Managing the Risks of Running Windows Server 2003 After July 2015




G00263054 Managing the Risks of Running Windows Server 2003 After July 2015
Published: 1 April 2014
Analyst(s): Carl Claunch

Windows Server 2003 and Windows Server 2003 R2 reach the end of their extended support by Microsoft in mid-2015; using these products after that time has consequences and risks. This research outlines the best practices for organizations that will be in this situation.

Key Challenges

For many clients, there is not enough time left to migrate all the systems that are running Windows Server 2003 and Windows Server 2003 R2 to a newer version before support ends in July 2015.

Third-party products may become unsupported as well, triggered by the operating system dates.

Operating servers with unsupported operating systems leaves the data center open to future risks due to unfixed security exposures or malfunctioning software.

Choosing among the many possible tools and approaches to mitigate the risk is difficult and highly dependent on the individual system and the IT environment. No single solution will address all scenarios; the best practice is to establish a combination of approaches based on a risk management analysis.

Recommendations

Adopt strategies appropriate for the low probability but high impact of future events, consistent with the sometimes high costs and other challenges of complete mitigation.

Leverage the impact analysis of extended outages done as part of a recent disaster recovery planning effort.

Build scenarios to handle events, but defer action until (and unless) an event occurs, when fast reaction is possible or the impact of sudden elimination of the system is modest.

Create a written plan to prioritize, define responses by type of event, and script the high-level actions to take if given types of events occur.

Table of Contents

Introduction ... 2
Analysis ... 3
Properly Assess the Risks and Consequences of Running Systems Under Windows Server 2003 After Support Ends in Mid-2015 ... 3
Apply Risk Management Principles to Assess and Prioritize Impacted Systems ... 4
Adopt Proven Practices and Alternatives Appropriate to Each Unsupported System ... 4
Gartner Recommended Reading ... 5

Introduction

In recent months, Gartner saw an increasing volume of inquiries on continuing to use systems whose Windows Server 2003 operating system [1] will be unsupported after 14 July 2015. For quite a few clients, it is becoming apparent that these systems will not be migrated in time to new supported versions of the operating system. In these calls, the clients are looking for advice, new ideas and best practices for how similar organizations are addressing this issue. First, we generally talk through the consequences and risks they will face after the extended support period expires next year. With that as a basis for assessing the situation using business risk management principles, we use the remainder of the call to talk through a variety of techniques, tools, strategies and actions that have worked for others.

A surprising number of client organizations will be operating those unsupported systems next year and beyond; they range from medium-scale up to the largest enterprise IT organizations. Both technically adept and less sophisticated shops find themselves without sufficient time and budget to completely migrate all workloads.

The best practice is migration or conversion, ensuring that no instances of Windows Server 2003 will be in production use after the end of support in July 2015. The majority of client organizations are planning to accomplish this, are in the midst of that activity or have already replaced all Windows Server 2003 systems. That is our primary recommendation for current users of this operating system. For a variety of reasons, however, not every client will be able to accomplish this. This document is for those clients that cannot apply the primary best practice of completing a migration before support ends.

Page 2 of 7 Gartner, Inc. G00263054

No simple, single solution exists to fully manage the risks; rather, the best practice in this area is the application of choices from among a large pool of options. The particular approach selected for each system is dependent on characteristics of that application and of the risk.

Analysis

Properly Assess the Risks and Consequences of Running Systems Under Windows Server 2003 After Support Ends in Mid-2015

Microsoft's support program for both Windows Server 2003 and Windows Server 2003 R2 is currently in the extended support phase, which is scheduled to cease on 14 July 2015. After that date, if a new security vulnerability is discovered in the code, there is no commitment that a fix will be produced and released by Microsoft, nor will Microsoft address nonsecurity defects or assist customers that encounter problems in operation.

Further, it is not just the operating system that should concern clients. Third parties that sell and support software, including business applications, may tie the support of their code to the status of the underlying operating system; running the third-party software on Windows Server 2003 will constitute an unsupported environment.

If a security exposure is discovered and exploited by outsiders, clients could have the operation of applications disrupted, data could be stolen or tampered with, and the compromised system may be the launching pad for eavesdropping and active attacks against other systems within the data center.

In addition to security risks, it is possible that an IT system running on Windows Server 2003 may cease to operate correctly because of some latent defect that has been triggered by changes in the client's use. There is no assurance that a correction will be possible, rendering that IT system suddenly unable to fulfill its purpose, in part or totally.
Even if the problem encountered does not require code changes to solve, it may need expert assistance from Microsoft in order to diagnose the root cause, but those resources may no longer be available.

Regulatory and compliance obligations may pertain as well, requiring all production systems to have support available from the product providers. Thus, continuing to use software running on Windows Server 2003 after support ends could violate the compliance or regulatory obligations of your organization.

Microsoft is open to negotiating a custom support agreement to provide fixes for security vulnerabilities for Windows Server 2003 after it reaches the end of the extended support phase next year. However, this is not a full solution even if the relatively high cost is acceptable. These agreements are not open-ended; they are signed in the context of a plan with a fixed end date for migration of the remaining systems to a supported version of Windows Server. They also do nothing to address any third-party software running on those servers: if the maker of that application defines Windows Server 2003 as an unsupported environment for its product, your custom support agreement with Microsoft doesn't help.

Among all possible security and operational risks, some may be solvable by one or more tools. Other risks require different tools or complex custom development of solutions, or they may not be amenable to a fix at all. For example, a tool that manages database access may be the resolution if a security vulnerability is discovered in SQL calls, but not so helpful if the issue affects Internet Information Services (IIS) or the business application itself. A firewall and intrusion monitoring tools may be sufficient to address possible compromise of some of the systems, while other exposures may involve the business rules themselves, demanding a change to the core logic of the application.

Apply Risk Management Principles to Assess and Prioritize Impacted Systems

Although a risk is identified, it may never occur. Further, the impacts are not the same, and the means of mitigating or resolving different risks may vary significantly. It may be imprudent to spend large amounts of time and money to offset a very low-probability event when the corresponding impact is light. On the other hand, some regulated industries may not be permitted to run certain applications if the system is unsupported.

The systems running under Windows Server 2003 may have been in successful operation for almost a decade; what is the risk that a new problem will arise that impairs the system's operation? Security exposures in this operating system version have been frequently detected and patched; how often have the systems been the target of attacks? Bear in mind that past attack frequency understates the forward risk: once fixes stop, any flaw in code the 2003 release shares with newer Windows versions stays exploitable on the 2003 host indefinitely, even though it is patched everywhere else. For some IT systems being assessed, the business has alternative means at hand if the application were to be unavailable for an extended period. This may already have been studied as part of an impact assessment for disaster recovery planning; take advantage of that work to speed the analysis of the future risks.
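The factors listed above (exposure to outsiders, third-party support status, the outage impact already rated in the disaster recovery plan, regulatory status, and whether a fallback exists) can be turned into a repeatable triage of the remaining hosts. The following Python sketch is an added example for this page, not tooling from the Gartner note; the scoring weights, the three response classes and the sample inventory are assumptions chosen to illustrate the method, and should be tuned to your own risk appetite.

```python
"""Risk-based triage of Windows Server 2003 hosts that will outlive support.

Added example (assumption: weights, response classes and inventory are
illustrative, not from the note). Likelihood is driven by exposure and
by whether the application vendor still supports the platform; impact
comes from the DR impact assessment, capped when a fallback exists.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LegacyHost:
    name: str
    internet_facing: bool            # reachable by outsiders (DMZ or worse)
    outage_impact: str               # "low" | "medium" | "high" from the DR impact assessment
    regulated: bool                  # a regulator requires supported software
    fallback_exists: bool            # manual process or alternative software available
    app_vendor_supports_2003: bool   # third-party application still supported on 2003


IMPACT_POINTS = {"low": 1, "medium": 2, "high": 3}


def likelihood(h: LegacyHost) -> int:
    """1..3: how likely an unfixable security or operational event is."""
    score = 1
    if h.internet_facing:
        score += 1      # exposed to opportunistic exploitation of unpatched flaws
    if not h.app_vendor_supports_2003:
        score += 1      # application defects become unfixable as well
    return min(score, 3)


def impact(h: LegacyHost) -> int:
    """1..3: what it costs the business if the event happens."""
    score = IMPACT_POINTS[h.outage_impact]
    if h.fallback_exists and score > 1:
        score -= 1      # a cumbersome-but-working alternative caps the impact
    return score


def recommend(h: LegacyHost) -> str:
    """Map likelihood x impact onto the note's three response classes."""
    if h.regulated:
        return "migrate-before-eos"    # compliance, not risk appetite, decides
    product = likelihood(h) * impact(h)
    if product >= 6:
        return "migrate-before-eos"
    if product >= 3:
        return "mitigate-now"          # isolate, monitor, scripted shutdown or fallback
    return "accept-and-watch"          # written scenario plan, act only on an event


def triage(hosts):
    """Return (name, recommendation, score) ordered from most to least urgent."""
    order = {"migrate-before-eos": 0, "mitigate-now": 1, "accept-and-watch": 2}
    rows = [(h.name, recommend(h), likelihood(h) * impact(h)) for h in hosts]
    return sorted(rows, key=lambda r: (order[r[1]], -r[2], r[0]))


# Constructed sample inventory (assumption, not real hosts).
SAMPLE_INVENTORY = [
    LegacyHost("dmz-web-01", True, "high", False, False, False),
    LegacyHost("hr-payroll", False, "high", True, True, True),
    LegacyHost("lab-file-srv", False, "low", False, True, True),
    LegacyHost("erp-batch", False, "medium", False, False, False),
]

if __name__ == "__main__":
    for name, action, score in triage(SAMPLE_INVENTORY):
        print(f"{name:14} {action:20} score={score}")
```

The regulated flag short-circuits the scoring on purpose: the note points out that some regulated industries may simply not be permitted to run the system unsupported, so no amount of mitigation changes the answer for those hosts. Everything else lands in one of the three classes the note describes, and the ordering gives the list to start work from.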
If a means exists to survive without the software, even if it is more cumbersome or expensive for the business users, the impact is controlled. The client may continue to operate the system, while watching for the occurrence of the risk scenarios, at which point the impaired system can be rapidly shut down. The best practice involves setting up a means to watch for the risk events and the creation of a process to follow in that scenario.

Risk management is a discipline that seeks the appropriate balance between risks and mitigation activities. Some risks are worth taking, with an impact that is less than the costs of eliminating the risk. Some actions can be deferred, given the low odds that a given event will occur in the coming years; if the action can be applied quickly to cap the impact of a possible event, this may be a better decision than to launch an immediate high-resource effort to migrate or replace the system.

Adopt Proven Practices and Alternatives Appropriate to Each Unsupported System

Since a client need not eliminate every risk, particularly if the mitigation can be readily applied in the future if the risk materializes, the best practice is to have developed broad classes of potential issues and to have identified the appropriate response for each. Clients prioritize and begin activities only for the systems with very high impacts or facing situations with a high likelihood of happening.

There are many ways in which these risks can be addressed, far more than can be detailed in a document like this. A few examples will help to illustrate the best practices applied or scenario responses developed by different clients. Most clients will have a range of such approaches identified that pertain to their environment and the specific systems they will continue operating later next year.

Additional software products could be installed and used to block security exposures or overcome operational problems, in the event these arise in the future. For the most part, these are specific solutions to narrow classes of problems. One tool may allow rules to be imposed on the database queries and updates, by interposing itself between the vulnerable database and all software or users accessing that system. If a risk arises that is related to the database and its exploitation can be blocked by institution of some clear rules, then a tool like this would be an effective mitigation.

The concept of a demilitarized zone (DMZ) has been frequently used to isolate systems that are accessible by outsiders, to minimize what they could do to the rest of the data center if they become compromised. Further, much tighter control can be placed on which other systems they are permitted to contact and the types of access allowed. In practice that means restricting the legacy host's outbound connections (to the specific database, directory and management endpoints it needs) as tightly as its inbound ones, since the concern is the compromised host becoming a launching pad against the rest of the data center. This may reduce the usability of a system, but it may be better than the alternative of losing all use if a new vulnerability becomes known. The nature of the vulnerability and the usefulness of the system in that case will help decide whether a DMZ may be sufficient to address risks.

When alternative software or manual processes exist that could take the place of an infected or impaired system, these may be the most appropriate actions to take if an event does occur in the future.
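The risk management section above recommends setting up a means to watch for the risk events and a process to follow when one occurs, and the DMZ approach only works if you can tell when the isolated host has been compromised. The following Python sketch is an added example for this page (not Gartner's code) of detection logic of that kind run over constructed Windows Server 2003 Security log lines. The simplified "timestamp|host|event_id|key=value;..." export format, the sample lines and the thresholds are assumptions; the event IDs are the pre-Vista Security log numbers that Windows Server 2003 uses: 529 logon failure (unknown user name or bad password), 592 new process created, 601 attempt to install service.

```python
"""Watching an unsupported Windows Server 2003 host for the events that
should trigger the scripted response (block, isolate, start the fallback).

Added example. The log export format, sample lines and thresholds are
assumptions; event IDs 529, 592 and 601 are the real pre-Vista numbers.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export (assumption, not a real capture): a password-
# guessing burst against the DMZ host, a web shell spawning cmd.exe from
# the IIS worker process, and an unexpected service installation.
SAMPLE_LOG = """\
2015-09-01T03:12:01|DMZ-WEB-01|529|user=administrator;src=203.0.113.9
2015-09-01T03:12:03|DMZ-WEB-01|529|user=administrator;src=203.0.113.9
2015-09-01T03:12:04|DMZ-WEB-01|529|user=admin;src=203.0.113.9
2015-09-01T03:12:06|DMZ-WEB-01|529|user=backup;src=203.0.113.9
2015-09-01T03:12:07|DMZ-WEB-01|529|user=sa;src=203.0.113.9
2015-09-01T03:15:00|DMZ-WEB-01|592|pid=1480;image=C:\\WINDOWS\\system32\\inetsrv\\w3wp.exe;creator=1012;user=NETWORK SERVICE
2015-09-01T03:15:42|DMZ-WEB-01|592|pid=2204;image=C:\\WINDOWS\\system32\\cmd.exe;creator=1480;user=NETWORK SERVICE
2015-09-01T03:16:10|DMZ-WEB-01|601|service=svchlpr;image=C:\\WINDOWS\\Temp\\svchlpr.exe;user=NETWORK SERVICE
2015-09-01T08:00:00|DMZ-WEB-01|529|user=jsmith;src=10.1.5.77
"""

FAILED_LOGON_THRESHOLD = 5                    # assumption: tune to the host's normal noise
FAILED_LOGON_WINDOW = timedelta(seconds=60)
WEB_WORKERS = {"w3wp.exe", "inetinfo.exe"}    # IIS 6 worker process / IIS 5 isolation mode
SHELLS = {"cmd.exe", "cscript.exe", "wscript.exe"}


def parse_line(line):
    ts, host, event_id, fields = line.split("|", 3)
    kv = dict(f.split("=", 1) for f in fields.split(";") if f)
    return datetime.fromisoformat(ts), host, int(event_id), kv


def detect(log_text):
    """Return (alerts, actions). Each alert is (time, host, rule, detail);
    actions maps host -> the most severe scripted response it now needs."""
    alerts = []
    failures = defaultdict(deque)   # source IP -> timestamps of recent 529s
    processes = {}                  # pid -> image basename, learned from 592s
    for raw in log_text.splitlines():
        ts, host, eid, kv = parse_line(raw)
        if eid == 529:
            q = failures[kv["src"]]
            q.append(ts)
            while q and ts - q[0] > FAILED_LOGON_WINDOW:
                q.popleft()         # drop failures outside the sliding window
            if len(q) == FAILED_LOGON_THRESHOLD:   # fires once per burst
                alerts.append((ts, host, "password-guessing", kv["src"]))
        elif eid == 592:
            image = kv["image"].rsplit("\\", 1)[-1].lower()
            processes[kv["pid"]] = image
            parent = processes.get(kv["creator"], "?")   # 592 carries only the creator PID
            if parent in WEB_WORKERS and image in SHELLS:
                alerts.append((ts, host, "shell-from-web-worker", f"{parent} -> {image}"))
        elif eid == 601:
            # New services on a frozen, unpatched host are change-controlled;
            # anything unexpected is treated as persistence.
            alerts.append((ts, host, "service-install", kv["image"]))

    severity = {"password-guessing": 1, "shell-from-web-worker": 2, "service-install": 2}
    response = {1: "block-source-at-dmz-firewall", 2: "isolate-host-and-start-fallback"}
    worst = {}
    for _, host, rule, _ in alerts:
        worst[host] = max(severity[rule], worst.get(host, 0))
    return alerts, {h: response[lvl] for h, lvl in worst.items()}


if __name__ == "__main__":
    found, todo = detect(SAMPLE_LOG)
    for ts, host, rule, detail in found:
        print(f"{ts:%H:%M:%S} {host} {rule}: {detail}")
    print(todo)
```

The parent-process correlation is the part worth copying: the 2003-era 592 event records only the creator's PID, so the detector has to remember earlier 592 events to know that the cmd.exe came from the IIS worker rather than from an administrator's console. The response map is deliberately coarse, matching the note's advice to script high-level actions per class of event rather than per signature.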
Script at a high level the way this will be handled, and institute the right measures to detect and trigger the action if the event takes place.

There are cases in which migration or replacement of the system is the best practice, rather than unsupported operation under Windows Server 2003. In these cases, some means must be found to make this happen in the next year. There are a few good ideas that clients can use to drive the funding when this approach is needed.

If you are expecting to have Windows Server 2003 in operation from mid-2015 onward, apply the approaches from this document, determine if some of the best practices described will be useful for your situation, and build your plan of action. In an inquiry call, we can help you tailor your approach and can offer additional best practices, not listed in this overview, that are potential solutions to situations you may face.

Gartner Recommended Reading

Some documents may not be available as part of your current Gartner subscription.

"Time to Adjust Your Windows Server Migration Plans"

Evidence

For more detail on the Microsoft support policy, see "Microsoft Support Lifecycle Policy FAQ."

[1] The operating system products whose support will end in 2015 include Windows Server 2003, Windows Server 2003 R2, and Windows Server 2003 Small Business Server. Our advice is applicable to all of those products.
