Managing the Risks of Running Windows Server 2003 After July 2015

Transcription

1 G Managing the Risks of Running Windows Server 2003 After July 2015 Published: 1 April 2014 Analyst(s): Carl Claunch Windows Server 2003 and Windows Server 2003 R2 reach the end of their extended support by Microsoft in mid-2015; using these products after that time has consequences and risks. This research outlines the best practices for organizations that will be in this situation. Key Challenges For many clients, there is not enough time left to migrate all the systems that are running Windows Server 2003 and Windows Server 2003 R2 to a newer version before support ends in July Third-party products may become unsupported as well, triggered by the operating system dates. Operating servers with unsupported operating systems leaves the data center open to future risks due to unfixed security exposures or malfunctioning software. Choosing among the many possible tools and approaches to mitigate the risk is difficult and highly dependent on the individual system and the IT environment. No single solution will address all scenarios; the best practice is to establish a combination of approaches based on a risk management analysis. Recommendations Adopt strategies appropriate for the low probability but high impact of future events, consistent with the sometimes high costs and other challenges of complete mitigation. Leverage the impact analysis of extended outages done as part of a recent disaster recovery planning effort. Build scenarios to handle events, but defer action until (and unless) an event occurs, when fast reaction is possible or the impact of sudden elimination of the system is modest.

2 Create a written plan to prioritize, define responses by type of event, and script the high-level actions to take if given types of events occur. Table of Contents Introduction...2 Analysis...3 Properly Assess the Risks and Consequences of Running Systems Under Windows Server 2003 After Support Ends in Mid Apply Risk Management Principles to Assess and Prioritize Impacted Systems...4 Adopt Proven Practices and Alternatives Appropriate to Each Unsupported System... 4 Gartner Recommended Reading... 5 Introduction In recent months, Gartner saw an increasing volume of inquiries on continuing to use systems whose Windows Server 2003 operating system 1 will be unsupported after 14 July For quite a few clients, it is becoming apparent that these systems will not be migrated in time to new supported versions of the operating system. In these calls, the clients are looking for advice, new ideas and best practices for how similar organizations are addressing this issue. First, we generally talk through the consequences and risks they will face after the extended support period expires next year. With that as a basis for assessing the situation using business risk management principles, we use the remainder of the call to talk through a variety of techniques, tools, strategies and actions that have worked for others. A surprising number of client organizations will be operating those unsupported systems next year and beyond; they range from medium-scale up to the largest enterprise IT organizations. Both technically adept and less sophisticated shops find themselves without sufficient time and budget to completely migrate all workloads. The best practice is migration or conversion, ensuring that no instances of Windows Server 2003 will be in production use after the end of support in July The majority of client organizations are planning to accomplish this, are in the midst of that activity or have already replaced all Windows Server 2003 systems. That is our primary recommendation for current users of this operating system. For a variety of reasons, however, not every client will be able to accomplish this. This document is for those clients that cannot apply the primary best practice of completing a migration before support ends. Page 2 of 7 Gartner, Inc. G

3 No simple, single solution exists to fully manage the risks; rather, the best practice in this area is the application of choices from among a large pool of options. The particular approach selected for each system is dependent on characteristics of that application and of the risk. Analysis Properly Assess the Risks and Consequences of Running Systems Under Windows Server 2003 After Support Ends in Mid-2015 Microsoft's support program for both Windows Server 2003 and Windows Server 2003 R2 is currently in the extended support phase, which is scheduled to cease on 14 July After that date, if a new security vulnerability is discovered in the code, there is no commitment that a fix will be produced and released by Microsoft, nor will Microsoft address nonsecurity defects or assist customers that encounter problems in operation. Further, it is not just the operating system that should concern clients. Third parties that sell and support software including business applications may tie the support of their code to the status of the underlying operating system; running the third-party software on Windows Server 2003 will constitute an unsupported environment. If a security exposure is discovered and exploited by outsiders, clients could have the operation of applications disrupted, data could be stolen or tampered with, and the compromised system may be the launching pad for eavesdropping and active attacks against other systems within the data center. In addition to security risks, it is possible that an IT system running on Windows Server 2003 may cease to operate correctly because of some latent defect that has been triggered by changes in the client's use. There is no assurance that a correction will be possible, rendering that IT system suddenly unable to fulfill its purpose, in part or totally. Even if the problem encountered does not require code changes to solve, it may need expert assistance from Microsoft in order to diagnose the root cause, but those resources may no longer be available. Regulatory and compliance obligations may pertain as well, requiring all production systems to have support available from the product providers. Thus, continuing to use software running on Windows Server 2003 after support ends could violate the compliance or regulatory obligations of your organization. Microsoft is open to negotiating a custom support agreement to provide fixes for security vulnerabilities for Windows Server 2003 after it reaches the end of the extended support phase next year. However, this is not a full solution even if the relatively high cost is acceptable. These agreements are not open-ended; they are signed in the context of a plan with a fixed end date for migration of the remaining systems to a supported version of Windows Server. They do nothing to address any third-party software running on those servers if the maker of that application defines Gartner, Inc. G Page 3 of 7

