The Windows Server 2003 family of products will reach its End of Support (EOS) on July 14, 2015.
We understand that this EOS brings complexities, but it also brings exciting possibilities to transform your datacenter. Don't think of it as a lift and shift, but rather as an opportunity to position your business for the future.
Now is the time to begin planning to migrate your applications off Windows Server 2003. Your migration destinations include not only Windows Server 2012 R2, but also Microsoft Azure and Office 365.
So what happens when Windows Server 2003 support comes to an end?
- Requests for changes to product design or features will no longer be accepted or accommodated
- Security updates will no longer be provided, exposing your Windows Server 2003 installation to security threats
- Payment Card Industry (PCI) policies will not be met with an operating system that is EOS
- Hotfixes and bug fixes will no longer be provided
- Complimentary support (phone and online) included with the licenses will no longer be provided
- Paid support (e.g. from Microsoft Premier Support) will no longer cover the Windows Server 2003 family of products
- New vulnerabilities discovered in Windows Server 2003 after its "end of life" will not be addressed by new security updates from Microsoft
What is the risk?
One risk is that attackers will have the advantage, because they will likely have more information about vulnerabilities in Windows Server 2003, placing the applications running on it in a precarious position. When Microsoft releases a security update, security researchers and criminals will often reverse engineer the update in short order to identify the specific section of code that contains the vulnerability it addresses. Once they identify this vulnerability, they attempt to develop code that will allow them to exploit it on systems that do not have the security update installed. They also try to identify whether the vulnerability exists in other products with the same or similar functionality.
For example, if a vulnerability is addressed in one version of Windows Server, researchers investigate whether other versions of Windows Server have the same vulnerability. To ensure that our customers are not at a disadvantage to attackers who employ such practices, one long-standing principle that the Microsoft Security Response Center (MSRC) uses when managing security update releases is to release security updates for all affected products simultaneously. This practice ensures customers have the advantage over such attackers, as they get security updates for all affected products before attackers have a chance to reverse engineer them.
But after July 14, 2015, organizations that continue to run Windows Server 2003, as well as any other Microsoft products that have hit their EOS, like Exchange 2003, Outlook 2003 and even Windows XP, won't have this advantage over attackers any longer.
The very first month that Microsoft releases security updates for supported versions of Windows Server, attackers will reverse engineer those updates, find the vulnerabilities and test Windows Server 2003 to see if it shares those vulnerabilities. If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows Server 2003. Since a security update will never become available for Windows Server 2003 to address these vulnerabilities, Windows Server 2003 will essentially have a "zero day" vulnerability forever.