Windows Server 2003, try application virtualization. By encapsulating an application to run in an artificial environment, applications written for one OS version can actually execute on a different OS. This allows you to apply more advanced security to protect your legacy applications.


  • Whitelist all applications on the expired OS; only allow authorized and trusted applications and utilities to function.


  • Use an anti-virus product that will continue to support Windows Server 2003.


  • Restrict network connectivity to machine-to-machine, not Internet access (if possible).
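
The segmentation and machine-to-machine items above can be checked against real traffic. The following is an added example, not part of the original post: a small Python audit that flags flow records crossing the legacy segment boundary outside an approved peer list. The segment range, peer addresses, ports and the three-column log layout are all constructed assumptions.

```python
import ipaddress

# All addresses, ports and the log layout below are constructed for illustration.
LEGACY_SEGMENT = ipaddress.ip_network("10.20.30.0/24")  # assumed WS2003 segment
# Approved peers allowed to reach a legacy host: (peer network, port on legacy host)
ALLOWED_INBOUND = [
    (ipaddress.ip_network("10.20.40.10/32"), 1433),  # app tier -> database
    (ipaddress.ip_network("10.20.50.0/28"), 3389),   # admin jump hosts
]
# Approved destinations a legacy host may reach: (peer network, destination port)
ALLOWED_OUTBOUND = [
    (ipaddress.ip_network("10.20.60.5/32"), 514),    # log collector
]

# Constructed sample records: "source destination destination-port"
SAMPLE_FLOWS = """\
10.20.40.10 10.20.30.7 1433
10.20.50.3 10.20.30.7 3389
192.168.5.44 10.20.30.7 445
10.20.30.7 10.20.60.5 514
10.20.30.7 93.184.216.34 443
10.20.30.8 10.20.30.7 445
"""

def _permitted(peer, port, rules):
    return any(peer in net and port == p for net, p in rules)

def audit_flows(text):
    """Return (line, reason) for each flow that breaks the segment policy."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src_s, dst_s, port_s = line.split()
        src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
        port = int(port_s)
        src_legacy, dst_legacy = src in LEGACY_SEGMENT, dst in LEGACY_SEGMENT
        if src_legacy and dst_legacy:
            continue  # stays inside the segment, never crosses the boundary
        if src_legacy:
            if not dst.is_private:
                findings.append((line, "internet egress"))
            elif not _permitted(dst, port, ALLOWED_OUTBOUND):
                findings.append((line, "unapproved outbound peer"))
        elif dst_legacy and not _permitted(src, port, ALLOWED_INBOUND):
            findings.append((line, "unapproved inbound peer"))
    return findings
```

Any finding means the firewall rules around the segment are looser than the intended machine-to-machine policy, or that the approved peer list is out of date.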


On July 14, 2015, or 11 months and 29 days from now, Microsoft will no longer offer security updates, support or technical content updates for Windows Server 2003 (WS2003). It has been widely estimated that migrating a Windows Server can average 200 days, so if you are going to migrate you had better start soon. If not, try out some of the suggestions I previously mentioned.


I would love to hear how your company plans to protect its Windows Server 2003 machines; drop me a line. If you do plan to quit Windows Server 2003, check out what HP can do for you at Migration from Windows Server 2003.

About the Author


Tari is a Distinguished Technologist with 30 years of IT and cyber security experience. He is dual board certified in information security/business continuity and is responsible for a wide range of management and technology consulting services encompassing information security, disaster recovery, privacy, and risk management. His problem-solving skills, knowledge of various technology platforms, compliance statutes, industries, as well as his experience in deploying defense-in-depth and InfoSec Program solution architectures is commonly applied when advising CIOs/CISOs as well as leveraged in numerous HP client engagements throughout the world. Tari has designed, built, and managed some of the world’s largest InfoSec programs allowing them to defend against even the most aggressive attackers.
