Turn the Page: Why now is the time to migrate off Windows Server 2003

Transcription

1 Turn the Page: Why now is the time to migrate off Windows Server 2003 HP Security Research Contents Introduction... 1 What does End of Support mean?... 1 What End of Support doesn t mean... 1 Why you need to leave Windows Server 2003 in the past... 2 Compliance concerns... 2 Security... 2 Hidden costs in maintaining older systems... 4 Where to go from here... 4 Get a Custom Support Agreement... 4 Migrate to a newer version of Windows Server... 4 Migrate to Linux... 5 Hope for the best... 5 Conclusion... 5

2 Introduction In January 2015, Microsoft released a patch to fix an issue in the Network Location Awareness (NLA) service. The vulnerability affects all versions of Windows Server, but a fix was not provided for the Windows Server 2003 platform. As stated in the bulletin, The architecture to properly support the fix provided in the update does not exist on Windows Server 2003 systems, making it infeasible to build the fix for Windows Server This highlights the differences in operating system (OS) architectures between modern OSes and an OS now over eleven years old. While this alone should not push enterprises to move away from the OS, the impending end of support for this OS should have businesses thinking about what comes next for their remaining Windows Server 2003 deployments. What does End of Support mean? Microsoft has two different lifecycles for its products: mainstream and extended 2. The biggest difference between these levels is the availability of non-security updates. During the mainstream support period, new functionality may be added through service packs or hot fixes. These are in addition to security updates. Once mainstream support ends, usually five years after the product s initial release date, extended support kicks in. This provides free security updates, but little else. Mainstream support for Windows Server 2003 ended in 2010, which means there have been no service packs or new functionality changes in over four years. On July 14, 2015, extended support for Windows Server 2003 ends as well. After this date, there will be no additional security fixes or updates of any kind freely available. Deployments of the OS won t stop working on the 15 th of July, but as of that day, these systems represent a different type of risk for the enterprises who use them. What End of Support doesn t mean On July 15, 2015, there will be little changed for those using Windows Server No features will be disabled. There will be no forced update on to a new platform. The vast resources of online guidance for running and troubleshooting the OS will exist as they always have. In short, nothing obvious will change immediately. However, as time goes on, the lack of support and the lack of updates will become apparent. Attacks represent another reality that will not change once support ends. Just as today, adversaries will continue targeting Windows Server If you are looking for an example of this, you only need to look back to the end of support for Windows XP. Immediately following the end of free security updates for that platform, active attacks were seen in the wild targeting Internet Explorer versions on XP. While Microsoft made the decision to offer patches for XP at that time, it is unlikely they will make this extraordinary decision again. In addition to the current attacks, many of the issues affecting the more modern platforms (e.g. Windows Server 2012 R2) also affect Windows Server While the OSes are very different, there is still shared code between platforms. In January, 2015, five of the seven security bulletins released by Microsoft impacted both Windows Server 2012 R2 and Windows Server After support ends, attackers may use the security bulletins as a guide to determine new vulnerabilities on Windows Server Due to the lack of security updates, enterprises still running Windows Server 2003 after support ends will become an even more attractive target to adversaries

3 Why you need to leave Windows Server 2003 in the past While definitive numbers remain elusive, estimates put Windows Server 2003 usage at about one-third of all Windows Server deployments. This seems likely, as Windows Server 2003 remains a remarkably stable OS. Despite this reliability, it is time for enterprises to leave this platform and migrate to a modern OS. Compliance concerns In almost every industry, there now exists a form of national or international regulation covering the security and maintenance of computer systems. These regulatory requirements will often mandate that systems within a domain be supported. Correspondingly, if unsupported systems exist within a domain, it is unlikely the enterprise will be within regulatory compliance. The U.S. Computer Emergence Readiness Team (US-CERT) notes, Organizations that are governed by regulatory obligations may find they are no longer able to satisfy compliance requirements while running Windows Server Put more simply, once Windows Server 2003 is out of support, the chances of maintaining compliance with applicable regulations closely approaches zero. Security While the lack of security updates is a primary concern for those running out-of-support servers, there are additional security concerns related to running Windows Server One area that is often overlooked is the availability of defense-in-depth (DiD) features available in modern OSes. Starting in the early 2000 s, the concept of placing defenses deep within the OS became a reality. The goal was to prevent known attack techniques from working on a target system, even if the attacker attempts to exploit an unpatched bug. One of the first of these DiD measures implemented was Address Space Layout Randomization (ASLR). In its simplest form, ASLR randomizes memory to make it more difficult for an attacker to get code to the targeted location in memory. Windows Server 2003 does implement ASLR, but the development of memory randomization has continued over the years to include methods that cannot be implemented on Server Another example of DiD is known as SafeSEH, which means an image has safe exception handlers. This feature builds a table of safe exception handlers when a program is being compiled. If a program has this in place, when exceptional conditions occur, the table is consulted to ensure a match exists. If a match doesn t exist in the table, the program is terminated. Of course, the limitation with this feature is that programs must be built with SafeSEH enabled. Later OSes implemented a second DiD technique called Structured Exception Handler Overwrite Protection (SEHOP). It works differently than SafeSEH, with its main benefit being that it does not require programs to be built with any special flags. SEHOP is able to mitigate Structured Exception Handler overwrites by verifying the integrity of the chain of registered exception handlers at the time that an exceptional condition occurs. Typically, an SEH overwrite will break the integrity of this chain, which is what enables SEHOP to mitigate it. While Windows Server 2003 does have SafeSEH, SEHOP is only available on Windows Server 2008 and later. In the more recent server versions, SEHOP was further extended to permit applications to opt-in on a per-application basis. Previously, SEHOP had to be enabled or disabled for the entire system, which lead to application compatibility issues for some programs. 4