4 Windows Server 2003 as an unsupported environment for its product, your custom support agreement with Microsoft doesn't help. Among all possible security and operational risks, some may be solvable by one or more tools. Other risks require different tools or complex custom development of solutions, or they may not be amenable to a fix at all. For example, a tool that manages database access may be the resolution if a security vulnerability is discovered in SQL calls, but not so helpful if the issue affects Internet Information Services (IIS) or the business application itself. A firewall and intrusion monitoring tools may be sufficient to address possible compromise of some of the systems, while other exposures may involve the business rules themselves, demanding a change to the core logic of the application. Apply Risk Management Principles to Assess and Prioritize Impacted Systems Although a risk is identified, it may never occur. Further, the impacts are not the same, and the means of mitigating or resolving different risks may vary significantly. It may be imprudent to spend large amounts of time and money to offset a very low-probability event when the corresponding impact is light. On the other hand, some regulated industries may not be permitted to run certain applications if the system is unsupported. The systems running under Windows Server 2003 may have been in successful operation for almost a decade; what is the risk that a new problem will arise that impairs the system's operation? Security exposures in this operating system version have been frequently detected and patched; how often have the systems been the target of attacks? For some IT systems being assessed, the business has alternative means at hand if the application were to be unavailable for an extended period. This may already have been studied as part of an impact assessment for disaster recovery planning; take advantage of that work to speed the analysis of the future risks. If a means exists to survive without the software, even if it is more cumbersome or expensive for the business users, the impact is controlled. The client may continue to operate the system, while watching for the occurrence of the risk scenarios, at which point the impaired system can be rapidly shut down. The best practice involves setting up a means to watch for the risk events and the creation of a process to follow in that scenario. Risk management is a discipline that seeks the appropriate balance between risks and mitigation activities. Some risks are worth taking, with an impact that is less than the costs of eliminating the risk. Some actions can be deferred, given the low odds that a given event will occur in the coming years; if the action can be applied quickly to cap the impact of a possible event, this may be a better decision than to launch an immediate high-resource effort to migrate or replace the system. Adopt Proven Practices and Alternatives Appropriate to Each Unsupported System Since a client need not eliminate every risk, particularly if the mitigation can be readily applied in the future if the risk materializes, the best practice is to have developed broad classes of potential issues and to have identified the appropriate response for each. Clients prioritize and begin Page 4 of 7 Gartner, Inc. G

5 activities only for the systems with very high impacts or facing situations with a high likelihood of happening. There are many ways in which these risks can be addressed, far more than can be detailed in a document like this. A few examples will help to illustrate the best practices applied or scenario responses developed by different clients. Most clients will have a range of such approaches identified that pertain to their environment and the specific systems they will continue operating later next year. Additional software products could be installed and used to block security exposures or overcome operational problems, in the event these arise in the future. For the most part, these are specific solutions to narrow classes of problems. One tool may allow rules to be imposed on the database queries and updates, by interposing itself between the vulnerable database and all software or users accessing that system. If a risk arises that is related to the database and its exploitation can be blocked by institution of some clear rules, then a tool like this would be an effective mitigation. The concept of a demilitarized zone (DMZ) has been frequently used to isolate systems that are accessible by outsiders, to minimize what they could do to the rest of the data center if they become compromised. Further, much tighter control can be placed on which other systems they are permitted to contact and the types of access allowed. This may reduce the usability of a system, but it may be better than the alternative of losing all use if a new vulnerability becomes known. The nature of the vulnerability and the usefulness of the system in that case will help decide whether a DMZ may be sufficient to address risks. When alternative software or manual processes exist that could take the place of an infected or impaired system, these may be the most appropriate actions to take if an event does occur in the future. Script at a high level the way this will be handled, and institute the right measures to detect and trigger the action if the event takes place. There are cases in which migration or replacement of the system is the best practice, rather than unsupported operation under Windows Server In these cases, some means must be found to make this happen in the next year. There are a few good ideas that clients can use to drive the funding when this approach is needed. If you are expecting to have Windows Server 2003 in operation from mid-2015 onward, apply the approaches from this document, determine if some of the best practices described will be useful for your situation, and build your plan of action. In an inquiry call, we can help you tailor your approach and can offer additional best practices, not listed in this overview, that are potential solutions to situations you may face. Gartner Recommended Reading Some documents may not be available as part of your current Gartner subscription. "Time to Adjust Your Windows Server Migration Plans" Gartner, Inc. G Page 5 of 7

6 Evidence For more detail on the Microsoft support policy, see "Microsoft Support Lifecycle Policy FAQ." 1 The operating system products whose support will end in 2015 include Windows Server 2003, Windows Server 2003 R2, and Windows Server 2003 Small Business Server. Our advice is applicable to all of those products. Page 6 of 7 Gartner, Inc. G

7 GARTNER HEADQUARTERS Corporate Headquarters 56 Top Gallant Road Stamford, CT USA Regional Headquarters AUSTRALIA BRAZIL JAPAN UNITED KINGDOM For a complete list of worldwide locations, visit Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner s prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner s research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see Guiding Principles on Independence and Objectivity. Gartner, Inc. G Page 7 of 7