Dell's security arm, SecureWorks, has sent out a warning to the 20 per cent of Australian businesses still running Windows Server 2003.
Microsoft officially ended support for Windows Server 2003 on July 14 but one-in-five Australian organisations are still running the program in one form or another, the most notable of which is the Victorian Government that has just spent $4.4 million on extended support.
Dell SecureWorks principal consultant APJ, Phillip Simpson, has warned that organisations still running Server 2003 infrastructure face an uphill battle in the war against cybercrime. "The number of vulnerabilities identified in Windows Server 2003 significantly increased after it entered the extended support phase in the second half of 2010," he said.
"According to Secunia, 22 vulnerabilities affecting Windows Server 2003 were unpatched as of March 31, 2015, and Microsoft has not announced if any of these issues will be addressed in security updates released before the July support deadline. "The operating system will likely contain unaddressed vulnerabilities now Microsoft has discontinued support, essentially acting as perpetual zero-day vulnerabilities.
Simpson noted that some vulnerability researchers and threat actors have historically delayed announcing severe vulnerabilities until after support for a product ends, increasing the value and potential impact of exploits. "Whilst the best advice is to migrate to a modern server, for those still using Windows Server 2003 and older, the typical migration takes an average of seven months. This is a significant window for cyber criminals to penetrate the unsupported platform and compromise the rest of the business," he said. "During this time, it is critical businesses mitigate the exposure as effectively as possible. Most customers will look at logically segmenting or isolating the vulnerable applications or servers during this time by putting a "virtual" ring fence around the applications themselves. "However, these compensating controls are not recommended as it will not provide complete protection against the vast number of threats that will occur now support has ended.
"The other option is to pay Microsoft to continue to support Windows Server 2003. However, the cost of this outweighs the benefits and it is much more valuable to begin the process of migrating rather than implementing a stop-gap solution. "In addition to the risks posed by the lack of security updates, continued use of an unsupported operating system may violate external regulatory or compliance requirements, and third-party software vendors may withdraw support for products on Windows Server 2003 systems."