4 There are just two examples of DiD security features available in newer OSes. A comparison of other DiD features 5 6 7, including those found in supported Microsoft Internet Explorer (IE) versions 8, is located in Table One. Table 1: Comparison of DiD features DiD Features SEHOP IE Protected Mode Windows Server 2003 With Internet Explorer 8 Windows Server 2012 R2 With Internet Explorer 11 Enhanced Protected Mode Virtual Table Guard ASLR Limited Extensive Stack Randomization Heap Randomization Image Randomization Force Image Randomization Bottom-Up Randomization Top-Down Randomization High Entropy Randomization PEB/TEB Randomization Heap Hardening Limited Extensive Header Encoding Terminate on Corruption Guard Pages Allocation Randomization Safe Unlinking Header Checksums /GS Enhanced /GS SafeSEH 5 Miller, Matt and Johnson, Ken. 2012, July 25. Black Hat USA Exploit Mitigation Improvements in Windows 8. Retrieved from

5 The inclusion of these additional DiD features results in an increased level of difficulty for attackers wishing to take over a system. They no longer just need an exploit in an application; they must now have an exploit combined with techniques to circumvent the DiD features. While these circumventions exist, every step that makes it more difficult for attackers is another chance for defenders to catch them. Hidden costs in maintaining older systems While the adage, If it ain t broke, don t fix it may ring true in many situations, it is often the opposite case for computing systems. Some reports indicate the cost of maintaining older systems is 1.6 times the cost of replacement 9 - especially for small- and medium-sized enterprises. The investment of capital needed to replace outdated servers may be daunting at first, but in the end, you may actually be saving money by getting new hardware and the new software that comes with it. Where to go from here For those who are still running Windows Server 2003, there are a few options. Get a Custom Support Agreement For those who cannot migrate away from Windows Server 2003, there is an option that will provide security updates after support ends for a price. Microsoft offers Custom Support Agreements (CSA) for products that have reached their end of support date. For customers who enter into a CSA, Microsoft will produce security patches for what they deem critical-class vulnerabilities 10. Patches for important severity issues may also be provided; however, these are only produced if the customer pays extra. By Microsoft s own estimate, a CSA agree will run in the neighborhood of over $200,000 US a year 11. In the past, the price for a CSA rises year-over-year, meaning that it is likely this cost will only go up. This option should be viewed as a stopgap measure to keep servers up-to-date while a larger migration plan is put in place. The economic feasibility of continuing to pay for support is not sustainable year-over-year. Migrate to a newer version of Windows Server Moving to the latest version of Windows Server gets you to a supported state with access to the latest features in both functionality and security. This may seem like the obvious choice, but it is not without problems as well. According to Microsoft, the average migration time is over 200 days 12. There is also the issue with finding all of the servers needing to be replaced within an enterprise. This may sound simple, but physically locating every server of a specific type within a large enterprise can be surprisingly difficult end-of-life-is-coming-on-the-july-14th-2015.aspx

6 Migrate to Linux For some companies, migrating servers from Windows to Linux is a viable option. Linux is currently deployed on 36.4% of existing web sites 13 and can work equally as well in an enterprise scenario. Modern Linux systems also provide many DiD features similar, but not identical, to those found in modern versions of Windows Server. While a new Windows server may require new hardware, a version of Linux exists that will run on your existing systems. This option will not be practical for all enterprises currently running Windows Server 2003, but for a subset of these people, the potential cost savings of moving to Linux dictate at least considering the option. Hope for the best For those without compliance issues, the option to do absolutely nothing still exists. If everything works well within your enterprise, just keep running it and hope that attackers, regulators, shareholders, and everyone else never notices the operating system used for their business transactions is well over a decade old. This also ensures you won t struggle implementing any of the new features modern operating systems allow. Technologies like Hyper-V, hybrid and public cloud, BYOD and mobile device management, and numerous defense-in-depth measures will never become an implementation problem because Windows Server 2003 simply will not support them. Conclusion With the impending end of support for Windows Server 2003, enterprises need to take action. It still works is no longer an excuse for running an outdated operating system. After July 14, 2015, Windows Server 2003 will no longer receive free security updates. In addition to potential long-term cost savings of replacing rather than maintaining older hardware, modern OSes offer defense-in-depth technologies not found on Windows Server Running an unsupported OS will also lead to issues with regulatory compliance. To prepare for this date, administrators need to determine which course of action they will choose. Some may decide a custom support agreement and paying for patches is their best course of action until they can implement a long-term solution. Others may choose to migrate to a newer, supported version of Windows Server, or even a migration to a supported version of Linux. In all reality, doing nothing to prepare for this date is simply not an option. Attackers will not stop targeting systems that are running Windows Server 2003 simply because it is no longer supported. Vulnerabilities in Server 2003 will continue to be found as well even if they are disguised as bugs in newer server platforms. As we move further away from the end of support date, the risks of continuing to run Windows Server 2003 will only increase and the costs of keeping it in an enterprise will become too great to justify. By July 2015, Windows Server 2003 will be over 12 years old. That is a remarkable feat for any piece of technology, but it is time to retire the product and move on. Modern OSes provide security updates, a better set of features, and a more robust security strategy. Continuing to hold on to the past will stagnate an enterprise s ability to take advantage of new technologies such as hybrid cloud solutions and mobile device management. The July date is fast approaching. There is no better time than now to plan how your servers and enterprise will look in the next decade. 13