Turn the Page: Why now is the time to migrate off Windows Server 2003




HP Security Research

Contents

Introduction
What does End of Support mean?
What End of Support doesn't mean
Why you need to leave Windows Server 2003 in the past
    Compliance concerns
    Security
    Hidden costs in maintaining older systems
Where to go from here
    Get a Custom Support Agreement
    Migrate to a newer version of Windows Server
    Migrate to Linux
    Hope for the best
Conclusion

Introduction

In January 2015, Microsoft released a patch to fix an issue in the Network Location Awareness (NLA) service. The vulnerability affects all versions of Windows Server, but a fix was not provided for the Windows Server 2003 platform. As stated in the bulletin, "The architecture to properly support the fix provided in the update does not exist on Windows Server 2003 systems, making it infeasible to build the fix for Windows Server 2003" [1]. This highlights the differences in operating system (OS) architectures between modern OSes and an OS now over eleven years old. While this alone should not push enterprises to move away from the OS, the impending end of support for this OS should have businesses thinking about what comes next for their remaining Windows Server 2003 deployments.

What does End of Support mean?

Microsoft has two different lifecycles for its products: mainstream and extended [2]. The biggest difference between these levels is the availability of non-security updates. During the mainstream support period, new functionality may be added through service packs or hotfixes, in addition to security updates. Once mainstream support ends, usually five years after the product's initial release date, extended support kicks in. This provides free security updates, but little else. Mainstream support for Windows Server 2003 ended in 2010, which means there have been no service packs or new functionality changes in over four years. On July 14, 2015, extended support for Windows Server 2003 ends as well. After this date, there will be no additional security fixes or updates of any kind freely available. Deployments of the OS won't stop working on the 15th of July, but as of that day, these systems represent a different type of risk for the enterprises that use them.

What End of Support doesn't mean

On July 15, 2015, little will change for those using Windows Server 2003. No features will be disabled. There will be no forced update to a new platform. The vast resources of online guidance for running and troubleshooting the OS will exist as they always have. In short, nothing obvious will change immediately. However, as time goes on, the lack of support and the lack of updates will become apparent.

Attacks are another reality that will not change once support ends. Just as today, adversaries will continue targeting Windows Server 2003. If you are looking for an example of this, you only need to look back to the end of support for Windows XP. Immediately following the end of free security updates for that platform, active attacks were seen in the wild targeting Internet Explorer versions on XP. While Microsoft made the decision to offer patches for XP at that time, it is unlikely they will make this extraordinary decision again.

In addition to the current attacks, many of the issues affecting the more modern platforms (e.g. Windows Server 2012 R2) also affect Windows Server 2003. While the OSes are very different, there is still shared code between platforms. In January 2015, five of the seven security bulletins released by Microsoft impacted both Windows Server 2012 R2 and Windows Server 2003 [3]. After support ends, attackers may use the security bulletins as a guide to determine new vulnerabilities on Windows Server 2003. Due to the lack of security updates, enterprises still running Windows Server 2003 after support ends will become an even more attractive target to adversaries.

[1] https://technet.microsoft.com/library/security/ms15-005
[2] https://support2.microsoft.com/gp/lifepolicy
[3] https://technet.microsoft.com/library/security/ms15-jan

Why you need to leave Windows Server 2003 in the past

While definitive numbers remain elusive, estimates put Windows Server 2003 usage at about one-third of all Windows Server deployments. This seems likely, as Windows Server 2003 remains a remarkably stable OS. Despite this reliability, it is time for enterprises to leave this platform and migrate to a modern OS.

Compliance concerns

In almost every industry, there now exists a form of national or international regulation covering the security and maintenance of computer systems. These regulatory requirements will often mandate that systems within a domain be supported. Correspondingly, if unsupported systems exist within a domain, it is unlikely the enterprise will be within regulatory compliance. The U.S. Computer Emergency Readiness Team (US-CERT) notes, "Organizations that are governed by regulatory obligations may find they are no longer able to satisfy compliance requirements while running Windows Server 2003" [4]. Put more simply, once Windows Server 2003 is out of support, the chance of maintaining compliance with applicable regulations closely approaches zero.

Security

While the lack of security updates is a primary concern for those running out-of-support servers, there are additional security concerns related to running Windows Server 2003. One area that is often overlooked is the set of defense-in-depth (DiD) features available in modern OSes. Starting in the early 2000s, the concept of placing defenses deep within the OS became a reality. The goal was to prevent known attack techniques from working on a target system, even if the attacker attempts to exploit an unpatched bug.

One of the first of these DiD measures implemented was Address Space Layout Randomization (ASLR). In its simplest form, ASLR randomizes memory layout to make it more difficult for an attacker to get code to the targeted location in memory. Windows Server 2003 does implement ASLR, but the development of memory randomization has continued over the years to include methods that cannot be implemented on Server 2003.

Another example of DiD is known as SafeSEH, which means an image has safe exception handlers. This feature builds a table of safe exception handlers when a program is compiled. If a program has this in place, when an exceptional condition occurs, the table is consulted to ensure the handler about to run matches an entry in it. If no match exists in the table, the program is terminated. Of course, the limitation of this feature is that programs must be built with SafeSEH enabled.

Later OSes implemented a second DiD technique called Structured Exception Handler Overwrite Protection (SEHOP). It works differently than SafeSEH, with its main benefit being that it does not require programs to be built with any special flags. SEHOP is able to mitigate Structured Exception Handler overwrites by verifying the integrity of the chain of registered exception handlers at the time that an exceptional condition occurs. Typically, an SEH overwrite will break the integrity of this chain, which is what enables SEHOP to mitigate it. While Windows Server 2003 does have SafeSEH, SEHOP is only available on Windows Server 2008 and later. In the more recent server versions, SEHOP was further extended to permit applications to opt in on a per-application basis. Previously, SEHOP had to be enabled or disabled for the entire system, which led to application compatibility issues for some programs.

[4] https://www.us-cert.gov/ncas/alerts/ta14-310a
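A simplified model of the chain-integrity walk that SEHOP performs, added here as an illustration (it is not Windows code and not part of the original paper): the record layout, the terminator value, the stack bounds and the handler names are assumptions standing in for the real ntdll structures, and the three kinds of damage the demo applies are the conditions the walk is designed to catch.

```c
/* Added illustration of the SEHOP idea from the text: a model of the 32-bit
   Windows SEH chain and a chain-integrity walk over it. This is not the
   Windows implementation; names and layout are simplified assumptions. */
#include <stdint.h>
#include <stdio.h>

typedef void (*handler_fn)(void);

/* One frame of the SEH chain (models EXCEPTION_REGISTRATION_RECORD). */
typedef struct seh_record {
    struct seh_record *next;   /* next record up the stack, or SEH_END */
    handler_fn handler;        /* handler that runs for this frame */
} seh_record;

#define SEH_END ((seh_record *)(uintptr_t)-1)   /* chain terminator */

static void final_handler(void) {}  /* stands in for ntdll's final handler */
static void app_handler(void) {}    /* an ordinary application handler */
static seh_record off_stack_record; /* memory outside the thread's stack */

/* SEHOP-style validation, run before any handler is dispatched.
   Returns 1 if the chain is intact, 0 if dispatch should be refused.
   Every record must lie inside [stack_lo, stack_hi), be pointer-aligned,
   and the walk must end at a record whose next is SEH_END and whose
   handler is the known final handler. An overwritten next pointer
   normally violates one of these conditions, which is what SEHOP detects. */
int sehop_validate(const seh_record *head, uintptr_t stack_lo,
                   uintptr_t stack_hi, handler_fn final, unsigned max_depth)
{
    const seh_record *rec = head;
    for (unsigned depth = 0; rec != SEH_END; depth++) {
        uintptr_t a = (uintptr_t)rec;
        if (depth >= max_depth) return 0;                         /* cycle */
        if (a < stack_lo || a + sizeof *rec > stack_hi) return 0; /* off stack */
        if (a % sizeof(void *) != 0) return 0;                    /* misaligned */
        if (rec->next == SEH_END) return rec->handler == final;   /* terminator */
        rec = rec->next;
    }
    return 0;  /* empty chain: no final frame to reach */
}

/* Builds a three-frame chain in a stack-like array, optionally damages it,
   and returns the validator's verdict. damage: 0 = intact chain,
   1 = a next pointer now points outside the stack, 2 = the chain loops,
   3 = the terminator is present but its handler is not the final handler. */
int demo(int damage)
{
    seh_record frames[3];  /* plays the role of the thread's stack */
    frames[2].next = SEH_END;    frames[2].handler = final_handler;
    frames[1].next = &frames[2]; frames[1].handler = app_handler;
    frames[0].next = &frames[1]; frames[0].handler = app_handler;
    if (damage == 1) frames[0].next = &off_stack_record;
    if (damage == 2) frames[1].next = &frames[0];
    if (damage == 3) frames[2].handler = app_handler;
    return sehop_validate(&frames[0], (uintptr_t)frames,
                          (uintptr_t)(frames + 3), final_handler, 64);
}

int main(void)
{
    for (int d = 0; d <= 3; d++)
        printf("damage %d: chain %s\n", d, demo(d) ? "intact" : "rejected");
    return 0;
}
```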

These are just two examples of DiD security features available in newer OSes. A comparison of other DiD features [5][6][7], including those found in supported Microsoft Internet Explorer (IE) versions [8], is located in Table 1.

Table 1: Comparison of DiD features, Windows Server 2003 with Internet Explorer 8 versus Windows Server 2012 R2 with Internet Explorer 11

- SEHOP
- IE Protected Mode
- Enhanced Protected Mode
- Virtual Table Guard
- ASLR (Windows Server 2003: limited; Windows Server 2012 R2: extensive)
    - Stack Randomization
    - Heap Randomization
    - Image Randomization
    - Force Image Randomization
    - Bottom-Up Randomization
    - Top-Down Randomization
    - High Entropy Randomization
    - PEB/TEB Randomization
- Heap Hardening (Windows Server 2003: limited; Windows Server 2012 R2: extensive)
    - Header Encoding
    - Terminate on Corruption
    - Guard Pages
    - Allocation Randomization
    - Safe Unlinking
    - Header Checksums
- /GS
- Enhanced /GS
- SafeSEH

[5] Miller, Matt and Johnson, Ken. 2012, July 25. Black Hat USA 2012 - Exploit Mitigation Improvements in Windows 8. Retrieved from https://www.youtube.com/watch?v=3nrijvra62g.
[6] https://msdn.microsoft.com/en-us/library/bb430720.aspx
[7] http://blogs.technet.com/b/srd/archive/2013/12/11/software-defense-mitigating-common-exploitationtechniques.aspx
[8] http://blogs.msdn.com/b/ie/archive/2012/03/12/enhanced-memory-protections-in-ie10.aspx

The inclusion of these additional DiD features results in an increased level of difficulty for attackers wishing to take over a system. They no longer just need an exploit in an application; they must now have an exploit combined with techniques to circumvent the DiD features. While these circumventions exist, every step that makes it more difficult for attackers is another chance for defenders to catch them.

Hidden costs in maintaining older systems

While the adage "If it ain't broke, don't fix it" may ring true in many situations, it is often the opposite case for computing systems. Some reports indicate the cost of maintaining older systems is 1.6 times the cost of replacement [9], especially for small- and medium-sized enterprises. The investment of capital needed to replace outdated servers may be daunting at first, but in the end, you may actually be saving money by getting new hardware and the new software that comes with it.

Where to go from here

For those who are still running Windows Server 2003, there are a few options.

Get a Custom Support Agreement

For those who cannot migrate away from Windows Server 2003, there is an option that will provide security updates after support ends, for a price. Microsoft offers Custom Support Agreements (CSA) for products that have reached their end of support date. For customers who enter into a CSA, Microsoft will produce security patches for what they deem critical-class vulnerabilities [10]. Patches for important-severity issues may also be provided; however, these are only produced if the customer pays extra. By Microsoft's own estimate, a CSA will run in the neighborhood of over $200,000 US a year [11]. In the past, the price for a CSA has risen year-over-year, meaning that it is likely this cost will only go up. This option should be viewed as a stopgap measure to keep servers up-to-date while a larger migration plan is put in place. Continuing to pay for support year after year is not economically sustainable.

Migrate to a newer version of Windows Server

Moving to the latest version of Windows Server gets you to a supported state with access to the latest features in both functionality and security. This may seem like the obvious choice, but it is not without problems as well. According to Microsoft, the average migration time is over 200 days [12]. There is also the issue of finding all of the servers needing to be replaced within an enterprise. This may sound simple, but physically locating every server of a specific type within a large enterprise can be surprisingly difficult.

[9] http://www.eweek.com/small-business/older-pcs-drain-time-resources-from-small-businesses-intel.html
[10] https://technet.microsoft.com/en-us/security/gg309177.aspx
[11] http://blogs.technet.com/b/mpn_uk/archive/2014/01/29/windows-server-2003-end-of-support-is-july-14-2015-will-you-be-ready-to-seize-the-opportunity.aspx
[12] http://blogs.technet.com/b/uktechnet/archive/2014/06/25/are-you-ready-to-migrate-windows-server-2003-end-of-life-is-coming-on-the-july-14th-2015.aspx

Migrate to Linux

For some companies, migrating servers from Windows to Linux is a viable option. Linux is currently deployed on 36.4% of existing web sites [13] and can work equally well in an enterprise scenario. Modern Linux systems also provide many DiD features similar, but not identical, to those found in modern versions of Windows Server. While a new Windows server may require new hardware, a version of Linux exists that will run on your existing systems. This option will not be practical for all enterprises currently running Windows Server 2003, but for a subset of them, the potential cost savings of moving to Linux dictate at least considering the option.

Hope for the best

For those without compliance issues, the option to do absolutely nothing still exists. If everything works well within your enterprise, just keep running it and hope that attackers, regulators, shareholders, and everyone else never notice that the operating system used for their business transactions is well over a decade old. This also ensures you won't struggle implementing any of the new features modern operating systems allow. Technologies like Hyper-V, hybrid and public cloud, BYOD and mobile device management, and numerous defense-in-depth measures will never become an implementation problem because Windows Server 2003 simply will not support them.

Conclusion

With the impending end of support for Windows Server 2003, enterprises need to take action. "It still works" is no longer an excuse for running an outdated operating system. After July 14, 2015, Windows Server 2003 will no longer receive free security updates. In addition to the potential long-term cost savings of replacing rather than maintaining older hardware, modern OSes offer defense-in-depth technologies not found on Windows Server 2003. Running an unsupported OS will also lead to issues with regulatory compliance. To prepare for this date, administrators need to determine which course of action they will choose. Some may decide a custom support agreement and paying for patches is their best course of action until they can implement a long-term solution. Others may choose to migrate to a newer, supported version of Windows Server, or even to a supported version of Linux. In reality, doing nothing to prepare for this date is simply not an option.

Attackers will not stop targeting systems that are running Windows Server 2003 simply because it is no longer supported. Vulnerabilities in Server 2003 will continue to be found as well, even if they are disguised as bugs in newer server platforms. As we move further away from the end of support date, the risks of continuing to run Windows Server 2003 will only increase, and the costs of keeping it in an enterprise will become too great to justify.

By July 2015, Windows Server 2003 will be over 12 years old. That is a remarkable feat for any piece of technology, but it is time to retire the product and move on. Modern OSes provide security updates, a better set of features, and a more robust security strategy. Continuing to hold on to the past will stagnate an enterprise's ability to take advantage of new technologies such as hybrid cloud solutions and mobile device management. The July date is fast approaching. There is no better time than now to plan how your servers and enterprise will look in the next decade.

[13] http://w3techs.com/technologies/details/os-linux/all/all